Routerpwn
== ROUTERPWN.com ==
Routerpwn.com is a web application that helps you in the exploitation of vulnerabilities in residential routers.
It is a compilation of ready to run local and remote web exploits.
Programmed in Javascript and HTML in order to run in all "smart phones" and mobile internet devices.
It is only one page, so you can store it offline for local exploitation without internet connection.
== Exploits ==
# 154 Total (11 Modules) 08/09/2012 #
Sagem Fast Telnet Root Password Generator
A1/Telekom PRG EAV4202N Default WPA Key Generator
Discus DRG A225 WiFi router Default WPA2-PSK Key Generator
Thomson BBox BBKeys TG787 Default Wireless Key Generator
EasyBox Standard WPA2 Key Generator
ZynOS (Huawei) Configuration Decompressor
Thomson SpeedTouch STKeys Default Wireless Key Generator
Huawei HG5XX Mac2wepkey Default Wireless Key Generator
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
Arris Password of The Day Generator
20x 27x authentication bypass (xss + info disclosure)
17x 18x 20x 27x CRLF denial of service remote MDC
17x 18x 20x 27x CRLF denial of service
17x 18x 20x 27x password_required.html authentication bypass
17x 18x 20x 27x CD35_SETUP_01 authentication bypass
17x 18x 20x 27x CD35_SETUP_01 password reset
17x 18x 20x 27x DSL denial of service
17x 18x 20x 27x mgmt_data configuration disclosure
17x 18x 20x 27x H04 authentication bypass
17x 18x 20x 27x 38x Add domain to hosts table CSRF
Backdoor password in Accton-based switches (3com, Dell, SMC, Foundry and EdgeCore)
iMC Intelligent Management Center configuration disclosure
iMC Intelligent Management Center traversal
OfficeConnect command execution
AP 8760 auhentication bypass
OfficeConnect configuration disclosure
OfficeConnect 3CRWE454G72 configuration disclosure
3cradsl72 configuration disclosure
3cradsl72 information disclosure & authenication bypass
812 denial of service
812 denial of service 2
Arris Password of The Day (list.txt)
Arris password of the day web interface
AR-804gu command execution
AR-804gu file disclosure
AR-804gu directory listing
F5D7234-4 v5 admin password md5
F5D8233-4 v3 configuration disclosure
F5D8233-4 v3 router reboot
F5D7230-4 factory reset
F5D7230-4 change dns servers
MIMO F5D9230xx4 configuration disclosure
WAG120N Change admin password
WAG120N Add admin user
WAP54Gv3 debug interface (Gemtek:gemtekswd)
WRT54G enable remote interface
WRT54G config disclosure
WRT54G restore factory defaults
WRT54G last password in plain text
WRT54G disable wifi encription
WRT54G change admin password
D-Link WBR-1310 Authentication Bypass set new password
D-Link DIR-615, DIR-320, DIR-300 Authentication Bypass
D-Link DAP-1160 Authentication Bypass
D-Link DIR-615 change password & enable remote admin
DSL-G604T change DNS servers
D-Link DIR-615 configuration disclosure
704P denial of service
DSL-G624T DSL-G604T directory traversal
DWL-7x00AP configuration disclosure
G604T DSL Routers "firmwarecfg" Authentication Bypass
HG5XX mac2wepkey default wireless key generator
HG520 rpADSLMode_1 denial of service
HG520 HTTP auth denial of service
HG520 rpEthernet_1 denial of service
HG520c HG530 enable remote management CSRF
HG520c HG530 Listadeparametros.html information disclosure
HG520c HG530 AutoRestart.html denial of service & factory reset
HG520 LocalDevicejump.html denial of service
HG510 rebootinfo.cgi denial of service
SmartAX MT880 default password
SmartAX MT880 add administrator account
SmartAX MT880 disable firewall/anti-dos w/default pass
ZyNOS configuration disclosure
SBG900 change admin password
SBG900 turn off firewall
SBG900 enable remote access
SBG900 disable DHCP & add custom DNS server
WNAP210 authentication bypass
WNDAP350, WNAP210 BackupConfig.php config disclosure
CG3100D privilege escalation
RP614v4 config disclosure
WNR2000 information disclosure
WNR2000 information disclosure
WNR2000 config disclosure
DG632 auth bypass (config disclosure)
DG632 auth bypass
DG632 'firmwarecfg' denial of service
WGR614v9 denial of service
SSL312 VPN denial of service
FVS318 content filtering bypass
FVS318 log file arbitrary content injection
DG834G enable telnet root shell
WG602 undocumented admin account (superman)
WG602 undocumented admin account (super)
FlexiISN auth bypass AAA Configuration
FlexiISN auth bypass Aggregation Class Configuration
FlexiISN auth bypass GGSN general Configuration
FlexiISN auth bypass Network Access & services
5200 Default administrator account
5200 Host authentication bypass
5200 Configuration disclosure /.cfg
SE461 denial of service
ST585, TG585n user.ini arbitrary download vulnerability
ST585 Redirect domain CSRF
ST585 Add administrator account CSRF
bthomehub call number (voice-jacking) auth bypass
bthomehub authentication bypass
bthomehub enable remote access and change tech password
bthomehub disable wifi
TEW-633GR A-to-C authentication bypass
TEW-633GR unauthorized factory reset
ZyWALL USG client side authorization config disclosure
G-570S configuration disclosure
Prestige configuration disclosure
Prestige privilege escalation
Prestige default password
ZyNOS configuration disclosure
Zywall2 Persistent Cross Site Scripting
Prestige unauthorized reset
DNA-A-211, UT300R2U information disclosure
Fibrehome HG-110 Local File Include and Directory/Path Traversal
Fibrehome HG-110 Cross site scripting
Zyxel O2 Classic persistent cross site scripting
Thomson ST585 Cross site scripting
CT-5367 Change ALL passwords
CT-5367 Information Disclosure
CT-507IT Cross site scripting
CT-536 HG-536+ Information Disclosure
CT-536 HG-536+ Configuration Disclosure
DSL-500T CSRF reset password
DSL-500T Directory Traversal (post auth)
DSL-500T old "firmwarecfg" Authentication Bypass
2701HGV-E 2700HGV-2 2700HG singtel default mdc password DoS
CT-5624 Info disclosure / Change passwords
X7968 cross site scripting
X7968 persistent cross site scripting
X7968 open port for ip CSRF
X7968 denial of service
CT-53XX CT-5071 CT-56XX Put a local IP in DMZ
CT-53XX CT-5071 CT-56XX Enable remote admin
DD-WRT information disclosure
DD-WRT command execution
2200 Sprint Verizon configuration disclosure
2352 Vodafone configuration disclosure
AirOS v3.6.1 v4.0 v5.x command execution
AirOS Remote Command Execution
HG5xx remote ppp password disclosure
DAP-1150 save configuration CSRF
DAP-1150 denial of service
DNS-320 DNS-325 command execution
DNS-320 DNS-325 information disclosure
DNS-320 DNS-325 information disclosure
TV-IP Cameras authentication bypass
2Wire remote administration password disclosure
D-Link DSL-2640B CSRF
Netgear remote information disclosure
Sagem F@ST 2604 CSRF Change Admin Password
HG866 Authentication Bypass
HG866 Denial of service
Shell oculta para depuración
F9K1002 Authentication Bypass
F9K1002 Web Management Password Exposure
BlackArmor NAS Password Reset
== Install ==
Android: Available in the Android Market.
iPhone/iTouch (JailBreak not needed):
Using Safari, browser the main url:
http://routerpwn.com
Select in Safari's main menu: [+]
Choose: "Add to home screen",
Enter a name or accept the default: "Routerpwn"
Click "Save".