Skip to content

Instantly share code, notes, and snippets.

@FennyFatal

FennyFatal/routerPwn.src

Last active October 9, 2024 19:18
Show Gist options
  • Save FennyFatal/b0b2f202222d939516987377dd3deed6 to your computer and use it in GitHub Desktop.
Save FennyFatal/b0b2f202222d939516987377dd3deed6 to your computer and use it in GitHub Desktop.
Download ZIP
Grey hack router exploit.
Raw
routerPwn.src
metaxploit = include_lib("/lib/metaxploit.so")
if not metaxploit then metaxploit = include_lib(current_path + "/metaxploit.so")
c_red = "<color=#ff0000>"
c_green = "<color=#00ff00>"
c_blue = "<color=#0000ff>"
c_grey = "<color=#999999>"
c_reset = "</color>"
vbt = get_shell.host_computer.File(current_path + "/vbt")
if not vbt or vbt == null then
print("Trying for vbt at /bin/vbt")
vbt = get_shell.host_computer.File(current_path + "/bin/vbt")
end if
if vbt then
print "Found vbt at " + vbt.path
end if
getPorts = function (remote)
for port in remote.get_ports
print port
end for
end function
GetPassword = function(userPass)
cryptools = include_lib("/lib/crypto.so")
if not cryptools then
cryptools = include_lib(current_path + "/crypto.so")
end if
if not cryptools then exit("Error: Can't find crypto.so library in the /lib path or the current folder")
if userPass.len != 2 then exit("decipher: wrong syntax")
password = cryptools.decipher(userPass[1])
return password
end function
listFiles = function (remote, folderPath)
libfolder = remote.File(folderPath)
for lib in libfolder.get_files
print lib.path
if not lib.is_binary then print lib.get_content
end for
end function
decypherEtcPasswd = function (remote)
configFile = "/etc/passwd"
bankFile = remote.File(configFile)
if not bankFile then return
if not bankFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend")
userPasses = bankFile.get_content.split("\n")
for user in userPasses
userPass = user.split(":")
if user.len < 2 then continue
print("Deciphering " + configFile)
print(configFile + " account: " + userPass[0])
pass = null
if vbt then pass = get_shell.launch(vbt.path, "-c -t " + userPass[1])
if pass then
found = true
else
password = GetPassword(userPass)
if not password then
print("Nothing found...")
else
print("Password: " + password)
found = true
end if
end if
end for
return found
end function
decypherThing = function (remote, userFolder, configFile)
found = false
bankFile = remote.File("/home/" + userFolder.name + "/Config/" + configFile +".txt")
if not bankFile then return
if not bankFile.has_permission("r") then exit("Error: can't read file contents. Permission deniend")
userPass = bankFile.get_content.split(":")
print("Deciphering " + configFile + " password for user: " + userFolder.name)
print(configFile + " account: " + userPass[0])
pass = null
if vbt then pass = get_shell.launch(vbt.path, "-c -t " + userPass[1])
if pass then
found = true
else
password = GetPassword(userPass)
if not password then
print("Nothing found...")
else
print("Password: " + password)
found = true
end if
end if
return found
end function
routerExploit = function (ip, address, funcstring, lanIp)
net_session = metaxploit.net_use( ip )
if not net_session then exit("Error: can't connect to net session")
libKernel = net_session.dump_lib
libName = "kernel_router.so"
print("Searching " + libName +" ...")
if libKernel.lib_name != libName then exit("Error: " + libName + " not found.")
if lanIp == "" then lanIp = user_input("Enter a LAN address: ")
result = libKernel.overflow(address, funcstring, lanIp)
typeObject = typeof(result)
if(typeObject != "computer") then exit("Error: expected computer, obtained " + typeObject)
homeFolder = result.File("/home")
if not homeFolder then exit("Error: /home folder not found")
userFolders = homeFolder.get_folders
found = false
for userFolder in userFolders
found = decypherThing(result, userFolder, "Bank")
found = decypherThing(result, userFolder, "Mail")
listFiles(result, userFolder.path)
end for
listFiles(result, "/lib")
getPorts(result)
found = decypherEtcPasswd(result)
if not found then print("No files found")
end function
scanMode = function(ip, port, metaLib)
addresses = metaxploit.scan(metaLib)
vulns = []
index = 0
for address in addresses
print address
index = index + 1
print(c_green + index + ".")
print(ip + " " + port + " " + address + c_reset)
result = metaxploit.scan_address(metaLib, address)
print(result)
string_arr = result.split("Unsafe")
vars = []
vars.push(address)
for string in string_arr
vars.push(string[string.indexOf("<b>")+3:string.indexOf("</b>")])
end for
vars.remove(1)
vulns.push(vars)
end for
commands = []
index = 0
for vuln in vulns
address = vuln.pull()
for var in vuln
index = index + 1
command = []
command.push(index)
command.push(ip)
command.push(port)
command.push(address)
command.push(var)
command.push("")
commands.push(command)
end for
end for
for command in commands
if not command[5] == "" then
print(c_grey + "<b>" + command[0] + ".</b> " + command[1] + " " + command[2] + " " + command[3] + " " + command[4] + " " + command[5] + " " + c_reset)
else
print("<b>" + command[0] + ".</b> " + command[1] + " " + command[2] + " " + command[3] + " " + command[4] + " " + command[5])
end if
end for
end function
inclusiveIndexes = function (max)
retval = []
i = 0
while(i < max)
retval.push(i)
i = i + 1
end while
return retval
end function
propNames = ["ip", "address", "var", "lanIp"]
props = {}
props.port=0
props.address = ""
props.lanIp = ""
for i in inclusiveIndexes(params.len)
if propNames.len > i then
props[propNames[i]] = params[i]
end if
end for
props.metalib = metaxploit.net_use( props.ip ).dump_lib
if (props.address == "") then
scanMode(props.ip, props.port, props.metalib)
else
routerExploit(props.ip, props.address, props.var, props.lanIp)
end if
@FennyFatal
Copy link
Author

FennyFatal commented Oct 9, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment