CWMP-Server-RCE-Exploit is a Python script that demonstrates a Remote Code Execution (RCE) vulnerability in Ruijie Reyee wireless routers running firmware version B11P204. The vulnerability allows an attacker to execute arbitrary commands on the affected device through a Man-in-the-Middle (MiTM) attack on the Cloud Web Controller.
The Ruijie Reyee Cloud Web Controller contains a diagnostic tool that includes a ping check to confirm connectivity to the intended network. However, the IP address input field is not properly validated, enabling an attacker to inject operating system commands. Additionally, the Ruijie Reyee cloud-based device makes unencrypted HTTP polling requests to the Ruijie Reyee CWMP server. Together, these flaws allow an attacker in a MiTM position to set up a fake server and send arbitrary commands to the cloud-based device, triggering remote code execution.
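
The input handling that the ping diagnostic described above lacks, sketched as an added defensive example; it is not code from this repository or from Ruijie firmware. The function names, the `ping -c` argument layout and the sample targets are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_ping_target(value):
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("empty or oversized target")
    # Python 3.9+ ipaddress accepts an IPv6 zone ID ("fe80::1%eth0") with
    # almost any characters after '%', so scoped addresses are refused.
    if "%" in value:
        raise ValueError("scoped addresses are not accepted")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # fullmatch (not match with '$') so a trailing newline cannot slip through.
    if all(_LABEL.fullmatch(l) for l in labels) and not labels[-1].isdigit():
        return ".".join(labels).lower()
    raise ValueError(f"not an IP address or hostname: {value!r}")


def build_ping_argv(value, count=4):
    """Build the argument vector for ping from validated input."""
    target = validate_ping_target(value)
    if not isinstance(count, int) or not 1 <= count <= 10:
        raise ValueError("count out of range")
    # "--" ends option parsing, so the target can never be read as a flag.
    return ["ping", "-c", str(count), "--", target]


def run_ping(value, count=4):
    """Run ping with an argv list; no shell ever parses the target."""
    argv = build_ping_argv(value, count)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed inputs: two valid targets and three that must be refused.
    for sample in ["192.168.110.1", "example.com", "10.0.0.1;id", "$(id)", "-c"]:
        try:
            print(sample, "->", build_ping_argv(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Validation alone does not address the second flaw: the device still has to reach its CWMP server over an authenticated, encrypted channel before any instruction from that server can be trusted.
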
- Clone the repository:
  `git clone https://github.com/0x1x02/CWMP-Server-RCE-Exploit.git`
- Navigate to the cloned directory:
  `cd CWMP-Server-RCE-Exploit`
- Install the required dependencies:
  `pip install -r requirements.txt`
- Modify the `command` variable in the script to specify the command you want to execute on the target device.
- Run the exploit script:
  `python3 exploit.py`
- The script will start a fake CWMP server and wait for connections from the target device.
- Once the target device connects, the script will intercept the connection, execute the specified command, and display the output.

This exploit script is intended for educational and research purposes only. Unauthorized use of this script against networks or devices without proper authorization may be illegal. Use it at your own risk.
- Exploit Author: 0x1x02 / Mochammad Riyan Firmansyah of SecLab Indonesia
- Original Advisory: Link
- Vendor Homepage: Ruijie Networks
- Software Link: Firmware Version B11P204
- Tested Devices: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO