Since NFS (perm error), bin2sh and other methods did not work, I came up with another (automated) method to upload ipctool.
busybox with uudecode needed on target
Proof-of-concept:
```python
#!/usr/bin/env python3
# Encode the file first:  uuencode -m ipctool ipctool > ipctoolu
# Run the script with:    python sender.py --host IP ipctoolu
import argparse
import telnetlib  # standard library up to Python 3.12 (removed in 3.13)

from tqdm import tqdm

argparser = argparse.ArgumentParser()
argparser.add_argument('--host', required=True)
argparser.add_argument('--port', type=int, default=23)
argparser.add_argument('--user', type=str, default="root")
argparser.add_argument('--password', type=str, default="ivideo")
argparser.add_argument('src')
args = argparser.parse_args()

# Connect to the cam
t = telnetlib.Telnet(args.host, args.port)
# t.set_debuglevel(4)

# Handle the login prompt (telnetlib works on bytes, so encode the strings)
t.read_until(b'(none) login: ', timeout=1)
t.write(args.user.encode() + b'\n')
t.read_until(b'Password: ', timeout=1)
t.write(args.password.encode() + b'\n')

# Bad test if we are logged in
print("If this takes 10+ secs something is wrong...")
expected_sh = b'~ # '
t.read_until(expected_sh, timeout=10)
t.write(b'echo "test" > /tmp/testf\n')
t.read_until(expected_sh, timeout=10)
print("Did it? I am too lazy to implement a check xD")

# Load the uuencoded file as bytes
with open(args.src, 'rb') as payload:
    payload_lines = payload.readlines()

expected_sh_2 = b"/tmp # "
print("If this takes 10 secs something is wrong...")
t.write(b'cd /tmp;F=payload;true>$F;chmod +x $F\n')
r = t.read_until(expected_sh_2, timeout=10)

print("Pushing file, go and grab a coffee :)")
for line in tqdm(payload_lines):
    # Append one encoded line per command and wait for the prompt to return
    t.write(b'echo "' + line.strip() + b'" >> $F\n')
    r = t.read_until(expected_sh_2, timeout=10)

print("Captain speaking: File arrived at destination, we are now going to convert it back. hehe")
# Decode on target
t.write(b'busybox uudecode payload\n')
r = t.read_until(expected_sh_2, timeout=5)
# Make executable on target
t.write(b'chmod +x ipctool\n')
r = t.read_until(expected_sh_2, timeout=5)
print("Done :)")
```
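Added example, not part of the original post: a local pre-flight check for the `uuencode -m` file that catches truncation or corruption before sending, flags lines that `echo "..."` would alter, and produces the checksum line to compare with `md5sum` on the target. The function names and the sample input are constructed for illustration, and it assumes the target's busybox includes the `md5sum` applet.

```python
import base64
import binascii
import hashlib

# Constructed sample: `uuencode -m` output for a 6-byte file named "hello".
SAMPLE = "begin-base64 644 hello\naGVsbG8K\n====\n"

def decode_uu_base64(text):
    """Parse `uuencode -m` text and return (mode, name, data)."""
    lines = text.splitlines()
    header = lines[0].split(" ", 2) if lines else []
    if len(header) != 3 or header[0] != "begin-base64":
        raise ValueError("missing or malformed begin-base64 header")
    body = []
    for line in lines[1:]:
        if line.strip() == "====":      # trailer marks the end of the data
            break
        body.append(line.strip())
    else:
        raise ValueError("no ==== trailer, file is truncated")
    try:
        data = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError("corrupt base64 body: %s" % exc)
    return header[1], header[2], data

def unsafe_for_echo(text):
    """Lines that `echo "<line>"` would alter because the shell expands them."""
    special = set('"$`\\')
    return [line for line in text.splitlines() if special & set(line)]

def expected_md5sum_line(text):
    """The line `md5sum <name>` should print on the target after decoding."""
    _, name, data = decode_uu_base64(text)
    return "%s  %s" % (hashlib.md5(data).hexdigest(), name)

if __name__ == "__main__":
    print(unsafe_for_echo(SAMPLE))
    print(expected_md5sum_line(SAMPLE))
```

Run it against the encoded file before sending, then compare the printed line with the output of `md5sum` in `/tmp` on the target once `uudecode` has finished.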