Exploitation of Opendreambox – Remote Code Execution

The OpenDreambox project aims to bring an open and extensible image to the Dreambox receivers and to provided viable alternatives to other images that are kept closed-source by their authors.

In this OpenDreambox Project, there is a webadmin module which is vulnerable to Remote Code Execution vulnerability through which you can perform command injection via script.py file.

Suggested Read: [Exploitation] Apache Struts OGNL Code Execution Vulnerability – CVE-2017-9791

In first step, you need to find out the server running OpenDreambox project version 2.0.0 with the help of Shodan Search Engine by searching query “DreamBox” 200 OK as shown below:

Next you’ll see the below welcome screen of OpenDreamBox which shows some kind of Web Control mechanism.

Go to Extras Tab, and check whether WebAdmin Plugin is installed or not as shown in left hand side under WebPlugins.

From the address bar run Linux commands using the syntax: http://IP/PORT/webadmin/script?command=| “Linux_command” as shown below:

For Example, if you want to run id command then the URL address will be:

http://IP:PORT/webadmin/script?command=| id

When these kind of arbitrary commands are executed on target machines over very big networks like the Internet, we call it Remote Code Execution.

Furthermore, you can all Linux commands like whoami, uname -a etc

This type of a vulnerability can make a system viable to high levels of exploitation as it makes the target machine exposed to running of sorts of commands that can be capable of taking over the entire machine and destruct it down.

You can even view the contents of /etc/shadow or /etc/passwd file.

Well this RCE seems to be very easy but what’s next after this?

An attacker who is able to execute such a flaw is usually able to execute commands with the privileges of the programming language or the web server. Mostly an attacker can issue system commands, write, delete or read files or connect to databases.

You can even listen a port on OpenDreamBox server with the help of nc command and can back connect with your Kali Linux machine as a reverse shell connection.

You can also use this OpenDreamBox server for launching DOS / DDOS Attacks against any target. There are so many other things which you can easily do with this hacked machine.

You may also like:

Sarcastic Writer

Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.

Related Posts