threat9 / routersploit
Exploitation Framework for Embedded Devices
License: Other
Not an issue per se, just an addendum to the documentation.
Seems to work well on Mac (at least the autopwn part). I only had to install these Python modules:
sudo pip install requests paramiko gnureadline
Tested on OS X 10.11.4
exploits/juniper/screenos_backdoor
Crash after successful authentication:
rsf (Juniper ScreenOS Backdoor) > run
[*] Running module...
[+] SSH - Successful authentication
> help
[-] Traceback (most recent call last):
File "/home/gchain/routersploit/routersploit/interpreter.py", line 292, in command_run
self.current_module.run()
File "/home/gchain/routersploit/routersploit/modules/exploits/juniper/screenos_backdoor.py", line 51, in run
stdin, stdout, stderr = ssh.exec_command(cmd.strip())
File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/client.py", line 418, in exec_command
chan.exec_command(command)
File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 60, in _check
return func(self, *args, **kwds)
File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 234, in exec_command
self._wait_for_event()
File "/home/gchain/.venv/py2/lib/python2.7/site-packages/paramiko/channel.py", line 1103, in _wait_for_event
raise e
SSHException: Channel closed
When I try to load the exploits module I get the error "It should be valid path to the module. Use key multiple times for completion." What is the problem?
I've found a way to bypass authentication on most of Technicolor and Thomson routers.
In spite of my efforts to contact them, they didn't reply to my emails, so I would like to disclose it here.
As my Python skills aren't the best yet, is there any python master over there who would like to help me writing it?
When doing the step pip install -r requirements an error gets thrown: 'Could not open requirements file: [Errno 2] No such file or directory: 'requirements'.
If you run pip install -r requirements.txt however it runs fine. Running on Ubuntu
While trying to use the "exploits/netgear/n300_auth_bypass" module the exploit reports successful and supplies a url but the URL redirects to here:
http://www.netgear.com/success/wnr2000v5.aspx?sn=(my-serial-number)
Serial number redacted for security reasons :)
Thanks for such an awesome toolkit!
I found a couple tiny bugs which I'll provide a pull request for. Basically authorship information was being set under 'author' instead of 'authors'. I wanted to write a test for it, maybe even one that checked all modules.
Would it be useful to have a set of tests that are executed against every module? A place for certain invariants to be asserted? This might help keep future modules at a high quality, especially those contributed by newcomers.
Thoughts?
ZTE AC3633R (Wifi Router) exploit - Authentication Bypass
I'm not sure if this counts as an issue, really, but I feel that this framework could be greatly improved by the addition of a RAT, similar to meterpreter, but written in python, perhaps.
Implement mechanism responsible for reverse shell connections from exploited devices. It will be useful in all blind command injection scenarios.
For now it should support MIPS 32 bit architecture.
When inputting text longer than the width of the terminal, the line wraps over on the same line, overwriting itself. I have traced this back to an issue in 'readline', but uninstalling that does not fix the issue.
Thx for making this project! To make it easier for starters, a hint on the required Python modules in the readme would be fine. On MacOS X 10.11 I needed to install requests, gnureadline and paramiko via pip.
Here See this Screen Shot ...
Fix these Errors Please...
I am using Linux Mint ...
http://i.imgur.com/Gukb3PT.png
Manufacturers are pretty relaxed about firmware updates. After shellshock was discovered, not many home devices were patched. I'd wager most home-routers can still be pwned using it.
reading manifest file 'src/cryptography.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
no previously-included directories found matching 'docs/_build'
warning: no previously-included files matching '*' found under directory 'vectors'
writing manifest file 'src/cryptography.egg-info/SOURCES.txt'
running build_ext
generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
creating build/temp.linux-x86_64-2.7
generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
building '_openssl' extension
creating build/temp.linux-x86_64-2.7/build
creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fno-strict-aliasing -Wdate-time -D_FORTIFY_SOURCE=2 -g -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I/usr/include/python2.7 -c build/temp.linux-x86_64-2.7/_openssl.c -o build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7/_openssl.o
build/temp.linux-x86_64-2.7/_openssl.c:423:30: fatal error: openssl/opensslv.h: No such file or directory
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-2PT4aF/cryptography/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-KR1zQ_-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-2PT4aF/cryptography/
Add verbosity option (True / False) to all creds modules.
Verbosity set to True (by default) displays additional information:
exit command that will close the RSF.
Tokenizer that will retrieve data from text based on regexp patterns.
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
| // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
| |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_
\_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__|
| |
Router Exploitation Framework |_|
Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Wildest Dreams
Version : 1.0.0
Total module count: {modules_count}
debug command will be displaying modules that raised exception during indexing.
rsf > debug
routersploit.modules.creds.snmp_bruteforce
[-] No module named netsnmp
routersploit.modules.creds.http_form_default
[-] No module named bs4
routersploit.modules.scanners.dlink_scan
[-] No module named routersplot
rsf >
I've set my target and run AutoPwn, and I get the following output. Tried multiple times with the exact same result. D-Link Scanner is able to successfully complete a scan.
rsf (AutoPwn) > run
[*] Running module...
[-] exploits/multi/misfortune_cookie is not vulnerable
[-] exploits/linksys/1500_2500_rce is not vulnerable
[-] exploits/linksys/wap54gv3_rce is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/belkin/n150_path_traversal is not vulnerable
[-] exploits/belkin/g_n150_password_disclosure is not vulnerable
[-] Traceback (most recent call last):
File "/home/pi/routersploit/routersploit/interpreter.py", line 292, in command_run
self.current_module.run()
File "/home/pi/routersploit/routersploit/modules/scanners/autopwn.py", line 49, in run
response = exploit.check()
File "/home/pi/routersploit/routersploit/utils.py", line 101, in wrapper
return fn(self, *args, **kwargs)
File "routersploit/modules/exploits/belkin/n750_rce.py", line 71, in check
response = self.execute(cmd)
File "routersploit/modules/exploits/belkin/n750_rce.py", line 60, in execute
response = http_request(method="POST", url=url, headers=headers, data=data)
File "/home/pi/routersploit/routersploit/utils.py", line 331, in http_request
return getattr(requests, method.lower())(url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 606, in send
r.content
File "/usr/lib/python2.7/dist-packages/requests/models.py", line 724, in content
self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
File "/usr/lib/python2.7/dist-packages/requests/models.py", line 653, in generate
for chunk in self.raw.stream(chunk_size, decode_content=True):
File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 256, in stream
data = self.read(amt=amt, decode_content=decode_content)
File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 186, in read
data = self._fp.read(amt)
File "/usr/lib/python2.7/httplib.py", line 573, in read
s = self.fp.read(amt)
File "/usr/lib/python2.7/socket.py", line 380, in read
data = self._sock.recv(left)
error: [Errno 104] Connection reset by peer
Dell-N5110 routersploit # ./rsf.py
Traceback (most recent call last):
File "./rsf.py", line 11, in <module>
routersploit()
File "./rsf.py", line 7, in routersploit
rsf = RoutersploitInterpreter()
File "/home/hamza/programmation/router/routersploit/routersploit/interpreter.py", line 167, in __init__
self.load_modules()
File "/home/hamza/programmation/router/routersploit/routersploit/interpreter.py", line 196, in load_modules
module = importlib.import_module(module_path)
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "/home/hamza/programmation/router/routersploit/routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 14, in <module>
class Exploit(exploits.Exploit):
File "/home/hamza/programmation/router/routersploit/routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 43, in Exploit
requests.packages.urllib3.disable_warnings()
AttributeError: 'module' object has no attribute 'packages'
I had this error when trying to execute "pip install -r requirements.txt"
Don't know how to fix it
Implement heartbleed exploit module.
Trying to install this package to debian, I figured out that the right name of the package is python-pynetsnmp.
Wrapping requests API.
Ability to feed exploits with text file containing target list. Exploit would iterate through the list and run its run() method against yielded target.
Hi again,
I would like to know if I can find more exploits and incorporate them into your tool?
Shed some light.
Thanks.
It would be nice to have a 'help' command like in MSF to list all of the available commands and give a short description of each.
I was installing routersploit on a relatively clean Kubuntu 16 and I've noticed that some packages are missing from installation instructions in README, namely: libffi-dev and libssl-dev.
Cheers!
rsf > use scanners/autopwn
rsf (AutoPwn) > set target 192.168.0.1
[+] {'target': '192.168.0.1'}
rsf (AutoPwn) > run
[*] Running module...
[-] exploits/technicolor/tc7200_password_disclosure is not vulnerable
[-] exploits/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/netgear/multi_rce is not vulnerable
[-] exploits/netgear/n300_auth_bypass is not vulnerable
[-] exploits/netgear/prosafe_rce is not vulnerable
[-] Traceback (most recent call last):
File "/home/michal-praca/Workspaces/Playground/routersploit/routersploit/interpreter.py", line 261, in command_run
self.current_module.run()
File "/home/michal-praca/Workspaces/Playground/routersploit/routersploit/modules/scanners/autopwn.py", line 49, in run
module = imp.load_source('module', rootpath + f + '.py')
File "routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 14, in <module>
class Exploit(exploits.Exploit):
File "routersploit/modules/exploits/ubiquiti/airos_6_x.py", line 43, in Exploit
requests.packages.urllib3.disable_warnings()
AttributeError: 'module' object has no attribute 'packages'
rsf (AutoPwn) >
[*] routersploit stopped
Run on Ubuntu 14.04 with Python 2.7.6
Having a weird issue running AutoPwn on Ubuntu: http://www.screencast.com/t/mMOPdyFDA
All dependencies installed fine. Any idea?
I've noticed that after today's pull, I'm getting some unprintable characters in the framework's output. For example, yesterday, if I typed an unknown command, the output was as follows:
rsf > asdf
[-] Unknown command: 'asdf'
rsf >
After today's pull (37840f3), I get the following output:
rsf > asdf
��[-]�� Unknown command: 'asdf'
rsf >
Fedora 23
Python 2.7.11
EDIT: Adding a screenshot because things look different in the terminal than they do when I paste the text into a browser.
So I've tried to run routersploit on NetHunter 3.0 on a Nexus 6. It appears NetHunter is missing paramiko; I'm not 100% sure how that can be installed, or if it even can be installed on NetHunter 3.0. After I did the run, it started to check my router to see if it was vulnerable, and then it errored out about paramiko being a missing module.
Adding function decorator that will suppress printing to sys.stdout
Function will be used to decorate exploit's check() method to assure clean output for scanners.
I noted that you made commits mentioning "New release" and the version of the release but it would be great if you could make a tagged release the next time.
I'm packaging routersploit for the Kali Linux distro, and the packaging tools work best with tagged releases (we have tools that monitor web pages listing releases, and they work well with GitHub pages showing git tags).
Thanks!
Does routersploit have the ability to set multiple targets (network/mask, IP list...) in an exploit or scan?
I've set my target and run AutoPwn, and I get the following output.
Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Bad Blood
Version : 2.0.0
Total module count: 39
rsf > use scanners/autopwn
rsf (AutoPwn) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target Target IP address e.g. 192.168.1.1
port 80 Target port
rsf (AutoPwn) > set target 192.168.1.254
�[92m[+]�[0m {'target': '192.168.1.254'}
rsf (AutoPwn) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target 192.168.1.254 Target IP address e.g. 192.168.1.1
port 80 Target port
rsf (AutoPwn) > set target 192.168.0.254
�[92m[+]�[0m {'target': '192.168.0.254'}
rsf (AutoPwn) > show options
Target options:
Name Current settings Description
---- ---------------- -----------
target 192.168.0.254 Target IP address e.g. 192.168.1.1
port 80 Target port
rsf (AutoPwn) > run
�[94m[*]�[0m Running module...
�[91m[-]�[0m exploits/2wire/gateway_auth_bypass is not vulnerable
�[91m[-]�[0m exploits/asmax/ar_1004g_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/asmax/ar_804_gu_rce is not vulnerable
�[91m[-]�[0m exploits/asus/infosvr_backdoor_rce is not vulnerable
�[91m[-]�[0m exploits/asus/rt_n16_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/g_n150_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/g_plus_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/belkin/n150_path_traversal is not vulnerable
�[91m[-]�[0m exploits/belkin/n750_rce is not vulnerable
�[91m[-]�[0m exploits/cisco/ucs_manager_rce is not vulnerable
�[91m[-]�[0m exploits/comtrend/ct_5361t_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_300_600_rce is not vulnerable
�[91m[-]�[0m exploits/dlink/dir_645_password_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dns_320l_327l_rce is not vulnerable
�[91m[-]�[0m exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
�[91m[-]�[0m exploits/dlink/dvg_n5402sp_path_traversal is not vulnerable
�[91m[-]�[0m exploits/dlink/dwr_932_info_disclosure is not vulnerable
�[91m[-]�[0m Traceback (most recent call last):
File "C:\Users\tyller\Documents\routersploit\routersploit\interpreter.py", line 292, in command_run
self.current_module.run()
File "C:\Users\tyller\Documents\routersploit\routersploit\modules\scanners\autopwn.py", line 43, in run
module = imp.load_source('module', rootpath + f + '.py')
File "routersploit/modules/exploits/fortinet/fortigate_os_backdoor.py", line 6, in <module>
import termios
ImportError: No module named termios
rsf (AutoPwn) >
Could you check this issue and let me know what could be happening?
It should be possible to set stdout parameter through http_request function in order to toggle displaying statuses/errors on stdout.
There are still some issues with PEP8 styling on the code, most of them about long lines. Do you want them to get fixed or do you want for the long line error to be ignored?
Hi.
I am getting an error when I use "use exploits/"
"Error during loading 'routersploit/modules/exploits' module"
Please help.
Command "/usr/bin/python -u -c "import setuptools, tokenize;file='/tmp/pip-build-TNedkU/gnureadline/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-bKAv1O-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-TNedkU/gnureadline/
I had this error when trying to execute "pip install -r requirements.txt"
Don't know how to fix it
Implement mechanism responsible for reverse shell connections from exploited devices. It will be useful in all blind command injection scenarios.
It should support ARMv7 architecture.
Hi,
How would you get the target IP address so you can run the exploit module?
Hello,
Thank you for your work on this project!
I am finding the following error when running scanners/autopwn:
[-] Traceback (most recent call last):
File "/home/<redacted>/gitClones/routersploit/routersploit/interpreter.py", line 292, in command_run
self.current_module.run()
File "/home/<redacted>/gitClones/routersploit/routersploit/modules/scanners/autopwn.py", line 43, in run
module = imp.load_source('module', rootpath + f + '.py')
File "routersploit/modules/exploits/fortinet/fortigate_os_backdoor.py", line 9, in <module>
from paramiko.py3compat import u
ImportError: No module named py3compat
I went ahead and attempted to "sudo -H pip install --upgrade " the packages from the requirements.txt file:
gnureadline
requests
paramiko
beautifulsoup4
as well as "sudo -H pip install --upgrade py3compat"
but the error continues.
Can anyone shed light on the correct packages to install that resolve the "ImportError: No module named py3compat" error?
Thank you again
I'm about to scan my tplink router with scanner/autopwn, but it gives me this error:
rsf (AutoPwn) > run
[*] Running module...
[-] exploits/comtrend/ct_5361t_password_disclosure is not vulnerable
[-] exploits/asmax/ar_1004g_password_disclosure is not vulnerable
[-] exploits/asmax/ar_804_gu_rce is not vulnerable
[-] exploits/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/belkin/g_n150_password_disclosure is not vulnerable
[-] exploits/belkin/n150_path_traversal is not vulnerable
[-] exploits/belkin/n750_rce is not vulnerable
[-] exploits/belkin/g_plus_info_disclosure is not vulnerable
[-] exploits/juniper/screenos_backdoor is not vulnerable
[-] exploits/ubiquiti/airos_6_x is not vulnerable
[-] exploits/multi/misfortune_cookie is not vulnerable
[-] exploits/multi/shellshock is not vulnerable
[-] Traceback (most recent call last):
File "/home/netgear/pwn/routersploit/routersploit/interpreter.py", line 261, in command_run
self.current_module.run()
File "/home/netgear/pwn/routersploit/routersploit/modules/scanners/autopwn.py", line 51, in run
response = exploit.check()
File "/home/netgear/pwn/routersploit/routersploit/utils.py", line 153, in wrapper
return fn(self, *args, **kwargs)
File "routersploit/modules/exploits/multi/heartbleed.py", line 164, in check
typ, ver, pay = self.recvmsg(s)
File "routersploit/modules/exploits/multi/heartbleed.py", line 102, in recvmsg
pay = self.recvall(s, ln, 10)
File "routersploit/modules/exploits/multi/heartbleed.py", line 87, in recvall
data = s.recv(remain)
error: [Errno 104] Connection reset by peer
Ability to increase/decrease level of verbosity offered by routersploit.
/routersploit# ./rsf.py
shows the following:
Traceback (most recent call last):
File "./rsf.py", line 3, in <module>
from routersploit.interpreter import RoutersploitInterpreter
File "/home/aditya/routersploit/routersploit/__init__.py", line 1, in <module>
from routersploit.utils import (
File "/home/aditya/routersploit/routersploit/utils.py", line 10, in <module>
import requests
ImportError: No module named requests
So I ran this module on my router and it said "credentials could not be retrieved" even though the 'check' command said that the target is vulnerable.