jduck / asus-cmd Goto Github PK

View Code? Open in Web Editor NEW

252.0 252.0 44.0 335 KB

ASUS Router infosvr UDP Broadcast root Command Execution

Makefile 1.68% C 69.79% Python 28.53%

asus-cmd's People

Contributors

Stargazers

Watchers

asus-cmd's Issues

AC55U is vulnerable too

extendno=6587-gaa506e9
firmver=3.0.0.4

Asus AC68U with firmware 3.0.0.4.376_3626 is also vulnerable

The AC68U with stock firmware is vulnerable. Firmware version: 3.0.0.4.376_3626-g9a8323e

No response on RT-N56U.

Input:

sudo ./asus-cmd "nvram show"

Output:

[*] sent command: nvram show
[!] received 512 bytes from 192.168.1.90:34285
    0c 15 0033 5a6c89a6 41:41:41:41:41:41
    000a nvram show

I have a direct ethernet connection to the router.

ASUS DSL-N55U is vulnerable too

Firmware version 3.0.0.4.374_4422-gc83c78f

RT-AC66R with Firmware 3.0.0.4.376_3602 vulnerable

Latest firmware fix this: 3.0.0.4.376_3754-g5ef7c1f
It can't be downloaded authomatically, you must download it manually from Support Site here: http://www.asus.com/Networking/RTN66U/HelpDesk_Download/

DSL-AC68U Vulnerable

I have confirmed the DSL-AC68U is vulnerable running firmware 3.0.0.4.376_2158-g340202b

Asus RT-N12E is vulnerable

Asus RT-N12E is vulnerable with firmware prior to version 2.0.0.37.

All RT-N12E models prior to RT-N12E B1 are end-of-life. As far as I'm aware, the only RT-N12E model prior to RT-N12E B1 was simply known as RT-N12E. This ancient device bares the marking "H/W Ver: A" - implying it's model A or A1, however this is not mentioned in the product name nor anywhere on the administrative web interface.

Off the shelf, the device is labelled with "F/W Ver: 1.1.0.13".

RT-N12HP is vulnerable

Tested on my RT-N12HP_B1 firmware version 3.0.0.4.374_1327

$ ./asus-cmd "echo \$USER"
[*] sent command: echo $USER
[!] received 512 bytes from 192.168.1.22:62134
    0c 15 0033 54b4f46d 41:41:41:41:41:41
    000a echo $USER
[!] received 512 bytes from 192.168.1.1:9999
    0c 16 0033 54b4f46d e0:3f:49:91:54:b4
    0005 root

[!] received 512 bytes from 192.168.1.1:9999
    0c 16 0033 54b4f46d e0:3f:49:91:54:b4
    0005 root

[!] received 512 bytes from 192.168.1.1:9999
    0c 16 0033 54b4f46d e0:3f:49:91:54:b4
    0005 root

ASUS RT-N12C1 is also vulnerable

Tested on firmware version 3.0.0.4.370.

ASUS RT-N16 with asuswrt firmware (not merlin) is vulnerable.

ASUS RT-N16 running firmware 3.0.0.4.220 (not merlin) is vulnerable.

Asus WL-330NUL with firmware 3.0.0.35 is potentially vulnerable

WL-330NUL seems not officially supported device. But it's codebase is Merlin and I could verify the vulnerability by starting infosvr "manually" from console and invoking asus-cmd exploit.

Asus RT-N56U with firmware 3.0.0.4.374_5656 is vulnerable

In case you'd like to add to the list of affected hardware, I've confirmed that the ASUS RT-N56U running firmware 3.0.0.4.374_5656 is vulnerable.

Also affects ASUS-WL500g

This issue also affects the ASUS WL-500g (from about 9 years ago). The format of the infosrvr protocol header is probably different. Here was some old code i had to exercise one of the innocuos OpCodes:

https://github.com/awalls-cx18/wl500g-infoclient/blob/master/infoclient.c#L55

jduck / asus-cmd Goto Github PK

asus-cmd's People

Contributors

Stargazers

Watchers

Forkers

asus-cmd's Issues

Recommend Projects

Recommend Topics

Recommend Org