Misfortune Cookie Authentication Bypass #46

Merged
merged 6 commits into from
May 1, 2016

@doorbash doorbash commented Apr 26, 2016

Hi,
I have been working on this for more than a month and have now decided to add it here.
The framework is great, good job. We can work on this to add more vulnerable models/firmwares in the future.
The main exploit I wrote is here

lucyoa commented Apr 27, 2016

Wow, that is impressive. We will definitely add this to routersploit, but we need to think about displaying firmwares to the user. Modules should not implement their own init method.

doorbash commented Apr 27, 2016

I could not find a more proper way to implement it since Routersploit does not (yet?) have a set target concept as in Metasploit.
You should change "target" to "rhost" since it's more convenient for Metasploit users, I think. And also the ability to choose a target.
See this module for example to see what I am talking about.
Anyway, your repository, your way :) I am just trying to help.

The exploit was just published on exploit-db: https://www.exploit-db.com/exploits/39739/
and 0day.today: http://0day.today/exploit/25259

lucyoa commented Apr 27, 2016

Your suggestions are good, we're gonna make the necessary changes to allow this kind of exploit implementation with setting targets. Thanks

lucyoa commented May 1, 2016

@doorbash following your suggestions, we added the necessary changes:

  • info 'targets' has been changed to 'devices'
  • there is a new command 'show devices' to display all target devices

Proof of concept exploit that shows how it works:

from routersploit import exploits, print_error, mute  # names used below


class Exploit(exploits.Exploit):
    """
    Exploit implementation for Test vulnerability.
    """
    __info__ = {
        'name': 'Test',
        'description': 'Exploits asmax password disclosure vulnerability that allows to '
                       'fetch credentials for: Admin, Support and User accounts.',
        'authors': [
            'test',  # routersploit module
        ],
        'references': [
             'http://www.google.com',
        ],
        'devices': [
            {'name': 'Device 1', 'param': 'Some param 1', 'attr': 'Attr 1'},
            {'name': 'Device 2', 'param': 'Some param 2', 'attr': 'Attr 2'},
            {'name': 'Device 3', 'param': 'Some param 3', 'attr': 'Attr 3'},
        ],
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1')  # target address
    port = exploits.Option(80, 'Target port')  # default port
    device = exploits.Option(0, 'Target device (show devices)')

    def run(self):
        devices = self._Exploit__info__['devices']

        for device in devices:
            print device['param']

        if int(self.device) >= 0 and int(self.device) < len(devices):
            print devices[int(self.device)]['attr']
        else:
            print_error("Invalid device identifier option")

    @mute
    def check(self):
        return False  # target not vulnerable

Commands:

rsf (Test) > show options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target port                                


Module options:

   Name       Current settings     Description                      
   ----       ----------------     -----------                      
   device     0                    Target device (show devices)     


rsf (Test) > show devices

Target devices:
   0 - Device 1
   1 - Device 2
   2 - Device 3

rsf (Test) > run
[*] Running module...
Some param 1
Some param 2
Some param 3
Attr 1

Would you mind adapting your pull request?

doorbash commented May 1, 2016

Cool. Yes I will adapt PR as soon as I can.

doorbash commented May 1, 2016

@lucyoa I adapted it.
Please take a look.

lucyoa commented May 1, 2016

@doorbash there is an off-by-one issue:

int(self.device) > len(devices)

it should be

int(self.device) >= len(devices)

Setting device id to 86 raises an index out of range exception.

doorbash commented May 1, 2016

@lucyoa Correct! fixed.
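
The off-by-one discussed above, as an added example that is not part of the pull request or of routersploit's code: it runs the first-submitted comparison and the corrected one over the values at each edge of the valid range. The 86-entry device list is constructed placeholder data (chosen because id 86 was the failing value), the function names are hypothetical, and the lower-bound check in the first-submitted form is an assumption.

```python
# Added example, not routersploit code. DEVICES is constructed placeholder
# data: 86 entries, so valid ids are 0..85 and id 86 is the first invalid one.
DEVICES = [{'name': 'Device %d' % (i + 1)} for i in range(86)]


def select_buggy(raw, devices):
    """Comparison as first submitted: rejects only ids greater than len()."""
    idx = int(raw)
    if idx < 0 or idx > len(devices):  # lower-bound check is an assumption
        return None
    return devices[idx]  # idx == len(devices) slips through -> IndexError


def select_fixed(raw, devices):
    """Corrected comparison: valid ids are 0 .. len(devices) - 1."""
    try:
        idx = int(raw)
    except (TypeError, ValueError):
        return None  # option values are user-typed strings
    # Without the lower bound, Python would treat -1 as "last device".
    if idx < 0 or idx >= len(devices):
        return None
    return devices[idx]


def probe(selector, raw, devices):
    """Return 'ok', 'rejected' or the exception name for one option value."""
    try:
        return 'ok' if selector(raw, devices) is not None else 'rejected'
    except Exception as exc:
        return type(exc).__name__


def boundary_report(devices):
    """Map each boundary value to (buggy result, fixed result)."""
    n = len(devices)
    cases = ['-1', '0', str(n - 1), str(n), str(n + 1), 'abc']
    return {raw: (probe(select_buggy, raw, devices),
                  probe(select_fixed, raw, devices)) for raw in cases}


if __name__ == '__main__':
    for raw, result in boundary_report(DEVICES).items():
        print('%-4s buggy=%-10s fixed=%s' % (raw, result[0], result[1]))
```

Only the value equal to `len(devices)` separates the two comparisons, which is why a test at exactly that boundary catches the bug while `len(devices) + 1` does not.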

lucyoa commented May 1, 2016

Great job. Really happy to merge this module.

@lucyoa lucyoa merged commit 78d43d3 into threat9:master May 1, 2016