Hacking "ZynOS" routers !


MrNasro

I have done some work exploiting my home router and I'm sharing the full disclosure on how I did it, remote exploitation:

http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/

Any comments or suggestions are very welcome!

Happy reading :)

You said you did this for good but did you attempt to contact the vendor prior to disclosing?

That's awesome! The config file is readable to everyone??? I laughed so hard when I read your article. Thank you so much!

I have actually been playing with my Verizon router/modem combo at home and found something interesting. I was just fuzzing the web service today and it crashed. Not just the web service: the whole router. Like it turned off. So I went to try again and it worked again. The third time I tried it didn't work. Now I can't remember which header I was testing when I got the first crash so I'm back to square one. I have been working on it all day. I am now pulling my hair out.

Has anyone else had a similar result with their Verizon router?

Hahaha... man, you have to save the process and the findings in a text file next time XD

I usually do but this time I really wasn't expecting to find anything and the time after that my computer died (apparently fuzzing drains the battery pretty quickly) and I lost my data :( I'm new to wireless security.

Also, where did you get the firmware image to create the virtual machine?

I was running Ubuntu on VirtualBox, and I got the firmware from the router vendor's website: http://www.tp-link.com/en/products/details/?model=TD-W8951ND

Thanks. I'll download that and start playing. The firmware was posted on their website? I couldn't find Verizon's when I looked.

Hmm, just log in to the router's web interface and search for the "firmware" page; you'll find information about the version, build number, etc. With a good Google search you'll find download links. ;)

I tried something similar not so long ago. I was able to retrieve the rom-0 file by typing in a special link.

Funny to see this exploit still works :P

P.S. Just looked through your code.py, it was just like yours

"http://"+host+"/rom-0"

Can't remember the model of the router though :/

". . .I opened an OLD OLD poc python script of mine that accessed routers via telnet using the default passwords."

Hmm. . .

Is there any way that I could have that code? I would like to update that to support http logins as well and combine it with a project of mine that scrapes usernames and passwords from routerpasswords.com.

If you read the article carefully you'll find my GitHub: https://github.com/MrNasro/zynos-attacker ;)
