SLoSnow9879/FPT-Router-RCE

FPT-Router-RCE

G-97RG6M and G-97RG3 Remote Command Execution

Affected device

  1. G-97RG6M R4.2.98.035
  2. G-97RG3 R4.2.43.078

Note: Since no other device models were available and the firmware download address could not be found, I am not sure whether any other devices are affected.

Description

The device's web management page provides ping and traceroute tools in which the user enters a test target. The backend program does not filter or validate this input: it splices it directly into a command string and passes that string to the system function, which results in a command injection vulnerability.

Fortunately, this vulnerability requires authentication before it can be exploited. However, since the user can modify the login password, a weak password could be brute-forced.

Reproduction

  1. First, log in to the device's web management interface, go to the Utilities page, and click Ping Test or Traceroute.

  2. Second, enter the target to be tested, and then use the BurpSuite tool to intercept the request.

  3. Modify the wanIndex field in the HTTP request body to 0, then inject the command to be executed in the url_or_ip field, and finally send the request; the command is successfully executed.

Video

Exploit.mp4
