MrNasro Posted January 11, 2014
I have done some work exploiting my home router and I'm sharing the full disclosure on how I did it, remote exploitation: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/ Any comments or suggestions are very welcome! Happy reading :)
tom564 Posted January 11, 2014
> I have done some work exploiting my home router and I'm sharing the full disclosure on how I did it, remote exploitation: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/ Any comments or suggestions are very welcome! Happy reading :)
You said you did this for good, but did you attempt to contact the vendor prior to disclosing?
MrNasro (Author) Posted January 11, 2014
> You said you did this for good, but did you attempt to contact the vendor prior to disclosing?
Yep, but as always no replies and no fixes.
MrNasro (Author) Posted January 11, 2014
> That's awesome! The config file is readable to everyone??? I laughed so hard when I read your article. Thank you so much! I have actually been playing with my Verizon router/modem combo at home and found something interesting. I was just fuzzing the web service today and it crashed. Not just the web service: the whole router. Like it turned off. So I went to try again and it worked again. The third time I tried it didn't work. Now I can't remember which header I was testing when I got the first crash, so I'm back to square one. I have been working on it all day. I am now pulling my hair out. Has anyone else had a similar result with their Verizon router?
Hahaha... man, you have to save the process and the findings in a text file next time XD
MrNasro (Author) Posted January 11, 2014
> Good write up
Thanks, more interesting posts coming :)
MrNasro (Author) Posted January 11, 2014 (edited)
> I usually do, but this time I really wasn't expecting to find anything, and the time after that my computer died (apparently fuzzing drains the battery pretty quickly) and I lost my data :( I'm new to wireless security. Also, where did you get the firmware image to create the virtual machine?
I was running Ubuntu in VirtualBox, and I got the firmware from the router vendor's website: http://www.tp-link.com/en/products/details/?model=TD-W8951ND
Edited January 11, 2014 by MrNasro
MrNasro (Author) Posted January 11, 2014
> Thanks. I'll download that and start playing. The firmware was posted on their website? I couldn't find Verizon's when I looked.
Hmm, just log in to the router's web interface and look for the "firmware" page; you'll find information about the version and build number, etc. With a good Google search you'll find download links. ;)
Guest spazi Posted January 12, 2014 (edited)
I tried something similar not so long ago. I was able to retrieve the rom-0 file by typing in a special link. Funny to see this exploit still works :P
PS. Just looked through your code.py, it was just like yours: "http://"+host+"/rom-0". Can't remember the model of the router though :/
Edited January 12, 2014 by spazi
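Since the thread keeps coming back to the same detail (the router serves its rom-0 config file to anyone who asks for the /rom-0 path without logging in), here is an added example, not code from the thread or from MrNasro's repository, of how a defender would spot such requests in a router's or reverse proxy's access log. It parses Common Log Format lines, normalises the requested path (query string stripped, percent-decoding, case folding, trailing slash), and reports which clients asked for /rom-0 and whether the device actually served it (HTTP 200). The log lines below are constructed for the example; the addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (Common Log Format); not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2014:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1532
198.51.100.7 - - [11/Jan/2014:10:15:09 +0000] "GET /rom-0 HTTP/1.1" 200 16384
198.51.100.7 - - [11/Jan/2014:10:15:10 +0000] "GET /ROM-0 HTTP/1.0" 404 0
203.0.113.4 - - [11/Jan/2014:10:16:41 +0000] "GET /rom-0?x=1 HTTP/1.1" 200 16384
192.0.2.10 - - [11/Jan/2014:10:17:00 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""

# One CLF line: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Paths that expose the device configuration without authentication on
# affected ZynOS devices; /rom-0 is the one named in the thread.
SENSITIVE_PATHS = {"/rom-0"}


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def normalize_path(path):
    """Strip query string, percent-decode, fold case and drop a trailing slash
    so that /ROM-0, /rom-0?x=1 and /rom-0/ all compare equal to /rom-0."""
    p = unquote(urlsplit(path).path).lower()
    return p.rstrip("/") or "/"


def is_sensitive_request(path):
    return normalize_path(path) in SENSITIVE_PATHS


def find_config_requests(log_text):
    """Return every parsed record whose path is a sensitive config path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_sensitive_request(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count requests per client and how many times the file was actually served."""
    per_client = Counter(h["ip"] for h in hits)
    served = sum(1 for h in hits if h["status"] == 200)
    return {"per_client": dict(per_client), "served": served, "total": len(hits)}


if __name__ == "__main__":
    hits = find_config_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(hits))
```

A 200 with a body of a few kilobytes on this path means the configuration (and, as the thread notes, the admin password inside it) has already left the device; a 404 or 401 on the same path is a probe that was blocked. Either way the source address is worth correlating with other logs, and the fix on the device side is a firmware update or, failing that, disabling WAN-side access to the web interface.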
MrNasro (Author) Posted January 13, 2014
> "...I opened an OLD OLD PoC Python script of mine that accessed routers via telnet using the default passwords." Hmm... Is there any way that I could have that code? I would like to update that to support HTTP logins as well and combine it with a project of mine that scrapes usernames and passwords from routerpasswords.com.
If you read the article carefully you'll find my GitHub: https://github.com/MrNasro/zynos-attacker ;)
Guest spazi Posted January 16, 2014
I guess that shit just hit the fan... http://thehackernews.com/2014/01/TP-LINK-Routers-password-hacking.html