bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/45937.txt
Offensive Security 60710bbfd9 DB: 2018-12-05 
19 changes to exploits/shellcodes

Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download
Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption
Wireshark - 'find_signature' Heap Out-of-Bounds Read
Xorg X11 Server (AIX) - Local Privilege Escalation
Emacs - movemail Privilege Escalation (Metasploit)
OpenSSH < 7.7 - User Enumeration (2)
HP Intelligent Management - Java Deserialization RCE (Metasploit)
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass
DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
KeyBase Botnet 1.5 - SQL Injection
Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting
DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting
DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting
NUUO NVRMini2 3.9.1 - Authenticated Command Injection
DomainMOD 4.11.01 - Registrar Cross-Site Scripting
FreshRSS 1.11.1 - Cross-Site Scripting

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)
2018-12-05 05:01:44 +00:00

15 lines
No EOL
972 B
Text
Raw Blame History

# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control
# Date: 2018-11-27
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.rockwellautomation.com/
# Version: 1408-EM3A-ENT B
# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
# CVE : CVE-2018-19616
# 1. Description:
# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, there are a few buttons are disabled,
# such as “Edit”, “Remove”, “AddNew”, “Change Policy Holder” and “Security Configuration”.
# View the source code of login page, those buttons/functions just use the “disabled” parameter to control the access right.
# It is allow attackers using proxy to erase the “disabled” parameter, and enable those buttons/functions.
# Once those buttons/functions are enabled.
# Attackers is capable to add a new user who have administrator right.
Reference in a new issue View git blame Copy permalink