MikroTik's forum post, pictured at the beginning of this blog, is kind of right though.

Resetting the user accounts when you already have a valid account isn't that exciting.

But that isn't all CVE-2019-15055 can do.

In fact, I'm about to show you how to use it to get a root shell.

If you read my previous blog, RouterOS Post Exploitation, you might recall that I was able to get RouterOS's SNMP binary to load a shared object by storing it in /pckg/snmp_xploit/nova/lib/snmp/. This works because the SNMP process loops over all the directories in /pckg/ looking for shared objects to dlopen().

We can do the exact same thing here using CVE-2019-15055 and the USB's file system.

This little guy features a USB port and it uses RouterOS MIPSBE.

We'll need to cross-compile the malicious shared object to MIPS big endian.

What shared object? This one:

```c
#include
#include
void __attribute__((constructor)) lol(void)
```

The lol() function will be invoked when the SNMP binary calls dlopen() on the shared object. The function itself creates the directory /pckg/option and mounts /boot to it.
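Because the SNMP process will dlopen() shared objects from any directory under /pckg/, a forensic copy of a router's filesystem can be triaged for them. The following is an added example, not code from the original post: it assumes the copy is mounted at `root`, that the search pattern is `/pckg/<dir>/nova/lib/snmp/` (generalized from the one path given above), and that `expected_dirs` is an analyst-supplied allowlist; `example_pkg` and the stub files are constructed sample data.

```python
import os
import struct
import tempfile
ET_DYN, EM_MIPS = 3, 8  # ELF e_type "shared object", e_machine "MIPS"

def elf_info(path):
    """Return (byte_order, e_type, e_machine) from an ELF header, else None."""
    with open(path, "rb") as f:
        hdr = f.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF" or hdr[5] not in (1, 2):
        return None
    order = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    e_type, e_machine = struct.unpack(order + "HH", hdr[16:20])
    return ("big" if order == ">" else "little", e_type, e_machine)

def find_snmp_objects(root, expected_dirs):
    """List ELF shared objects under <root>/pckg/*/nova/lib/snmp/.

    expected_dirs: allowlist of /pckg/ directory names (assumption: taken
    from a known-good image of the same RouterOS version).
    """
    findings = []
    pckg = os.path.join(root, "pckg")
    for pkg in sorted(os.listdir(pckg)):
        libdir = os.path.join(pckg, pkg, "nova", "lib", "snmp")
        if not os.path.isdir(libdir):
            continue
        for name in sorted(os.listdir(libdir)):
            path = os.path.join(libdir, name)
            info = elf_info(path) if os.path.isfile(path) else None
            if info and info[1] == ET_DYN:
                findings.append({
                    "path": f"/pckg/{pkg}/nova/lib/snmp/{name}",
                    "mips_be": info[0] == "big" and info[2] == EM_MIPS,
                    "unexpected": pkg not in expected_dirs,
                })
    return findings

def build_sample_tree(root):
    """Constructed sample: two stub ELF headers and one non-ELF file."""
    stub = b"\x7fELF\x01\x02\x01" + bytes(9) + struct.pack(">HH", ET_DYN, EM_MIPS)
    samples = [("example_pkg", "a.so", stub), ("snmp_xploit", "b.so", stub),
               ("snmp_xploit", "notes.txt", b"not an ELF file")]
    for pkg, name, data in samples:
        d = os.path.join(root, "pckg", pkg, "nova", "lib", "snmp")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_snmp_objects(tmp, {"example_pkg"}):
            print(hit)
```

Any entry with `unexpected` set is a shared object the SNMP process would load from a directory that is not on the allowlist.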