threat9 / routersploit

Exploitation Framework for Embedded Devices
12.24k stars 2.32k forks

exploits/routers/multi/rom0 #285

Closed Armanmd closed 7 years ago

Armanmd commented 7 years ago

```
rsf (AutoPwn) > use exploits/routers/multi/rom0
rsf (RomPager ROM-0) > set target 10.10.10.10
[+] {'target': '10.10.10.10'}
rsf (RomPager ROM-0) > run
[*] Running module...
[+] Target is vulnerable
[*] Downloading rom-0 file...
[*] Extracting password from file...
[-] Traceback (most recent call last):
  File "/root/Desktop/routersploit/routersploit/interpreter.py", line 299, in command_run
    self.current_module.run()
  File "/root/Desktop/routersploit/routersploit/modules/exploits/routers/multi/rom0.py", line 70, in run
    password = self.extract_password(f)
  File "/root/Desktop/routersploit/routersploit/modules/exploits/routers/multi/rom0.py", line 90, in extract_password
    result, window = lzs.LZSDecompress(chunk)
  File "/root/Desktop/routersploit/routersploit/utils/lzs.py", line 117, in LZSDecompress
    offset = reader.getBits(11)
  File "/root/Desktop/routersploit/routersploit/utils/lzs.py", line 50, in getBits
    res += self.getBit() << num - 1 - i
  File "/root/Desktop/routersploit/routersploit/utils/lzs.py", line 45, in getBit
    return self._bits.popleft()
IndexError: pop from an empty deque
```

OS: Kali Rolling, and I installed all of the requirements.

what to do?

Armanmd commented 7 years ago

Is this a bug?

0BuRner commented 7 years ago

Hello, From what I see, it's more likely to be a false positive than a bug... I mean your device probably uses RomPager HTTP server but not a vulnerable version. I'll try to update this exploit to avoid false positive.

Armanmd commented 7 years ago

@0BuRner check this link, I think your exploit is not working! screen shot and screen shot

And I tested here: my device is vulnerable.

What to do?

Armanmd commented 7 years ago

```
./rsf.py

LOGO

 Router Exploitation Framework

Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Bad Blood
Version  : 2.2.1

Exploits: 117 Scanners: 29 Creds: 13

rsf > use scanners/autopwn
rsf (AutoPwn) > set target 10.10.10.10
[+] {'target': '10.10.10.10'}
rsf (AutoPwn) > show options

Target options:

Name     Current settings   Description
----     ----------------   -----------
target   10.10.10.10        Target IP address e.g. 192.168.1.1
port     80                 Target port

Module options:

Name      Current settings   Description
----      ----------------   -----------
threads   8                  Number of threads

rsf (AutoPwn) > run
[*] Running module...
[*] exploits/routers/shuttle/915wm_dns_change could not be verified
[*] exploits/routers/dlink/dsl_2740r_dns_change could not be verified
[-] exploits/routers/asmax/ar_1004g_password_disclosure is not vulnerable
[-] exploits/routers/asmax/ar_804_gu_rce is not vulnerable
[*] exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change could not be verified
[-] exploits/routers/tplink/wdr740nd_wdr740n_path_traversal is not vulnerable
[-] exploits/routers/tplink/archer_c2_c20i_rce is not vulnerable
[-] exploits/routers/tplink/wdr740nd_wdr740n_backdoor is not vulnerable
[-] exploits/routers/dlink/dcs_930l_auth_rce is not vulnerable
[*] exploits/routers/dlink/dir_815_850l_rce could not be verified
[-] exploits/routers/dlink/dir_645_815_rce is not vulnerable
[-] exploits/routers/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/routers/dlink/dir_825_path_traversal is not vulnerable
[*] exploits/routers/dlink/dsl_2640b_dns_change could not be verified
[-] exploits/routers/dlink/dir_300_320_600_615_info_disclosure is not vulnerable
[-] exploits/routers/dlink/dsl_2730_2750_path_traversal is not vulnerable
[-] exploits/routers/netsys/multi_rce is not vulnerable
[-] exploits/routers/dlink/dir_300_645_815_upnp_rce is not vulnerable
[-] exploits/routers/dlink/multi_hnap_rce is not vulnerable
[-] exploits/routers/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/routers/dlink/dsp_w110_rce is not vulnerable
[-] exploits/routers/dlink/dwl_3200ap_password_disclosure is not vulnerable
[-] exploits/routers/dlink/dvg_n5402sp_path_traversal is not vulnerable
[-] exploits/routers/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/routers/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/routers/dlink/dgs_1510_add_user is not vulnerable
[-] exploits/routers/dlink/dir_300_600_rce is not vulnerable
[-] exploits/routers/dlink/dwr_932_info_disclosure is not vulnerable
[-] exploits/routers/asus/rt_n16_password_disclosure is not vulnerable
[-] exploits/routers/zyxel/p660hn-t_v2_rce is not vulnerable
[-] exploits/routers/zyxel/zywall_usg_extract_hashes is not vulnerable
[-] exploits/routers/zyxel/d1000_wifi_password_disclosure is not vulnerable
[-] exploits/routers/zyxel/d1000_rce is not vulnerable
[-] exploits/routers/zyxel/p660hn-t_v1_rce is not vulnerable
[-] exploits/routers/netgear/multi_password_disclosure-2017-5521 is not vulnerable
[-] exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal is not vulnerable
[-] exploits/routers/netgear/dgn2200_ping_cgi_rce is not vulnerable
[*] exploits/routers/netgear/dgn2200_dnslookup_cgi_rce could not be verified
[-] exploits/routers/netgear/r7000_r6400_rce is not vulnerable
[-] exploits/routers/ubiquiti/airos_6_x is not vulnerable
[-] exploits/routers/netgear/jnr1010_path_traversal is not vulnerable
[-] exploits/routers/netgear/n300_auth_bypass is not vulnerable
[*] exploits/routers/cisco/secure_acs_bypass could not be verified
[-] exploits/routers/netgear/prosafe_rce is not vulnerable
[-] exploits/routers/comtrend/ct_5361t_password_disclosure is not vulnerable
[*] exploits/routers/cisco/catalyst_2960_rocem could not be verified
[-] exploits/routers/cisco/ucs_manager_rce is not vulnerable
[-] exploits/routers/cisco/dpc2420_info_disclosure is not vulnerable
[-] exploits/routers/netgear/multi_rce is not vulnerable
[-] exploits/routers/cisco/firepower_management60_rce is not vulnerable
[-] exploits/routers/cisco/firepower_management60_path_traversal is not vulnerable
[-] exploits/routers/cisco/video_surv_path_traversal is not vulnerable
[-] exploits/routers/cisco/unified_multi_path_traversal is not vulnerable
[-] exploits/routers/cisco/ios_http_authorization_bypass is not vulnerable
[-] exploits/routers/multi/shellshock is not vulnerable
[+] exploits/routers/multi/rom0 is vulnerable
[-] exploits/routers/multi/misfortune_cookie is not vulnerable
[-] exploits/routers/multi/heartbleed is not vulnerable
[-] exploits/routers/dlink/dwr_932b_backdoor is not vulnerable
[-] exploits/routers/ipfire/ipfire_proxy_rce is not vulnerable
[-] exploits/routers/ipfire/ipfire_shellshock is not vulnerable
[-] exploits/routers/2wire/4011g_5012nv_path_traversal is not vulnerable
[-] exploits/routers/2wire/gateway_auth_bypass is not vulnerable
[-] exploits/routers/asus/infosvr_backdoor_rce is not vulnerable
[-] exploits/routers/technicolor/dwg855_authbypass is not vulnerable
[-] exploits/routers/technicolor/tc7200_password_disclosure is not vulnerable
[-] exploits/routers/technicolor/tc7200_password_disclosure_v2 is not vulnerable
[-] exploits/routers/billion/7700nr4_password_disclosure is not vulnerable
[*] exploits/routers/billion/5200w_rce could not be verified
[-] exploits/routers/bhu/bhu_urouter_rce is not vulnerable
[-] exploits/routers/cisco/ucm_info_disclosure is not vulnerable
[-] exploits/routers/zte/zxv10_rce is not vulnerable
[-] exploits/routers/zte/f460_f660_backdoor is not vulnerable
[+] exploits/routers/juniper/screenos_backdoor is vulnerable
[-] exploits/routers/technicolor/tg784_authbypass is not vulnerable
[-] exploits/routers/3com/officeconnect_rce is not vulnerable
[-] exploits/routers/3com/ap8760_password_disclosure is not vulnerable
[-] exploits/routers/3com/officeconnect_info_disclosure is not vulnerable
[-] exploits/routers/3com/imc_path_traversal is not vulnerable
[-] exploits/routers/3com/3cradsl72_info_disclosure is not vulnerable
[-] exploits/routers/3com/imc_info_disclosure is not vulnerable
[-] exploits/routers/movistar/adsl_router_bhs_rta_path_traversal is not vulnerable
[-] exploits/routers/linksys/wap54gv3_rce is not vulnerable
[-] exploits/routers/linksys/smartwifi_password_disclosure is not vulnerable
[-] exploits/routers/linksys/1500_2500_rce is not vulnerable
[-] exploits/routers/linksys/wrt100_110_rce is not vulnerable
[-] exploits/routers/zte/f660_config_disclosure is not vulnerable
[-] exploits/routers/netcore/udp_53413_rce is not vulnerable
[-] exploits/routers/multi/tcp_32764_rce is not vulnerable
[-] exploits/routers/multi/tcp_32764_info_disclosure is not vulnerable
[-] exploits/routers/huawei/e5331_mifi_info_disclosure is not vulnerable
[-] exploits/routers/huawei/hg530_hg520b_password_disclosure is not vulnerable
[-] exploits/routers/huawei/hg866_password_change is not vulnerable
[-] exploits/routers/thomson/twg850_password_disclosure is not vulnerable
[-] exploits/routers/huawei/hg630a_default_creds is not vulnerable
[-] exploits/routers/belkin/n750_rce is not vulnerable
[-] exploits/routers/belkin/play_max_prce is not vulnerable
[-] exploits/routers/belkin/auth_bypass is not vulnerable
[-] exploits/routers/belkin/g_plus_info_disclosure is not vulnerable
[-] exploits/routers/belkin/n150_path_traversal is not vulnerable
[-] exploits/cameras/dlink/dcs_930l_932l_auth_bypass is not vulnerable
[-] exploits/routers/belkin/g_n150_password_disclosure is not vulnerable
[-] exploits/cameras/honeywell/hicc_1100pt_password_disclosure is not vulnerable
[-] exploits/cameras/videoiq/videoiq_camera_path_traversal is not vulnerable
[-] exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal is not vulnerable
[-] exploits/cameras/brickcom/corp_network_cameras_conf_disclosure is not vulnerable
[-] exploits/cameras/multi/netwave_IP_camera is not vulnerable
[-] exploits/misc/wepresent/wipg1000_rce is not vulnerable
[-] exploits/misc/asus/b1m_projector_rce is not vulnerable
[-] exploits/misc/miele/pg8528_path_traversal is not vulnerable
[-] exploits/routers/zte/f609_config_disclosure is not vulnerable
[-] exploits/routers/thomson/twg849_info_disclosure is not vulnerable
[-] exploits/routers/huawei/hg520_info_dislosure is not vulnerable
[-] exploits/routers/multi/ssh_auth_keys is not vulnerable
[-] exploits/routers/fortinet/fortigate_os_backdoor is not vulnerable
[-] exploits/routers/zte/f6xx_default_root is not vulnerable
[-] exploits/cameras/grandstream/gxv3611hd_ip_camera_rce is not vulnerable
[*] Elapsed time: 218.641897917 seconds

[*] Could not verify exploitability:

[+] Device is vulnerable:

rsf (AutoPwn) >
```

This exploit, exploits/routers/juniper/screenos_backdoor, is working, but exploits/routers/multi/rom0 is not working. What OS do you use for penetration testing?

0BuRner commented 7 years ago

What's your device and its firmware version?

Armanmd commented 7 years ago

@0BuRner TP-Link TD-W8901N, firmware version v1. Here you can find a full guide about my router :) TP-Link site PDF guide

lucyoa commented 7 years ago

@0BuRner @Armanmd were you able to push it forward? It seems that the bug is in the decompressing process. Maybe @Armanmd you will be able to send us your rom-0 file so we could debug and fix the decompressing?

0BuRner commented 7 years ago

@lucyoa I haven't had time to look at it until now, but I still think this one is a false positive. The rom-0 file from @Armanmd would indeed be very useful to confirm that hypothesis. Then we could fix the issue to avoid the exception in other cases.

lucyoa commented 7 years ago

follow up #311

arismelachroinos commented 7 years ago

```
rsf (Zyxel ZyWALL USG Extract Hashes) > use exploits/routers/multi/rom0
rsf (RomPager ROM-0) > set target 192.168.2.1
[+] {'target': '192.168.2.1'}
rsf (RomPager ROM-0) > run
[*] Running module...
[+] Target is vulnerable
[*] Downloading rom-0 file...
[*] Extracting password from file...
```

And it is stuck there. I ran autopwn and it tells me it is vulnerable to this exploit as well. But when I run it, it only gets that far.

0BuRner commented 7 years ago

@arismelachroinos can you upload your rom-0 file somewhere? Then I'll be able to find out what's going wrong. To download it, simply go to: http://your.router.ip/rom-0

arismelachroinos commented 7 years ago

@0BuRner when I go to that address I don't get any file. Maybe that's why it doesn't work, but it says it's vulnerable.

arismelachroinos commented 7 years ago

Faced the same issue again with another router: when I go to http://your.router.ip/rom-0 I get no file, the login screen appears again, as if I hadn't even typed the extra /rom-0.
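The two failure modes in this thread are a router that answers `/rom-0` with its login page (the scanner saw a 200 and reported "vulnerable", but there is no config dump to decompress) and the LZS decompressor dying with `IndexError: pop from an empty deque` when its bitstream runs out. The following is an added example, not routersploit's own code: it gates the response before any decompression is attempted and reads the bitstream with a reader that fails with a descriptive error instead of an `IndexError`. The size floor (1 KiB), the printable-text threshold (95%) and the sample bodies are assumptions constructed for this example, not values taken from the project or from a real device.

```python
"""
Added example (not routersploit's code): sanity-check what an HTTP GET of
http://<router>/rom-0 actually returned before feeding it to an LZS
decompressor, and read the LZS bitstream with a bounds-checked reader.
The thresholds below are assumptions chosen for this example.
"""
from collections import deque
from typing import Tuple
import urllib.request


class Rom0Error(Exception):
    """Raised when the response is not a usable rom-0 dump."""


def looks_like_rom0(body: bytes, content_type: str = "") -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate rom-0 body.

    A real rom-0 dump is a binary blob; an HTML login page, an empty body or
    a tiny error page means the device is not actually leaking its config.
    """
    if not body:
        return False, "empty response body"
    if "text/html" in content_type.lower():
        return False, "Content-Type is text/html (login page, not a config dump)"
    head = body[:512].lower()
    for marker in (b"<!doctype", b"<html", b"<form", b"<script"):
        if marker in head:
            return False, "body starts with HTML markup (login page, not a config dump)"
    if len(body) < 1024:  # assumed floor; real dumps are many KiB
        return False, "body too small (%d bytes) to be a rom-0 image" % len(body)
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(body) > 0.95:  # assumed threshold for "this is text"
        return False, "body is almost entirely printable text, not a binary dump"
    return True, "plausible rom-0 binary (%d bytes)" % len(body)


class BitReader:
    """MSB-first bit reader that fails loudly instead of raising IndexError."""

    def __init__(self, data: bytes) -> None:
        self._bits = deque()
        for byte in data:
            for i in range(7, -1, -1):
                self._bits.append((byte >> i) & 1)

    def bits_left(self) -> int:
        return len(self._bits)

    def get_bit(self) -> int:
        if not self._bits:
            raise Rom0Error("LZS bitstream exhausted: input is truncated or not LZS data")
        return self._bits.popleft()

    def get_bits(self, num: int) -> int:
        value = 0
        for _ in range(num):
            value = (value << 1) | self.get_bit()
        return value


def open_rom0(body: bytes, content_type: str = "") -> BitReader:
    """Gate the decompressor: only a plausible binary body gets a BitReader."""
    ok, reason = looks_like_rom0(body, content_type)
    if not ok:
        raise Rom0Error(reason)
    return BitReader(body)


def fetch_rom0(url: str, timeout: float = 10.0) -> BitReader:
    """Fetch http://<router>/rom-0 and gate it. Network call; not used offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return open_rom0(resp.read(), resp.headers.get("Content-Type", ""))


# Constructed sample inputs (not captured from a real device).
LOGIN_PAGE = (b"<!DOCTYPE html><html><head><title>Router</title></head><body>"
              b"<form method='post'><input name='password' type='password'></form>"
              b"</body></html>")
BINARY_DUMP = bytes(range(256)) * 8  # 2 KiB, roughly 38% printable bytes


if __name__ == "__main__":
    for label, body, ctype in (("login page", LOGIN_PAGE, "text/html"),
                               ("binary dump", BINARY_DUMP, "application/octet-stream")):
        print(label, "->", looks_like_rom0(body, ctype))
    reader = open_rom0(BINARY_DUMP)
    print("first 11 bits of dump:", reader.get_bits(11), "bits left:", reader.bits_left())
```

With this gate in front of the decompressor, a device that redirects `/rom-0` to its login form is reported as "not a config dump" rather than as vulnerable, and a genuinely truncated or non-LZS body surfaces as a `Rom0Error` with a reason instead of a traceback from inside the bit reader.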

0BuRner commented 7 years ago

Does the latest version of routersploit still say it is vulnerable?