kallsyms

ShareWay / Personal File Sharing final exploit path

This is the final exploit chain for the Mac OS 9.2.1 Personal File Sharing / ShareWay DSI bug. It requires AFP-over-DSI on TCP port 548.

Target

The vulnerable surface is Personal File Sharing / AppleShare over AFP-over-DSI on TCP port 548.

Relevant component: the ShareWay IP Personal Background extension used by Personal File Sharing.

kallsyms

import socket
import struct
import threading
import time

GPUDPORT = 59123
APIVERSION = 1

class GPUDServer:
    def __init__(self, port=GPUDPORT):

kallsyms

Switch

Setup ONIE

1. Flash ONIE iso to USB (DL from here DL from https://misc.bigdata.sh/as7712-32x-r0_onie_v2020.08.00.02.iso.zip)
2. Connect to console: screen /dev/cu.usbserial-* 115200
3. Boot switch to USB (Del to get into BIOS to set boot priority) -> Rescue
4. Wipe the drive: parted /dev/sda mklabel
5. Reboot to USB again -> Embed ONIE

Install SONiC

1. Get link for most recent SONiC 202311 broadcom: https://sonic.software/

kallsyms

// Simple flyweight pattern implementation.
#include <memory>
#include <mutex>
#include <unordered_set>

template <typename T>
class FlyweightObj
{
    // FlyweightObj takes two forms:
    //  1) A raw pointer to the object, which is used for cheap lookups.

kallsyms

from lxml import html
import argparse
import logging
import os
import re
import requests
import subprocess
import sys
import tempfile

kallsyms

import sys
import struct
import requests

# some details from https://github.com/RedhawkSDR/VITA49/blob/master/cpp/include/BasicVRTPacket.h

def parse_vita_float(radix, bits):
    # https://github.com/RedhawkSDR/VITA49/blob/a7230bcbd3547733be669b7c745eb7d9b0e17d25/cpp/include/VRTMath.h#L471
    div = float(1 << radix)
    return float(bits) / div

kallsyms

table netdev filter_test {
  chain ingress {
    type filter hook ingress device lo priority 0;
    ip daddr 127.1.2.3 dup to lo
  }
}