## https://sploitus.com/exploit?id=B5E38C3A-43D4-582D-BB1F-B3E3512CEB82
===============
Fantec MWiD25-DS
===============
Writeup for CVE-2022-28113
by @code-byter
==========================
This is a writeup of exploiting the Fantec MWiD25-DS Travel Router (Firmware version: 2.000.030).
This vulnerability allows any unauthorized user to execute arbitrary commands as root user. A vulnerability in the
backup functionality (upload.csp) allows any user to write files and thus reset the user passwords without a valid
session cookie. Using these new credentials the attacker can log into the web interface and exploit a buffer overflow
vulnerability. The SSID parameter of the set wifi client functionality is vulnerable to a heap overflow and allows
the attacker to execute arbitrary terminal commands. The whole exploit is possible without any user input or
required reboot.
.. image:: images/router.jpg
:width: 1200
CVSS 3.1 Base Score: 9.8
------------------------
Affected file: ``/protocol.csp``
.. image:: images/base.png
:width: 1000
Exploit
=======
The whole exploitation process is automated with a python script. To spawn a root shell run ``exploit.py``.
.. code:: python
python3 exploit.py 10.10.10.254
.. image:: images/exploit.png
:width: 1600
.. footer::
Daniel Schwendner, Email: hello@code-byter.com, Instagram: code_byter