bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/49695.txt
Offensive Security 27af25c8c3 DB: 2021-11-02 
19 changes to exploits/shellcodes

jQuery UI 1.12.1 - Denial of Service (DoS)

Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)

Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)

Microsoft Exchange 2019 - Server-Side Request Forgery

KZTech T3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm

MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting

CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)

WordPress Plugin SuperForms 4.9 - Arbitrary File Upload

Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal

SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)

Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting

Online Ordering System 1.0 - Arbitrary File Upload

Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated)
CouchCMS 2.2.1 - Persistent Cross-Site Scripting
Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC)

MagpieRSS 0.72 - 'url' Command Injection

CouchCMS 2.2.1 - Server-Side Request Forgery

GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting

Montiorr 1.7.6m - Persistent Cross-Site Scripting
2021-11-02 05:02:13 +00:00

82 lines
No EOL
3 KiB
Text
Raw Blame History

# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device generates its SSID and password based on the
WAN MAC address.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5638
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php
03.02.2021
--
Example defaults:
# ifconfig |grep HWaddr
br0 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
br0:9 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.100 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1000 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.2 Link encap:Ethernet HWaddr 6C:AD:EF:FF:00:01
ra0 Link encap:Ethernet HWaddr 6C:AD:EF:5D:7C:5C
rai0 Link encap:Ethernet HWaddr 6C:AD:EF:5E:7C:5C
SSID1=MyWiFi-167C5D
SSID1=MyWiFi-5G-167C5D
WiFi password = EF167C5D
Reference in a new issue View git blame Copy permalink