MrNasro Posted January 11, 2014

I have done some work exploiting my home router and I'm sharing the full disclosure on how I did it, remote exploitation: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/

Any comments or suggestions are very welcome! Happy reading :)

tom564 Posted January 11, 2014

> I have done some work exploiting my home router and I'm sharing the full disclosure on how I did it, remote exploitation: http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/
> Any comments or suggestions are very welcome! Happy reading :)

You said you did this for good but did you attempt to contact the vendor prior to disclosing?

digininja Posted January 11, 2014

Good write up

MrNasro (Author) Posted January 11, 2014

> You said you did this for good but did you attempt to contact the vendor prior to disclosing?

Yep but as always no replies and no fixes

MrNasro (Author) Posted January 11, 2014

> That's awesome! The config file is readable to everyone??? I laughed so hard when I read your article. Thank you so much! I have actually been playing with my Verizon router/modem combo at home and found something interesting. I was just fuzzing the web service today and it crashed. Not just the web service: the whole router. Like it turned off. So I went to try again and it worked again. The third time I tried it didn't work. Now I can't remember which header I was testing when I got the first crash so I'm back to square one. I have been working on it all day. I am now pulling my hair out. Has anyone else had a similar result with their Verizon router?

Hahaha .. man, you have to save the process and the findings in a text file next time XD

MrNasro (Author) Posted January 11, 2014

> Good write up

Thanks, more interesting posts coming :)

MrNasro (Author) Posted January 11, 2014 (edited January 11, 2014 by MrNasro)

> I usually do but this time I really wasn't expecting to find anything and the time after that my computer died (apparently fuzzing drains the battery pretty quickly) and I lost my data :( I'm new to wireless security. Also, where did you get the firmware image to create the virtual machine?

I was running Ubuntu on VirtualBox, and I got the firmware from the router vendor's website: http://www.tp-link.com/en/products/details/?model=TD-W8951ND

MrNasro (Author) Posted January 11, 2014

> Thanks. I'll download that and start playing. The firmware was posted on their website? I couldn't find Verizon's when I looked.

Hmm, just log in to the router's web interface and search for the "firmware" page; you'll find information about the version and build number, etc. With a good Google search you'll find download links. ;)

Guest spazi Posted January 12, 2014 (edited January 12, 2014 by spazi)

I tried something similar not so long ago. I was able to retrieve the rom-0 file by typing in a special link. Funny to see this exploit still works :P

PS. Just looked through your code.py, it was just like yours: "http://"+host+"/rom-0". Can't remember the model of the router though :/

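A self-audit for the exposure discussed in this thread, as an added example that is not from the original posts or from the zynos-attacker repository: it requests /rom-0 without credentials from a router you administer and reports only the HTTP status. The function name `rom0_exposure`, the result labels and the default address are assumptions made for illustration.

```python
"""Self-audit: does a router you administer serve /rom-0 without credentials?"""
import http.client
import sys


def rom0_exposure(host, port=80, timeout=5):
    """Request /rom-0 with no credentials and classify the answer.

    Returns 'exposed', 'auth-required', 'not-found', 'unreachable' or
    'other:<status>'. Only the status line is inspected; the response body
    is never read or stored.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/rom-0")
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        # Refused, timed out or not speaking HTTP: the management interface
        # is not reachable from where this check runs.
        return "unreachable"
    finally:
        conn.close()
    if status == 200:
        # Served without a login. Some devices answer 200 with a login page
        # for every path, so confirm in a browser before drawing conclusions.
        return "exposed"
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "not-found"
    return f"other:{status}"


if __name__ == "__main__":
    # 192.168.1.1 is a placeholder LAN address; pass your own router's IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = rom0_exposure(target)
    print(f"{target}: {result}")
    sys.exit(1 if result == "exposed" else 0)
```

Run it once from the LAN and once from an outside network against your own public address; from outside, "unreachable" is the result you want, since it means the management interface is not offered on the WAN side at all.
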
MrNasro (Author) Posted January 13, 2014

> ". . .I opened an OLD OLD poc python script of mine that accessed routers via telnet using the default passwords."
> Hmm. . . Is there any way that I could have that code? I would like to update that to support http logins as well and combine it with a project of mine that scrapes usernames and passwords from routerpasswords.com.

If you read the article carefully you'll find my GitHub: https://github.com/MrNasro/zynos-attacker ;)

melindachen Posted January 14, 2014

Good job, and thanks for sharing!

Guest spazi Posted January 16, 2014

I guess that shit just hit the fan... http://thehackernews.com/2014/01/TP-LINK-Routers-password-hacking.html