threat9 / routersploit Goto Github PK

Not an issue per se, just an addendum to the documentation.

Seems to work well on Mac (at least the autopwn part). I only had to install these Python modules:

sudo pip install requests paramiko gnureadline

Tested on OS X 10.11.4

exploits/juniper/screenos_backdoor crash after Succesful authentication:

rsf (Juniper ScreenOS Backdoor) > run
[*] Running module...
[+] SSH - Successful authentication
> help
[-] Traceback (most recent call last):
  File "/home/gchain/routersploit/routersploit/interpreter.py", line 292, in command_run
    self.current_module.run()
  File "/home/gchain/routersploit/routersploit/modules/exploits/juniper/screenos_backdoor.py", line 51, in run
    stdin, stdout, stderr = ssh.exec_command(cmd.strip())
  File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/client.py", line 418, in exec_command
    chan.exec_command(command)
  File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 60, in _check
    return func(self, *args, **kwds)
  File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 234, in exec_command
    self._wait_for_event()
  File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 1103, in _wait_for_event
    raise e
SSHException: Channel closed

when i try load module exploits get the error "It should be valid path to the module. Use key multiple times for completion." , what is the problem?

I've found a way to bypass authentication on most of Technicolor and Thomson routers.
Inspite of my efforts contacting them, they didn't replied to my emails, so I would like to disclosure it over here.

As my Python skills aren't the best yet, is there any python master over there who would like to help me writing it?

More details:
https://www.reddit.com/r/netsec/comments/4gc0f8/routersploit_router_exploitation_framework/d2gh4gl

When doing the step pip install -r requirements an error gets thrown: 'Could not open requirements file: [Errno 2] No such file or directory: 'requirements'.

If you run pip install -r requirements.txt however it runs fine. Running on Ubuntu

While trying to use the "exploits/netgear/n300_auth_bypass" module the exploit reports successful and supplies a url but the URL redirects to here:

http://www.netgear.com/success/wnr2000v5.aspx?sn=(my-serial-number)

Serial number redacted for security reasons :)

Thanks for such an awesome toolkit!

I found a couple tiny bugs which I'll provide a pull request for. Basically authorship information was being set under 'author' instead of 'authors'. I wanted to write a test for it, maybe even one that checked all modules.

Would it be useful to have a set of tests that are executed against every module? A place for certain invariants to be asserted? This might help keep future modules at a high quality, especially those contributed by newcomers.

Thoughts?

ZTE AC3633R (Wifi Router) exploit - Authentication Bypass

http://seclists.org/fulldisclosure/2015/May/80

I'm not sure if this counts as an issue, really, but I feel that this framework could be greatly improved by the addition of a RAT, similar to meterpreter, but written in python, perhaps.

Implement mechanism responsible for reverse shell connections from exploited devices. It will be useful in all blind command injection scenarios.

For now it should support MIPS 32 bit architecture.

When inputting text longer than the width of the terminal, the line wraps over on the same line, overwriting itself. I have traced this back to an issue in 'readline', but uninstalling that does not fix the issue.

Thx for making this project! To make it easier for starters a hint on the required python modules in the readme whould be fine. On MacOS X 10.11 I needed to install requests, gnureadline and paramiko via pip.

Here See this Screen Shot ...
Fix these Errors Please...
i am using Linux Mint ...
http://i.imgur.com/Gukb3PT.png

Manufacturers are pretty relaxed about firmware updates. After shellshock was discovered, not many home devices were patched. I'd wager most home-routers can still be pwned using it.

reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
creating build/temp.linux-x86_64-2.7
generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
build/temp.linux-x86_64-2.7/_openssl.c:423:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-2PT4aF/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-KR1zQ_-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-2PT4aF/cryptography/

Add verbosity option (True / False) to all creds modules.

Verbosity set to True (by default) displays additional information:

• worker starting status
• all authentication attempts

exit command that will close the RSF.

Tokenizer that will retrieve data from text based on regexp patterns.

debug command will be displaying modules that raised exception during indexing.

rsf > debug
routersploit.modules.creds.snmp_bruteforce
[-] No module named netsnmp 

routersploit.modules.creds.http_form_default
[-] No module named bs4 

routersploit.modules.scanners.dlink_scan
[-] No module named routersplot 

rsf > 

I've set my target and run AutoPwn, and I get the following output. Tried multiple times with the exact same result. D-Link Scanner is able to successfully complete a scan.

rsf (AutoPwn) > run
[*] Running module...
[-] exploits/multi/misfortune_cookie is not vulnerable
[-] exploits/linksys/1500_2500_rce is not vulnerable
[-] exploits/linksys/wap54gv3_rce is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/belkin/n150_path_traversal is not vulnerable
[-] exploits/belkin/g_n150_password_disclosure is not vulnerable
[-] Traceback (most recent call last):
  File "/home/pi/routersploit/routersploit/interpreter.py", line 292, in command_run
    self.current_module.run()
  File "/home/pi/routersploit/routersploit/modules/scanners/autopwn.py", line 49, in run
    response = exploit.check()
  File "/home/pi/routersploit/routersploit/utils.py", line 101, in wrapper
    return fn(self, *args, **kwargs)
  File "routersploit/modules/exploits/belkin/n750_rce.py", line 71, in check
    response = self.execute(cmd)
  File "routersploit/modules/exploits/belkin/n750_rce.py", line 60, in execute
    response = http_request(method="POST", url=url, headers=headers, data=data)
  File "/home/pi/routersploit/routersploit/utils.py", line 331, in http_request
    return getattr(requests, method.lower())(url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 606, in send
    r.content
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 724, in content
    self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 653, in generate
    for chunk in self.raw.stream(chunk_size, decode_content=True):
  File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 256, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 186, in read
    data = self._fp.read(amt)
  File "/usr/lib/python2.7/httplib.py", line 573, in read
    s = self.fp.read(amt)
  File "/usr/lib/python2.7/socket.py", line 380, in read
    data = self._sock.recv(left)
error: [Errno 104] Connection reset by peer

Dell-N5110 routersploit # ./rsf.py
Traceback (most recent call last):
File "./rsf.py", line 11, in
routersploit()
File "./rsf.py", line 7, in routersploit
rsf = RoutersploitInterpreter()
File "/home/hamza/programmation/router/routersploit/routersploit/interpreter.py", line 167, in init
self.load_modules()
File "/home/hamza/programmation/router/routersploit/routersploit/interpreter.py", line 196, in load_modules
module = importlib.import_module(module_path)
File "/usr/lib/python2.7/importlib/init.py", line 37, in import_module
import(name)
File "/home/hamza/programmation/router/routersploit/routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 14, in
class Exploit(exploits.Exploit):
File "/home/hamza/programmation/router/routersploit/routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 43, in Exploit
requests.packages.urllib3.disable_warnings()
AttributeError: 'module' object has no attribute 'packages'

I had this error when trying to execute "pip install -r requirements.txt"

Don't know how to fix it

Implement heartbleed exploit module.

Trying to install this package to debian, I figured out that the right name of the package is python-pynetsnmp.

Wrapping requests API.

Ability to feed exploits with text file containing target list. Exploit would iterate through the list and run its run() method against yielded target.

Hi again,

I would like to know if i can find more exploits and incorporate into your tool ?
Shed some light.
Thanks.

It would be nice to have a 'help' command like in MSF to list all of the available commands and give a short description of each.

I was installing routersploit on a relatively clean Kubuntu 16 and I've noticed that some packages are missing from installation instructions in README, namely: libffi-dev and libssl-dev.

Cheers!

rsf > use scanners/autopwn
rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) > run
[*] Running module...
[-] exploits/technicolor/tc7200_password_disclosure is not vulnerable
[-] exploits/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/netgear/multi_rce is not vulnerable
[-] exploits/netgear/n300_auth_bypass is not vulnerable
[-] exploits/netgear/prosafe_rce is not vulnerable
[-] Traceback (most recent call last):
File "/home/michal-praca/Workspaces/Playground/routersploit/routersploit/interpreter.py", line 261, in command_run
self.current_module.run()
File "/home/michal-praca/Workspaces/Playground/routersploit/routersploit/modules/scanners/autopwn.py", line 49, in run
module = imp.load_source('module', rootpath + f + '.py')
File "routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 14, in
class Exploit(exploits.Exploit):
File "routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 43, in Exploit
requests.packages.urllib3.disable_warnings()
AttributeError: 'module' object has no attribute 'packages'

rsf (AutoPwn) >
[*] routersploit stopped

Run on Ubuntu 14.04 with Python 2.7.6

Having a weird issue running AutoPwn on Ubuntu: http://www.screencast.com/t/mMOPdyFDA
All dependencies installed fine. Any idea?

I've noticed that after today's pull, I'm getting some unprintable characters in the framework's output. For example, yesterday, if I typed an unknown command, the output was as follows:

rsf > asdf
[-] Unknown command: 'asdf'
rsf >

After today's pull (37840f3), I get the following output:

rsf > asdf
��[-]�� Unknown command: 'asdf'
rsf >

Fedora 23
Python 2.7.11

EDIT: Adding a screenshot because things look different in the terminal than they do when I paste the text into a browser.

So I've tried to run routersploit on NetHunter 3.0 on a Nexus 6 appears NetHunter is missing paramiko not 100% sure how that can be install or if it even can be installed on NetHunter 3.0 or not. but after I did the run it started to check my router to see if it was vulnerable and then it errored out about paramiko being a missing module.

Adding function decorator that will suppress printing to sys.stdout

Function will be used to decorate exploit's check() method to assure clean output for scanners.

I noted that you made commits mentioning "New release" and the version of the release but it would be great if you could make a tagged release the next time.
I'm packaging routersploit for distro kali linux and the packaging tools works best with tagged release (we have tools that monitors web pages listing release, and it works well with github pages showing git tags).
Thanks!

Do routersploit have ability to set multiple targets (network/mask, ip list...) in exploit or scan?

I've set my target and run AutoPwn, and I get the following output.

Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
 Codename : Bad Blood
 Version  : 2.0.0

 Total module count: 39

rsf > use scanners/autopwn
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target IP address e.g. 192.168.1.1
   port       80                   Target port


rsf (AutoPwn) > set target 192.168.1.254
�[92m[+]�[0m {'target': '192.168.1.254'}
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target     192.168.1.254        Target IP address e.g. 192.168.1.1
   port       80                   Target port


rsf (AutoPwn) > set target 192.168.0.254
�[92m[+]�[0m {'target': '192.168.0.254'}
rsf (AutoPwn) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target     192.168.0.254        Target IP address e.g. 192.168.1.1
   port       80                   Target port


rsf (AutoPwn) > run
�[94m[*]�[0m Running module...
�[91m[-]�[0m exploits/2wire/gateway_auth_bypass is not vulnerable
�[91m[-]�[0m exploits/asmax/ar_1004g_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/asmax/ar_804_gu_rce is not vulnerable
�[91m[-]�[0m exploits/asus/infosvr_backdoor_rce is not vulnerable
�[91m[-]�[0m exploits/asus/rt_n16_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/g_n150_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/g_plus_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/n150_path_traversal is not vulnerable
�[91m[-]�[0m exploits/belkin/n750_rce is not vulnerable
�[91m[-]�[0m exploits/cisco/ucs_manager_rce is not vulnerable
�[91m[-]�[0m exploits/comtrend/ct_5361t_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_600_rce is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_645_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dns_320l_327l_rce is not vulnerable
�[91m[-]�[0m exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dvg_n5402sp_path_traversal is not vulnerable
�[91m[-]�[0m exploits/dlink/dwr_932_info_disclosure is not vulnerable
�[91m[-]�[0m Traceback (most recent call last):
  File "C:\Users\tyller\Documents\routersploit\routersploit\interpreter.py", line 292, in command_run
    self.current_module.run()
  File "C:\Users\tyller\Documents\routersploit\routersploit\modules\scanners\autopwn.py", line 43, in run
    module = imp.load_source('module', rootpath + f + '.py')
  File "routersploit/modules/exploits/fortinet/fortigate_os_backdoor.py", line 6, in <module>
    import termios
ImportError: No module named termios

rsf (AutoPwn) >

Could you check this issue and let me know, what could be happening.

It should be possible to set stdout parameter through http_request function in order to toggle displaying statuses/errors on stdout.

There are still some issues with PEP8 styling on the code, most of them about long lines. Do you want them to get fixed or do you want for the long line error to be ignored?

Hi.

I am getting an error when i use "use exploits/"
"Error during loading 'routersploit/modules/exploits' module"

Please help.

Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-TNedkU/gnureadline/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-bKAv1O-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-TNedkU/gnureadline/

I had this error when trying to execute "pip install -r requirements.txt"

Don't know how to fix it

Implement mechanism responsible for reverse shell connections from exploited devices. It will be useful in all blind command injection scenarios.

It should support ARMv7 architecture.

Hi,
How would you get the target IP address so you can run the exploit module?

Hello,

Thank you for your work on this project!

I am finding the following error when running scanners/autopwn:

[-] Traceback (most recent call last):
  File "/home/<redacted>/gitClones/routersploit/routersploit/interpreter.py", line 292, in command_run
    self.current_module.run()
  File "/home/<redacted>/gitClones/routersploit/routersploit/modules/scanners/autopwn.py", line 43, in run
    module = imp.load_source('module', rootpath + f + '.py')
  File "routersploit/modules/exploits/fortinet/fortigate_os_backdoor.py", line 9, in <module>
    from paramiko.py3compat import u
ImportError: No module named py3compat

I went ahead and attempted to "sudo -H pip install --upgrade " the packages from the requirements.txt file:
gnureadline
requests
paramiko
beautifulsoup4

as well as "sudo -H pip install --upgrade py3compat"

but the error continues.

can anyone shed light on the correct packages to install that resolve the "ImportError: No module named py3compat" error?

Thank you again

I'm about to scan my tplink router with scanner/autopwn, but it give me this error
rsf (AutoPwn) > run
[_] Running module...
[-] exploits/comtrend/ct_5361t_password_disclosure is not vulnerable
[-] exploits/asmax/ar_1004g_password_disclosure is not vulnerable
[-] exploits/asmax/ar_804_gu_rce is not vulnerable
[-] exploits/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/belkin/g_n150_password_disclosure is not vulnerable
[-] exploits/belkin/n150_path_traversal is not vulnerable
[-] exploits/belkin/n750_rce is not vulnerable
[-] exploits/belkin/g_plus_info_disclosure is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/ubiquiti/airos_6_x is not vulnerable
[-] exploits/multi/misfortune_cookie is not vulnerable
[-] exploits/multi/shellshock is not vulnerable
[-] Traceback (most recent call last):
File "/home/netgear/pwn/routersploit/routersploit/interpreter.py", line 261, in command_run
self.current_module.run()
File "/home/netgear/pwn/routersploit/routersploit/modules/scanners/autopwn.py", line 51, in run
response = exploit.check()
File "/home/netgear/pwn/routersploit/routersploit/utils.py", line 153, in wrapper
return fn(self, *args, *_kwargs)
File "routersploit/modules/exploits/multi/heartbleed.py", line 164, in check
typ, ver, pay = self.recvmsg(s)
File "routersploit/modules/exploits/multi/heartbleed.py", line 102, in recvmsg
pay = self.recvall(s, ln, 10)
File "routersploit/modules/exploits/multi/heartbleed.py", line 87, in recvall
data = s.recv(remain)
error: [Errno 104] Connection reset by peer

Ability to increase/decrease level of verbosity offered by routersploit.

/routersploit# ./rsf.py
shows followin :
Traceback (most recent call last):
File "./rsf.py", line 3, in
from routersploit.interpreter import RoutersploitInterpreter
File "/home/aditya/routersploit/routersploit/init.py", line 1, in
from routersploit.utils import (
File "/home/aditya/routersploit/routersploit/utils.py", line 10, in
import requests
ImportError: No module named requests

So I ran this module on my router and it said "credentials could not be retrieved" even though the 'check' command said that the target is vulnerabld