Alternative method to upload binary #38

Closed
DSchndr opened this issue Sep 14, 2022 · 1 comment
DSchndr commented Sep 14, 2022

Since NFS (perm error), bin2sh and other methods did not work, I came up with another (automated) method to upload ipctool.
busybox with uudecode is needed on the target.

Proof-of-concept:

#!/usr/bin/env python3

# encode file with: uuencode -m ipctool ipctool > ipctoolu
# run script with:  python sender.py --host IP ipctoolu
# note: telnetlib is deprecated since Python 3.11 and removed in 3.13

import argparse
import telnetlib
from tqdm import tqdm


argparser = argparse.ArgumentParser()
argparser.add_argument('--host', required=True)
argparser.add_argument('--port', type=int, default=23)
argparser.add_argument('--user', type=str, default="root")
argparser.add_argument('--password', type=str, default="ivideo")
argparser.add_argument('src')
args = argparser.parse_args()

# Connect to the cam
t = telnetlib.Telnet(args.host, args.port)
#t.set_debuglevel(4)

# handle login prompt (telnetlib works on bytes, so the str arguments are encoded)
t.read_until(b'(none) login: ', timeout=1)
t.write(args.user.encode() + b'\n')

t.read_until(b'Password: ', timeout=1)
t.write(args.password.encode() + b'\n')

#bad test if we are logged in
print("If this takes 10+ secs something is wrong...")
expected_sh = b'~ # '
t.read_until(expected_sh, timeout=10)
t.write(b'echo "test" > /tmp/testf\n')
t.read_until(expected_sh, timeout=10)
print("Did it? I am too lazy to implement a check xD")

#load file (one uuencoded line per list entry)
with open(args.src, 'r') as payload:
    Payload_Lines = payload.readlines()

expected_sh_2 = b"/tmp # "

print("If this takes 10 secs something is wrong...")
# cd into /tmp, truncate the target file and make it executable;
# $F stays set for the rest of this shell session
t.write(b'cd /tmp;F=payload;true>$F;chmod +x $F\n')
r = t.read_until(expected_sh_2, timeout=10)

print("Pushing file, go and grab a coffee :)")
# append the uuencoded text one line per echo, waiting for the prompt after each one
for line in tqdm(Payload_Lines):
    t.write(b'echo "' + line.strip().encode() + b'" >> $F\n')
    r = t.read_until(expected_sh_2, timeout=10)

print("Captain speaking: File arrived at destination, we are now going to convert it back. hehe")
#decode on target (uudecode writes the name given in the begin line, here ipctool, into /tmp)
t.write(b'busybox uudecode payload\n')
r = t.read_until(expected_sh_2, timeout=5)
#make executable on target
t.write(b'chmod +x ipctool\n')
r = t.read_until(expected_sh_2, timeout=5)
t.close()

print("Done :)")
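
The script above depends on a host-side uuencode binary and, as its own comments admit, never verifies that the bytes arrived intact. The following is an added example, not DSchndr's script and not part of the ipctool project: it builds the base64 uuencode ("uuencode -m") text in Python, checks that each line survives being pasted inside double quotes on a POSIX sh, round-trips the block locally, and prints the local MD5 next to the command to run on the target for comparison. The function names (uuencode_base64, shell_safe, uudecode_base64, build_upload) are my own, and the verification step assumes the target's busybox includes the md5sum applet.

```python
#!/usr/bin/env python3
"""Host-side helpers for the echo-append upload over telnet.

Added example (not the issue author's script): produces the 'begin-base64'
block busybox uudecode accepts, validates it for echo "..." transport,
and gives the operator a checksum to compare on the target.
"""
import base64
import hashlib

# uuencode -m packs 45 input bytes per line (60 base64 characters).
_BYTES_PER_LINE = 45

# Characters a POSIX sh still interprets inside "..." quotes.
_UNSAFE_IN_DQUOTES = set('"$`\\')


def uuencode_base64(data: bytes, name: str, mode: int = 0o755) -> list:
    """Return the lines of a base64 uuencode block.

    Layout: 'begin-base64 <octal mode> <name>', base64 body lines, '===='.
    """
    lines = ["begin-base64 %o %s" % (mode, name)]
    for off in range(0, len(data), _BYTES_PER_LINE):
        chunk = data[off:off + _BYTES_PER_LINE]
        lines.append(base64.b64encode(chunk).decode("ascii"))
    lines.append("====")
    return lines


def shell_safe(line: str) -> bool:
    """True if `echo "<line>" >> file` reproduces the line verbatim on sh."""
    if not line.isascii() or not line.isprintable():
        return False
    return not (_UNSAFE_IN_DQUOTES & set(line))


def uudecode_base64(lines) -> bytes:
    """Decode a block from uuencode_base64 (local round-trip check only)."""
    it = iter(lines)
    header = next(it)
    if not header.startswith("begin-base64 "):
        raise ValueError("not a begin-base64 block")
    body = []
    for line in it:
        if line == "====":
            break
        body.append(line)
    # Only the final chunk can carry '=' padding, so joining is safe.
    return base64.b64decode("".join(body))


def build_upload(data: bytes, name: str):
    """Encode and validate; return (lines, local_md5, verify_cmd).

    The operator compares local_md5 with the output of verify_cmd on the
    target instead of trusting the transfer blindly. verify_cmd assumes
    the target busybox has the md5sum applet (hypothetical for this cam).
    """
    lines = uuencode_base64(data, name)
    bad = [ln for ln in lines if not shell_safe(ln)]
    if bad:
        raise ValueError("line not safe to echo: %r" % bad[0])
    if uudecode_base64(lines) != data:
        raise RuntimeError("local round-trip failed")
    local_md5 = hashlib.md5(data).hexdigest()
    verify_cmd = "busybox md5sum /tmp/%s" % name
    return lines, local_md5, verify_cmd


if __name__ == "__main__":
    # Constructed sample payload; a real run would read the ipctool binary.
    sample = bytes(range(256)) * 3
    lines, digest, cmd = build_upload(sample, "ipctool")
    print("%d lines to push; expect %s from: %s" % (len(lines), digest, cmd))
```

Feed the returned lines to the echo loop in place of the file produced by uuencode; after `busybox uudecode payload` on the target, run the printed md5sum command there and compare it with the local digest before executing anything.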

@widgetii (Member)

Great! Feel free to make a PR to save it as a reusable script and write a few words in the README with a description.
