| Real Name | ribeirux |
|---|---|
| Email address | private |
| First Active | 2012-08-17 |
| Last Active | 2018-11-13 |
Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.
2c9170145359581c4c8d1c13f564bce3Full write up on the unauthenticated remote code execution and privilege escalation vulnerability in Cisco Prime Infrastructure.
463b73ab6b4dc341e0abdb15816e4711Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing.
05f34986eb4c21ba7fbb27faa2f9bc8fIBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.
221b05c8f4d9bb44521c8ebfe10f771dIBM QRadar SIEM versions prior to 7.3.1 Patch 3 or 7.2.8 Patch 28 suffer from authentication bypass, code execution, and privilege escalation vulnerabilities.
0e6ecaa9d4eab8b0a258bb8b10edb984DrayTek Vigor ACS server, a remote enterprise management system for DrayTek routers, uses a vulnerable version of the Adobe / Apache Flex Java library that has a deserialisation vulnerability. This can be exploited by an unauthenticated attacker to achieve remote code execution as root / SYSTEM on all versions until 2.2.2. Exploit code included.
4c7d83cfec04d1724b9d118fb3cd42e1The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
0a0cdd7637ea7a4a50df34cad0df396fBMC Track-It! version 11.4 suffers from remote code execution and credential disclosure vulnerabilities.
d6507459a64e274eb19ea9d09ebbf627AsusWRT Router versions prior to 3.0.0.4.380.7743 suffer from an unauthenticated LAN remote code execution vulnerability.
76e861a72a3ce836f6c0b5f6dc36b004The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute-forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be brute-forced. This Metasploit module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses.
620f8fffe7cce1685fc6d76883a8968cTrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a default password on the device. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. Note that the inline payloads work best. There are Turkish and other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v2 in other countries might be vulnerable too.
5144d45c548229d7ab14cb1798aacdb3TrueOnline is a major ISP in Thailand, and it distributes a customized version of the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This Metasploit module will attempt to exploit the unauthenticated injection first, and if that fails, it will attempt to exploit the authenticated injection. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other Billion 5200W-T in other countries might be vulnerable too.
a23cc92232428177c4f3ec4f89a7822dTrueOnline is a major ISP in Thailand, and it distributes a customised version of the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command injection vulnerability in the remote log forwarding page. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.
dd4213c7e16f8b71eda3aa6be42156f4TrueOnline is a Thai ISP that distributes customized versions of ZyXEL and Billion routers - customized with vulnerabilities that is. The routers contain several default administrative accounts and command injections that can be abused by authenticated and unauthenticated attackers.
d49de80d7e395e6a46e6479d644ea66fNetgear WNR2000 suffers from a remote code execution vulnerability and various other security issues.
c796a4c7e2b080855fb0e6456b4b3a6cSeveral Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices. The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.
dd3ba90a3c8d9aee1a73c5d68572d159A stack buffer overflow affects several D-Link routers and can be exploited by an unauthenticated attacker. The interesting thing about this vulnerability is that it affects both ARM and MIPS devices, so exploitation is slightly different for each type.
d3a085c7858b7b0de7bb572e6ea818f9This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to upload text files by using a directory traversal attack on the FileUploadServlet servlet. A JSP file can be uploaded that then drops and executes a malicious payload, achieving code execution under the user which the WebNMS server is running. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
603fc189cd0d143b775250d52f85f13dThe NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
d40e6b7096ec53c035171a4378040b94The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable to an authenticated remote code execution on the exposed web administration interface. An administrative account is needed to exploit this vulnerability. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
d61e75ee975d366c5637cabef3503939WebNMS Framework versions 5.2 and 5.2 SP1 suffer from directory traversal, code execution, weak obfuscation, and user impersonation vulnerabilities.
9ffda3b41068196845e0fd2a8bebd824NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities.
f350ea6228b354cd0f926e9dd1d7e81bThis Metasploit module exploits an authenticated arbitrary file upload via directory traversal to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well as the Virtual Appliance provided by Novell.
d722296cd47cfba9661f305b5965b0a7Novell Service Desk versions 7.1.0 and below suffer from code execution, information disclosure, cross site scripting, remote file upload, HQL injection, and traversal vulnerabilities.
96ca11a4d3ed6007f2182749ed202e09Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file upload vulnerability that can be exploited by an unauthenticated remote attacker to execute code as the SYSTEM user. Two servlets are vulnerable, FileUploadController (located at /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do). This Metasploit module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
3d6c659220bc9733c182c19629aadafe
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed