零、绪论:

1、鸣谢freebuf的文章,主要是学习这个漏洞,文章地址: Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现

2、在shadon上找了多个该漏洞尝试复现失败(评论区有人复现成功,所以方法肯定可行),我的免费用户只能查看前两页,存在如下两种可能性:

(1)我尝试的靶机已经被打了补丁,或者默认账户已经被所有者或攻击者修改。

(2)此WEB服务器有版本区别,只有特定的一些版本存在该问题,而我没有遇到。

3、补充一点知识点:

受影响端口为4个:623、624、16992、16993

4、以上:如有错误和疏漏请批评指出,谢谢!!!

尝试扫描测试脚本:

 # -*- encoding:utf-8 -*-

 #import lib files:
import os
import sys
import logging
import requests
import threading
from optparse import OptionParser #global configuration
reload(sys)
sys.setdefaultencoding("utf-8")
logging.basicConfig(level=logging.INFO,format='%(message)s') #global varites define:
VulnPortList = [623,624,16992,16993]
VulnUrl = "http://%s:%s/logon.htm"
VulnList = [] class VulnScanner(threading.Thread):
def __init__(self,threadname):
threading.Thread.__init__(self,name=threadname)
self.targetlist = []
def _config_init(self,target=None,targetfile=None):
if target != None:
for port in VulnPortList:
targeturl = VulnUrl%(target,str(port))
self.targetlist.append(targeturl)
if targetfile !=None:
with open(targetfile,"r") as fr:
for line in fr.readlines():
target = line.split("\n")[0].split("\r")[0]
self._config_init(target=target)
def _check(self,target):
try:
logging.info("[+] checking %s"%str(target))
response = requests.get(target,timeout=3)
except Exception,ex:
logging.info("[*] Safe! Reason:%s"%str(ex))
return None
if response.status_code == 200:
if response.content.find("Log On"):
logging.info("[+] Vuln! %s"%str(target))
return target
else:
logging.info("[+] Safe! Reason:%s"%str(target))
return None
def run(self):
global VulnList
for target in self.targetlist:
result = self._check(target)
if result != None:
VulnList.append(result) if __name__ == "__main__":
logging.info("[+]*****************************************************************[+]")
logging.info("IAMT Scan Init!")
parser = OptionParser()
parser.add_option("-i","--iptarget",dest="iptarget",help="Target IP address!")
parser.add_option("-f","--iptargetfile",dest="iptargetfile",help="Target IPs file!")
parser.add_option("-t","--threadnum",dest="threadnum",help="Number of Added Threads to Scan!")
(options, args) = parser.parse_args()
parameterchecklist = [options.iptarget,options.iptargetfile]
if parameterchecklist in [[None,None],[None,""],["",None],["",""]]:
logging.error("[-] Target parameters error!")
exit(0)
try:
options.threadnum = 1 if options.threadnum == None or options.threadnum == "" else int(options.threadnum)
options.threadnum = 100 if options.threadnum > 100 else options.threadnum
except Exception,ex:
logging.error("[-] Threadnum parameter error!")
exit(0)
logging.info("[+] Scan Config Init!")
if options.iptargetfile != None:
ret = os.popen("wc -l ./%s"%options.iptargetfile)
size = str(ret.read()).split(" ")
size = int(size[0])+1
size = size/int(options.threadnum)
os.popen("split -l %s %s -d -a 3 scanfile"%(str(size),str(options.iptargetfile)))
scanfilelist = []
for parents,dirs,filenames in os.walk("./"):
for filename in filenames:
if filename.find("scanfile") >= 0:
scanfilelist.append(filename)
threadlist = []
for targetfile in scanfilelist:
thread = VulnScanner(threadname=str(targetfile))
thread._config_init(target=None,targetfile=targetfile)
threadlist.append(thread)
for thread in threadlist:
thread.start()
for thread in threadlist:
thread.join()
for filename in scanfilelist:
os.remove(filename)
print "************************************************************"
for vulntarget in VulnList:
print "[*]Unsafe!,targetIP:",str(vulntarget.split("http://")[-1].split("/")[0]),",targeturl:%s"%vulntarget
print "************************************************************"
else:
thread = VulnScanner(threadname="scanner")
thread._config_init(target=options.iptarget)
thread.start()
thread.join()
print "************************************************************"
for vulntarget in VulnList:
print "[*]Unsafe!,targetIP:",str(vulntarget.split("http://")[-1].split("/")[0]),",targeturl:%s"%vulntarget
print "************************************************************"

一、下面是引文:

漏洞原理:

利用截包软件把web登录数据包中Authorization字段中的response对应值全删除,就能以管理员用户登录AMT的web界面。

复现步骤:

第一步先利用搜索引擎zoomeye、shadan去搜索可能存在漏洞的链接,利用关键字port:16992

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

打开要检测的网站,点击Login登录,账号密码都为admin

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

把response里面的内容都清除

response="4208c148a7a8a9176bd8cb8d3a87464d"

点击burpsuite的Forward放行,成功以管理员进行登录

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

接下来新建账号,同理还是要清除response内的内容

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

这里设置密码需要注意密码复杂性要求,最少八个字符大小写特殊字符

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

新建账户成功后,刷新界面重新登录,此后操作就不需要在截包

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

Intel产品AMT本地及远程提权漏洞(CVE-2017-5689)复现 【转载自freebuf.com】-LMLPHP

以上就是复现过程。通过该漏洞,可以管理用户,远程开关机,使用创建的用户通过Manageability Commander Tool、vnc实现远程管理BIOS和操作系统。

05-02 10:47