CVE-2023-30065: mitrastar-code-execution/README.md at main · Sigmw/mitrastar-code-execution
MitraStar GPT-2741GNAC-N2 with firmware BR_g5.9_1.11(WVK.0)b32 was discovered to contain a remote code execution (RCE) vulnerability in the ping function.
Code execution on MitraStar GPT-2741GNAC-N2.
Should work on GPT-2741GNAC-N1.
Firmware: BR_g5.9_1.11(WVK.0)b32 (the latest version at the time of writing).
Exploit: the router's ping diagnostic tool hands the user-supplied host to a shell, so a pipe operator in that field lets us execute arbitrary commands.
Assume a variable $GATEWAY=192.168.15.1 (the usual MitraStar gateway address).
The admin panel is reachable at http://GATEWAY/padrao
After logging in (here I am logging in with the support user), go to this field:
We can run a simple ping and see the tool working:
But a simple and poisonous shell pipe operator in the same field gives us the ability to execute commands on the underlying operating system.
It seems we also have permissions on the root filesystem (note that I logged in as the support user, using the password printed on the label under the router):
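The pattern behind this bug, as an added example that is not part of the original repository or of the MitraStar firmware (whose real CGI handler is not public): a ping diagnostic that splices the host field into a shell command line, next to a hardened handler that validates the host and executes without a shell. `echo` stands in for the ping binary (an assumption so the example runs offline); the shell parsing of the injected pipe is the same as with a real `ping`.

```python
"""Vulnerable vs. hardened "ping diagnostic" handler (added example, not the router's code)."""
import ipaddress
import re
import subprocess

# Hypothetical stand-in for the firmware's ping binary: echo prints the arguments
# ping would have received, so the example runs without network access.
PING_BIN = "echo"

# RFC 1123 hostname grammar for the hardened handler: labels of alphanumerics and
# hyphens, no leading hyphen, so no shell metacharacters and no option injection.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def vulnerable_ping(host: str) -> str:
    """The CVE pattern: user input concatenated into a string run by /bin/sh.

    A host of '127.0.0.1 | id' makes the shell run 'id' with the web server's
    privileges; everything after the pipe is attacker-controlled.
    """
    cmd = f"{PING_BIN} -c 1 {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def validate_host(host: str) -> str:
    """Accept an IP literal or a syntactically valid hostname; reject anything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def hardened_ping(host: str) -> str:
    """Validate first, then exec an argv list: no shell, so '|' is never interpreted."""
    host = validate_host(host)
    out = subprocess.run([PING_BIN, "-c", "1", host], capture_output=True, text=True)
    return out.stdout


def is_rejected(host: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1 | echo INJECTED"   # constructed payload in the spirit of the PoC
    print("vulnerable:", vulnerable_ping(payload).strip())   # the injected command ran
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened, valid host:", hardened_ping("127.0.0.1").strip())
```

Against a real `ping`, the same payload in the vulnerable handler yields the output of the injected command in the diagnostic page, which is exactly what the screenshots above show; the argv-list form passes the literal string to the binary, which simply fails to resolve it.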