I am working on an exploit over a month now I have a problem and cannot go further.
here is the link of the exploit:
https://gist.github.com/doorbash/f454c698f192a0e5d1bf4da9c6869b67
https://www.exploit-db.com/exploits/39739
Description:
Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks.With a few magic cookies added to your request you bypass any authentication and browse the configuration interface as admin, from any open port.
By sending Cxxx=yyy cookie to the router web interface yyy will be saved at memory address xxx * 0x28 + Offset.If we find Authentication Enable/Disable boolean address and offset we can add data for this firmware to the exploit's target list and bypass the authentication by sending the right cookie.
How I analyzed the firmwares:
The firmware I analyzed at first is TP-Link 8901G V3 3.0.1 Build 100901 Rel.23594. download it here and run binwalk -e V3 3.0.1 Build 100901 Rel.23594 then open the largest file in extracted directory using IDA by selecting mipsb as the cpu architecture and 0x80020000 for base address.
If you search for Do not need string using Alt+T keys you will find a sb XXXX($gp) at the very first lines of the code you realize the li $gp,YYYYY instruction. the authentication address will be located by adding XXXX and YYYYY which in this case will be 0x803E1829
Now we must discover how Cookie: CNNNN=MMM; alter memory contents:
if you search for "soapaction" using Alt+T you will find this:
Go to the sub process highlighted by red color.
Now consider the number 0x6b28 as A = 0x6B28
Now back and toward up:
Now go to the top sub process:
you will find this:
now B = 0xA44, C = 0x1887C and D = 0x8041877C.
and MAGIC_NUMBER = 0x16B88 (I don't have any idea why but it works)
Now OFFSET = A - B + C + D - MAGIC_NUMBER = 0x80420554
now call info(calc(0x8041877C,0x1887c,0xa44,0x6B28,0x16b88),0x803E1829) or info(0x80420554,0x803E1829) in util.py I attached the output is ,107367749,13 which is the data we need for this firmware in the exploit.
the process is very similar (and different and also easier in the TP-Link W8961ND V3 120830 download it here
AuthenticationAddress = 0x803605B4
A = 0x6B28
B = 0x0 (move $a0, $s1)
C = 0x17E38
D = 0x804234C8
MAGIC_NUMBER = 0x16B88
OFFSET = A-B+C+D-MAGIC_NUMBER = 0x8042B2A0
We call info(0x8042B2A0,0x803605B4) in util.py and output is ,107353414,36 which is tested on real device and works.
THE PROBLEM IS:
for TD_W961ND_V3_140305 download it here the firmware has "Do not need" and "soapacation" texts but IDA cannot find the pointing addresses to these strings.I could not find out why.
The modifications and bug fixes for this according to here is :
Add the security mechanism.
Fixed the problem router's time can't synchronize from PC successfully.
Banned accessing the firmware upgrading page from WAN.
Fixed the problem that router failed to upload rom-0(Backup configuration).
Solved the problem that the login interface can't save the password correctly in Chrome and Firefox.
Solved the problem that we can’t visit CPE using “IP:Port” after we set up Virtual Server.
Forbidden access to the device through http://wan/lan ip/ or http://wan/lan ip/xxx.htm.
Fixed other bugs and problems.
I am not sure if the security mechanism (#1) is what is making this issue or not.
I also tried to compare 100901, 120830 and 140305 using binwalk entropy:
binwalk -E -J 120830 140305 100901
100901:
120830:
140305:
I know somethings wrong with 140305 (unusual wave forms at left) but could not come across any findings.
Update 1:
Here is how memory address 0x800D53BC looks like in my IDA:
Any idea or tip about how to fix this mess?
