Okay, so let's imagine that this has been set up properly. The user has got it through the post, turned it on, and actually set up authentication on the AirStream itself, so it's not just left as an open AP (if it has been left as an open AP, hitting the telnet port with the undocumented default user/password of root/ifconfig (we know, sigh) will give us a shell). A normal user can't change these default credentials on the web app configuration page, so they're likely to stay default, making owning this device too easy and not fun.

Proof of Concept STEP 1 – Identification for CSRF:

CSRF doesn't necessarily need to happen over the Internet: due to the way the device is made, our targeted user always has unauthenticated access to its web interface through their home/office LAN. So, we first identify a user connected either directly to their AirStream, or connected concurrently with their AirStream to the LAN. Then, since we don't know the actual IP of the AirStream on the LAN, we send our target user a link to a webpage which holds CSRF-spraying JavaScript. Our proof of concept (PoC) page looks like this:

This JavaScript determines the IP range of the LAN using the browser and forces the browser to send HTTP GET requests all over the network, 192.168.0.0/24 (for example). It's a spray approach, which is guaranteed to eventually hit the AirStream device. To test this premise, we first exploited the combination of unauthenticated access to the web app alongside the POST/GET conversion. We crafted a GET request out of the POST request along with its parameters, which asks the settings binary to change the AP name and password. The GET request was then put into our JavaScript. Once the target user clicks a link to a page containing our sprayer, the sprayer sends the GET request all over the network, eventually hitting the AirStream, and the AP SSID and password are changed.

In principle, once we've done this, we could physically drive to the location where the AirStream is, log into it with the password we set, and dump out the plaintext SSID & passwords that the AirStream stores for the local Wi-Fi.

We dug deeper into the box and found a few interesting things. The very lightweight version of Linux seems to use busybox for its system tools which, lucky for us, includes a basic implementation of netcat. The web app runs from /

Running the command clean did nothing, but code injected into the password parameter of the string runs nicely. The GET request can be found on line 41 of the JavaScript. If we inject the below into the vulnerable password parameter field, it is possible to make it execute and send us a reverse shell. The injected command downloads a .sh file (which itself is written to get around the fact that the busybox implementation of nc lacks the "-e" flag functionality), makes it executable and then runs it. When our CSRF sprayer hits the page, we get sent a reverse shell from the target network. The downloaded bash file contains the reverse shell as below:

So we have managed to get the user to click the link and the reverse shell has connected back to us. From here we can do a few things. We now have access to the device over the Internet rather than having to be physically present near the access point or on the adjacent Wi-Fi device it is connected to. As the Neet device is connected to another Wi-Fi network we can get up to some malicious activity, essentially making this a pivoting device. We could also sniff traffic waiting for any clear text passwords to come up, or we could browse to the following path and view the clear text Wi-Fi passwords for the networks it has connected to: /etc/config/wireless. So at this stage we just have total pwnage.
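As an added defensive example (not code from the original post or from the AirStream firmware), the following Python models the checks a settings endpoint needs in order to break the chain described above: a state change accepted over GET with no authentication, origin check or CSRF token, which is what the spray relies on, and a password value that ends up in a shell command. The device origin, the token handling and the WPA2 passphrase alphabet are assumptions; `build_uci_args` assumes the device is OpenWrt-based, as /etc/config/wireless suggests.

```python
import hmac
import re
from urllib.parse import urlsplit

# Assumptions (the post only says "settings binary"): the device's own LAN origin,
# and a conservative WPA2 passphrase alphabet that excludes shell metacharacters.
DEVICE_ORIGINS = {"http://192.168.0.1"}
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
PSK_OK = re.compile(r"^[A-Za-z0-9 !\"#%',\-./:=?@\[\]^_~+*]{8,63}$")


def check_settings_request(method, headers, params, session_ok, expected_token):
    """Return the reasons this request must NOT be allowed to change AP settings.
    Each check closes one link of the chain in the post; an empty list means
    the request passed all of them."""
    problems = []
    if method != "POST":                     # a GET must never change state;
        problems.append("state change over " + method)   # the sprayer relies on it
    if not session_ok:                       # unauthenticated LAN access enabled everything
        problems.append("no authenticated session")
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        problems.append("missing Origin/Referer")
    else:
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" not in DEVICE_ORIGINS:
            problems.append("cross-site origin " + origin)
    if not hmac.compare_digest(params.get("csrf", ""), expected_token):
        problems.append("csrf token mismatch")   # per-session value a PoC page cannot know
    pw = params.get("password", "")
    if SHELL_META.search(pw):
        problems.append("shell metacharacters in password")
    if not PSK_OK.fullmatch(pw):
        problems.append("password outside allowed WPA2 passphrase alphabet")
    return problems


def build_uci_args(ssid, password):
    """Argument vectors for uci (OpenWrt's config tool, which owns
    /etc/config/wireless).  Run with subprocess.run(argv) and shell=False,
    the values are never parsed by a shell, so metacharacters in them are inert."""
    return [
        ["uci", "set", f"wireless.@wifi-iface[0].ssid={ssid}"],
        ["uci", "set", f"wireless.@wifi-iface[0].key={password}"],
        ["uci", "commit", "wireless"],
    ]


if __name__ == "__main__":
    # Constructed request of the shape the post describes: a GET from a foreign page.
    print(check_settings_request("GET", {"Referer": "http://evil.example/poc.html"},
                                 {"ssid": "pwned", "password": "correct horse;id"},
                                 session_ok=False, expected_token="tok123"))
```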