metasploit-framework/modules/auxiliary/scanner/wproxy/att_open_proxy.py

53 lines
1.8 KiB
Python
Raw Normal View History

#!/usr/bin/env python3
2018-01-17 20:46:31 +00:00
from metasploit import module, probe_scanner
metadata = {
'name': 'Open WAN-to-LAN proxy on AT&T routers',
'description': '''
The Arris NVG589 and NVG599 routers configured with AT&T U-verse
firmware 9.2.2h0d83 expose an un-authenticated proxy that allows
connecting from WAN to LAN by MAC address.
''',
'authors': [
'Joseph Hutchins' # Initial disclosure
'Jon Hart <jon_hart[AT]rapid7.com>', # Dummy payload and response pattern
'Adam Cammack <adam_cammack[AT]rapid7.com>' # Metasploit module
],
'date': '2017-08-31',
'references': [
{'type': 'cve', 'ref': '2017-14117'},
{'type': 'url', 'ref': 'https://www.nomotion.net/blog/sharknatto/'},
2018-08-27 21:06:07 +00:00
{'type': 'url', 'ref': 'https://blog.rapid7.com/2017/09/07/measuring-sharknat-to-exposures/#vulnerability5port49152tcpexposure'}
],
'type': 'multi_scanner',
'options': {
'rhosts': {'type': 'address_range', 'description': 'The target address', 'required': True, 'default': None},
'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 49152},
},
2018-08-27 21:06:07 +00:00
'notes': {
'AKA': [
'SharknAT&To',
'sharknatto'
]
}
}
def report_wproxy(target, response):
2018-01-17 18:04:12 +00:00
# We don't use the response here, but if we were a banner scraper we could
# print or report it
module.report_vuln(target[0], 'wproxy', port=target[0])
if __name__ == "__main__":
2018-01-17 20:46:31 +00:00
study = probe_scanner.make_scanner(
2018-01-17 18:04:12 +00:00
# Payload and pattern are given and applied straight to the socket, so
# they need to be bytes-like
2018-01-23 15:17:22 +00:00
payload=b'\x2a\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00',
pattern=b'^\\*\xce.{3}$',
onmatch=report_wproxy
2018-01-17 18:04:12 +00:00
)
module.run(metadata, study)