Author: Zachary Cutlip
        uid000 AT gmail dot com
        Twitter: @zcutlip
Target: DIR-815 Rev A1
Firmware: 1.01
hedwig.cgi buffer overflow in HTTP header field Cookie: uid="<cookie value>"
Credit: Craig Heffner (@devttyS0) for discovering the vulnerability
This exploit code exploits a buffer overflow in the HTTP Cookie header field as processed by the /htdocs/cgibin executable.
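From the defender's side, the same fact (the uid value of the Cookie header is copied into a fixed-size buffer by the CGI handler) gives a simple detection rule: a request to the router's CGI endpoint whose uid cookie is far longer than any legitimate session value. The following is an added example, not part of this exploit package or the vendor firmware; the 64-byte threshold, the request samples and the /hedwig.cgi path in them are constructed for illustration and should be tuned against real traffic from the device.

```python
"""Flag HTTP requests whose Cookie header carries an oversized uid value.

Added defensive example; not from the exploit package. Threshold and
sample requests are constructed assumptions, not captured traffic.
"""

# Assumed threshold: a real DIR-815 session cookie is a short token, so a
# uid value many times this long is a strong overflow-attempt indicator.
MAX_UID_LEN = 64


def parse_headers(raw_request: str) -> dict:
    """Return {lower-cased name: value} for the header lines of a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def uid_cookie_value(cookie_header: str):
    """Extract the uid cookie from a Cookie header; strip surrounding quotes."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip() == "uid":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def inspect_request(raw_request: str, max_len: int = MAX_UID_LEN) -> dict:
    """Classify one raw HTTP request; returns path, uid length and a verdict."""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    verdict = {
        "path": parts[1] if len(parts) > 1 else "",
        "uid_len": 0,
        "suspicious": False,
        "reason": "",
    }
    cookie = parse_headers(raw_request).get("cookie")
    if cookie is None:
        return verdict
    uid = uid_cookie_value(cookie)
    if uid is None:
        return verdict
    verdict["uid_len"] = len(uid)
    if len(uid) > max_len:
        verdict["suspicious"] = True
        verdict["reason"] = f"uid cookie length {len(uid)} exceeds {max_len}"
    elif any(not 0x20 <= ord(c) <= 0x7E for c in uid):
        # Session tokens are printable; raw bytes in the value are another tell.
        verdict["suspicious"] = True
        verdict["reason"] = "uid cookie contains non-printable bytes"
    return verdict


# Constructed sample requests (not captured traffic).
BENIGN = (
    "GET /hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    'Cookie: uid="abc123"\r\n\r\n'
)
OVERSIZED = (
    "POST /hedwig.cgi HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    'Cookie: uid="' + "A" * 1024 + '"\r\n\r\n'
)

if __name__ == "__main__":
    for req in (BENIGN, OVERSIZED):
        print(inspect_request(req))
```

The check keys on the header the overflow travels in rather than on any particular payload bytes, so it is not defeated by changing the return address or shellcode; the cost is a hard length cut-off, which is why the threshold should be derived from the longest uid the device actually issues.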
You can run the exploit code against a live target using the -t option. Alternatively, you may want to run the cgi binary standalone in QEMU.
In that case, run the exploit code with the -F option. The output file must be named "cgibinoverflow.txt" and written to the directory above the root directory of the firmware's file system.
If the firmware's filesystem is in your QEMU machine under:
Then you would run the exploit code with
When you run the exploit code in this mode, it will write the overflow string to the output file, start the connect-back server and wait.
In QEMU, copy runhedwig.sh to the directory above the firmware's file system, and run it from that directory. If you have gdbserver in the firmware's root directory, you may invoke it with this script by setting DEBUG=1:
The binary will then run with gdbserver attached, listening on port 1234.
The usage of the exploit script is:
Usage: ./dir815_httpcookie_overflow.py [OPTIONS]

Option summary:
    -t, --target=IP_ADDRESS         Remote target to exploit. This option is mutually exclusive with -F and -f.
    -c, --connectback_ip            Connect-back IP address. This option is mandatory in all cases.
    -F, --file=FILE                 Output file to write the overflow string to. This option is mutually exclusive with -t.
    -f, --find_offset=FIND_STRING   String whose offset in the overflow buffer to find and report. This option is mutually exclusive with -t.