WRT120N v1.0.0.7 stack overflow, ROP to 4-byte overwrite which clears the admin password - by Craig Heffner

[m-1-k-3]

This is the great new exploit for the WRT120N. The vulnerability was discovered by Craig Heffner. Also the original exploit is his work thumbs up

Original exploit: http://www.exploit-db.com/exploits/31758/

Best,
Mike

[jvazquez-r7]

Just Linksys WRT120N tmUnblock Buffer Overflow looks like a better title

[jvazquez-r7]

I'm trying on a Linksys WRT120N, Firmware Version: v1.0.07 WRT120N with both Local Management and Remote Management available through HTTP, no success :S (neither with the original PoC).

[jvazquez-r7]

Not working for me :\

A request like that:

POST /cgi-bin/tmUnblock.cgi HTTP/1.1
Host: 192.168.1.1
Proxy-Connection: keep-alive
Authorization: Basic blahblah
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL=http://test

Answer with:

HTTP/1.0 302 Found
Server: Apache
Pragma: no-cache
Cache-Control: max-age=0, must-revalidate
Connection: close
Location: http://test
Content-type: text/html

<HEAD><TITLE>302 Document moved</TITLE></HEAD>
<BODY><H1>302 Document moved</H1>
This document has moved <A HREF="http://test</A>.<P>
</BODY>

In requests with long TM_Block_URL values I just get not answer (same thing with the craig's poc and the module).

Since I don't have the ability to debug atm, let me give a chance to @jvennix-r7 to test it, since he was interested and maybe I'm forgetting something obviously obvious :)

[m-1-k-3]

My WRT120N v1.0.0.7 works good. Should I send you the pcap?

[jvennix-r7]

@juan that's strange, I was testing that POST route yesterday and got "connection closed", not a 404. I will dive in soon

[jvazquez-r7]

@jvennix-r7 not a 404 here neither, no rush, when you have the time :)

@m-1-k-3 pcap would be helpful if you could share :) thanks!

[jvennix-r7]

Okay, I got this working. I had to reset the router firmware to the available 1.0.07. @jvazquez-r7: it's possible that some modification/setting I changed was messing things up. Against the newly updated firmware it seems to work well, even when run multiple times in a row.

@m-i-k-3 could you change the result:

print_status("Unknown exploiting status - try to login with user admin and without a password")

To just test logging in with admin:'', and print a success message then

[m-1-k-3]

@jvennix-r7 very cool! I will include all updates to the module tomorrow.

[jvazquez-r7]

+1 thanks both @jvennix-r7 and @m-1-k-3 , you are great guys :D

[wchen-r7]

Can do #{peer} here. Either Mike can do it, or whoever's merging this PR can just change it.

[m-1-k-3]

msf auxiliary(linksys_tmunblock_admin_reset_bof) > run

[] 192.168.1.1:80 - Trying to login with admin and empty password
[] 192.168.1.1:80 - No successful login possible with admin and empty password
[] 192.168.1.1:80 - Resetting password for the admin user ...
[] 192.168.1.1:80 - Trying to login with admin and empty password
[+] 192.168.1.1:80 - Successful login admin and empty password
[+] 192.168.1.1:80 - Expected answer and the login was successful. Try to login with the user admin and a blank password
[*] Auxiliary module execution completed

[jvazquez-r7]

Awesome, processing! thanks @m-1-k-3!